I recently started looking at the “Net” problems in Protostar, and found them to be quite a fun change in pace.
Starting with Net 0, we are given the following code:
#include "../common/common.c"
#define NAME "net0"
#define UID 999
#define GID 999
#define PORT 2999
void run()
{
unsigned int i;
unsigned int wanted;
wanted = random();
printf("Please send '%d' as a little endian 32bit int\n", wanted);
if(fread(&i, sizeof(i), 1, stdin) == NULL) {
errx(1, ":(\n");
}
if(i == wanted) {
printf("Thank you sir/madam\n");
} else {
printf("I'm sorry, you sent %d instead\n", i);
}
}
int main(int argc, char **argv, char **envp)
{
int fd;
char *username;
/* Run the process as a daemon */
background_process(NAME, UID, GID);
/* Wait for socket activity and return */
fd = serve_forever(PORT);
/* Set the client socket to STDIN, STDOUT, and STDERR */
set_io(fd);
/* Don't do this :> */
srandom(time(NULL));
run();
}
I started to analyze this program, to figure out what I was even supposed to do. It looks like it’s a daemon that runs on port 2999. When a connection is established, it will send a number, asking for it to be returned in little endian format. It will either then display “Thank you sir/madam” or “I’m sorry, you send X instead”. My goal was the prior.
I ended up creating the following code to convert the number to little endian and send it back:
#!/usr/bin/env python
# Protostar Net 0
# http://exploit-exercises.com/protostar/net0
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com
from socket import *
from struct import *
from optparse import OptionParser
def main(host, port):
# Open a connection and read
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
data = s.recv(1024)
print "[*] Data: " + data
# Find the numeric string.
# Note it can be variable length, so search between quotes
start = data.find("'") + 1
end = data.find("'", start)
num = int(data[start:end])
print "[*] Num: " + str(num)
# Convert the number to little endian format and send it back
little = pack("<I", num)
s.send(little)
# Read response from server
print s.recv(1024)
s.close()
if __name__ == "__main__":
parser = OptionParser("usage: %prog [options]")
parser.add_option("-H", "--host", dest="hostname", default="127.0.0.1",
type="string", help="Target to run against")
parser.add_option("-p", "--port", dest="portnum", default=2999,
type="int", help="Target port")
(options, args) = parser.parse_args()
main(options.hostname, options.portnum)
When ran, that program produced the following output:
C:\Protostar>net0.py -H 192.168.1.132
[*] Data: Please send '634513062' as a little endian 32bit int
[*] Num: 634513062
Thank you sir/madam