project sekai 2023

2023-08-27 15:42:44 +02:00
commit 62ab804867
23 changed files with 539 additions and 0 deletions
--- a/Exploitation/Algorithm
+++ b/Exploitation/Algorithm
@@ -0,0 +1,7 @@
+C++20 introduced coroutines, I cant wait to abuse them!
+
+
+
+    1. To get a leak, look into c++ Small String Optimization.
+    2. Lambda capture variable is stored in the stack, you can overwrite it somehow. if you figure out what its overwritten with, solving this is straightforward.
+
--- a/Multitool/multitool.zip
+++ b/Multitool/multitool.zip
--- a/Exploitation/Cosmic
+++ b/Exploitation/Cosmic
--- a/Exploitation/Hibana/README.md
+++ b/Exploitation/Hibana/README.md
@@ -0,0 +1,13 @@
+Just text chatting is boring, so we made a plugin to introduce sticker communication to GoldSrc. Server owners can put their .bmp files in svencoop/headicons directory, and the plugin will automatically convert it to in-game format. When the game detects a chat message that corresponds to a sticker, it will be visible above that player's head. Our test server has a yay.bmp file, which will show up when a player types yay in chat.
+
+This plugin can also run on Counter-Strike 1.6 and Half-Life, but to avoid copyright issues, we decided to use a free-to-play game. You can download the game client here. Please make sure that your exploit works locally with the provided setup, as remote server access may be slow for distant users. If you cannot move your character around when connecting to remote, try lowering your fps_max value to 100.
+
+Note: If you are running the challenge using WSL, make sure that the files are in your WSL disk, not under mounted Windows folders. The server is using Intel CPU, so some of you who use AMD CPU would run another executable in the container, which will prevent you from solving the challenge. To overcome this, you can try replacing svends_amd binary with svends_i686 binary in the game folder. If this doesn't work, you should try build a VM or use an Intel CPU machine.
+
+
+
+    1. Why is engine_i686.so provided seperately?
+    2. The server turned off anti-cheat, so I think maybe can remove some client-side obstacles. Maybe can even call something normally not accessible from console?
+    3. The file transfer code of client and server are the same.
+    4. Try to understand GoldSrc filesystem a bit. Observe where the downloaded files are stored to. Also it doesn't use any pack file like .vpk, every file is stored directly on disk.
+
--- a/Exploitation/Hibana/dist.zip
+++ b/Exploitation/Hibana/dist.zip
--- a/Exploitation/Network
+++ b/Exploitation/Network
@@ -0,0 +1,149 @@
+use std::io::{self, Write, Read};
+use dns_lookup::{lookup_host, lookup_addr};
+use std::net::Ipv4Addr;
+use std::process::Command;
+use std::str;
+use std::string::String;
+
+static mut CHOICE: i32 = 0;
+
+fn read(arr: &mut[u8], size: isize) -> isize{
+    let arr_ptr = &mut arr[0] as *mut u8;
+    let mut count = 0;
+    unsafe{
+        let mut input: [u8;1] = [0;1];
+        for i in 0..size {
+            io::stdin().read_exact(&mut input).expect("msg");
+            if input[0] == 0xa {
+                break;
+            }
+            *arr_ptr.offset(i) = input[0];
+        }
+
+        while *arr_ptr.offset(count) != 0{
+            count+=1;
+        }
+    }
+    count
+}
+
+fn menu(){
+    println!("1. ping");
+    println!("2. traceroute");
+    println!("3. IP lookup");
+    println!("4. Reverse IP lookup");
+    println!("5. Exit");
+    print!("> ");
+    io::stdout().flush().unwrap();
+}
+
+fn ping(){
+    let mut input: String = String::new();
+    print!("IPv4: ");
+    io::stdout().flush().unwrap();
+    io::stdin().read_line(&mut input).expect("Failed to read IP");
+    match input.trim().parse::<Ipv4Addr>() {
+        Ok(ip) => {
+            let cmd = format!("ping {} -w 4", ip.to_string());
+            let process = Command::new("/bin/sh")
+                                .arg("-c")
+                                .arg(cmd)
+                                .output()
+                                .expect("Failed");
+            println!("{}", String::from_utf8_lossy(&process.stdout));
+        }
+        _ => {
+            println!("Invalid IPv4 format!");
+            return;
+        },
+    };
+}
+
+fn traceroute(){
+    let mut input: String = String::new();
+    print!("IPv4: ");
+    io::stdout().flush().unwrap();
+    io::stdin().read_line(&mut input).expect("Failed to read IP");
+    match input.trim().parse::<Ipv4Addr>() {
+        Ok(ip) => {
+            let cmd = format!("traceroute {}", ip.to_string());
+            let process = Command::new("/bin/sh")
+                                .arg("-c")
+                                .arg(cmd)
+                                .output()
+                                .expect("Failed");
+            println!("{}", String::from_utf8_lossy(&process.stdout));
+        }
+        _ => {
+            println!("Invalid IPv4 format!");
+            return;
+        },
+    };
+}
+
+fn ip_lookup(){
+    let mut input: [u8; 400] = [0; 400];
+
+    print!("Hostname: ");
+    io::stdout().flush().unwrap();
+    let size = read(&mut input, 0x400);
+    let (hostname, _) = input.split_at(size as usize);
+    let hostname = str::from_utf8(hostname).expect("msg").to_string();
+    // println!("{:?}", hostname.trim());
+    match lookup_host(hostname.trim()) {
+        Ok(ip) => println!("{:?}", ip),
+        _ => println!("Invalid domain name!")
+    }
+}
+
+fn reverse_ip_lookup(){
+    let mut ip_str: String = String::new();
+
+    print!("IP: ");
+    io::stdout().flush().unwrap();
+    io::stdin().read_line(&mut ip_str).expect("Failed to read IP");
+    
+    match ip_str.trim().parse::<std::net::IpAddr>() {
+        Ok(ip) => {
+            match lookup_addr(&ip) {
+                Ok(hostname) => println!("{}", hostname),
+                _ => println!("Invalid IP!")
+            }
+        },
+        _ => {
+            println!("Invalid IP format!");
+            return;
+        }
+    }
+}
+
+fn main(){
+    unsafe {
+        let mut input = String::new();
+
+        println!("**************************");
+        println!("*                        *");
+        println!("*     Network Tools      *");
+        println!("*                        *");
+        println!("**************************");
+        println!("Opss! Something is leaked: {:p}", &CHOICE);
+        loop {
+            menu();
+
+            input.clear();
+            io::stdin().read_line(&mut input).expect("Failed to readline!");
+            CHOICE = match input.trim().parse() {
+                Ok(num) => num,
+                _ => 0
+            };
+            match CHOICE {
+                1 => ping(),
+                2 => traceroute(),
+                3 => ip_lookup(),
+                4 => reverse_ip_lookup(),
+                5 => break,
+                _ => println!("Invalid choice!")
+            }
+        }
+    }
+}
--- a/Exploitation/Network
+++ b/Exploitation/Network
--- a/Exploitation/Notification/README.md
+++ b/Exploitation/Notification/README.md
@@ -0,0 +1,3 @@
+Terrible programmer like me cannot avoid making bugs using language without memory-safety. So to avoid making my program insecure I shall use a different heap implementation making heap-related bug unexploitable. Or is it exploitable?
+
+libzone_source: https://github.com/peternguyen93/libzone
--- a/Exploitation/Notification/dist-updated.zip
+++ b/Exploitation/Notification/dist-updated.zip
--- a/Sender/textsender.zip
+++ b/Sender/textsender.zip
--- a/Exploitation/[Blockchain]
+++ b/Exploitation/[Blockchain]