
@dnet /u300.c Secret
Created Jun 3, 2012

DEFCON CTF 2012 /urandom 300
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <arpa/inet.h>
/* Count of 16-bit numbers the service sends after the help message. */
#define NUMBERS 100000
/* Bound used by main for the per-value position table (same value as UINT16_MAX). */
#define MAXNUM 65535
/* Password written in reply to the service's prompt; the trailing newline is part of it. */
#define PW "d0d2ac189db36e15\n"
/* Size in bytes of the scratch buffer used for socket reads and outgoing lines. */
#define BUFLEN 4096
/* Number of prompt bytes to wait for before the password is sent. */
#define PWPROMPTLEN 10
/* Number of help-message bytes consumed before the numbers are read. */
#define MSGLEN 504

/*
 * Singly linked list node: one node per received number, recording the
 * index in the number array where that number currently sits.
 */
struct numpos {
    int pos;               /* index into the number array */
    struct numpos *next;   /* next node carrying the same value, or NULL */
};
typedef struct numpos numpos_t;
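/* Read exactly len bytes from fd into dst. Returns 0 on success, -1 on error or EOF. */
static int read_exact(int fd, void *dst, size_t len)
{
    char *out = dst;
    size_t got = 0;

    while (got < len) {
        ssize_t r = read(fd, out + got, len - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return -1;          /* error, or peer closed before len bytes arrived */
        got += (size_t)r;
    }
    return 0;
}

/* Write all len bytes of src to fd, retrying short writes. Returns 0 on success, -1 on error. */
static int write_all(int fd, const void *src, size_t len)
{
    const char *in = src;
    size_t sent = 0;

    while (sent < len) {
        ssize_t w = write(fd, in + sent, len - sent);
        if (w < 0 && errno == EINTR)
            continue;
        if (w <= 0)
            return -1;
        sent += (size_t)w;
    }
    return 0;
}

/*
 * Client for the challenge service on 127.0.0.1:5601.
 *
 * Protocol as driven by this code: wait for the password prompt, send PW,
 * consume the MSGLEN-byte help message, read NUMBERS 16-bit values, then send
 * one "a:b\n" line per swap that moves each value to its sorted index,
 * finish with an empty line and print whatever the service answers.
 *
 * Returns 0 after the service closes the connection, EXIT_FAILURE on any
 * socket error or premature close.
 */
int main(void)
{
    /*
     * Static storage keeps roughly 2 MB of working data off the stack and
     * starts zeroed, so positions[] needs no explicit clearing.
     * positions[] has MAXNUM + 1 slots: a uint16_t value can be 65535, which
     * indexed one past the end of the original MAXNUM-sized table.
     */
    static uint16_t nums[NUMBERS];
    static numpos_t *positions[MAXNUM + 1];
    static numpos_t nodes[NUMBERS];     /* node pool: no per-node malloc, nothing to leak */
    numpos_t *cur, *cur2;
    struct sockaddr_in serv_addr;
    char buf[BUFLEN];
    const char *what;
    uint16_t tmp;
    unsigned n;
    size_t got;
    ssize_t r;
    int i, j, from, len, sockfd;

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket");
        return EXIT_FAILURE;
    }

    /* Zero the address (the original filled it with the character '0'). */
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(5601);
    if (inet_pton(AF_INET, "127.0.0.1", &serv_addr.sin_addr) != 1) {
        what = "inet_pton";
        goto fail;
    }
    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
        what = "connect";
        goto fail;
    }

    /*
     * Wait until at least PWPROMPTLEN prompt bytes have arrived. A failed
     * read returns -1 and EOF returns 0; adding those to the counter, as the
     * original loop did, never terminates.
     */
    got = 0;
    while (got < PWPROMPTLEN) {
        r = read(sockfd, buf, sizeof buf);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0) {
            what = "read (password prompt)";
            goto fail;
        }
        got += (size_t)r;
    }
    printf("got pw prompt, sending pw...");
    if (write_all(sockfd, PW, strlen(PW)) < 0) {
        what = "write (password)";
        goto fail;
    }
    printf(" done\n");

    /* The help message is read and discarded; MSGLEN fits in buf. */
    if (read_exact(sockfd, buf, MSGLEN) < 0) {
        what = "read (help message)";
        goto fail;
    }
    printf("got help message\n");

    if (read_exact(sockfd, nums, sizeof nums) < 0) {
        what = "read (numbers)";
        goto fail;
    }
    printf("got numbers\n");

    /* Bucket every index by its value; each bucket is a list of indices. */
    for (i = 0; i < NUMBERS; i++) {
        numpos_t *newpos = &nodes[i];
        newpos->next = positions[nums[i]];
        newpos->pos = i;
        positions[nums[i]] = newpos;
    }

    /*
     * Walk the values in ascending order; j is the next sorted index to fill.
     * n is unsigned int, not uint16_t, so the loop can cover 65535 and stop.
     */
    j = 0;
    for (n = 0; n <= MAXNUM; n++) {
        for (cur = positions[n]; cur != NULL; cur = cur->next) {
            if (cur->pos != j) {
                from = cur->pos;
                len = snprintf(buf, sizeof buf, "%d:%d\n", from, j);
                if (len < 0 || (size_t)len >= sizeof buf) {
                    what = "format (swap line)";
                    goto fail;
                }
                if (write_all(sockfd, buf, (size_t)len) < 0) {
                    what = "write (swap line)";
                    goto fail;
                }
                /* Mirror the swap locally so later lookups see the new layout. */
                tmp = nums[j];
                nums[j] = (uint16_t)n;
                for (cur2 = positions[tmp]; cur2 != NULL; cur2 = cur2->next) {
                    if (cur2->pos == j) {
                        cur2->pos = from;
                        break;
                    }
                }
                nums[from] = tmp;
                /*
                 * Keep this node's index current; otherwise an already-placed
                 * node keeps its old index and the lookup above could match it
                 * instead of the node that really sits at j.
                 */
                cur->pos = j;
            }
            j++;
        }
    }

    if (write_all(sockfd, "\n", 1) < 0) {
        what = "write (final newline)";
        goto fail;
    }
    printf("sent last newline\n");

    /*
     * Print the service's answer until it closes the connection.
     * One byte is reserved for the terminator: a full BUFLEN read made the
     * original write buf[BUFLEN], and a failed read made it write buf[-1].
     */
    for (;;) {
        r = read(sockfd, buf, sizeof buf - 1);
        if (r < 0 && errno == EINTR)
            continue;
        if (r < 0) {
            what = "read (response)";
            goto fail;
        }
        if (r == 0)
            break;              /* EOF: stop instead of spinning forever */
        buf[r] = '\0';
        printf("Got %d bytes of response: %s\n", (int)r, buf);
    }

    close(sockfd);
    printf("closed socket\n");
    return 0;

fail:
    fprintf(stderr, "%s failed or connection closed\n", what);
    close(sockfd);
    return EXIT_FAILURE;
}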