
Untitled

a guest Mar 24th, 2019 50 Never
# Python 2 script (it uses print statements and str.decode('hex')) built on
# pwntools; `remote` and `xor` used below come from the star import.
from pwn import *
import time
# Filler for the first prompt: 43 '.' characters. The driver loop sends
# frontPadding[i:], i.e. one character fewer on each step.
frontPadding = '.' * 43
# Filler for the second prompt: 3 '.' characters. The driver loop appends i
# extra '.' characters, so the combined filler length stays at 46 while the
# text between the two fillers moves relative to the block boundaries.
backPadding = '.' * 3

# One probe of the POODLE-style padding oracle exposed by the picoCTF service.
def send(frontPadding, backPadding, flag):
    """Request one ciphertext, resubmit a modified copy, and report the verdict.

    Steps, as visible in the code:
      1. Connect to the challenge service and choose the 'e' menu option,
         sending `frontPadding` and `backPadding` at the two prompts.
      2. Read the hex ciphertext and cut it into 32-hex-character chunks
         (16-byte blocks). Chunk 0 is the IV according to the author.
      3. Build a message from the first 448 hex characters (chunks 0..13)
         followed by a copy of chunk 8, which takes the place of what the
         author calls the padding block (chunk 14).
      4. Submit that message through the 's' menu option and look for the
         text 'Successful decryption' in the reply.

    The probe depends on the service revealing whether a modified ciphertext
    decrypted successfully. Presumably the ciphertext is not authenticated
    before the padding is checked (the server code is not shown here);
    authenticating it first (encrypt-then-MAC or an AEAD mode) and returning
    one uniform error removes that signal.

    Parameters:
      frontPadding -- filler string sent at the 'report: ' prompt.
      backPadding  -- filler string sent at the 'else? ' prompt.
      flag         -- characters recovered so far; only printed, never used
                      in the computation.

    Returns:
      (False, []) when the reply lacks 'Successful decryption'.
      (True, [value]) otherwise, where value is 0x10 xor-ed with the
      hex-decoded last element of chunk 13 and of chunk 7.
    """
    p = remote('2018shell1.picoctf.com', 14263)
    p.recvuntil('(S)')
    p.sendline('e')
    p.recvuntil('report: ')
    p.sendline(frontPadding)
    p.recvuntil('else? ')
    p.sendline(backPadding)
    # First line of the reply, with its 11-character prefix stripped, is the hex ciphertext.
    outputStr = p.recvuntil('(S)').split('\n')[0][11:] # getting the hex output
    output = []
    # The range stops at len(outputStr) - 32, so the final 32-character chunk
    # is not stored in `output`.
    for i in range(0, len(outputStr) - 32, 32):
        output.append(outputStr[i:i+32])
    # Chunk 8 is the block of interest and chunk 7 the block before it
    # (chunk 0 being the randomized IV, per the author).
    interestBlock = output[8]
    interestBlockPrev = output[7]
    # Chunk 13 is the block before the padding block; it is used in the xor
    # on the success path.
    interestBlockLast = output[13]
    # Keep chunks 0..13 (448 hex characters) and put a copy of chunk 8 where
    # the padding block (chunk 14) was.
    exploit = outputStr[0:448] + interestBlock
    print exploit
    # Submit the modified ciphertext and capture the service's verdict.
    p.sendline('s')
    p.recvuntil('message: ')
    p.sendline(exploit)
    result = p.recvuntil('(S)')
    p.close()
    print flag
    if 'Successful decryption' not in result:
        print 'FAIL'
        return False, []
    else:
        print 'SUCCESS'
        time.sleep(2.0)
        # NOTE(review): [-1] on a hex string selects a single hex character,
        # not a two-character byte -- confirm this is the intended operand.
        return True, [xor(xor(0x10, interestBlockLast[-1].decode('hex')), interestBlockPrev[-1].decode('hex'))]

# Driver: 29 outer iterations, presumably one per flag character. Step i moves
# i filler characters from the front input to the back input before probing.
flag = ''
result = False
output = []
# `repeat` controls the retry loop: send() is called again after a failed
# probe or after an exception raised before `repeat` is cleared.
repeat = True
for i in range(29):
    while repeat:
        try:
            result, output = send(frontPadding[i:], backPadding + '.' * i, flag)
            # Cleared as soon as send() returns; set back to True only in the
            # failure branch below.
            repeat = False
            if result:
                # ANSI escape 92 prints the message in bright green.
                print '\033[92mSUCCESS ON ONE CHARACTER\033[0m'
                print '\033[92m' + chr(output[0]) + '\033[0m'
                break
            else:
                repeat = True
        except Exception as e:
            # Every exception type is swallowed here and its details discarded.
            print 'Error... retrying'
    # NOTE(review): `repeat` is still False after a success, so the while loop
    # above is not entered on later iterations and this line reuses the
    # previous `output` -- confirm against the intended behaviour.
    flag += chr(output[0])
    print flag
print flag