Created
June 24, 2017 12:52
CTF reverse hashcode
#!/usr/bin/python | |
import subprocess | |
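def decode_hashcode(hashcode, iterations):
    """Split *hashcode* into *iterations* integer blocks that sum back to it.

    The first ``iterations - 1`` blocks are ``hashcode // iterations``; the
    last block absorbs whatever is left over, so ``sum(result) == hashcode``.
    When ``hashcode`` divides evenly, every block is equal.

    Args:
        hashcode: Integer total the blocks must add up to.
        iterations: Number of blocks to produce.

    Returns:
        A list of ints.

    Raises:
        ZeroDivisionError: if ``iterations`` is 0.
    """
    # Floor division keeps every block an int. The previous even-split branch
    # iterated over the int itself (TypeError) and used "/" which yields
    # floats on Python 3, so hex formatting of the blocks would fail.
    block = hashcode // iterations
    decoded = [block] * (iterations - 1)
    # The final block carries the remainder so the total is exact.
    decoded.append(hashcode - sum(decoded))
    return decoded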
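def main():
    """Build the 20-byte input for the CTF ``col`` binary and run it.

    The hard-coded hash code is split into five blocks whose sum equals the
    hash code. Each block is written out as four bytes, least-significant
    byte first, and the resulting string is handed to ``/home/col/col`` as
    its single argument.
    """
    print("[*] Initialize exploit")
    hashcode = 0x21DD09EC
    iterations = 5
    # Expected input size in bytes; used by the sanity check below instead of
    # a second hard-coded literal (the old local was misspelled and unused).
    length = 20

    decoded = decode_hashcode(hashcode, iterations)
    print("[*] Decoded blocks")
    for block in decoded:
        print("[*] Block: {:08x}".format(block))

    pattern = ""
    for block in decoded:
        # Little-endian layout: emit bits 0-7 first and bits 24-31 last.
        # Every byte is masked, so a block is assumed to fit in 32 bits.
        pattern += "".join(
            chr((block >> shift) & 0xFF) for shift in (0, 8, 16, 24)
        )

    if len(pattern) != length:
        print("[!] Pattern length is not {} bytes".format(length))
        return

    print("[*] Pattern found in string: {}".format(pattern))
    # Render each byte as a literal "\xNN" escape for the inner interpreter.
    pattern_hex = "".join("\\x{:02x}".format(ord(c)) for c in pattern)
    print("[*] Pattern found in hex format " + pattern_hex)

    exploit = "$(python2.7 -c \"print '{}'\")".format(pattern_hex)
    print("[*] Exploiting string {}".format(exploit))
    # NOTE(review): shell=True is required here only because the argument
    # relies on $(...) command substitution. The command line is assembled
    # purely from constants in this function; never route externally supplied
    # data into it, because the shell would interpret it.
    subprocess.call('/home/col/col '+exploit, shell=True)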
# Run the script only when executed directly, not when imported as a module.
if __name__ == "__main__":
    main()