Advertisement
Guest User

Untitled

a guest
Jun 23rd, 2013
386
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.83 KB | None | 0 0
  1. #!/usr/bin/python
  2. # Exploit for k1984
  3. # Aris Adamantiadis (les pas contents)
  4. # unfortunately coded a few hours after the CTF was over :(
  5. # aris@kali64:~/ndh2013$ python xp.py
  6. # found 05:8efc22fcc45fc5901f1bbce521f29bc1
  7. # found 06:98adbaaef36e718f479db3b8dad331c9
  8. # found 13:7da8b66f82aeba067e33859583c4153f
  9. # found 17:083d5f3bcd7c0b39e473844f1326decf
  10. # found 20:3856bd0cbb94460c113259b0b83d9049
  11. # found 35:167f0dbb43c6430cd2d3b4e8f79dd769
  12. # found 46:840c653d087e8e1821b1903f0981ae2d
  13. # found 52:3f45067f05fb180b8f0014a23648d677
  14. # found 64:e17cc98f772d417a3ce261df512c2ab4
  15. # found 99:2385ba276005a5e2098c0acb9bdf8f07
  16.  
  17.  
  18. import socket
  19.  
  20. crypted = "8f d9 4d 70 a9 ce 04 bb 7b a9 7f dd 63 2d 23 8e" + \
  21. "52 bc dc 0b ab 8b d9 f0 f7 05 5e 60 84 e7 63 47" + \
  22. "fe c2 ce 99 10 c7 aa cc ac 65 b2 c8 f8 c3 6e e0" + \
  23. "d9 cd aa a3 f6 57 17 31 52 a6 58 0b 46 8f 91 e9" + \
  24. "11 20 c1 38 4e c4 21 0c 56 4c 77 32 e6 bf 80 bb" + \
  25. "d3 5c cc 9c d8 fc 1d 9e 44 a4 25 a8 5f cb fa 96"
  26. crypted = crypted.replace(" ","").decode("hex")
  27. def xor_strings(xs, ys):
  28.     return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))
  29.  
  30. offset = 65
  31. s=socket.socket(socket.AF_INET,socket.SOCK_STREAM,0)
  32. s.connect(("127.0.0.1",2001))
  33.  
  34. def try_pass(offset, string):
  35.     payload = chr(0x9C /2) + chr(0x10/4) + chr(0x40/8) + chr(0xa0 / 16) +\
  36.         chr(ord('0') + offset/10) + chr(ord('0') + offset % 10) + chr(0xd0 / 8) +\
  37.         string + "\x00"
  38.     s.send(xor_strings(payload,crypted))
  39.     x = s.recv(256)
  40.     #print "recv:" + x
  41.     if(x.find("True")!= -1):
  42.         return True
  43.     else:
  44.         return False
  45.  
  46. for offset in xrange(100):
  47.     string = ""
  48.     for i in xrange(32):
  49.         if (i>0 and len(string)==0):
  50.             break;
  51.         for c in xrange(16):
  52.             x = try_pass(offset, string + "%x"%c)
  53.             if x:
  54.                 string += "%x"%c
  55.                 #print string
  56.                 break
  57.     if(len(string) > 0):
  58.         print "found %.2d:"%offset + string
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement