-
-
Save dnet/00c1e0f9197bce7c0615 to your computer and use it in GitHub Desktop.
DEFCON CTF 2012 /urandom 300
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <sys/socket.h> | |
| #include <sys/types.h> | |
| #include <netinet/in.h> | |
| #include <netdb.h> | |
| #include <unistd.h> | |
| #include <errno.h> | |
| #include <arpa/inet.h> | |
| #define NUMBERS 100000 | |
| #define MAXNUM 65535 | |
| #define PW "d0d2ac189db36e15\n" | |
| #define BUFLEN 4096 | |
| #define PWPROMPTLEN 10 | |
| #define MSGLEN 504 | |
| typedef struct numpos { | |
| int pos; | |
| struct numpos *next; | |
| } numpos_t; | |
| int main() { | |
| uint16_t nums[NUMBERS], n, tmp; | |
| numpos_t *positions[MAXNUM], *cur, *cur2; | |
| int i, j, sockfd; | |
| struct sockaddr_in serv_addr; | |
| char buf[BUFLEN]; | |
| sockfd = socket(AF_INET, SOCK_STREAM, 0); | |
| memset(&serv_addr, '0', sizeof(serv_addr)); | |
| serv_addr.sin_family = AF_INET; | |
| serv_addr.sin_port = htons(5601); | |
| inet_pton(AF_INET, "127.0.0.1", &serv_addr.sin_addr); | |
| connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); | |
| for (i = 0; i < PWPROMPTLEN; i += read(sockfd, buf, BUFLEN)); | |
| printf("got pw prompt, sending pw..."); | |
| write(sockfd, PW, strlen(PW)); | |
| printf(" done\n"); | |
| for (i = 0; i < MSGLEN; i += read(sockfd, buf, MSGLEN - i)); | |
| printf("got help message\n"); | |
| for (i = 0; i < NUMBERS * sizeof(uint16_t); | |
| i += read(sockfd, ((char*)nums) + i, NUMBERS * sizeof(uint16_t) - i)); | |
| printf("got numbers\n"); | |
| memset(positions, 0, MAXNUM * sizeof(void*)); | |
| for (i = 0; i < NUMBERS; i++) { | |
| numpos_t *newpos = malloc(sizeof(numpos_t)); | |
| newpos->next = positions[nums[i]]; | |
| newpos->pos = i; | |
| positions[nums[i]] = newpos; | |
| } | |
| j = 0; | |
| for (n = 0; n < MAXNUM; n++) { | |
| for (cur = positions[n]; cur != NULL; cur = cur->next) { | |
| if (cur->pos != j) { | |
| sprintf(buf, "%d:%d\n", cur->pos, j); | |
| write(sockfd, buf, strlen(buf)); | |
| tmp = nums[j]; | |
| nums[j] = n; | |
| for (cur2 = positions[tmp]; cur2 != NULL; cur2 = cur2->next) { | |
| if (cur2->pos == j) { | |
| cur2->pos = cur->pos; | |
| break; | |
| } | |
| } | |
| nums[cur->pos] = tmp; | |
| } | |
| j++; | |
| } | |
| } | |
| write(sockfd, "\n", 1); | |
| printf("sent last newline\n"); | |
| while (1) { | |
| if ((i = read(sockfd, buf, BUFLEN))) { | |
| buf[i] = '\0'; | |
| printf("Got %d bytes of response: %s\n", i, buf); | |
| } | |
| } | |
| close(sockfd); | |
| printf("closed socket\n"); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment