MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Exploit Exercises - Protostar Net 0

| Comments

I recently started looking at the “Net” problems in Protostar, and found them to be quite a fun change in pace.

Starting with Net 0, we are given the following code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#include "../common/common.c"

#define NAME "net0"
#define UID 999
#define GID 999
#define PORT 2999

void run()
{
 unsigned int i;
 unsigned int wanted;

 wanted = random();

 printf("Please send '%d' as a little endian 32bit int\n", wanted);

 if(fread(&i, sizeof(i), 1, stdin) == NULL) {
  errx(1, ":(\n");
 }

 if(i == wanted) {
  printf("Thank you sir/madam\n");
 } else {
  printf("I'm sorry, you sent %d instead\n", i);
 }
}

int main(int argc, char **argv, char **envp)
{
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 

 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */
 set_io(fd);

 /* Don't do this :> */
 srandom(time(NULL));

 run();
}

I started to analyze this program, to figure out what I was even supposed to do. It looks like it’s a daemon that runs on port 2999. When a connection is established, it will send a number, asking for it to be returned in little endian format. It will either then display “Thank you sir/madam” or “I’m sorry, you send X instead”. My goal was the prior.

I ended up creating the following code to convert the number to little endian and send it back:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#!/usr/bin/env python

# Protostar Net 0
# http://exploit-exercises.com/protostar/net0
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com

from socket import *
from struct import *
from optparse import OptionParser

def main(host, port):

 # Open a connection and read
 s = socket(AF_INET, SOCK_STREAM)
 s.connect((host, port))

 data = s.recv(1024)
 print "[*] Data: " + data

 # Find the numeric string.
 # Note it can be variable length, so search between quotes
 start = data.find("'") + 1
 end = data.find("'", start)

 num = int(data[start:end])
 print "[*] Num: " + str(num)

 # Convert the number to little endian format and send it back
 little = pack("<I", num)
 s.send(little)

 # Read response from server
 print s.recv(1024)
 s.close()

if __name__ == "__main__":
    parser = OptionParser("usage: %prog [options]")
    parser.add_option("-H", "--host", dest="hostname", default="127.0.0.1", 
     type="string", help="Target to run against")
    parser.add_option("-p", "--port", dest="portnum", default=2999, 
     type="int", help="Target port")

    (options, args) = parser.parse_args()
    
    main(options.hostname, options.portnum)

When ran, that program produced the following output:

1
2
3
4
5
C:\Protostar>net0.py -H 192.168.1.132
[*] Data: Please send '634513062' as a little endian 32bit int

[*] Num: 634513062
Thank you sir/madam

Comments