Commit af43e35d authored by GovanifY's avatar GovanifY

snake_oil_2 done

parent 1e4fb55c
......@@ -12,9 +12,9 @@ challenges done:
* simple_rop_2
* web_server
* snake_oil
* snake_oil_2
TODO:
* web_server_2
* snake_oil_2
* access_security
* modern_rop
......@@ -32,6 +32,8 @@ replace_text("main.c", "VERIF_C", verif_c)
replace_text("main.c", "FLAG_ENC_C", flag_enc_c)
# junk code generation
# we help a bit the rng since it is a reverse chal
set_junk_min(5)
write_junk_calls("main.c", 57, 4)
write_junk_calls("main.c", 50, 4)
write_junk_calls("main.c", 42, 4)
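Review bot: The comment `# we help a bit the rng since it is a reverse chal` above `set_junk_min(5)` does not say what is being helped or why 5; from the libchals hunks in this commit `junk_min` is a floor applied to `junk_count`, so a comment stating that intent would read better, e.g. `# never emit fewer than 5 junk calls per site, even when rng(0) rolls low`. The three `write_junk_calls("main.c", N, 4)` calls target fixed line numbers in main.c and are ordered bottom-up, presumably so each insertion does not shift the next target; if that is the invariant, it is worth one comment here because the numbers silently go stale whenever main.c is edited.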
......
all:
gcc -w main.c -o snake_oil_2
strip snake_oil_2
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>
#include <stdint.h>
#define FLAG_ENCRYPTED "FLAG_ENC_C"
#define RANDOM_VAL RANDOM_C
//--JUNK CODE--
//--JUNK CODE--
void snake_oil_crypto(char **argv) {
char flag_encrypted[68] = FLAG_ENCRYPTED;
const char* pos = argv[1];
unsigned char val[4];
/* WARNING: no sanitization or error-checking whatsoever */
for (size_t count = 0; count < sizeof val/sizeof *val; count++) {
sscanf(pos, "%2hhx", &val[count]);
pos += 2;
}
for(int i=0; i<sizeof flag_encrypted/sizeof *flag_encrypted; i+=4){
flag_encrypted[i]=(char)((unsigned int)flag_encrypted[i]^(val[0]^(unsigned char)RANDOM_VAL));
//--JUNK CODE--
//--JUNK CODE--
flag_encrypted[i+1]=(char)((unsigned int)flag_encrypted[i+1]^(val[1]^(unsigned char)RANDOM_VAL));
//--JUNK CODE--
//--JUNK CODE--
flag_encrypted[i+2]=(char)((unsigned int)flag_encrypted[i+2]^(val[2]^(unsigned char)RANDOM_VAL));
//--JUNK CODE--
//--JUNK CODE--
flag_encrypted[i+3]=(char)((unsigned int)flag_encrypted[i+3]^(val[3]^(unsigned char)RANDOM_VAL));
}
printf("Gagné! Voici le flag:\n");
//--JUNK CODE--
//--JUNK CODE--
printf(flag_encrypted);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
snake_oil_crypto(argv);
}
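Review bot: `printf(flag_encrypted);` hands a buffer whose bytes depend on argv[1] to printf as the format string, and after the XOR loop that buffer has no guaranteed terminator: the loop walks all 68 bytes of `flag_encrypted`, so the zero padding after the flag becomes `val[k] ^ RANDOM_VAL` and printf keeps reading until it meets some zero byte, possibly past the array. If neither effect is part of the challenge design, one bounded, literal-format print covers both: `printf("%.*s", (int)sizeof flag_encrypted, flag_encrypted);`. The `-w` in the accompanying Makefile also silences the non-literal-format warning gcc can emit for that line, so the build will not flag it. The sscanf loop likewise reads past a short or absent argv[1], which the WARNING comment already acknowledges.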
# in theory they can guess the 3 first chars of the key thanks to GY{ but they
# have to bruteforce the 4th
import subprocess
import os
import sys
from colorama import Fore, Back, Style
# chals_out/chal_name/team_name so 3
sys.path.insert(1, os.path.join(sys.path[0], '../../..'))
from libchals import *
FNULL = open(os.devnull, 'w')
f = open("flag.txt", "r")
verif=[]
flag_enc=[]
flag=f.readline()
key=[rng(7), rng(9), rng(21), rng(12)]
i=0
for c in flag:
flag_enc.append(ord(c)^(key[(i%4)]^rng(18)))
i+=1
s=bytes(flag_enc).hex()
flag_enc_c="\\x" + "\\x".join(a+b for a,b in zip(s[::2], s[1::2]))
replace_text("main.c", "FLAG_ENC_C", flag_enc_c)
replace_text("main.c", "RANDOM_C", str(rng(18)))
# junk code generation
# we help a bit the rng since it is a reverse chal
set_junk_min(5)
write_junk_calls("main.c", 47, 4)
write_junk_calls("main.c", 41, 4)
write_junk_calls("main.c", 37, 4)
write_junk_calls("main.c", 33)
write_junk_body("main.c", 15)
subprocess.call("make", stdout=FNULL, stderr=FNULL)
# TESTING BINARY
try:
output = subprocess.check_output("./snake_oil_2 " + bytes(key).hex(), shell=True, stderr=subprocess.STDOUT)
except Exception as e:
output = str(e.output)
if not flag.encode("utf-8") in output:
fail_test()
os.remove("main.c")
os.remove("Makefile")
os.remove("setup.py")
os.remove("flag.txt")
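Review bot: The fallback `output = str(e.output)` in the except branch turns `output` into a str, so the following `flag.encode("utf-8") in output` raises TypeError instead of reaching fail_test(); it also assumes every exception carries `.output`. Catch the specific error and keep bytes: `except subprocess.CalledProcessError as e:` / `output = e.output`. The invocation above it can drop the shell entirely: `subprocess.check_output(["./snake_oil_2", bytes(key).hex()], stderr=subprocess.STDOUT)`. `FNULL` and `f` are opened and never closed; a `with` block (or `stdout=subprocess.DEVNULL` for the make call) takes care of that. Decryption also rests on `rng(18)` returning the same value on every call, once per character in the loop and once more for RANDOM_C, which nothing visible here guarantees.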
......@@ -231,13 +231,17 @@ VAR_NAME=(VAR_NAME/VAR_NAME)*2;
fun_names=[]
junk_called=0
junk_min=0
def write_junk_body(fd, line):
global junk_called
global fun_names
global HASH_ROUND
# junk generator!!
dont_gen_name=False
global junk_min
junk_count=rng(0)%len(junk)
if(junk_count<=junk_min):
junk_count=junk_min
if(fun_names!=[]):
dont_gen_name=True
else:
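Review bot: The clamp `junk_count=rng(0)%len(junk)` / `if(junk_count<=junk_min): junk_count=junk_min` introduced here is repeated verbatim in write_junk_calls and gen_fun_names in the next two hunks; a single helper `def _junk_count():` / `    return max(rng(0) % len(junk), junk_min)` keeps the three in step, and `max` also says directly what the `<=` test (whose equal case is a no-op) means. The new `global junk_min` declarations in all three functions are unnecessary because those functions only read the name; only set_junk_min assigns it. write_junk_body continues past the end of this hunk.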
......@@ -255,7 +259,10 @@ def write_junk_calls(fd, line, count=-1):
global junk_called
global fun_names
global HASH_ROUND
global junk_min
junk_count=rng(0)%len(junk)
if(junk_count<=junk_min):
junk_count=junk_min
if(count==-1):
count=junk_count+1
else:
......@@ -270,9 +277,16 @@ def write_junk_calls(fd, line, count=-1):
write_line(fd, line, tmp.replace("VAR_NAME", random_name()))
junk_called+=1
def set_junk_min(m):
global junk_min
junk_min=m
def gen_fun_names():
# junk generator!!
global junk_min
junk_count=rng(0)%len(junk)
if(junk_count<=junk_min):
junk_count=junk_min
for i in range(0, junk_count+1):
junk_to_add=rng(i%len(junk))%len(junk)
# use this
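Review bot: `set_junk_min` is the only function that assigns the module-level `junk_min` yet carries no docstring, and the three readers are not obvious from its two lines; suggest `"""Set the floor applied to junk_count in write_junk_body, write_junk_calls and gen_fun_names."""`. gen_fun_names continues past the end of this hunk.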
......