Created
October 2, 2015 08:19
-
-
Save ColdHeat/580b866b7d959b4b32f1 to your computer and use it in GitHub Desktop.
(PWN350) autobots challenge from CSAW CTF 2015
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import random | |
import hashlib | |
import threading | |
import subprocess | |
import SocketServer | |
import os | |
import signal | |
from subprocess import Popen, PIPE, STDOUT | |
import subprocess, shlex | |
from threading import Timer | |
def kill(p, md5sum): | |
print "killing", p.pid | |
p.kill() | |
os.kill(p.pid, signal.SIGKILL) | |
os.unlink(md5sum) | |
def run(cmd, timeout_sec, md5sum): | |
proc = subprocess.Popen(shlex.split(cmd)) | |
kill_proc = kill | |
timer = Timer(timeout_sec, kill_proc, [proc, md5sum]) | |
timer.start() | |
class HandleRequest(SocketServer.BaseRequestHandler): | |
def handle(self): | |
r = self.request | |
read_len = random.randint(0, 512) | |
buf_size = random.randint(0, 512) | |
port = random.randint(1025, 65535) | |
binary = ''' | |
#include <sys/types.h> | |
#include <sys/socket.h> | |
#include <netdb.h> | |
#include <stdio.h> | |
#include<string.h> | |
int main() | |
{{ | |
char str[{buf_size}]; | |
int listen_fd, comm_fd; | |
struct sockaddr_in servaddr; | |
listen_fd = socket(AF_INET, SOCK_STREAM, 0); | |
memset(&servaddr, 0, sizeof(servaddr)); | |
servaddr.sin_family = AF_INET; | |
servaddr.sin_addr.s_addr = htons(INADDR_ANY); | |
servaddr.sin_port = htons({port}); | |
bind(listen_fd, (struct sockaddr *) &servaddr, sizeof(servaddr)); | |
listen(listen_fd, 10); | |
comm_fd = accept(listen_fd, (struct sockaddr*) NULL, NULL); | |
read(comm_fd,str,{read_len}); | |
write(comm_fd, str, strlen(str)+1); | |
}}'''.format(buf_size=buf_size, read_len=read_len, port=port) | |
compiler = Popen(['gcc', '-o', '/dev/stdout', '-fno-stack-protector' ,'-xc', '-'], stdout=PIPE, stdin=PIPE, stderr=STDOUT) | |
binary = compiler.communicate(input=binary)[0] | |
md5sum = hashlib.md5(binary).hexdigest() | |
with open(md5sum, 'w+b') as f: | |
f.write(binary) | |
r.sendall(binary) | |
print 'bufsize:', buf_size | |
print 'read:', read_len | |
print 'port', port | |
print 'md5', md5sum | |
os.chmod(md5sum, 0o777) | |
run('./{}'.format(md5sum), 5, md5sum) | |
class ThreadedServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): | |
pass | |
if __name__ == "__main__": | |
HOST, PORT = "", int(8888) | |
server = ThreadedServer((HOST, PORT), HandleRequest) | |
server.allow_reuse_address = True | |
server.serve_forever() | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment