use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;
# Target selection: a first command-line argument of exactly 'r' selects the
# remote endpoint; anything else, or no argument, selects the local one.
my $REMOTE = (scalar(@ARGV) >= 1) && ($ARGV[0] eq 'r');

# The remote host and port are left blank in this listing; the local
# endpoint is 127.0.0.1:4000.
my ($host, $port) = $REMOTE ? ('', 0) : ('127.0.0.1', 4000);

# $s is the single socket shared by every helper defined below.
my $s = conn();

# The data sent right after connecting is an empty string in this listing.
my $payload = '';
$s->send($payload);

# Hand the session over to the terminal.
interact();
# Encode an integer as a little-endian unsigned int (pack template 'I<').
# 'I' follows the platform's C int, which is at least 32 bits wide.
sub p {
    my ($value) = @_;
    return pack('I<', $value);
}
# Decode a little-endian unsigned int (unpack template 'I<') from the start
# of a byte string; the inverse of p().
sub u {
    my ($bytes) = @_;
    return unpack('I<', $bytes);
}
# Format a number as lowercase hexadecimal, without a "0x" prefix or padding.
sub h {
    my ($number) = @_;
    return sprintf('%x', $number);
}
# Open a TCP connection to the file-level $host / $port and return the
# socket object. Dies with the constructor's error text ($@) when the
# connection cannot be established.
sub conn {
    my $sock = IO::Socket::INET->new(
        Proto    => 'tcp',
        PeerAddr => $host,
        PeerPort => $port,
    );
    die $@ unless $sock;
    return $sock;
}
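# Read from the shared socket $s one byte at a time until the literal string
# $st has been seen, and return everything read (delimiter included).
#
#   $st    - delimiter, matched literally (not as a regex)
#   $debug - when true, echo each received byte to STDOUT as it arrives
#
# Dies if recv() fails or the peer closes the connection before the
# delimiter shows up; without that check a closed socket would keep the
# loop spinning forever on empty reads.
#
# Note: in debug mode the peer's bytes are printed raw, so control
# sequences sent by an untrusted peer reach the terminal unfiltered.
sub recvuntil {
    my ($st, $debug) = @_;
    my $ret = '';

    # index() compares literally and, unlike an empty regex, treats an
    # empty delimiter as "already found".
    while (index($ret, $st) < 0) {
        # IO::Socket's recv takes (BUF, LEN [, FLAGS]) and fills BUF; it
        # returns undef on error, so test definedness rather than truth.
        my $lret = '';
        my $ok = $s->recv($lret, 1);
        die "recvuntil: recv failed: $!\n" unless defined $ok;
        die "recvuntil: connection closed before delimiter was seen\n"
            if length($lret) == 0;

        print $lret if $debug;
        $ret .= $lret;
    }
    return $ret;
}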
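# Read exactly $n bytes from the shared socket $s and return them.
# Returns '' when $n is zero or negative.
#
# Dies if recv() fails or the peer closes the connection before $n bytes
# have arrived; without that check a closed socket would keep the loop
# spinning forever on empty reads.
sub recvn {
    my ($n) = @_;
    my $ret = '';

    while (length($ret) < $n) {
        # IO::Socket's recv takes (BUF, LEN [, FLAGS]) and fills BUF with
        # at most LEN bytes, so asking for the remainder never over-reads.
        my $chunk = '';
        my $ok = $s->recv($chunk, $n - length($ret));
        die "recvn: recv failed: $!\n" unless defined $ok;
        die "recvn: connection closed after " . length($ret) . " of $n bytes\n"
            if length($chunk) == 0;

        $ret .= $chunk;
    }
    return $ret;
}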
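# Relay data between the terminal and the shared socket $s until either
# side reaches end-of-file: socket data is printed to STDOUT, and STDIN
# input is sent to the socket.
#
# Reads use sysread() rather than <$fh>. select() only sees the kernel
# buffer, so a buffered line read can hide pending data from it, and it
# also blocks until a newline arrives, which delays output that has no
# trailing newline. sysread also stays consistent with the unbuffered
# recv() calls used by recvuntil()/recvn().
#
# Note: the peer's bytes are printed raw, so control sequences sent by an
# untrusted peer reach the terminal unfiltered.
sub interact {
    my $sel = IO::Select->new($s, \*STDIN);

    # Unbuffer the selected output handle for the duration of the session so
    # partial lines from the peer show up immediately.
    local $| = 1;

    while (1) {
        for my $fh ($sel->can_read()) {
            if ($fh == $s) {
                my $got = sysread($fh, my $text, 4096);
                warn "interact: socket read failed: $!\n" unless defined $got;
                unless ($got) {
                    print "*** Connection closed by remote host ***\n";
                    return;
                }
                print $text;
            }
            elsif ($fh == \*STDIN) {
                my $got = sysread($fh, my $line, 4096);

                # End-of-file (or a read error) on the terminal ends the session.
                return unless $got;

                unless (defined $s->send($line)) {
                    warn "interact: send failed: $!\n";
                    return;
                }
            }
        }
    }
}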