Protostar Exploit Challenges Net0 Solution

Introduction

This is probably the simplest challenge so far. The program sends you a number and you have to convert that number to little endian. There’s really not much more to it than that.

Checking Things Out

I started by just using netcat to see what the output looked like:

user@protostar:~$ nc 127.0.0.1 2999
Please send '1116830087' as a little endian 32bit int
555555
I'm sorry, you sent 892679477 instead

Exploiting… Solving More Like?

 

#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>   // read(), close()


int main(void) {
        // code for a client connecting to a server
        // namely a stream socket to 127.0.0.1 on port 2999 (net0)
        // either IPv4 or IPv6

        int sockfd;
        unsigned int received_int;
        struct addrinfo hints, *servinfo, *p;
        int rv;
        char buffer [1024];
        ssize_t n;

        memset(&hints, 0, sizeof hints);
        hints.ai_family = AF_UNSPEC;
        hints.ai_socktype = SOCK_STREAM;

        if ((rv = getaddrinfo("127.0.0.1", "2999", &hints, &servinfo)) != 0) {
            fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rv));
            exit(1);
        }

        // loop through all the results and connect to the first we can
        for(p = servinfo; p != NULL; p = p->ai_next) {
            if ((sockfd = socket(p->ai_family, p->ai_socktype,
                    p->ai_protocol)) == -1) {
                perror("socket");
                continue;
            }

            if (connect(sockfd, p->ai_addr, p->ai_addrlen) == -1) {
                close(sockfd);
                perror("connect");
                continue;
            }

            // read the prompt, leaving room for the terminating NUL
            n = read(sockfd, buffer, sizeof(buffer) - 1);
            if (n <= 0) {
                perror("read");
                exit(3);
            }
            buffer[n] = '\0';

            printf("%s", buffer);

            // pull the decimal number out of the prompt
            if (sscanf(buffer,
                       "Please send '%u' as a little endian 32bit int",
                       &received_int) != 1) {
                fprintf(stderr, "unexpected prompt\n");
                exit(4);
            }

            printf("%u\r\n", received_int);

            // send the int's raw bytes in host byte order, unchanged
            send(sockfd, &received_int, sizeof(received_int), 0);

            // read and print the server's verdict
            n = read(sockfd, buffer, sizeof(buffer) - 1);
            if (n > 0) {
                buffer[n] = '\0';
                printf("%s", buffer);
            }

            close(sockfd);
            break; // if we get here, we must have connected successfully
        }

        if (p == NULL) {
            // looped off the end of the list with no connection
            fprintf(stderr, "failed to connect\n");
            exit(2);
        }

        freeaddrinfo(servinfo); // all done with this structure
        return 0;
}

There’s really not much to say about the code. It creates a socket, reads the information and responds. The only thing of note that was fairly humorous was how frustrated I was when I originally wrote the program. I flipped the bytes into reverse order just like I was supposed to only to discover the program didn’t work. That’s when I realized that C already was sending in little endian byte order… so I didn’t have to do anything other than send the number right back from whence it came.
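The byte-order point above, as an added example that is not part of the original post: it builds the four little-endian bytes explicitly, so the result does not depend on the host CPU, and decodes the ASCII text "5555" to show where the 892679477 in the netcat session came from. The helper names (put_le32, get_le32, parse_prompt, host_is_little_endian) are made up for this sketch, and the prompt string is a constructed copy of the one in the session above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serialize v as 4 little-endian bytes, whatever the host byte order is. */
void put_le32(uint8_t out[4], uint32_t v) {
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Interpret 4 bytes from the wire as a little-endian 32-bit integer. */
uint32_t get_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Extract the number from the prompt; returns 1 on success, 0 otherwise. */
int parse_prompt(const char *line, uint32_t *value) {
    unsigned int v;
    if (sscanf(line, "Please send '%u' as a little endian 32bit int", &v) != 1)
        return 0;
    *value = (uint32_t)v;
    return 1;
}

/* 1 if the host stores integers low byte first, so sending the int's raw
   memory happens to produce the same bytes as put_le32(). */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void) {
    /* constructed sample: the prompt from the netcat session above */
    const char *prompt = "Please send '1116830087' as a little endian 32bit int\n";
    uint32_t wanted;
    uint8_t wire[4];
    if (!parse_prompt(prompt, &wanted)) return 1;
    put_le32(wire, wanted);
    printf("wire bytes: %02x %02x %02x %02x\n", wire[0], wire[1], wire[2], wire[3]);
    printf("typed \"5555\" decodes to %u\n", get_le32((const uint8_t *)"5555"));
    printf("host little-endian: %d\n", host_is_little_endian());
    return 0;
}
```

Typing digits into netcat sends their ASCII codes (0x35 for each '5'), and the first four of those bytes read as a little-endian integer give the value the server echoed back.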

victory
