Zenk - Security

Outils d'utilisateurs

Outils du Site

Piste: net3
exploit_exercises_protostar:net3

Net 3

#include "../common/common.c"
 
#define NAME "net3"
#define UID 996
#define GID 996
#define PORT 2996
 
/*
* Extract a null terminated string from the buffer 
*/
 
    int get_string(char **result, unsigned char *buffer, u_int16_t len)
{
    unsigned char byte;
 
    byte = *buffer;
 
    if(byte > len) errx(1, "badly formed packet");
    *result = malloc(byte);
    strcpy(*result, buffer + 1);
 
    return byte + 1;
}
 
/*
* Check to see if we can log into the host
*/
 
    int login(unsigned char *buffer, u_int16_t len)
{
    char *resource, *username, *password;
    int deduct;
    int success;
 
    if(len < 3) errx(1, "invalid login packet length");
 
    resource = username = password = NULL;
 
    deduct = get_string(&resource, buffer, len);
    deduct += get_string(&username, buffer+deduct, len-deduct);
    deduct += get_string(&password, buffer+deduct, len-deduct);
 
    success = 0;
    success |= strcmp(resource, "net3");
    success |= strcmp(username, "awesomesauce");
    success |= strcmp(password, "password");
 
    free(resource);
    free(username);
    free(password);
 
    return ! success;
}
 
void send_string(int fd, unsigned char byte, char *string)
{
    struct iovec v[3];
    u_int16_t len;
    int expected;
 
    len = ntohs(1 + strlen(string));
 
    v[0].iov_base = &len;
    v[0].iov_len = sizeof(len);
 
    v[1].iov_base = &byte;
    v[1].iov_len = 1;
 
    v[2].iov_base = string;
    v[2].iov_len = strlen(string);
 
    expected = sizeof(len) + 1 + strlen(string);
 
    if(writev(fd, v, 3) != expected) errx(1, "failed to write correct amount of bytes");
 
}
 
void run(int fd)
{
    u_int16_t len;
    unsigned char *buffer;
    int loggedin;
 
    while(1) {
        nread(fd, &len, sizeof(len));
        len = ntohs(len);
        buffer = malloc(len);
 
        if(! buffer) errx(1, "malloc failure for %d bytes", len);
 
        nread(fd, buffer, len);
 
        switch(buffer[0]) {
            case 23: 
            loggedin = login(buffer + 1, len - 1);
            send_string(fd, 33, loggedin ? "successful" : "failed");
            break;
 
            default:
            send_string(fd, 58, "what you talkin about willis?");
            break;
        }
    }
}
 
int main(int argc, char **argv, char **envp)
{
    int fd;
    char *username;
 
    /* Run the process as a daemon */
    background_process(NAME, UID, GID);  
 
    /* Wait for socket activity and return */
    fd = serve_forever(PORT);
 
    /* Set the client socket to STDIN, STDOUT, and STDERR */
    set_io(fd);
 
    /* Don't do this :> */
    srandom(time(NULL));
 
    run(fd);
}

Le but est d'envoyer un message sous le bon format pour que le programme nous affiche successful. 

#!/usr/bin/env python
# encoding: utf-8
 
import telnetlib
 
ressource = "net3"
username = "awesomesauce"
password = "password"
 
HOST = "192.168.1.29"
PORT = 2996
 
t = telnetlib.Telnet(HOST, PORT)
 
strSend  = "\x17"
strSend += "%c%s\x00" % (chr(len(ressource)+1), ressource)
strSend += "%c%s\x00" % (chr(len(username)+1), username)
strSend += "%c%s\x00" % (chr(len(password)+1), password)
 
strSend = "\x00" + chr(len(strSend)) + strSend
 
print "Send : %s" % repr(strSend)
 
t.write(strSend)
print t.read_some()
 
t.close()
exploit_exercises_protostar/net3.txt · Dernière modification: 2017/04/09 15:33 (modification externe)

Outils de la Page

Sauf mention contraire, le contenu de ce wiki est placé sous la licence suivante : CC Attribution-Share Alike 3.0 Unported
CC Attribution-Share Alike 3.0 Unported Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki