angelboy

SecretFS.py

May 4th, 2015
Python 2.27 KB | None | 0 0
  1. #!/usr/bin/python
  2. import socket
  3. import telnetlib
  4. import hashlib
  5. import string
  6. import itertools
  7.  
  8.  
  9. LOG = True
  10.  
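  def recvuntil(delim):
      """Read from the module-level socket ``s`` until ``delim`` has been seen.

      Data is pulled one byte at a time so nothing past the delimiter is
      consumed. The accumulated text (delimiter included) is echoed when
      ``LOG`` is true and then returned.

      Raises:
          EOFError: the peer closed the connection before ``delim`` arrived.
      """
      res = ""
      while delim not in res:
          chunk = s.recv(1)
          # recv() returns an empty string once the peer has closed the
          # connection; without this check the loop would spin forever.
          if not chunk:
              raise EOFError("connection closed before %r was received" % (delim,))
          res += chunk
      if LOG:
          print(res)
      return res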
  18.  
  def interact():
      """Hand the already-connected module-level socket ``s`` to a telnet console.

      A Telnet object is created without opening a connection of its own; its
      ``sock`` attribute is pointed at ``s`` so that ``Telnet.interact()``
      relays between the terminal and the existing session.
      """
      print("[!] Interact:")
      console = telnetlib.Telnet()
      console.sock = s
      console.interact()
  24.  
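  def find_root(size):
      """Query the service with ``"i j"`` pairs and build the answer map.

      For each candidate ``i`` in ``1..size`` every other index ``j`` is sent
      as the line ``"i j"``. The reply is read up to ``"folders."`` and its
      fifth whitespace-separated token is parsed as an integer. A reply of 1
      rejects the candidate; the first candidate that gets through every ``j``
      is treated as the root.

      NOTE(review): what the reply count measures is not visible here
      (presumably a path length in folders) - confirm against the service.

      Args:
          size: highest index to probe; indices run from 1 to ``size``.

      Returns:
          A dict mapping each ``j`` to ``reply - 1`` for the accepted
          candidate, plus the candidate itself mapped to 1. An empty dict if
          every candidate was rejected.
      """
      for i in range(1, size + 1):
          rootmap = {}
          for j in range(1, size + 1):
              if i == j:
                  continue
              print("%d %d" % (i, j))
              s.send(str(i) + " " + str(j) + "\n")
              # The reply is peer-controlled text; int() / the index raise if
              # the format is not the expected one.
              ans = int(recvuntil("folders.").split()[4])
              if ans == 1:
                  # This candidate is rejected; move on to the next one.
                  break
              rootmap[j] = ans - 1
          else:
              # No rejection for any j. The original only accepted a candidate
              # when the loop reached j == size, which never happens for
              # i == size (that pair is skipped), so the last index could not
              # be reported as root and was left out of the map.
              rootmap[i] = 1
              return rootmap
      return {}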
  49.  
  def submit_ans(rootmap):
      """Finish the query phase and answer the ten follow-up questions.

      Sends ``"-1 -1"`` and then, ten times, reads a prompt ending in
      ``"folder?"``, extracts the number after the dot in the relevant token
      and replies with ``rootmap`` looked up for that number.

      Args:
          rootmap: dict produced by ``find_root``; a ``KeyError`` is raised if
              the service asks about an index that is not in it.
      """
      s.send("-1 -1\n")
      for round_no in range(10):
          words = recvuntil("folder?").split()
          # The first prompt carries extra leading text, so the token of
          # interest sits at index 12 there and at index 7 afterwards.
          token = words[12] if round_no == 0 else words[7]
          folder_id = int(token.split(".")[1])
          s.send(str(rootmap[folder_id]) + "\n")
  60.  
  61.  
  # Challenge service endpoint (host, port).
  target = ("119.254.101.232", 8888)

  # `s` is the single module-level TCP socket that recvuntil(), find_root(),
  # submit_ans() and interact() all operate on.
  s = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
  s.connect(target)
  66.  
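  # Proof-of-work gate: the banner (read up to ":\n") is split on "=". Eight
  # characters of the left part (offsets 9..16) are the known middle of the
  # preimage, and the first line of the right part is the SHA-1 hex digest.
  q = recvuntil(":\n").split("=")
  mid = q[0][9:17]
  sha1 = q[1].split("\n")[0].strip()

  # Search space: 4 decimal digits + mid + 2 lowercase letters
  # (10000 * 26 * 26 candidates), tried in the same order as nested loops.
  l = [''.join(c) for c in itertools.product(string.lowercase, repeat=2)]
  plain = None
  for i, c in itertools.product(range(9999 + 1), l):
      candidate = '{0:04}'.format(i) + mid + c
      if hashlib.sha1(candidate).hexdigest() == sha1:
          plain = candidate
          break

  # The original sent whatever candidate was tried last when nothing matched,
  # so a mis-parsed banner showed up only as a confusing failure later on.
  if plain is None:
      raise SystemExit("[-] proof-of-work: no candidate matched " + sha1)

  print("PLAIN: " + plain)
  s.send(plain + "\n")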
  85.  
  # Five rounds, each announced by a line ending in "answer\n"; the number of
  # indices to probe per round is 10, 20, 50, 100 and 100.
  for size in (10, 20, 50, 100, 100):
      recvuntil("answer\n")
      rootmap = find_root(size)
      print(rootmap)
      submit_ans(rootmap)

  # After the last round, relay the session to the terminal.
  interact()