author | David Barksdale <amatus.amongus@gmail.com> | 2012-04-09 21:42:42 -0500 |
---|---|---|
committer | David Barksdale <amatus.amongus@gmail.com> | 2012-04-10 09:24:12 -0500 |
commit | c8d51d66e25e7d5246e7da5a37c500c96fa8e12e (patch) | |
tree | cefb11181bb375ec2f12ccca1328723176504ee6 | |
parent | a3db0b508e0c330167dd0d98dea6a4ce7e29fac4 (diff) |
Added files from Austin2600 2012 April competition.
-rw-r--r-- | flags/Makefile | 21 | ||||
-rwxr-xr-x | flags/exec | bin | 0 -> 6477 bytes | |||
-rw-r--r-- | flags/exec.c | 41 | ||||
-rwxr-xr-x | flags/format | bin | 0 -> 5387 bytes | |||
-rw-r--r-- | flags/format.c | 36 | ||||
-rwxr-xr-x | flags/make-keys.rsa | 11 | ||||
-rwxr-xr-x | flags/rsa-runner | bin | 0 -> 5794 bytes | |||
-rw-r--r-- | flags/rsa-runner.c | 24 | ||||
-rwxr-xr-x | flags/rsa.py | 81 | ||||
-rwxr-xr-x | flags/simple | bin | 0 -> 5266 bytes | |||
-rw-r--r-- | flags/simple.c | 23 | ||||
-rw-r--r-- | flags/simple.not.the.flag | 1 |
12 files changed, 238 insertions, 0 deletions
diff --git a/flags/Makefile b/flags/Makefile
new file mode 100644
index 0000000..17fd13d
--- /dev/null
+++ b/flags/Makefile
@@ -0,0 +1,21 @@
+all: exec format rsa-runner simple
+
+exec: exec.c
+ gcc -o exec exec.c
+ chown root:exec exec
+ chmod 2755 exec
+
+format: format.c
+ gcc -o format format.c
+ chown root:format format
+ chmod 2755 format
+
+rsa-runner: rsa-runner.c
+ gcc -o rsa-runner rsa-runner.c
+ chown root:rsa rsa-runner
+ chmod 2755 rsa-runner
+
+simple: simple.c
+ gcc -o simple simple.c
+ chown root:simple simple
+ chmod 2755 simple
diff --git a/flags/exec b/flags/exec
Binary files differ
new file mode 100755
index 0000000..9e35dbc
--- /dev/null
+++ b/flags/exec
diff --git a/flags/exec.c b/flags/exec.c
new file mode 100644
index 0000000..24daf7d
--- /dev/null
+++ b/flags/exec.c
@@ -0,0 +1,41 @@
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+char flag[32];
+
+int main(int argc, char **argv) {
+ int fd;
+ pid_t pid;
+ int status;
+
+ fprintf(stderr, "real %d:%d effective %d:%d\n",
+ getuid(), getgid(), geteuid(), getegid());
+
+ fd = open("exec.flag", O_RDONLY);
+ if(-1 != fd) {
+ // load flag into memory where nobody will ever find it
+ read(fd, flag, sizeof(flag));
+ }
+ // we'll even run something for you!
+ if(argc != 2) {
+ fprintf(stderr, "give me something to run\n");
+ return -1;
+ }
+ pid = fork();
+ if(pid < 0) {
+ perror("fork failed");
+ }
+ if(0 == pid) {
+ // drop privs
+ seteuid(getuid());
+ setegid(getgid());
+ // exec tears down the address space, goodbye flag!
+ execlp(argv[1], argv[1], NULL);
+ perror("exec failed");
+ }
+ waitpid(pid, &status, 0);
+ return 0;
+}
diff --git a/flags/format b/flags/format
Binary files differ
new file mode 100755
index 0000000..e0f5d4e
--- /dev/null
+++ b/flags/format
diff --git a/flags/format.c b/flags/format.c
new file mode 100644
index 0000000..4fc30fd
--- /dev/null
+++ b/flags/format.c
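Review bot: Every build rule in flags/Makefile runs `chown root:<group>` and `chmod 2755` directly after `gcc`, so a plain `make` only succeeds as root and the compiler itself then runs with root privileges. Moving the ownership and mode changes into a separate `install` target keeps compilation unprivileged and makes the setgid step an explicit, reviewable action. The `gcc` lines also set no warning flags; `gcc -Wall -Wextra -o simple simple.c` would report the undeclared `read`/`write` calls in simple.c at build time.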
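Review bot: In flags/exec.c the descriptor returned by `open("exec.flag", O_RDONLY)` is never closed and is not marked close-on-exec, so it remains open in the child across `execlp` even though the comments assume the flag is gone once the address space is replaced. Add `close(fd);` after the `read`, or open with `O_RDONLY | O_CLOEXEC`. The privilege drop in the child is unchecked and changes only the effective IDs; `if (setregid(getgid(), getgid()) != 0) _exit(1);` drops the group for good and fails closed. After `perror("exec failed")` the child should `_exit(127);` instead of falling through to `waitpid`, and the `pid < 0` branch should return rather than continue.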
@@ -0,0 +1,36 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+void hax(char *shellcode) {
+ int stack;
+ printf(shellcode, &stack);
+}
+
+int main(int argc, char **argv) {
+ char *buf, *p;
+ int i;
+
+ if(argc != 2) {
+ printf("What? Are you chicken?\n");
+ return -1;
+ }
+ // remove %n from format string, we're not *that* stupid
+ buf = strdup(argv[1]);
+ for(p = argv[1], i = 0; p[0]; ++p) {
+ if(p[0] == '%' && p[1] == 'n') {
+ ++p;
+ if(p[0]) {
+ continue;
+ } else {
+ break;
+ }
+ }
+ buf[i++] = p[0];
+ }
+ buf[i] = '\0';
+ hax(buf);
+ free(buf);
+ putchar('\n');
+ return 0;
+}
diff --git a/flags/make-keys.rsa b/flags/make-keys.rsa
new file mode 100755
index 0000000..e6fba64
--- /dev/null
+++ b/flags/make-keys.rsa
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+
+from Crypto.PublicKey import RSA
+import pickle
+
+keys = {}
+keys['Alice'] = RSA.generate(1024)
+keys['Bob'] = RSA.generate(1024).publickey()
+
+with open('rsa.keys', 'w') as f:
+ pickle.dump(keys, f)
diff --git a/flags/rsa-runner b/flags/rsa-runner
Binary files differ
new file mode 100755
index 0000000..a6069f7
--- /dev/null
+++ b/flags/rsa-runner
diff --git a/flags/rsa-runner.c b/flags/rsa-runner.c
new file mode 100644
index 0000000..2b8c9d2
--- /dev/null
+++ b/flags/rsa-runner.c
@@ -0,0 +1,24 @@
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+ pid_t pid;
+ int status;
+
+ fprintf(stderr, "real %d:%d effective %d:%d\n",
+ getuid(), getgid(), geteuid(), getegid());
+
+ pid = fork();
+ if(pid < 0) {
+ perror("fork failed");
+ }
+ if(0 == pid) {
+ execlp("/flags/rsa.py", "rsa.py", NULL);
+ perror("exec failed");
+ }
+ waitpid(pid, &status, 0);
+ return 0;
+}
diff --git a/flags/rsa.py b/flags/rsa.py
new file mode 100755
index 0000000..96fc947
--- /dev/null
+++ b/flags/rsa.py
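Review bot: `hax()` in flags/format.c passes its argument to `printf` as the format string, and that argument is copied from `argv[1]`; removing one two-character sequence in `main` does not make a caller-supplied format safe, because every remaining conversion still makes `printf` read arguments that were never passed. Print the data as data instead, `printf("%s", shellcode);` or `fputs(shellcode, stdout);`, which also makes the filter loop unnecessary. The result of `strdup(argv[1])` is used without a NULL check; add `if (buf == NULL) return -1;` before the loop.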
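Review bot: flags/make-keys.rsa writes Alice's private key to `rsa.keys` through `open('rsa.keys', 'w')`, which creates the file with whatever mode the umask allows, and nothing in the script narrows it afterwards. Create the file with an explicit owner-only mode, for example `os.fdopen(os.open('rsa.keys', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), 'wb')`, and grant group access deliberately at install time. `RSA.generate(1024)` is below the 2048-bit minimum that current guidance recommends for RSA. Storing the keys with `pickle` also forces every reader to unpickle the file; writing `exportKey` output instead would avoid that.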
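Review bot: The wrapper in flags/rsa-runner.c, installed setgid by the Makefile, hands the caller's entire environment to the script: `execlp("/flags/rsa.py", "rsa.py", NULL)` inherits `environ`, and the script's `#!/usr/bin/env python` line then resolves the interpreter through the caller's `PATH`. A privileged wrapper should exec the interpreter by absolute path with a fixed, minimal environment via `execle`, and set a known working directory first, since rsa.py opens `rsa.flag` by relative path. As in exec.c, the child needs `_exit(127);` after `perror("exec failed")`, and the `pid < 0` branch should return rather than go on to `waitpid`.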
@@ -0,0 +1,81 @@
+#!/usr/bin/env python
+
+# Load up the goods.
+with open('rsa.flag', 'r') as f:
+ flag = f.read(32)
+
+from Crypto.PublicKey import RSA
+from Crypto.Hash import MD5
+from Crypto import Random
+from SocketServer import TCPServer, StreamRequestHandler
+import pickle
+
+# Load up our keystore.
+# This should be a dict of names (strings) to RSA keys.
+with open('/flags/rsa.keys', 'r') as f:
+ keys = pickle.load(f)
+
+def keyid(key):
+ return MD5.new(key.publickey().exportKey('DER')).digest()
+
+def getkey(by_id):
+ for key in keys.values():
+ if keyid(key) == by_id:
+ return key
+
+def digest(msg):
+ buf = MD5.new(msg.keyid + ':' + msg.request).digest()
+ print "Message digest is {0}".format(buf.encode('hex'))
+ return buf
+
+def sign(msg):
+ rng = Random.new().read
+ return getkey(msg.keyid).sign(digest(msg), rng)
+
+def verify(msg):
+ return getkey(msg.keyid).verify(digest(msg), msg.signature)
+
+class Request:
+ pass
+
+class Handler(StreamRequestHandler):
+ def start(self):
+ # Ask Bob for his flag, this should be fun.
+ msg = Request()
+ msg.name = 'Alice'
+ msg.request = 'get_flag'
+ msg.keyid = keyid(keys[msg.name])
+ msg.signature = sign(msg)
+ pickle.dump(msg, self.wfile)
+
+ def get_flag(self, request):
+ # Make sure it's from someone we trust
+ if(request.name not in keys.keys()
+ or request.keyid not in
+ [keyid(key) for key in keys.values()]
+ or request.name == 'Alice'):
+ print "We don't trust this person"
+ return
+ # Verify the signature
+ if(not verify(request)):
+ print "This message was altered"
+ return
+ # Send the goods.
+ pickle.dump(flag, self.wfile)
+
+ def handle(self):
+ request = pickle.load(self.rfile)
+ print "we got: {0}".format(request)
+ if(request.request == 'start'):
+ self.start()
+ if(request.request == 'get_flag'):
+ self.get_flag(request)
+
+for port in range(6666, 6999):
+ try:
+ server = TCPServer(('localhost', port), Handler)
+ print 'server running at port {0}'.format(port)
+ break
+ except:
+ continue
+server.serve_forever()
diff --git a/flags/simple b/flags/simple
Binary files differ
new file mode 100755
index 0000000..3a9efaf
--- /dev/null
+++ b/flags/simple
diff --git a/flags/simple.c b/flags/simple.c
new file mode 100644
index 0000000..e69e8e5
--- /dev/null
+++ b/flags/simple.c
@@ -0,0 +1,23 @@
+#include <fcntl.h>
+#include <stdio.h>
+
+// this one is really simple
+int main() {
+ int fd;
+ char buff[32];
+ int len;
+
+ fd = open("simple.not.the.flag", O_RDONLY);
+ if(-1 == fd) {
+ perror("open failed");
+ return -1;
+ }
+ len = read(fd, buff, sizeof(buff));
+ if(len < 0) {
+ perror("read failed");
+ return -1;
+ }
+ write(1, buff, len);
+ putchar('\n');
+ return 0;
+}
diff --git a/flags/simple.not.the.flag b/flags/simple.not.the.flag
new file mode 100644
index 0000000..73fe8ce
--- /dev/null
+++ b/flags/simple.not.the.flag
@@ -0,0 +1 @@
+7db61f4aafe27bd210359d445241587a |
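Review bot: `handle()` in flags/rsa.py calls `pickle.load(self.rfile)` on bytes read straight from the socket, before any of the checks in `get_flag` run; unpickling lets the sender decide which objects get constructed, so it must not be applied to untrusted input. Read a data-only encoding instead, e.g. `fields = json.loads(self.rfile.readline(4096))`, copy the expected `name`, `request`, `keyid` and `signature` fields into a `Request` explicitly, and change the two `pickle.dump(..., self.wfile)` calls to match. The digest is MD5, and the signature appears to be taken over it without a padding scheme; a current hash with a standard signature padding would be the expected choice. The bare `except:` in the port loop hides every error, and `server` is undefined at `serve_forever()` if no port in the range binds.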
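Review bot: flags/simple.c calls `read` and `write` without including `<unistd.h>`, so both are implicitly declared; add `#include <unistd.h>` next to the other includes. The descriptor is never closed and the result of `write(1, buff, len)` is ignored, so a short or failed write goes unnoticed. `len` should be declared `ssize_t` to match what `read` returns.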