def put(*args):
addr = args[0]
flag_id = args[1]
flag = args[2]
vuln = args[3]
flag_id = ''.join(random.choice(string.hexdigits)
for i in range(32)).upper()
url = 'http://%s:1678%s/add_unit?uuid=%s&mind=%s' % (addr, int(vuln) - 1,
flag_id, flag)
headers = {'User-Agent': UserAgents.get()}
try:
r = requests.post(url, headers=headers)
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502")
if r.status_code != 200:
close(
MUMBLE, "Submit error",
"Invalid status code: %s %d %s" % (url, r.status_code, r.text))
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
close(OK, flag_id)
def get(*args):
addr = args[0]
flag_id = args[1]
flag = args[2]
vuln = args[3]
url = 'http://%s:1678%s/get?uuid=%s' % (addr, int(vuln) - 1, flag_id)
headers = {'User-Agent': UserAgents.get()}
try:
r = requests.get(url, headers=headers)
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502")
if r.status_code != 200:
close(
MUMBLE, "Submit error",
"Invalid status code: %s %d %s" % (url, r.status_code, r.text))
j = json.loads(r.text)
if 'mind' in j.keys():
if j['mind'] != flag:
close(CORRUPT, "Service corrupted",
"Invalid flag: %s" % j['mind'])
else:
close(CORRUPT, "Service corrupted",
"Invalid response: %s" % r.text)
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
close(OK)
def get(*args):
addr = args[0]
flag_id = args[1]
flag = args[2]
params = json.loads( flag_id )
guid = params[ 'guid' ]
COLOR_R = params[ 'COLOR_R' ]
COLOR_G = params[ 'COLOR_G' ]
COLOR_B = params[ 'COLOR_B' ]
COLOR = ( COLOR_R, COLOR_G, COLOR_B, 0xff)
L0 = params[ 'L0' ]
L1 = params[ 'L1' ]
ANGLE = params[ 'ANGLE' ]
WIDTH = params[ 'WIDTH' ]
HEIGHT = params[ 'HEIGHT' ]
image = stars.generate_image( WIDTH, HEIGHT, COLOR, L0, L1, ANGLE, TENTACLES_NUM )
url = 'http://%s/detectors/%s/check' % ( addr, guid )
try:
headers = { 'User-Agent' : UserAgents.get() }
files = { 'image' : image }
r = requests.post( url, files=files, headers=headers )
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502")
if r.status_code != 200:
close( MUMBLE, "Invalid HTTP response", "Invalid status code: %s %d" % ( url, r.status_code ) )
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
if flag != r.text:
close( CORRUPT, "Service corrupted", "Flag does not match: %s" % r.text )
close( OK )
def __init__(self, hostname, port=None):
self.hostname = hostname
self.port = '' if port is None else ':' + str(port)
self.session = aiohttp.ClientSession(headers={
'Referer': self.get_url(''),
'User-Agent': UserAgents.get()
})
self.signer = Signer()
def __init__(self, hostname, port=None, name='', user=None, password=None):
self.hostname = hostname
self.name = name
self.port = '' if port is None else ':' + str(port)
self.useragent = UserAgents.get()
self.session = None
if user is not None and password is not None:
self.create_session(user, password)
def put(*args):
addr = args[0]
flag_id = args[1]
flag = args[2]
COLOR_R = int( random.random() * 255 )
COLOR_G = int( random.random() * 255 )
COLOR_B = int( random.random() * 255 )
L0 = random.uniform( 10.0, 30.0 )
L1 = random.uniform( 10.0, 30.0 )
ANGLE = random.uniform( 30.0, 90.0 )
flag_defs = ""
for i in range( len( flag ) ):
s = flag[ i : ]
byte = ord( s[:1] )
flag_defs = flag_defs + ("-D F%d=%d " % ( i, byte ) )
output_file = "/tmp/%s.bin" % flag_id
defines = "-D COLOR_R=%s -D COLOR_G=%s -D COLOR_B=%s -D L0=%s -D L1=%s -D ANGLE=%s -D WIDTH=%s -D HEIGHT=%s -D TENTACLES_NUM=%s %s" % ( COLOR_R, COLOR_G, COLOR_B, L0, L1, ANGLE, WIDTH, HEIGHT, TENTACLES_NUM, flag_defs )
driver = "Mali-400_r4p0-00rel1"
core = "Mali-400"
rev = "r0p0"
cmd = "./malisc --fragment -d %s -c %s -r %s %s flag.frag -o %s > /dev/null 2> /dev/null" % ( driver, core, rev, defines, output_file )
os.system( cmd )
os.remove( output_file + ".prerotate" )
shader_file_name = output_file + ".non-prerotate"
shader_file = open( shader_file_name, 'rb' )
shader_file.seek( 0, os.SEEK_END )
shader_size = shader_file.tell()
shader_file.seek( 0, os.SEEK_SET )
detector = pack( 'i', shader_size ) + shader_file.read() + pack( 'ii', 8, 1 )
flag_id = "" # reset flag id, we will build new, based on service response
url = 'http://%s/detectors/add' % addr
files = { 'detector': detector }
headers = { 'User-Agent' : UserAgents.get() }
try:
r = requests.post(url, files=files, headers=headers )
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502", shader_file_name)
if r.status_code != 200:
close( MUMBLE, "Submit error", "Invalid status code: %s %d" % ( url, r.status_code ), shader_file_name )
if not guid_regex.match( r.text ):
close( CORRUPT, "Service corrupted", "Invalid guid received" )
try:
flag_id = json.dumps( { 'guid' : r.text[:-1], 'COLOR_R' : COLOR_R, 'COLOR_G' : COLOR_G, 'COLOR_B' : COLOR_B, 'L0' : L0, 'L1' : L1, 'ANGLE' : ANGLE, 'WIDTH' : WIDTH, 'HEIGHT' : HEIGHT } )
except Exception as e:
close(CORRUPT, "Service corrupted", "Service returns invalid guid: %s" % e, shader_file_name)
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e, fileToRemove=shader_file_name)
close(OK, flag_id, fileToRemove=shader_file_name)
def __init__(self, hostname, port=None, name=''):
self.hostname = hostname
self.name = name
self.port = '' if port is None else ':' + str(port)
cookie_jar = aiohttp.CookieJar(unsafe=True)
self.session = aiohttp.ClientSession(cookie_jar=cookie_jar,
headers={
'Referer': self.get_url(''),
'User-Agent':
UserAgents.get(),
})
def get_objects(addr, agentKey):
url = 'http://%s:9007/objects?AgentKey=%s' % (addr, agentKey)
headers = {'User-Agent': UserAgents.get()}
try:
r = requests.get(url, headers=headers)
if r.status_code != 200:
close(MUMBLE, "Submit error",
"Invalid status code: %s %d" % (url, r.status_code))
str = r.content.decode("UTF-8")
return json.loads(str)
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
def upload_object(addr, tobject):
url = 'http://%s:9007/object' % (addr)
headers = {'User-Agent': UserAgents.get()}
try:
r = requests.put(url, headers=headers, json=tobject)
if r.status_code != 200:
close(MUMBLE, "Submit error",
"Invalid status code: %s %d" % (url, r.status_code))
return r.content.decode("UTF-8")
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
def register_agent(addr):
url = 'http://%s:9007/agent' % (addr)
headers = {'User-Agent': UserAgents.get()}
agent = {"AgentName": "TestName"}
try:
r = requests.post(url, headers=headers, json=agent)
if r.status_code != 200:
close(MUMBLE, "Submit error",
"Invalid status code: %s %d" % (url, r.status_code))
str = r.content.decode("UTF-8")
return json.loads(str)
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
def put(*args):
addr = args[0]
flag_id = args[1]
flag = args[2]
minidumpFilePath = "/tmp/" + flag_id + ".dmp"
# crash the binary and generate minidump
os.system('./%s %s %s' % (SERVICE_NAME, flag, minidumpFilePath))
# zip minidump file
inMemoryZip = BytesIO()
zf = zipfile.ZipFile(inMemoryZip, mode='w')
try:
zf.write(minidumpFilePath, arcname='%s.dmp' % flag_id)
except Exception as e:
close(CHECKER_ERROR, "ZIP error", "Unknown error: %s" % e,
minidumpFilePath)
zf.close()
inMemoryZip.seek(0)
# submit report
url = 'http://%s/submit' % addr
files = {'dump_zip_file': inMemoryZip.read()}
headers = {
