[Vuln-dev Challenge] nonexec stack&heap solution (encrypted)

From: Jose Ronnick (matrixat_private)
Date: Fri May 23 2003 - 20:48:27 PDT


    So here's a solution, assuming nonexec stack and heap...  it was a little tricky..  I took the liberty of whipping up a 2048-bit version of RC4 and encrypting the solution with it.. cooler than rot13  =)  If you don't wanna see it, don't compile the decoder and decrypt it... or just forget the key..  guh.. I hope I'm not breaking any export restrictions.. =b..
    
    matrix@phiral dev $ cat vulndev2.crypt
    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
     4a119b6bc88f0394f7eb94287b81b5c7fc8a9d132019a271aaeec281110d3e98f9862a37fa32f698c9fee292faaa4bb47ec4054c1cebffdb74f83d81424e67adf854dccb738608b36fce0b4d35370cad86f99e284caf5a1f42910ef49c8e8d080e4dfc7bd16b9cf0740f6dbbc5a454b377cdd9a535d1de15cb0750666c9b00eea4ceef5c6497e07fe3a797e2fbecb2cbeebd85ee533a9cc04287466721205ef4218ba071c6950a216d40b403c7f4009929202f662c7ba00f6b6598d7a177bedb0591df3126e1417f5ef50e2774660b6f93f04f9d7ee84eddf6649c451b047abacb6525912cb079b642366f996c47341137393153127ee7cc3e6207f640cb0beb123a250b3679ff7a40db768702231070d74e054e294e778da498944c44095dd1632640207d420e2f287bb6dd13d45adfe6ddb1292d50953631a58c061698ab24e588ab84b7147b657f95466f60889e19a45f9604aaf71bc2f41c170e0c72bb144668a24896706283ba66b7a34046d4663bcba354d63607327d020c5934233053d61ce3a2955b72b2f75b4ddb35a4aa31d28422ccd2d556e01537781a5f4c9c79b9c4871424e186ede9adb3d48d0db715a56e3cf910dc2f07a90f04957b9f6caa2bf7b55df77c07ff0b760b2933e32623055413a2de03a557af026eda1b7cb75e1f4e3976908b8abc03120c91c9d85
     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
    matrix@phiral dev $ cat vulndev2.key
    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
    matrix@phiral dev $ cat rc4decode.c 
    #include <stdio.h>
    #include <stdlib.h>
    
    /* RC4 state shared by KSA() and PRNG(). */
    u_char K[256];  /* key bytes; main() reads all 256 from the key file */
    u_char S[256];  /* permutation table: built by KSA(), stirred by PRNG() */
    u_char gi = 0;  /* first keystream index, advanced by PRNG() */
    u_char gj = 0;  /* second keystream index, advanced by PRNG() */
    
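    /*
     * RC4 key schedule: build the permutation S from the 256-byte key K.
     *
     * S starts as the identity permutation; each step then swaps S[i] with
     * S[j], where j accumulates S[i] + K[i].  j is a u_char, so (assuming the
     * usual 8-bit unsigned char) the sum wraps modulo 256 and always indexes
     * inside S.  The keystream indices gi/gj are not touched here.
     *
     * Always returns 0.  The original fell off the end of a function declared
     * to return u_char, which is undefined behaviour as soon as a caller reads
     * the result; main() ignores it, so the constant only makes the function
     * well-formed.
     */
    u_char KSA()
    {
      u_char t, j=0;
      int i;
      for(i=0; i<256; i++)
        S[i] = i;
      for(i=0; i<256; i++)
      {
        j = j + S[i] + K[i];
        t=S[i]; S[i]=S[j]; S[j]=t;
      }
      return 0;
    }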
    
    /*
     * Produce the next RC4 keystream byte.
     *
     * Advances gi by one and gj by S[gi] (both are u_char, so they wrap),
     * swaps S[gi] with S[gj], and returns the table entry selected by the
     * wrapped sum of the two swapped values.  Mutates S, gi and gj, so the
     * output depends on every earlier call.
     */
    u_char PRNG()
    {
      u_char held, idx;

      gi++;
      gj += S[gi];

      held = S[gj];
      S[gj] = S[gi];
      S[gi] = held;

      idx = S[gi] + S[gj];
      return S[idx];
    }
    
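    /*
     * Decrypt hex-encoded RC4 ciphertext from stdin to stdout.
     *
     * argv[1] names a key file holding 256 hex-encoded bytes; they are loaded
     * into K, KSA() builds the permutation, and every hex byte read from stdin
     * is XORed with the next PRNG() output.
     *
     * Fixes over the original listing:
     *  - "%x" makes scanf/fscanf store a full unsigned int.  The original passed
     *    the address of a single u_char (K[i] and the stack variable ch), so each
     *    conversion wrote past the one-byte object.  Values are now read into an
     *    unsigned int and narrowed explicitly.
     *  - The decode loop tested "!= EOF".  A non-hex character makes scanf return
     *    0 without consuming input, so the loop would spin forever; it now runs
     *    only while a conversion succeeds.
     *  - fopen() and the key reads are checked, so a missing or short key file is
     *    reported instead of dereferencing NULL or silently using zero bytes.
     *  - A usage error exits with a failure status instead of 0.
     *
     * NOTE(review): RC4 has known keystream biases and this scheme carries no
     * integrity check; with the key posted next to the ciphertext it serves as
     * spoiler hiding only and should not be reused to protect real data.
     *
     * Returns 0 on success, EXIT_FAILURE on a usage, key-file or input error.
     */
    int main(int argc, char *argv[])
    {
      unsigned int byte;  /* conversion target sized for "%x" */
      int i;
      FILE *kd;

      if(argc < 2)
      {
        fprintf(stderr, "Usage: cat inputfile | %s keyfile > outputfile\n", argv[0]);
        exit(EXIT_FAILURE);
      }

      fprintf(stderr, "[&] Reading 2048-bit key from file '%s'...\n", argv[1]);
      kd = fopen(argv[1], "r");
      if(kd == NULL)
      {
        perror(argv[1]);
        exit(EXIT_FAILURE);
      }
      for(i=0; i < 256; i++)
      {
        /* width 2 keeps each conversion to one byte of an unbroken hex run */
        if(fscanf(kd, "%2x", &byte) != 1)
        {
          fprintf(stderr, "[!] Key file '%s' does not hold 256 hex-encoded bytes\n", argv[1]);
          fclose(kd);
          exit(EXIT_FAILURE);
        }
        K[i] = (u_char)byte;
      }
      fclose(kd);

      KSA();
      while(scanf("%2x", &byte) == 1)
        putchar((u_char)byte ^ PRNG());

      /* scanf stopped without reaching end of file: non-hex data or a read error */
      if(!feof(stdin))
      {
        fprintf(stderr, "[!] Stopped before end of input (non-hex data or read error)\n");
        return EXIT_FAILURE;
      }
      return 0;
    }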
    matrix@phiral dev $ gcc -o rc4dec rc4decode.c 
    matrix@phiral dev $ cat vulndev2.crypt | ./rc4dec vulndev2.key 
    
    -- 
    %JOSE_RONNICK%50,:-dddd-0EEb-pVVyP\-1111-jjjj-yNNN-_4HUP-qq0q-02%r-_Z%JP-%Iwp-5kyyP-n5nn-aTTa-1271P-4ttt-/888-3tSMP-bbnb-L8wL-kMwgP-3Hy3-rqzWP-m%m8-h4x--v%r5P-S7S7-g7g7-F2u2PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
    
    
    


