Thursday, February 9, 2012

Home exploit-exercises hacking linux net Protostar wargames Exploit Exercises - Protostar Net 1

Exploit Exercises - Protostar Net 1

, , , , ,
Continuing with the "Net" series of Protostar, is Net 1.

We are given the following code: 
#include "../common/common.c"

#define NAME "net1"
#define UID 998
#define GID 998
#define PORT 2998

void run()
{
 char buf[12];
 char fub[12];
 char *q;

 unsigned int wanted;

 wanted = random();

 sprintf(fub, "%d", wanted);

 if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) { 
  errx(1, ":(\n");
 }

 if(fgets(buf, sizeof(buf)-1, stdin) == NULL) {
  errx(1, ":(\n");
 }

 q = strchr(buf, '\r'); if(q) *q = 0;
 q = strchr(buf, '\n'); if(q) *q = 0;

 if(strcmp(fub, buf) == 0) {
  printf("you correctly sent the data\n");
 } else {
  printf("you didn't send the data properly\n");
 }
}

int main(int argc, char **argv, char **envp)
{
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 

 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */
 set_io(fd);

 /* Don't do this :> */
 srandom(time(NULL));

 run();
}
Similar to Net 0, it looks like this is another network daemon, this time running on port 2998. It creates a random number ("wanted"). It then outputs that in little-endian format, which it then expects to be returned to it in an ASCII string.

I wrote up the following code to do exactly that: 
#!/usr/bin/env python

# Protostar Net 1
# http://exploit-exercises.com/protostar/net1
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com

from socket import *
from struct import *
from optparse import OptionParser

def main(host, port):

    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))

    # Read in the data
    data = s.recv(1024)
    print "[*] Data: " + data

    # Convert it from little-endian to an unsigned integer
    num = unpack("<I", data)[0]
    print "[*] Unpacked: " + str(num)

    #Send the ASCII representation back
    s.send(str(num))

    # Read response from server
    print s.recv(1024)
    s.close()

if __name__ == "__main__":
    parser = OptionParser("usage: %prog [options]")
    parser.add_option("-H", "--host", dest="hostname", default="127.0.0.1", 
        type="string", help="Target to run against")
    parser.add_option("-p", "--port", dest="portnum", default=2998, 
        type="int", help="Target port")

    (options, args) = parser.parse_args()
    
    main(options.hostname, options.portnum)
The output from the program looks like: 

C:\Protostar>net1.py -H 192.168.1.132
[*] Data: H<Çy
[*] Unpacked: 2038447176
you correctly sent the data
Labels:
Author Image

Author: Unknown
Waythemes is a blogger resources site is a provider of high quality blogger template with premium looking layout and robust design

Follow The Author
Posted by at
Labels: , , , , ,

No comments:

Post a Comment

Popular

  • Using .net to bypass AV
    Using .net to bypass AV
    I've read a ton of articles on bypassing Antivirus software when trying to run shellcode on machines. There's just a ton available....
  • Buffer Overflow in HexChat 2.9.4
    Buffer Overflow in HexChat 2.9.4
    A buddy of mine, Mulitia , and I were talking about 0-days, and he mentioned finding one in Hex-Chat, a popular IRC client. It was super low...
  • Exploit Exercises - Nebula 01
    Continuing from my previous post, I started tinkering with the next Nebula wargame: Nebula 01 .  This one gives you some C code, which has ...
  • Sysax 5.64 HTTP Remote Buffer Overflow
    Sysax 5.64 HTTP Remote Buffer Overflow
    I have discovered a bug in the Sysax Multi-Server application .  More specifically, it's in the HTTP File Server service, which is not e...
  • Exploit Exercises - Protostar Stack 5
    Wow, this challenge was a tough one for me. I ran into some huge problems that I had to work out. Considering this is a "standard buf...
  • PWB Conclusions and the Future
    PWB Conclusions and the Future
    The results As I posted previously , I was taking the PWB course from Offensive Security . I am happy to report that I passed with ...
  • Exploit Exercises - Nebula 02
    In this challenge, we're again provided with the source code to the vulnerable program. Only this time, they're not loading the ...
  • Sysax Multi Server 6.10 SSH DoS
    Sysax Multi Server 6.10 SSH DoS
    I was recently fuzzing a bunch of SSH servers, hoping to find some remote code execution in a non-mainstream server. I ended up finding no c...
  • OverTheWire Natas Level 5
    OverTheWire Natas Level 5
    Now that we're about 1/3 through to the end of the OverTheWire Natas wargame, I'm hoping that they start to get a little more trick...
  • Origin of the name "Pentium"
    I was reading about x86 assembly, and stumbled upon the origin of the name "Pentium". I never knew it was due to course disallowi...

Recent

Comments