- from pwn import *
- import time
# Filler strings for the two user-controlled fields of the report.
# The driver loop trims the front filler and grows the back filler by the
# same amount, so their combined length stays at 43 + 3 = 46 characters.
frontPadding = 43 * '.'
backPadding = 3 * '.'
# Implementation of the POODLE attack.
def send(frontPadding, backPadding, flag):
    """Request one ciphertext from the CTF service and replay a spliced copy.

    The two arguments are sent at the 'report: ' and 'else? ' prompts. The
    hex string in the reply is cut into 32-character (16-byte) blocks; per
    the original author's notes block 0 is the random IV and block 14 is the
    padding block. Block 14 is replaced with a copy of block 8 and the result
    is submitted at the 'message: ' prompt.

    Args:
        frontPadding: text sent at the 'report: ' prompt.
        backPadding: text sent at the 'else? ' prompt.
        flag: characters recovered so far; it is only printed here.

    Returns:
        (False, []) when the reply does not contain 'Successful decryption',
        otherwise (True, [value]) with value being the XOR expression at the
        end of the function.

    Defensive note: the distinguishable 'Successful decryption' reply is what
    this script relies on. Presumably the service does not authenticate the
    padding bytes (the POODLE pattern) -- TODO confirm against the server
    code. Verifying a MAC over the whole ciphertext before any padding is
    processed (encrypt-then-MAC or an AEAD mode) and returning one uniform
    error removes that signal.
    """
    conn = remote('2018shell1.picoctf.com', 14263)
    conn.recvuntil('(S)')
    conn.sendline('e')
    conn.recvuntil('report: ')
    conn.sendline(frontPadding)
    conn.recvuntil('else? ')
    conn.sendline(backPadding)

    # The hex output is the first reply line with its 11-character prefix cut.
    first_line = conn.recvuntil('(S)').split('\n')[0]
    cipher_hex = first_line[11:]

    # 32 hex characters per block; the range bound leaves the final block out.
    blocks = [cipher_hex[start:start + 32]
              for start in range(0, len(cipher_hex) - 32, 32)]

    target_block = blocks[8]      # block whose last byte is of interest
    before_target = blocks[7]     # block preceding the target
    before_padding = blocks[13]   # block preceding the padding block

    # Keep the first 448 hex characters (blocks 0-13) and append block 8 in
    # place of block 14.
    spliced = cipher_hex[0:448] + target_block
    print(spliced)

    conn.sendline('s')
    conn.recvuntil('message: ')
    conn.sendline(spliced)
    reply = conn.recvuntil('(S)')
    conn.close()
    print(flag)

    if 'Successful decryption' not in reply:
        print('FAIL')
        return False, []

    print('SUCCESS')
    # Two-second pause before returning; the source does not say why.
    time.sleep(2.0)
    # 0x10 is presumably the pad-length value of a full 16-byte padding
    # block -- TODO confirm.
    # NOTE(review): [-1] selects a single hex character of each block, and
    # hex-decoding an odd-length string raises TypeError in Python 2, so
    # this return may never be reached as written -- confirm.
    pad_side = xor(0x10, before_padding[-1].decode('hex'))
    return True, [xor(pad_side, before_target[-1].decode('hex'))]
# Driver: call send() repeatedly and collect one character per outer
# iteration into `flag`.
# NOTE(review): the paste lost its indentation; the nesting below is
# reconstructed from the keywords and should be confirmed against the
# original file.
flag = ''
result = False
output = []
# `repeat` gates the retry loop; it is initialised once, before the for loop.
repeat = True
# 29 iterations -- presumably the expected flag length; TODO confirm.
for i in range(29):
    while repeat:
        try:
            # Drop i characters from the front filler and add i to the back
            # filler, keeping the total submitted length constant.
            result, output = send(frontPadding[i:], backPadding + '.' * i, flag)
            repeat = False
            if result:
                # ANSI green for the success banner and the recovered character.
                print '\033[92mSUCCESS ON ONE CHARACTER\033[0m'
                print '\033[92m' + chr(output[0]) + '\033[0m'
                break
            else:
                # send() returned (False, []): ask for a fresh ciphertext.
                repeat = True
        except Exception as e:
            # Any error (network or otherwise) is reported and the loop
            # condition is re-evaluated; `e` itself is not used.
            print 'Error... retrying'
    # NOTE(review): as reconstructed, `repeat` is still False here after a
    # success and is not reset, so later iterations would skip the while
    # loop and append the same output[0] again -- confirm.
    flag += chr(output[0])
    print flag
print flag