Fixed bug, added functionality

dfd1be33 · Lukas Kotschi · dex · 88b98432 · dfd1be33
Commit dfd1be33 authored 4 years ago by Lukas Kotschi Committed by dex 4 years ago
--- a/utils/connect.py
+++ b/utils/connect.py
 #!/usr/bin/env python
 import sys
 import os
-from pwn import *
+from pwn import context, log, remote
 from base64 import b64encode

 HOST = "10.0.23.24"
@@ -11,13 +11,17 @@ PORT = 31337
 context.log_level = 'info'
 #context.log_level = 'debug'

+filename        = "x"
+remote_filename = "x"
+is_executable   = True
+
 ### SPLOIT ###
 CHUNKSIZE = 64

 def connect():
    log.info(p.recvuntil("$ "))

-    with open("./x", "rb") as f:
+    with open(filename, "rb") as f:
        data = f.read()

    data = b64encode(data).decode()
@@ -26,15 +30,28 @@ def connect():
    nchunks = ldata // CHUNKSIZE
    rchunks = ldata % CHUNKSIZE

+    progress = log.progress("Transmitting {}".format(filename))
+
    import IPython; IPython.embed()
    assert nchunks * CHUNKSIZE + rchunks == ldata
    for idx in range(0,nchunks):
-        p.sendline("echo -n \"{}\" >> x.b64".format(data[(idx*CHUNKSIZE):(idx+1)*CHUNKSIZE]))
+        progress.status(str(idx * CHUNKSIZE) + " / " + str(ldata))
+        p.sendline("echo -n \"{}\" >> {}.b64".format(data[(idx*CHUNKSIZE):(idx+1)*CHUNKSIZE], remote_filename))
+        p.recvuntil("$ ")
+
+    if rchunks:
+        p.sendline("echo -n \"{}\" >> {}.b64".format(data[(-1)*rchunks:], remote_filename))
        p.recvuntil("$ ")

-    p.sendline("echo -n \"{}\" >> x.b64".format(data[(-1)*rchunks:]))
+    progress.success("Finished.")
+
+    p.sendline("cat {}.b64 | base64 -d > {}".format(remote_filename, remote_filename))
+    log.info(p.recvuntil("$ "))
+
+    if is_executable:
+        p.sendline("chmod +x {}".format(remote_filename))
+        log.info(p.recvuntil("$ "))

-    log.info("ldata: {}".format(ldata))
    p.interactive()
    return