Friday, February 10, 2012

Home exploit-exercises hacking linux net Protostar wargames Exploit Exercises - Protostar Net 2

Exploit Exercises - Protostar Net 2

, , , , ,
So far, these Net challenges in Protostar have been pretty easy. This challenge, Net 2, got a small bit tougher.

We are given the following code: 
#include "../common/common.c"

#define NAME "net2"
#define UID 997
#define GID 997
#define PORT 2997

void run()
{
 unsigned int quad[4];
 int i;
 unsigned int result, wanted;

 result = 0;
 for(i = 0; i < 4; i++) {
  quad[i] = random();
  result += quad[i];

  if(write(0, &(quad[i]), sizeof(result)) != sizeof(result)) { 
   errx(1, ":(\n");
  }
 }

 if(read(0, &wanted, sizeof(result)) != sizeof(result)) {
  errx(1, ":<\n");
 }


 if(result == wanted) {
  printf("you added them correctly\n");
 } else {
  printf("sorry, try again. invalid\n");
 }
}

int main(int argc, char **argv, char **envp)
{
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 

 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */
 set_io(fd);

 /* Don't do this :> */
 srandom(time(NULL));

 run();
}
From this code, we can see a daemon is listening on port 2997. It is going to output 4 random unsigned integers in little-endian format. It then will expect the sum of all 4 of those integers to be returned in little-endian format.

I was able to solve this with the following code: 
#!/usr/bin/env python

# Protostar Net 2
# http://exploit-exercises.com/protostar/net2
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com

from socket import *
from struct import *
from optparse import OptionParser

def main(host, port):

 s = socket(AF_INET, SOCK_STREAM)
 s.connect((host, port))

 sum = 0

 # Loop over the 4 unsigned integers being read in, and them to "sum"
 for x in range(4):
  data = s.recv(4)
  little_endian = int(unpack("<I", data)[0])
  print "[*] integer " + str(x) + ": " + str(little_endian)
  sum += little_endian

 print "[*] Sum: " + str(sum)

 # Handle integer overflow by doing a logical AND with 0xffffffff
 sum &= 0xffffffff

 # Convert the sum back to little-endian, to send back over the wire
 sum_packed = pack("<I", sum)

 s.send(sum_packed)
 print s.recv(1024)

 s.close()

if __name__ == "__main__":
    parser = OptionParser("usage: %prog [options]")
    parser.add_option("-H", "--host", dest="hostname", default="127.0.0.1", 
     type="string", help="Target to run against")
    parser.add_option("-p", "--port", dest="portnum", default=2997, 
     type="int", help="Target port")

    (options, args) = parser.parse_args()
    
    main(options.hostname, options.portnum)
When I run that code, I get the following output: 
C:\Protostar>net2.py -H 192.168.1.132
[*] integer 0: 1724850170
[*] integer 1: 692469090
[*] integer 2: 630776982
[*] integer 3: 1691529294
[*] Sum: 4739625536
you added them correctly
Labels:
Author Image

Author: Unknown
Waythemes is a blogger resources site is a provider of high quality blogger template with premium looking layout and robust design

Follow The Author
Posted by at
Labels: , , , , ,

No comments:

Post a Comment

Popular

  • Using .net to bypass AV
    Using .net to bypass AV
    I've read a ton of articles on bypassing Antivirus software when trying to run shellcode on machines. There's just a ton available....
  • Buffer Overflow in HexChat 2.9.4
    Buffer Overflow in HexChat 2.9.4
    A buddy of mine, Mulitia , and I were talking about 0-days, and he mentioned finding one in Hex-Chat, a popular IRC client. It was super low...
  • Exploit Exercises - Nebula 01
    Continuing from my previous post, I started tinkering with the next Nebula wargame: Nebula 01 .  This one gives you some C code, which has ...
  • Sysax 5.64 HTTP Remote Buffer Overflow
    Sysax 5.64 HTTP Remote Buffer Overflow
    I have discovered a bug in the Sysax Multi-Server application .  More specifically, it's in the HTTP File Server service, which is not e...
  • Exploit Exercises - Protostar Stack 5
    Wow, this challenge was a tough one for me. I ran into some huge problems that I had to work out. Considering this is a "standard buf...
  • PWB Conclusions and the Future
    PWB Conclusions and the Future
    The results As I posted previously , I was taking the PWB course from Offensive Security . I am happy to report that I passed with ...
  • Exploit Exercises - Nebula 02
    In this challenge, we're again provided with the source code to the vulnerable program. Only this time, they're not loading the ...
  • Sysax Multi Server 6.10 SSH DoS
    Sysax Multi Server 6.10 SSH DoS
    I was recently fuzzing a bunch of SSH servers, hoping to find some remote code execution in a non-mainstream server. I ended up finding no c...
  • OverTheWire Natas Level 5
    OverTheWire Natas Level 5
    Now that we're about 1/3 through to the end of the OverTheWire Natas wargame, I'm hoping that they start to get a little more trick...
  • Origin of the name "Pentium"
    I was reading about x86 assembly, and stumbled upon the origin of the name "Pentium". I never knew it was due to course disallowi...

Recent

Comments