pwn_thunderbolt.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host crypto.2021.chall.actf.co --port 21603
from pwn import * | |
# Set up pwntools for the correct architecture: load the target binary once
# and register it as context.binary.
exe = ELF('./chall')
context.binary = exe
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
# Remote endpoint; HOST=/PORT= on the command line override the defaults.
host = args.HOST or 'crypto.2021.chall.actf.co'
port = int(args.PORT or 21603)
# Keep pwntools quiet: only warnings and errors are logged.
context.log_level = 'warn'
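def local(argv=None, *a, **kw):
    '''Execute the target binary locally.

    argv: extra command-line arguments appended after the binary path.
          None means no arguments; a fresh list is built on every call so
          the default is never a shared mutable object.
    *a, **kw: passed through to gdb.debug() / process().
    Returns the pwntools tube of the started process.  With ./exploit.py GDB
    the process is started under the debugger using the module-level
    `gdbscript`, which is defined further down but only read at call time.
    '''
    argv = [] if argv is None else list(argv)
    cmd = [exe.path] + argv
    if args.GDB:
        return gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    return process(cmd, *a, **kw)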
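def remote(argv=None, *a, **kw):
    '''Connect to the process on the remote host.

    argv, *a, **kw: accepted only for signature parity with local() and
    not used; the remote service takes no arguments.  argv defaults to
    None instead of a shared mutable list.
    Returns the connected tube.  With ./exploit.py GDB, gdb is attached to
    the tube with the module-level `gdbscript` before returning.
    '''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io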
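def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Dispatches to local() when ./exploit.py LOCAL is given, otherwise to
    remote().  argv defaults to a fresh empty list per call (no shared
    mutable default) and is always forwarded as a list.
    '''
    argv = [] if argv is None else argv
    if args.LOCAL:
        return local(argv, *a, **kw)
    return remote(argv, *a, **kw)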
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# The command list is kept as a plain template; .format(**locals()) lets
# module-level names be interpolated if placeholders are ever added.
_GDB_COMMANDS = '''
continue
'''
gdbscript = _GDB_COMMANDS.format(**locals())
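#===========================================================
# EXPLOIT GOES HERE
#===========================================================
def _encrypt_once(plaintext=b'aaaaaa'):
    '''Do one round-trip with the service and return its output as a bytearray.

    Sends `plaintext` at the prompt, then an empty line, and reads the single
    hex-encoded response line.  The tube is closed before returning, also
    when the exchange fails part-way (the original left it open on error).
    '''
    io = start()
    try:
        io.readuntil(b'Enter a string to encrypt: ')
        io.sendline(plaintext)
        io.sendline()
        hexline = io.readline().strip()
    finally:
        io.close()
    # fromhex() wants text on Python 3; decoding first works on 2 and 3.
    return bytearray.fromhex(hexline.decode())


# One probe to learn the output length; as before, this sample is not
# counted in the frequency table.
output = _encrypt_once()
# freq_table[pos] maps a one-character str (chr of the byte) to how often it
# was seen at that position.
freq_table = [{} for _ in range(len(output))]
n = 500  # number of samples collected
for _ in range(n):
    sample = _encrypt_once()
    # Distinct loop variables: the original reused `i` for both loops.
    for pos, byte in enumerate(sample):
        counts = freq_table[pos]
        c = chr(byte)
        counts[c] = counts.get(c, 0) + 1
print(freq_table)
# Per-position majority vote over the collected samples.
output = [max(counts, key=counts.get) for counts in freq_table]
print("".join(output))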