MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Exploit Exercises - Protostar Net 1

| Comments

Continuing with the “Net” series of Protostar, is Net 1.

We are given the following code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#include "../common/common.c"

#define NAME "net1"
#define UID 998
#define GID 998
#define PORT 2998

void run()
{
 char buf[12];
 char fub[12];
 char *q;

 unsigned int wanted;

 wanted = random();

 sprintf(fub, "%d", wanted);

 if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) { 
  errx(1, ":(\n");
 }

 if(fgets(buf, sizeof(buf)-1, stdin) == NULL) {
  errx(1, ":(\n");
 }

 q = strchr(buf, '\r'); if(q) *q = 0;
 q = strchr(buf, '\n'); if(q) *q = 0;

 if(strcmp(fub, buf) == 0) {
  printf("you correctly sent the data\n");
 } else {
  printf("you didn't send the data properly\n");
 }
}

int main(int argc, char **argv, char **envp)
{
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 

 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */
 set_io(fd);

 /* Don't do this :> */
 srandom(time(NULL));

 run();
}

Similar to Net 0, it looks like this is another network daemon, this time running on port 2998. It creates a random number (“wanted”). It then outputs that in little-endian format, which it then expects to be returned to it in an ASCII string.

I wrote up the following code to do exactly that:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/usr/bin/env python

# Protostar Net 1
# http://exploit-exercises.com/protostar/net1
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com

from socket import *
from struct import *
from optparse import OptionParser

def main(host, port):

    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))

    # Read in the data
    data = s.recv(1024)
    print "[*] Data: " + data

    # Convert it from little-endian to an unsigned integer
    num = unpack("<I", data)[0]
    print "[*] Unpacked: " + str(num)

    #Send the ASCII representation back
    s.send(str(num))

    # Read response from server
    print s.recv(1024)
    s.close()

if __name__ == "__main__":
    parser = OptionParser("usage: %prog [options]")
    parser.add_option("-H", "--host", dest="hostname", default="127.0.0.1", 
        type="string", help="Target to run against")
    parser.add_option("-p", "--port", dest="portnum", default=2998, 
        type="int", help="Target port")

    (options, args) = parser.parse_args()
    
    main(options.hostname, options.portnum)

The output from the program looks like:

1
2
3
4
5

C:\Protostar>net1.py -H 192.168.1.132
[*] Data: H<Çy
[*] Unpacked: 2038447176
you correctly sent the data

Comments