MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Exploit Exercises - Protostar Net 2

| Comments

So far, these Net challenges in Protostar have been pretty easy. This challenge, Net 2 got a small bit tougher.

We are given the following code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include "../common/common.c"

#define NAME "net2"
#define UID 997
#define GID 997
#define PORT 2997

void run()
{
 unsigned int quad[4];
 int i;
 unsigned int result, wanted;

 result = 0;
 for(i = 0; i < 4; i++) {
  quad[i] = random();
  result += quad[i];

  if(write(0, &(quad[i]), sizeof(result)) != sizeof(result)) { 
   errx(1, ":(\n");
  }
 }

 if(read(0, &wanted, sizeof(result)) != sizeof(result)) {
  errx(1, ":<\n");
 }


 if(result == wanted) {
  printf("you added them correctly\n");
 } else {
  printf("sorry, try again. invalid\n");
 }
}

int main(int argc, char **argv, char **envp)
{
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 

 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */
 set_io(fd);

 /* Don't do this :> */
 srandom(time(NULL));

 run();
}

From this code, we can see a daemon is listening on port 2997. It is going to output 4 random unsigned integers in little-endian format. It then will expect the sum of all 4 of those integers to be returned in little-endian format.

I was able to solve this with the following code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/env python

# Protostar Net 2
# http://exploit-exercises.com/protostar/net2
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com

from socket import *
from struct import *
from optparse import OptionParser

def main(host, port):

 s = socket(AF_INET, SOCK_STREAM)
 s.connect((host, port))

 sum = 0

 # Loop over the 4 unsigned integers being read in, and them to "sum"
 for x in range(4):
  data = s.recv(4)
  little_endian = int(unpack("<I", data)[0])
  print "[*] integer " + str(x) + ": " + str(little_endian)
  sum += little_endian

 print "[*] Sum: " + str(sum)

 # Handle integer overflow by doing a logical AND with 0xffffffff
 sum &= 0xffffffff

 # Convert the sum back to little-endian, to send back over the wire
 sum_packed = pack("<I", sum)

 s.send(sum_packed)
 print s.recv(1024)

 s.close()

if __name__ == "__main__":
    parser = OptionParser("usage: %prog [options]")
    parser.add_option("-H", "--host", dest="hostname", default="127.0.0.1", 
     type="string", help="Target to run against")
    parser.add_option("-p", "--port", dest="portnum", default=2997, 
     type="int", help="Target port")

    (options, args) = parser.parse_args()
    
    main(options.hostname, options.portnum)

When I run that code, I get the following output:

C:\Protostar>net2.py -H 192.168.1.132
[] integer 0: 1724850170
[] integer 1: 692469090
[] integer 2: 630776982
[] integer 3: 1691529294
[*] Sum: 4739625536
you added them correctly
```

Comments