CTF reverse hashcode
#!/usr/bin/python
import subprocess
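def decode_hashcode(hashcode, iterations):
    """Split *hashcode* into *iterations* integer blocks whose sum is *hashcode*.

    Every block is ``hashcode // iterations``. When the division is not
    exact, the last block is instead whatever is still missing, so the
    blocks always add back up to *hashcode*.

    Args:
        hashcode: Integer value to split.
        iterations: Number of blocks to produce.

    Returns:
        A list of ints that sums to *hashcode*.

    Raises:
        ZeroDivisionError: If *iterations* is 0.
    """
    # Floor division keeps every block an int; true division would yield
    # floats on Python 3, which "{:08x}".format() in the caller rejects.
    block = hashcode // iterations

    if hashcode % iterations == 0:
        # The original looped over the bare int here (`for i in iterations`),
        # which raises TypeError; iterate a range instead.
        return [block for _ in range(iterations)]

    decoded = [block for _ in range(iterations - 1)]
    # The last block absorbs the part lost to floor division.
    decoded.append(hashcode - sum(decoded))
    return decoded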
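def main():
    """Build the 20-byte argument for the CTF target and run the target with it.

    The hard-coded hash is split by ``decode_hashcode`` into five blocks
    that sum to it. Each block is written out as four bytes, least
    significant byte first, and the resulting string is passed to
    ``/home/col/col`` as its single argument.

    NOTE(review): presumably the target reads its argument as five
    little-endian 32-bit integers and compares their sum with the hash;
    confirm against the binary, it is not visible from this script.
    """
    print("[*] Initialize exploit")
    hashcode = 0x21DD09EC
    iterations = 5
    # Expected argument size. The original declared this as `lenght` and
    # never used it, hard-coding 20 in the check below instead.
    length = 20

    decoded = decode_hashcode(hashcode, iterations)
    print("[*] Decoded blocks")
    for block in decoded:
        print("[*] Block: {:08x}".format(block))

    pattern = ""
    for block in decoded:
        # Emit the four bytes of the block lowest byte first (little-endian).
        # Every byte is masked, including the top one, so chr() never sees a
        # value above 0xFF.
        for shift in (0, 8, 16, 24):
            pattern += chr((block >> shift) & 0xFF)

    if len(pattern) != length:
        print("[!] Pattern length is not {} bytes".format(length))
        return

    print("[*] Pattern found in string: {}".format(pattern))
    pattern_hex = "".join("\\x{:02x}".format(ord(c)) for c in pattern)
    print("[*] Pattern found in hex format " + pattern_hex)

    # The raw bytes are produced by a python2.7 one-liner inside a shell
    # command substitution, so python2.7 must be on PATH.
    exploit = "$(python2.7 -c \"print '{}'\")".format(pattern_hex)
    print("[*] Exploiting string {}".format(exploit))

    # shell=True is needed for the $(...) substitution. The command line is
    # built only from constants and hex digits, so nothing external reaches
    # the shell; keep it that way if this is ever adapted.
    # The substitution is unquoted, so the shell word-splits its output: the
    # length check above does not guarantee the argument arrives unchanged
    # if a byte happens to be whitespace or NUL.
    # The target's exit status is discarded, as in the original.
    subprocess.call('/home/col/col ' + exploit, shell=True)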
# Run the script body only when executed directly, not when imported.
if __name__ == "__main__":
    main()