- #!/usr/bin/python
- import socket
- import telnetlib
- import hashlib
- import string
- import itertools
# When true, recvuntil() echoes everything it reads from the socket to stdout.
LOG = True
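def recvuntil(delim):
    """Read from the global socket ``s`` until ``delim`` has been received.

    Data is pulled one byte at a time so nothing past the delimiter is
    consumed. The returned string holds everything read by this call,
    delimiter included. When ``LOG`` is true the text is echoed to stdout.

    Raises:
        EOFError: the peer closed the connection before ``delim`` arrived.
    """
    # NOTE(review): the paste lost its indentation; the log line is placed
    # after the loop here -- confirm against the original file.
    res = ""
    while delim not in res:
        chunk = s.recv(1)
        if not chunk:
            # recv() returns an empty string once the peer has closed the
            # socket; without this check the loop would spin forever.
            raise EOFError("connection closed while waiting for %r" % (delim,))
        res += chunk
    if LOG:
        print(res)
    return res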
def interact():
    """Attach the terminal to the already-open global socket ``s``."""
    print("[!] Interact:")
    session = telnetlib.Telnet()
    # Telnet() without a host does not connect; it is handed the existing
    # socket so the session continues on the same connection.
    session.sock = s
    session.interact()
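def find_root(size):
    """Query node pairs on the global socket ``s`` until a root candidate is found.

    For each candidate ``i`` in 1..size, every other node ``j`` is queried by
    sending ``"i j"`` and parsing the fifth whitespace-separated token of the
    reply as an integer. A reply of 1 rejects ``i``; otherwise ``ans - 1`` is
    recorded for ``j``. The first candidate that survives all queries is
    recorded with value 1.

    Returns:
        dict mapping node number to the recorded value, or an empty dict if
        every candidate was rejected.
    """
    # NOTE(review): loop nesting reconstructed from a paste that lost its
    # indentation -- confirm against the original file.
    rootmap = {}
    for i in range(1, size + 1):
        for j in range(1, size + 1):
            if i == j:
                continue
            print("%d %d" % (i, j))
            s.send(str(i) + " " + str(j) + "\n")
            ans = int(recvuntil("folders.").split()[4])
            if ans == 1:
                # Candidate rejected: drop what was collected for it.
                rootmap = {}
                break
            rootmap[j] = ans - 1
        else:
            # The inner loop ran to completion, so no query rejected i.
            # The earlier version detected this with `j == size`, which is
            # never reached when i == size (that pair is skipped), so a root
            # at the last index was returned without its own entry.
            rootmap[i] = 1
            return rootmap
    return rootmap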
def submit_ans(rootmap):
    """Send ``-1 -1`` and then answer ten prompts from ``rootmap``.

    Each prompt is read up to ``"folder?"``; the node number is the part
    after the first ``.`` in one whitespace-separated token of the prompt.
    The value stored for that node in ``rootmap`` is sent back as the answer.
    A node missing from ``rootmap`` raises ``KeyError``.
    """
    # Presumably "-1 -1" tells the service the query phase is over -- the
    # code only shows that the prompts are read after it is sent.
    s.send("-1 -1\n")
    for round_no in range(10):
        words = recvuntil("folder?").split()
        # The first prompt is parsed at a different token index than the
        # rest, presumably because extra text precedes it.
        token = words[12] if round_no == 0 else words[7]
        node = int(token.split(".")[1])
        s.send(str(rootmap[node]) + "\n")
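# Remote service endpoint; every helper above talks over this one socket.
target = ("119.254.101.232", 8888)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)

# Proof-of-work gate: the service sends "<text>=<sha1 hex>" and expects a
# string whose SHA-1 matches. Eight characters of that string are taken from
# the challenge text; the unknown parts are a 4-digit prefix and a
# 2-lowercase-letter suffix, so the search space is 10000 * 26 * 26.
challenge = recvuntil(":\n").split("=")
mid = challenge[0][9:17]
sha1 = challenge[1].split("\n")[0].strip()

# ascii_lowercase rather than string.lowercase: the latter depends on the
# process locale in Python 2, which would change the candidate set.
suffixes = [''.join(pair)
            for pair in itertools.product(string.ascii_lowercase, repeat=2)]

plain = None
done = False
for i in range(9999 + 1):
    prefix = '{0:04}'.format(i)
    for c in suffixes:
        candidate = prefix + mid + c
        if hashlib.sha1(candidate).hexdigest() == sha1:
            plain = candidate
            done = True
            break
    if done:
        break

if not done:
    # Previously the last non-matching candidate was sent anyway, so a
    # parsing mistake in the challenge showed up only as a confusing failure
    # later in the session.
    raise SystemExit("[-] proof-of-work: no candidate matched the challenge digest")

print("PLAIN: " + plain)
s.send(plain + "\n")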
# Five rounds, each with the size passed to find_root(); every round starts
# once the service has printed a line ending in "answer".
for size in (10, 20, 50, 100, 100):
    recvuntil("answer\n")
    rootmap = find_root(size)
    print(rootmap)
    submit_ans(rootmap)

# Hand the connection over to the terminal once all rounds are answered.
interact()