'User-Agent': UserAgents.get(),
'Service-Name': SERVICE_NAME,
'GUID': flag_id
}
try:
r = requests.post(url, files=files, headers=headers)
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502", minidumpFilePath)
if r.status_code != 200:
close(MUMBLE, "Submit error",
"Invalid status code: %s %d" % (url, r.status_code),
minidumpFilePath)
try:
r_json = r.json()
if r_json['status'] != 'ok':
close(MUMBLE, "Submit error", "Can not put flag",
minidumpFilePath)
except Exception as e:
close(CORRUPT, "Service corrupted",
"Service returns invalid json: %s" % e, minidumpFilePath)
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e, minidumpFilePath)
close(OK, minidumpFilePath=minidumpFilePath)
def request(self, method, relative_url, fun, **kwargs):
data = None
headers = {"User-Agent": UserAgents.get()}
if "data" in kwargs:
headers["Content-Type"] = 'application/octet-stream'
data = kwargs["data"]
elif "json" in kwargs:
headers["Content-Type"] = 'application/json; charset=utf8'
data = kwargs["json"]
url = "http://%s/%s" % (self.addr, relative_url)
request = Request(url, method=method, data=data, headers=headers)
with urlopen(request) as response:
if (response.status != 200):
raise CheckerException("Recieved status %d on request %s" %
(response.status, url))
return fun(response.read())
def add_ship(addr, bin_file):
pos_x = int(random.uniform(-2000000, 2000000))
pos_z = int(random.uniform(-2000000, 2000000))
rot_y = 0 #random.uniform( 0, 3.1415926 );
url = 'http://%s:8080/add_ship?pos_x=%f&pos_z=%f&rot_y=%f' % (addr, pos_x,
pos_z, rot_y)
files = {'flag_shader': open(bin_file, 'rb').read()}
headers = {'User-Agent': UserAgents.get()}
try:
r = requests.post(url, files=files, headers=headers)
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502", bin_file)
if r.status_code != 200:
close(MUMBLE, "Submit error",
"Invalid status code: %s %d" % (url, r.status_code),
bin_file)
if not guid_regex.match(r.text):
close(CORRUPT, "Service corrupted", "Invalid guid received")
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e, fileToRemove=bin_file)
return json.dumps({'x': pos_x, 'z': pos_z, 'ry': rot_y})
def get(*args):
addr = args[0]
flag_id = args[1]
flag = args[2]
url = 'http://%s/%s/get' % (addr, flag_id)
try:
headers = {'User-Agent': UserAgents.get()}
r = requests.get(url, headers=headers)
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502")
if r.status_code != 200:
close(MUMBLE, "Invalid HTTP response",
"Invalid status code: %s %d" % (url, r.status_code))
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
try:
if int(r.headers['Content-Length']) > 50000: # tested
close(CORRUPT, "Service corrupted", "Content is too big")
except Exception as e:
close(CORRUPT, "Service corrupted",
"Something wrong with content length: %s" % e)
# tested
try:
zf = zipfile.ZipFile(BytesIO(r.content))
except Exception as e:
close(CORRUPT, "Service corrupted", "Invalid zip file: %s" % e)
if len(zf.namelist()) > 1: # tested
close(CORRUPT, "Service corrupted",
"Invalid content, more than one file in zip")
dmp_name = "%s.dmp" % flag_id
dmp_path = "/tmp/%s" % dmp_name
if not dmp_name in zf.namelist(): # tested
close(CORRUPT, "Service corrupted",
"Invalid content, there is no minidump file in zip")
try:
dmp = zf.read(dmp_name)
open(dmp_path, 'wb').write(dmp)
except Exception as e:
close(CHECKER_ERROR, "Evil checker", "INTERNAL ERROR: %s" % e,
dmp_path)
# tested
try:
stackwalk = subprocess.check_output(
'./minidump_stackwalk -m %s symbols/ 2>/dev/null' % dmp_path,
shell=True)
except subprocess.CalledProcessError as e:
close(CORRUPT, "Service corrupted", "Invalid minidump file: %s" % e,
