
@hhc0null
Last active August 29, 2015 14:16
BkpCTF 2015 Kendall
// .data section
// The data_/bss_ names look like the objects' addresses in the binary (presumably taken
// from the disassembler; confirm against the ELF).
// These four strings are the values the config menu hands to sub_4011f9()/sub_400f9a()
// for in-place replacement. If the names are addresses, the slots are 0x10 bytes apart,
// so a 16-character value plus its terminator does not fit inside one slot.
char data_602800[] = "192.168.000.100";
char data_602810[] = "192.168.000.200";
char data_602820[] = "255.255.255.000";
char data_602830[] = "8.8.8.8";
// .bss section
// NOTE(review): 0x602880 + 128 == 0x602900. If the names are addresses, the
// authentication flag sits directly behind the input buffer, so a one-byte overrun of
// bss_602880 lands on security state rather than on padding.
char bss_602880[128]; // buffer
bool bss_602900; // flag: is_not_authenticated
int bss_602904; // sockfd
// Reads one line from stdin into the shared buffer bss_602880 and returns its strlen().
// arg is the caller's length limit; values above 0x80 are clamped to 0x80.
// NOTE(review): the loop stores each byte before it tests the index against the limit,
// so index rbp_14h itself is written. With a limit of 0x80 that store is at
// bss_602880[0x80], one element past the 128-byte array. A bounded version would test
// the index before storing and cap the limit at sizeof bss_602880 - 1.
size_t sub_400ea6(int arg)
{
int rbp_14h = arg;
int rbp_04h = 0;
// clamp the limit to the buffer size (not to size - 1)
if(rbp_14h > 0x80) {
rbp_14h = 0x80;
}
// clear all 0x80 bytes of the buffer before reading
for(; rbp_04h < 0x80; rbp_04h++) {
bss_602880[rbp_04h] = '\0';
}
for(rbp_04h = 0; true; rbp_04h++) {
// fgetc() returns int; the value is narrowed to char and EOF is never checked, so at
// end of input the loop keeps storing until the limit is reached
bss_602880[rbp_04h] = fgetc(stdin);
// a newline ends the line and is replaced by the terminator
if(bss_602880[rbp_04h] == '\n') {
bss_602880[rbp_04h] = '\0';
break;
}
// limit reached: terminate at the previous index; the byte just stored at index
// rbp_04h is left in place
// NOTE(review): a limit of 0 or less would make this write bss_602880[-1]; the callers
// in this listing pass 17, 20, 32 and 128
if(rbp_04h >= rbp_14h) {
bss_602880[rbp_04h-1] = '\0';
break;
}
}
return strlen(bss_602880);
}
// Authentication gate, called by sub_401120() and sub_4011f9().
// Returns true when bss_602900 (is_not_authenticated) is clear. Otherwise prints a
// notice to stdout and returns false.
// The whole decision rests on that single global byte.
bool sub_400f44()
{
    bool *rbp_08h = &bss_602900;

    if (*rbp_08h == false) {
        return true;
    }

    fwrite("You are not authenticated!\n", 1, 27, stdout);
    fflush(stdout);
    return false;
}
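// Prompts for a replacement for the configuration string at `arg` and, if the input
// passes validation, copies it over the old value in place.
//   arg: destination string (one of the data_6028xx globals in this listing)
// Validation: at most 16 characters, each a digit, '.' or '\0'.
// Changes against the earlier transcription: the character-class test is parenthesised
// (`x & 0x800 == 0` parses as `x & (0x800 == 0)`, which is always 0, so the check never
// fired), the table is indexed as an array of unsigned short instead of by a hand-scaled
// byte offset, and rdx is declared.
void sub_400f9a(char *arg)
{
    char *rbp_18h = arg;
    int rbp_04h;
    size_t rbp_08h;
    const unsigned short *rdx; // glibc character-class table

    fprintf(stdout, "Current Value: %s\n", rbp_18h);
    fwrite("New Value: ", 1, 11, stdout);
    fflush(stdout);

    // limit 17: sub_400ea6() returns 17 only for a line of exactly 17 characters;
    // longer lines come back truncated to 16
    rbp_08h = sub_400ea6(17);
    if (rbp_08h > 16) {
        // the format has no conversion, so the extra argument is ignored
        fprintf(stdout, "Your input is too long!", bss_602880);
        fflush(stdout);
        return;
    }

    // All 16 positions are scanned regardless of the input length; the buffer was
    // zeroed by sub_400ea6(), so positions after the terminator read as '\0'.
    for (rbp_04h = 0; rbp_04h < 16; rbp_04h++) {
        rdx = *__ctype_b_loc(); // refs: https://github.com/evanphx/ulysses-libc/blob/master/src/ctype/__ctype_b_loc.c
        // 0x800 is the digit class bit (_ISdigit) of glibc's table on little-endian
        // targets, so this is `!isdigit(c)`. The index is the sign-extended char, as
        // the (long long) cast in the earlier transcription indicated.
        if ((rdx[(int)bss_602880[rbp_04h]] & 0x800) == 0) {
            if (bss_602880[rbp_04h] != '.' && bss_602880[rbp_04h] != '\0') {
                fprintf(stdout, "Your input %s cointains invalid characters. Only digits and dots allowed!", bss_602880);
                fflush(stdout);
                return;
            }
        }
    }

    // rbp_08h is at most 16 here; cast so the argument matches %d
    fprintf(stdout, "Setting to %s [%d]\n", bss_602880, (int)rbp_08h);
    fflush(stdout);

    // NOTE(review): when rbp_08h == 16 the terminator below is written at index 16. The
    // data_6028xx targets look like 16-byte slots (and data_602830 is declared with only
    // 8 bytes in this listing), so that is a write past the end of the field; rejecting
    // `rbp_08h >= 16` above would keep the value inside it. Kept as the binary behaves.
    strncpy(rbp_18h, bss_602880, rbp_08h);
    rbp_18h[rbp_08h] = '\0';
}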
// "Renew leases" action: when sub_400f44() reports an authenticated session, formats a
// command line into the shared buffer bss_602880 and runs it with system().
void sub_401120()
{
// authenticated?
if(sub_400f44()) {
// NOTE(review): the four arguments are written here as literals equal to the initial
// contents of data_602800..data_602830; presumably the binary passes those editable
// globals. Confirm against the disassembly.
snprintf(bss_602880, 128, "./renew lease '%s' '%s' '%s' '%s'", "192.168.000.100", "192.168.000.200", "255.255.255.000", "8.8.8.8");
// we can use system() ;)
// The string is interpreted by a shell. If the arguments are the editable configuration
// values, the single quotes protect them only as long as sub_400f9a() accepts nothing
// but digits and dots and every field stays terminated inside its slot. An exec-style
// call with an explicit argv would not depend on either.
system(bss_602880);
}
}
// Prints the banner rule shown once at the start of a session (see sub_4016a8()).
void sub_401177()
{
    static const char rule[] = "#####################################################";

    puts(rule);
    fflush(stdout);
}
// Prints the help text of the configuration menu ('h' in sub_401221()).
void sub_401196()
{
    static const char help[] = "\n h show this help\n l list keys/values\n s change start ip\n e change end ip\n k change netmask ip\n n change nameserver ip\n m return to main menu";

    puts(help);
    fflush(stdout);
}
// Lists the four configuration strings ('l' in sub_401221()).
// No authentication check is made here: the values are readable by any session.
// Each value is printed with %s, so output runs to the first NUL byte found from the
// start of the field.
void sub_4011b5()
{
    fprintf(stdout,
            "DHCP Configuration: \n\tStart IP: %s\n\tEnd IP: %s\n\tNetmask: %s\n\tNameserver: %s\n",
            data_602800,
            data_602810,
            data_602820,
            data_602830);
    fflush(stdout);
}
// Authenticated wrapper around sub_400f9a(): the configuration string at `arg` may only
// be edited when sub_400f44() returns true. Unauthenticated sessions get the notice
// printed by sub_400f44() and nothing else happens.
void sub_4011f9(char *arg)
{
    char *rbp_08h = arg;

    // authenticated?
    if (!sub_400f44()) {
        return;
    }
    sub_400f9a(rbp_08h);
}
// Dispatcher for the configuration menu. Looks only at the first byte of the shared
// input buffer and returns the next menu state: 'm' for the main menu, otherwise 'c'
// to stay here.
// Unlike the other two menus, an unknown command is ignored silently.
int sub_401221()
{
    char *field = NULL; // configuration string selected for editing, if any

    switch (bss_602880[0]) {
    case 'm':
        return 'm';
    case 'h':
        sub_401196();
        break;
    case 'l':
        sub_4011b5();
        break;
    case 's':
        field = data_602800;
        break;
    case 'e':
        field = data_602810;
        break;
    case 'k':
        field = data_602820;
        break;
    case 'n':
        field = data_602830;
        break;
    default:
        break;
    }

    // every edit goes through the authentication check in sub_4011f9()
    if (field != NULL) {
        sub_4011f9(field);
    }
    return 'c';
}
// Prints a help text for a menu with "add value" / "change value" entries.
// No function in this listing calls it.
void sub_401299()
{
    static const char help[] = "\n h show this help\n a add value\n c change value\n m return to main screen";

    puts(help);
    fflush(stdout);
}
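// "Filter leases" action: reads a filter string and prints every line of dhcp.log that
// contains it. Exits the process if the log cannot be opened.
// No authentication check is made on this path.
// The three locals were undeclared in the earlier transcription; the types follow from
// their use (fopen result, 256-byte fgets buffer at rbp-0x110..rbp-0x10, strstr result).
void sub_4012b8()
{
    FILE *rbp_08h;
    char *rbp_10h;
    char rbp_110h[256];

    rbp_08h = fopen("dhcp.log", "r");
    if (rbp_08h == NULL) {
        perror("Could not open dhcp log file\n");
        exit(EXIT_FAILURE);
    }

    fwrite("Enter filter condition: ", 1, 24, stdout);
    fflush(stdout);

    // NOTE(review): this is the only call in the listing that passes the full buffer
    // size. sub_400ea6() stores at index `arg` before it tests the bound, so with 128
    // the store reaches bss_602880[128], one past the array. Passing
    // sizeof bss_602880 - 1 (and fixing the bound test in the reader) closes that.
    sub_400ea6(128);

    // an empty filter matches every line, since strstr(s, "") returns s
    while (fgets(rbp_110h, 256, rbp_08h) != NULL) {
        rbp_10h = strstr(rbp_110h, bss_602880);
        if (rbp_10h != NULL) {
            fputs(rbp_110h, stdout);
            fflush(stdout);
        }
    }
    // NOTE(review): no fclose() appears in the transcription; confirm whether the
    // binary closes the stream.
}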
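// "List leases" action: prints dhcp.log line by line. Exits the process if the log
// cannot be opened. No authentication check is made on this path.
// The two locals were undeclared in the earlier transcription; the types follow from
// their use (fopen result, 256-byte fgets buffer).
void sub_401390()
{
    FILE *rbp_08h;
    char rbp_110h[256];

    rbp_08h = fopen("dhcp.log", "r");
    if (rbp_08h == NULL) {
        perror("Could not open dhcp log file\n");
        exit(EXIT_FAILURE);
    }

    while (fgets(rbp_110h, 256, rbp_08h) != NULL) {
        fputs(rbp_110h, stdout);
        fflush(stdout);
    }
    // NOTE(review): no fclose() appears in the transcription; confirm whether the
    // binary closes the stream.
}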
// Prints the "unknown command" notice used by the main and lease menus.
void sub_401412()
{
    static const char notice[] = "\n Command not recognized\n";

    puts(notice);
    fflush(stdout);
}
// Prints the help text of the DHCP lease menu ('h' in sub_401450()).
void sub_401431()
{
    static const char help[] = "\n h show this help\n r renew leases\n l list leases\n f filter leases\n m return to main menu\n";

    puts(help);
    fflush(stdout);
}
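// Dispatcher for the DHCP lease menu. Looks only at the first byte of the shared input
// buffer and returns the next menu state: 'm' for the main menu, otherwise 'd' to stay.
// Only 'r' (sub_401120) checks authentication; 'l' and 'f' read dhcp.log without it.
// Change against the earlier transcription: `case '\n':` was the last thing in the
// switch with no statement after it, which is not valid C before C23; it now has an
// explicit break, matching sub_401624().
int sub_401450()
{
    switch (*bss_602880) {
    case 'h':
        sub_401431();
        break;
    case 'r':
        sub_401120();
        break;
    case 'l':
        sub_401390();
        break;
    case 'f':
        sub_4012b8();
        break;
    case 'm':
        return 'm';
    default:
        sub_401412();
        break;
    case '\n':
        // sub_400ea6() replaces the newline with '\0', so an empty line arrives as
        // '\0' and takes the default branch rather than this one
        break;
    }
    return 'd';
}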
// Prints the help text of the main menu ('h' in sub_401624(), and once at session start).
void sub_4014d0()
{
    static const char help[] = "\n h show this help\n a authenticate\n c config menu\n d dhcp lease menu\n e exit\n";

    puts(help);
    fflush(stdout);
}
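// "Authenticate" action: reads a password from the client and compares it with the
// first line of password.txt. On a match the is_not_authenticated flag is cleared.
// Exits the process if the password file cannot be opened.
// Change against the earlier transcription: rbp_40h was declared `char *rbp_40h[32]`;
// it is used as a 32-byte character buffer (fgets size 32, strlen, strcmp) and occupies
// rbp-0x40..rbp-0x20, so it is declared `char rbp_40h[32]`.
void sub_4014ef()
{
    char rbp_40h[32];
    int rbp_04h = 0;
    bool *rbp_10h = &bss_602900;
    FILE *rbp_18h;

    fwrite("Password: ", 1, 10, stdout);
    fflush(stdout);
    sub_400ea6(32);

    // the reference password is kept and compared in plaintext
    rbp_18h = fopen("password.txt", "r");
    if (rbp_18h == NULL) {
        perror("Could not open password file");
        exit(EXIT_FAILURE);
    }

    if (fgets(rbp_40h, 32, rbp_18h) != NULL) {
        rbp_04h = strlen(rbp_40h);
        // This store is a no-op: index strlen() already holds the terminator. A newline
        // kept by fgets() is therefore not stripped, while sub_400ea6() strips it from
        // the input, so a stored line that ends in '\n' can never compare equal.
        rbp_40h[rbp_04h] = '\0';
        if (strcmp(rbp_40h, bss_602880) == 0) {
            *rbp_10h = 0;
        }
    }

    // NOTE(review): the flag is only ever cleared here, never set again, and the
    // message is chosen from the flag rather than from this attempt's comparison. A
    // session whose flag is already clear is told it succeeded whatever was typed.
    if (*rbp_10h == false) {
        fwrite("Authentication succesfull\n", 1, 26, stdout);
    } else {
        fwrite("Authentication failed!\n", 1, 23, stdout);
    }
    fflush(stdout);
    fclose(rbp_18h);
}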
// Dispatcher for the main menu. Looks only at the first byte of the shared input buffer
// and returns the next menu state: '\0' after help or authenticate, 'c' or 'd' to enter
// the config or lease menu, 'm' otherwise. 'e' closes bss_602904 and exits the process.
// Entering the config or lease menu is not gated on authentication here; the checks
// sit on the individual actions.
int sub_401624()
{
    const char cmd = bss_602880[0];

    if (cmd == 'h') {
        sub_4014d0();
        return '\0';
    }
    if (cmd == 'a') {
        sub_4014ef();
        return '\0';
    }
    if (cmd == 'c' || cmd == 'd') {
        return cmd;
    }
    if (cmd == 'e') {
        close(bss_602904);
        exit(EXIT_SUCCESS);
    }
    // a bare newline is accepted silently; anything else is reported
    if (cmd != '\n') {
        sub_401412();
    }
    return 'm';
}
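// Per-connection session loop: marks the session as not authenticated, prints the
// banner and main help, then reads one command line per iteration and hands it to the
// dispatcher of the current menu. Never returns; the process ends through exit().
// Change against the earlier transcription: rbp_14h was undeclared. It sits in the
// 4-byte slot between rbp-0x14 and the pointer at rbp-0x10, so it is declared int.
void sub_4016a8()
{
    char rbp_01h = 'm'; // current menu state
    bool *rbp_10h;
    int rbp_14h;

    rbp_10h = &bss_602900;
    *rbp_10h = true; // every session starts unauthenticated
    sub_401177();
    sub_4014d0();

    while (true) {
        // prompt suffix shows the state: '$' once authenticated, '#' before
        if (*rbp_10h == false) {
            fprintf(stdout, "[%c]$ ", rbp_01h);
        } else {
            fprintf(stdout, "[%c]# ", rbp_01h);
        }
        fflush(stdout);

        // the line length is stored but not used in this listing
        rbp_14h = (int)sub_400ea6(20);
        (void)rbp_14h;

        switch ((int)rbp_01h) {
        case 'm':
            rbp_01h = sub_401624();
            break;
        case 'c':
            rbp_01h = sub_401221();
            break;
        case 'd':
            rbp_01h = sub_401450();
            break;
        case 'e':
            // none of the dispatchers in this listing returns 'e'
            exit(EXIT_SUCCESS);
        default:
            // reached with '\0', which sub_401624() returns after help/authenticate
            rbp_01h = sub_401624();
            break;
        }
    }
}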
// create connection and listen
// The body is not reproduced in this listing. main() calls it with the address of its
// port buffer and later passes bss_602904 to accept(), so this is presumably where the
// listening socket is created and stored in bss_602904. Confirm against the disassembly.
// NOTE(review): no return type or parameter list is given here.
sub_4017a3()
{
}
// Entry point: parses -p (port) and -d, sets up the listening socket through
// sub_4017a3(), then accepts connections forever and forks one child per client. The
// child wires the connection to stdin/stdout and runs the session loop sub_4016a8().
// This function is pseudo-C: rbp_09h, rbp_10h, rbp_20h and rbp_24h are not declared,
// `char *rbp_40h[]` has no size, and an array is assigned with `=`.
int main(int argc, char *argv[])
{
int rbp_34h;
char *rbp_40h[];
int rbp_04h;
// NOTE(review): declared with 5 bytes, but "08888" needs 6 with its terminator and the
// -p handler copies 6; the real buffer is probably larger. Confirm the stack layout.
char rbp_30h[5];
rbp_34h = argc;
rbp_40h = argv;
rbp_04h = 0;
rbp_30h = "08888";
// getopt() returns -1 at the end of the options; the comparison with 0xff suggests the
// result is kept in a byte-sized slot (rbp_09h). TODO confirm
for(int rbp_08h = 0; (rbp_09h = getopt(rbp_34h, rbp_40h, "p:d:")) != 0xff;) {
switch(rbp_09h) {
case 'p':
// strncpy() does not terminate the destination when optarg has 6 or more characters
strncpy(rbp_30h, optarg, 6);
break;
case 'd':
// the flag is set but not read again in this listing; "d:" also takes an argument
// that is not used
rbp_04h = 1;
break;
case '?':
puts("fail");
exit(EXIT_FAILURE);
default:
exit(EXIT_FAILURE);
}
}
sub_4017a3(&rbp_30h);
printf("Listening on port %s\n", rbp_30h);
fflush(stdout);
// handler value 1 is SIG_IGN in glibc: exited children are not left as zombies
signal(SIGCHLD, 1);
while(true) {
// bss_602904 is sockfd.
rbp_10h = accept(bss_602904, &rbp_24h, &rbp_20h);
if(rbp_10h < 0) {
perror("accept");
} else {
// One process per connection, so each client gets its own copy of the globals,
// including the authentication flag that sub_4016a8() resets.
// NOTE(review): a fork() failure (-1) is not handled, and the parent does not close
// rbp_10h in this listing, so one descriptor stays open per accepted connection.
if(fork() == 0) {
// only stdin and stdout are redirected; stderr is left as inherited
dup2(rbp_10h, STDIN_FILENO);
dup2(rbp_10h, STDOUT_FILENO);
sub_4016a8();
exit(EXIT_SUCCESS);
}
}
}
}