snake_oil done

1e4fb55c · GovanifY · f4070c10 · 1e4fb55c · 1e4fb55c · 1e4fb55c
Commit 1e4fb55c authored Apr 21, 2020 by GovanifY
--- a/README.md
+++ b/README.md
@@ -11,8 +11,10 @@ challenges done:
 * simple_rop
 * simple_rop_2
 * web_server
+* snake_oil 

 TODO:
+* web_server_2
+* snake_oil_2
+* access_security
 * modern_rop
-* reverse
-* misc format_string(?)
--- a/chals/snake_oil/Makefile
+++ b/chals/snake_oil/Makefile
 all:
 	gcc -w main.c -o snake_oil
+	strip snake_oil
--- a/chals/snake_oil/main.c
+++ b/chals/snake_oil/main.c
@@ -30,28 +30,36 @@ void snake_oil_crypto(char **argv) {
    for(int i=0; i<sizeof verif_string/sizeof *verif_string; i+=4){
        verif_string[i]=(char)((unsigned int)verif_string[i]^val[0]);
        verif_string[i+1]=(char)((unsigned int)verif_string[i+1]^val[1]);
+//--JUNK CODE--
+
+//--JUNK CODE--
        verif_string[i+2]=(char)((unsigned int)verif_string[i+2]^val[2]);
        verif_string[i+3]=(char)((unsigned int)verif_string[i+3]^val[3]);

        if(!(verif_string[i] == 0x00 && verif_string[i+1] == 0x00 &&
                verif_string[i+2] == 0x00 && verif_string[i+3] == 0x00)) {
+//--JUNK CODE--
+
+//--JUNK CODE--
            printf("Raté!\n");
            return;
        }
        flag_encrypted[i]=(char)((unsigned int)flag_encrypted[i]^val[0]);
        flag_encrypted[i+1]=(char)((unsigned int)flag_encrypted[i+1]^val[1]);
+//--JUNK CODE--
+
+//--JUNK CODE--
        flag_encrypted[i+2]=(char)((unsigned int)flag_encrypted[i+2]^val[2]);
        flag_encrypted[i+3]=(char)((unsigned int)flag_encrypted[i+3]^val[3]);
    }
    printf("Gagné! Voici le flag:\n");
-    printf(flag_encrypted);
-}
-
-int main(int argc, char **argv){
 //--JUNK CODE--

 //--JUNK CODE--
+    printf(flag_encrypted);
+}

+int main(int argc, char **argv){
  setvbuf(stdout, NULL, _IONBF, 0);

  // Set the gid to the effective gid

--- a/chals/snake_oil/setup.py
+++ b/chals/snake_oil/setup.py
@@ -21,83 +21,34 @@ for c in flag:
    flag_enc.append(ord(c)^key[(i%4)])
    verif.append(key[(i%4)])
    i+=1
-flag_enc_c=str(bytes(flag_enc))[2:-1]
-verif_c=str(bytes(verif))[2:-1]
-print(flag_enc_c)
-print(verif_c)
+
+s=bytes(flag_enc).hex()
+flag_enc_c="\\x" + "\\x".join(a+b for a,b in zip(s[::2], s[1::2]))
+s=bytes(verif).hex()
+verif_c="\\x" + "\\x".join(a+b for a,b in zip(s[::2], s[1::2]))


 replace_text("main.c", "VERIF_C", verif_c)
 replace_text("main.c", "FLAG_ENC_C", flag_enc_c)
-print(bytes(key).hex())
-subprocess.call("make", stdout=FNULL, stderr=FNULL)

-"""
 # junk code generation
-write_junk_calls("main.c", 134, 2)
-write_junk_calls("main.c", 62)
+write_junk_calls("main.c", 57, 4)
+write_junk_calls("main.c", 50, 4)
+write_junk_calls("main.c", 42, 4)
+write_junk_calls("main.c", 34)
 write_junk_body("main.c", 14)

-# replace flags in source file
-f = open("flag.txt", "r")
-flag=f.readline()
-flag1=flag[:10]
-flag2=flag[10:20]  
-flag3=flag[30:40]  
-flag4=flag[40:50]  
-flag5=flag[50:60]  
-flag6=flag[60:]  
-replace_text("main.c", "FLAG_PART_1", flag1)
-replace_text("main.c", "FLAG_PART_2", flag2)
-replace_text("main.c", "FLAG_PART_3", flag3)
-replace_text("main.c", "FLAG_PART_4", flag4)
-replace_text("main.c", "FLAG_PART_5", flag5)
-replace_text("main.c", "FLAG_PART_6", flag6)
-replace_text_random_hash("main.c", "FLAG_WRONG")
-
-
-
 subprocess.call("make", stdout=FNULL, stderr=FNULL)

-# we generate the rop
-elf = ELF("reverse_rop")
-rop = ROP(elf)
-FLAG1 = elf.symbols['flag1']
-FLAG2 = elf.symbols['flag2']
-FLAG3 = elf.symbols['flag3']
-FLAG6 = elf.symbols['flag6']
-XOR = elf.symbols['xor']
-XOR2 = elf.symbols['xor2']
-XOR3 = elf.symbols['xor3']
-POP_ONCE = (rop.find_gadget(['pop ebx', 'ret']))[0] 
-
-padding = b'A' * 28
-
-exploit = padding + p32(FLAG1) + p32(FLAG2) + p32(POP_ONCE) + p32(0xAABBCCD2)
-exploit += p32(XOR) + p32(FLAG3) + p32(POP_ONCE) + p32(0xAABBCCD1) + p32(FLAG3) 
-exploit += p32(POP_ONCE) + p32(0xAABBCCD2) + p32(XOR2) + p32(FLAG3) +p32(POP_ONCE) 
-exploit += p32(0xAABBCCD5) + p32(XOR3) + p32(FLAG6) + p32(POP_ONCE) + p32(0xBBCCDDE9) + p32(0xBBCCDDE3)
-
-# rop is saved as input
-f = open("input", "wb")
-f.write(exploit)
-f.close()
-
-# strip it after the ropchain building so they don't have the symbols but we do
-subprocess.call(["strip", "reverse_rop"], stdout=FNULL, stderr=FNULL)
-
-
-os.remove("main.c")
-os.remove("Makefile")
-os.remove("setup.py")
-os.remove("flag.txt")
-
-
 # TESTING BINARY
 try:
-    output = subprocess.check_output("gdb -ex 'run < input' -ex 'print $eip' -ex quit ./reverse_rop | tail -n 1", shell=True, stderr=subprocess.STDOUT)
+    output = subprocess.check_output("./snake_oil " + bytes(key).hex(), shell=True, stderr=subprocess.STDOUT)
 except Exception as e:
    output = str(e.output)
-if not b"0xbbccdde3" in output:
+if not flag.encode("utf-8") in output:
    fail_test()
-"""
+
+os.remove("main.c")
+os.remove("Makefile")
+os.remove("setup.py")
+os.remove("flag.txt")
--- a/chals/snake_oil/snake_oil
+++ b/chals/snake_oil/snake_oil