dmp_path)
parser = StackWalkParser()
parser.parse(stackwalk.decode())
if len(parser.crash_thread_stack) < 17: # not tested
close(
CORRUPT, "Service corrupted",
"Invalid minidump file, callstack is too short %s" %
parser.crash_thread_stack, dmp_path)
if len(parser.crash_thread_stack) > 32: # not tested
close(CORRUPT, "Service corrupted",
"Invalid minidump file, callstack is too long", dmp_path)
if parser.crash_thread_stack[16][
"signature"] != 'StartFlagProcessing()': # tested
close(
CORRUPT, "Service corrupted",
"Invalid minidump file, invalid callstack %s" %
parser.crash_thread_stack, dmp_path)
first_part_flag = ''
for i in reversed(range(0, 16)):
signature = parser.crash_thread_stack[i]["signature"]
result = re.match(r"_(\w)\(\)", signature)
if not result: # tested
close(
CORRUPT, "Service corrupted",
"Invalid minidump file, invalid signature in callstack %s" %
signature, dmp_path)
first_part_flag = first_part_flag + result.group(1)
prefix = b'HERE IS THE REST OF YOUR FLAG'
prefixPos = dmp.find(prefix)
if prefixPos == -1:
close(CORRUPT, "Service corrupted",
"Invalid minidump file, cant find second part of the flag",
dmp_path)
flagPos = prefixPos + len(prefix) + 1
try: # tested
second_part_flag = (dmp[flagPos:flagPos + 16]).decode()
except Exception as e:
close(CORRUPT, "Service corrupted",
"Can not get second part of the flag: %s" % e, dmp_path)
restored_flag = first_part_flag + second_part_flag
if flag != restored_flag: # tested
close(CORRUPT, "Service corrupted",
"Flag does not match: %s" % restored_flag, dmp_path)
close(OK, minidumpFilePath=dmp_path)
def draw(addr, pos_json):
params = json.loads(pos_json)
pos_x = params['x'] + 0.4
pos_y = 1.6
pos_z = params['z'] - 0.3
aimpos_x = pos_x
aimpos_y = pos_y
aimpos_z = params['z']
url = 'http://%s:8080/draw?pos_x=%f&pos_y=%f&pos_z=%f&aimpos_x=%f&aimpos_y=%f&aimpos_z=%f' % (
addr, pos_x, pos_y, pos_z, aimpos_x, aimpos_y, aimpos_z)
#print( url )
try:
headers = {'User-Agent': UserAgents.get()}
r = requests.get(url, headers=headers)
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502")
if r.status_code != 200:
close(MUMBLE, "Invalid HTTP response",
"Invalid status code: %s %d" % (url, r.status_code))
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
try:
stream = io.BytesIO(r.content)
img = Image.open(stream)
if img.size[0] != 128 or img.size[0] != 128:
close(CORRUPT, "Service corrupted",
"Invalid image size %ux%u" % (img.size[0], img.size[1]))
left = -1
right = -1
pixels = img.load()
RED = (255, 0, 0, 255)
for y in range(1, 127):
for x in range(1, 127):
if pixels[x, y] != RED and pixels[x + 1,
y] == RED and left == -1:
#print( "left", x, y, pixels[ x, y ], pixels[ x + 1, y ] )
left = x
if pixels[x, y] == RED and pixels[x + 1,
y] != RED and right == -1:
#print( "right", x, y, pixels[ x, y ], pixels[ x + 1, y ] )
right = x
top = -1
bottom = -1
for x in range(1, 127):
for y in range(1, 127):
if pixels[x, y] != RED and pixels[x,
y + 1] == RED and top == -1:
#print( "top", x, y, pixels[ x, y ], pixels[ x, y + 1 ] )
top = y
if pixels[x, y] == RED and pixels[x, y +
1] != RED and bottom == -1:
#print( "bottom", x, y, pixels[ x, y ], pixels[ x, y + 1 ] )
bottom = y
width = right - left
height = bottom - top
stepX = width / 6
stepY = height / 4
startX = left + stepX * 1.5
startY = top + stepY * 1.5
x = startX
y = startY
payload = []
for iy in range(0, 2):
for ix in range(0, 4):
p = pixels[int(x), int(y)]
payload.append(p)
x += stepX
y += stepY
x = startX
return payload
except Exception as e:
close(CORRUPT, "Service corrupted", "Invalid response: %s" % e)
def check(*args):
addr = args[0]
random.seed()
X_GR = random.uniform( 2.0, 10.0 )
Y_GR = random.uniform( 2.0, 10.0 )
X_LS = random.uniform( -10.0, -2.0 )
Y_LS = random.uniform( -10.0, -2.0 )
A_X_GR = random.uniform( 2.0, 10.0 )
A_Y_GR = random.uniform( 2.0, 10.0 )
A_X_LS = random.uniform( -10.0, -2.0 )
A_Y_LS = random.uniform( -10.0, -2.0 )
B_X_GR = random.uniform( 2.0, 10.0 )
B_Y_GR = random.uniform( 2.0, 10.0 )
B_X_LS = random.uniform( -10.0, -2.0 )
B_Y_LS = random.uniform( -10.0, -2.0 )
VARIANT0 = random.randint( 0, 1 )
VARIANT1 = random.randint( 0, 1 )
VARIANT2 = random.randint( 0, 1 )
R = random.randint( 48, 90 )
G = random.randint( 48, 90 )
B = random.randint( 48, 90 )
A = random.randint( 48, 90 )
WH = [ 8, 16, 32, 64, 128 ]
W = WH[ random.randint( 0, 4 ) ]
H = WH[ random.randint( 0, 4 ) ]
m = hashlib.md5()
m.update( ("%f" % time.time() ).encode() )
output_file = "/tmp/%s" % m.hexdigest()
defines = "-D X_GR=%f -D Y_GR=%f -D X_LS=%f -D Y_LS=%f " % ( X_GR, Y_GR, X_LS, Y_LS )
defines = defines + "-D A_X_GR=%f -D A_Y_GR=%f -D A_X_LS=%f -D A_Y_LS=%f " % (A_X_GR, A_Y_GR, A_X_LS, A_Y_LS )
defines = defines + "-D B_X_GR=%f -D B_Y_GR=%f -D B_X_LS=%f -D B_Y_LS=%f " % (B_X_GR, B_Y_GR, B_X_LS, B_Y_LS )
defines = defines + "-D VARIANT0=%d -D VARIANT1=%d -D VARIANT2=%d " % ( VARIANT0, VARIANT1, VARIANT2 )
defines = defines + "-D R=%d -D G=%d -D B=%d -D A=%d -D WIDTH=%d -D HEIGHT=%d " %( R, G, B, A, W, H )
driver = "Mali-400_r4p0-00rel1"
core = "Mali-400"
rev = "r0p0"
cmd = "./malisc --fragment -d %s -c %s -r %s %s check.frag -o %s > /dev/null 2> /dev/null" % ( driver, core, rev, defines, output_file )
os.system( cmd )
os.remove( output_file + ".prerotate" )
shader_file_name = output_file + ".non-prerotate"
shader_file = open( shader_file_name, 'rb' )
shader_file.seek( 0, os.SEEK_END )
shader_size = shader_file.tell()
shader_file.seek( 0, os.SEEK_SET )
detector = pack( 'i', shader_size ) + shader_file.read() + pack( 'ii', W, H )
guid = ""
url = 'http://%s/detectors/add' % addr
files = { 'detector': detector }
headers = { 'User-Agent' : UserAgents.get() }
try:
r = requests.post(url, files=files, headers=headers )
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502", shader_file_name)
if r.status_code != 200:
close( MUMBLE, "Submit error", "Invalid status code: %s %d" % ( url, r.status_code ), shader_file_name )
if not guid_regex.match( r.text ):
close( CORRUPT, "Service corrupted", "Invalid guid received" )
guid = r.text[:-1]
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e, fileToRemove=shader_file_name)
os.remove( shader_file_name )
#
WH = [ 64, 128, 256 ]
W = WH[ random.randint( 0, 2 ) ]
H = WH[ random.randint( 0, 2 ) ]
image = stars.generate_image( W, H, ( 0xfe, 0xae, 0xda, 0xff), 10.0, 10.0, 50, random.randint( 2, 5 ) )
url = 'http://%s/detectors/%s/check' % ( addr, guid )
try:
headers = { 'User-Agent' : UserAgents.get() }
files = { 'image' : image }
r = requests.post( url, files=files, headers=headers )
if r.status_code == 502:
close(DOWN, "Service is down", "Nginx 502")
if r.status_code != 200:
close( MUMBLE, "Invalid HTTP response", "Invalid status code: %s %d" % ( url, r.status_code ) )
except Exception as e:
close(DOWN, "HTTP Error", "HTTP error: %s" % e)
if len( r.content ) < 4:
close( CORRUPT, "Service corrupted" )
for i in range( 0, len(r.content), 4 ):
cr = r.content[ i + 0 ]
cg = r.content[ i + 1 ]
cb = r.content[ i + 2 ]
ca = r.content[ i + 3 ]
if( abs( cr - R ) > 2 or abs( cg - G ) > 2 or abs( cb - B ) > 2 or abs( ca - A ) > 2 ):
close( CORRUPT, "Service corrupted" )
close(OK)