Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
SECCON 大阪大会 2016 backdoor(easy)
from pwn import *
import hashlib
import commands
import re
def submit(flag):
import commands
import random
res = commands.getoutput("echo tuat_mcc {} | nc 10.0.1.1 {}".format(flag, 10000+random.randint(0, 3)))
print res
if "Incorrect" in res:
return False
if "Invalid user" in res:
return False
return True
def prob_9999(bindata):
return "seccon2016osaka"
def prob_10000(bindata):
h = hashlib.md5(bindata).hexdigest()
path = "./data/10000/bin_{}.elf".format(h)
res = commands.getoutput('objdump -d {} | grep movabs | grep rsi'.format(path))
addr = int(res.split(':')[0], 16)
key_addr = int(re.match(r'.*\$(.*),.*', res).groups()[0], 16) - 0x400000
res = commands.getoutput('objdump -d {} | grep {}'.format(path, hex(addr-0x9)[2:]))
len_val = int(re.match(r'.*\$(.*),.*', res).groups()[0], 16)
key = bindata[key_addr:key_addr+len_val]
res = commands.getoutput('objdump -d {} | grep {}'.format(path, hex(addr+0x12)[2:]))
xor_key = int(re.match(r'.*\$(.*),.*', res).groups()[0], 16)
exploit = ""
for c in key:
exploit += chr(ord(c)^xor_key)
return exploit
def main():
host = "10.0.1.2"
ports = [10000]
for port in ports:
conn = remote(host, port)
conn.recvuntil('IMAGE:')
bindata = conn.recvuntil('\n').decode('base64')
open('data/{}/bin_{}.elf'.format(port, hashlib.md5(bindata).hexdigest()), 'wb').write(bindata)
exploit = globals()['prob_{}'.format(port)](bindata)
conn.send(exploit.encode('base64'))
flag = conn.recvuntil('\n')
if ':' in flag:
flag = flag.split(':')[1].strip()
else:
continue
submit(flag)
conn.close()
if __name__ == '__main__':
while True:
main()
time.sleep(60)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment