def put(*args): addr = args[0] flag_id = args[1] flag = args[2] vuln = args[3] flag_id = ''.join(random.choice(string.hexdigits) for i in range(32)).upper() url = 'http://%s:1678%s/add_unit?uuid=%s&mind=%s' % (addr, int(vuln) - 1, flag_id, flag) headers = {'User-Agent': UserAgents.get()} try: r = requests.post(url, headers=headers) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502") if r.status_code != 200: close( MUMBLE, "Submit error", "Invalid status code: %s %d %s" % (url, r.status_code, r.text)) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e) close(OK, flag_id)
def get(*args): addr = args[0] flag_id = args[1] flag = args[2] vuln = args[3] url = 'http://%s:1678%s/get?uuid=%s' % (addr, int(vuln) - 1, flag_id) headers = {'User-Agent': UserAgents.get()} try: r = requests.get(url, headers=headers) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502") if r.status_code != 200: close( MUMBLE, "Submit error", "Invalid status code: %s %d %s" % (url, r.status_code, r.text)) j = json.loads(r.text) if 'mind' in j.keys(): if j['mind'] != flag: close(CORRUPT, "Service corrupted", "Invalid flag: %s" % j['mind']) else: close(CORRUPT, "Service corrupted", "Invalid response: %s" % r.text) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e) close(OK)
def get(*args): addr = args[0] flag_id = args[1] flag = args[2] params = json.loads( flag_id ) guid = params[ 'guid' ] COLOR_R = params[ 'COLOR_R' ] COLOR_G = params[ 'COLOR_G' ] COLOR_B = params[ 'COLOR_B' ] COLOR = ( COLOR_R, COLOR_G, COLOR_B, 0xff) L0 = params[ 'L0' ] L1 = params[ 'L1' ] ANGLE = params[ 'ANGLE' ] WIDTH = params[ 'WIDTH' ] HEIGHT = params[ 'HEIGHT' ] image = stars.generate_image( WIDTH, HEIGHT, COLOR, L0, L1, ANGLE, TENTACLES_NUM ) url = 'http://%s/detectors/%s/check' % ( addr, guid ) try: headers = { 'User-Agent' : UserAgents.get() } files = { 'image' : image } r = requests.post( url, files=files, headers=headers ) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502") if r.status_code != 200: close( MUMBLE, "Invalid HTTP response", "Invalid status code: %s %d" % ( url, r.status_code ) ) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e) if flag != r.text: close( CORRUPT, "Service corrupted", "Flag does not match: %s" % r.text ) close( OK )
def __init__(self, hostname, port=None): self.hostname = hostname self.port = '' if port is None else ':' + str(port) self.session = aiohttp.ClientSession(headers={ 'Referer': self.get_url(''), 'User-Agent': UserAgents.get() }) self.signer = Signer()
def __init__(self, hostname, port=None, name='', user=None, password=None): self.hostname = hostname self.name = name self.port = '' if port is None else ':' + str(port) self.useragent = UserAgents.get() self.session = None if user is not None and password is not None: self.create_session(user, password)
def put(*args): addr = args[0] flag_id = args[1] flag = args[2] COLOR_R = int( random.random() * 255 ) COLOR_G = int( random.random() * 255 ) COLOR_B = int( random.random() * 255 ) L0 = random.uniform( 10.0, 30.0 ) L1 = random.uniform( 10.0, 30.0 ) ANGLE = random.uniform( 30.0, 90.0 ) flag_defs = "" for i in range( len( flag ) ): s = flag[ i : ] byte = ord( s[:1] ) flag_defs = flag_defs + ("-D F%d=%d " % ( i, byte ) ) output_file = "/tmp/%s.bin" % flag_id defines = "-D COLOR_R=%s -D COLOR_G=%s -D COLOR_B=%s -D L0=%s -D L1=%s -D ANGLE=%s -D WIDTH=%s -D HEIGHT=%s -D TENTACLES_NUM=%s %s" % ( COLOR_R, COLOR_G, COLOR_B, L0, L1, ANGLE, WIDTH, HEIGHT, TENTACLES_NUM, flag_defs ) driver = "Mali-400_r4p0-00rel1" core = "Mali-400" rev = "r0p0" cmd = "./malisc --fragment -d %s -c %s -r %s %s flag.frag -o %s > /dev/null 2> /dev/null" % ( driver, core, rev, defines, output_file ) os.system( cmd ) os.remove( output_file + ".prerotate" ) shader_file_name = output_file + ".non-prerotate" shader_file = open( shader_file_name, 'rb' ) shader_file.seek( 0, os.SEEK_END ) shader_size = shader_file.tell() shader_file.seek( 0, os.SEEK_SET ) detector = pack( 'i', shader_size ) + shader_file.read() + pack( 'ii', 8, 1 ) flag_id = "" # reset flag id, we will build new, based on service response url = 'http://%s/detectors/add' % addr files = { 'detector': detector } headers = { 'User-Agent' : UserAgents.get() } try: r = requests.post(url, files=files, headers=headers ) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502", shader_file_name) if r.status_code != 200: close( MUMBLE, "Submit error", "Invalid status code: %s %d" % ( url, r.status_code ), shader_file_name ) if not guid_regex.match( r.text ): close( CORRUPT, "Service corrupted", "Invalid guid received" ) try: flag_id = json.dumps( { 'guid' : r.text[:-1], 'COLOR_R' : COLOR_R, 'COLOR_G' : COLOR_G, 'COLOR_B' : COLOR_B, 'L0' : L0, 'L1' : L1, 'ANGLE' : ANGLE, 'WIDTH' : WIDTH, 'HEIGHT' : HEIGHT } ) except Exception as e: close(CORRUPT, "Service corrupted", "Service returns invalid guid: %s" % e, shader_file_name) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e, fileToRemove=shader_file_name) close(OK, flag_id, fileToRemove=shader_file_name)
def __init__(self, hostname, port=None, name=''): self.hostname = hostname self.name = name self.port = '' if port is None else ':' + str(port) cookie_jar = aiohttp.CookieJar(unsafe=True) self.session = aiohttp.ClientSession(cookie_jar=cookie_jar, headers={ 'Referer': self.get_url(''), 'User-Agent': UserAgents.get(), })
def get_objects(addr, agentKey): url = 'http://%s:9007/objects?AgentKey=%s' % (addr, agentKey) headers = {'User-Agent': UserAgents.get()} try: r = requests.get(url, headers=headers) if r.status_code != 200: close(MUMBLE, "Submit error", "Invalid status code: %s %d" % (url, r.status_code)) str = r.content.decode("UTF-8") return json.loads(str) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e)
def upload_object(addr, tobject): url = 'http://%s:9007/object' % (addr) headers = {'User-Agent': UserAgents.get()} try: r = requests.put(url, headers=headers, json=tobject) if r.status_code != 200: close(MUMBLE, "Submit error", "Invalid status code: %s %d" % (url, r.status_code)) return r.content.decode("UTF-8") except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e)
def register_agent(addr): url = 'http://%s:9007/agent' % (addr) headers = {'User-Agent': UserAgents.get()} agent = {"AgentName": "TestName"} try: r = requests.post(url, headers=headers, json=agent) if r.status_code != 200: close(MUMBLE, "Submit error", "Invalid status code: %s %d" % (url, r.status_code)) str = r.content.decode("UTF-8") return json.loads(str) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e)
def put(*args): addr = args[0] flag_id = args[1] flag = args[2] minidumpFilePath = "/tmp/" + flag_id + ".dmp" # crash the binary and generate minidump os.system('./%s %s %s' % (SERVICE_NAME, flag, minidumpFilePath)) # zip minidump file inMemoryZip = BytesIO() zf = zipfile.ZipFile(inMemoryZip, mode='w') try: zf.write(minidumpFilePath, arcname='%s.dmp' % flag_id) except Exception as e: close(CHECKER_ERROR, "ZIP error", "Unknown error: %s" % e, minidumpFilePath) zf.close() inMemoryZip.seek(0) # submit report url = 'http://%s/submit' % addr files = {'dump_zip_file': inMemoryZip.read()} headers = { 'User-Agent': UserAgents.get(), 'Service-Name': SERVICE_NAME, 'GUID': flag_id } try: r = requests.post(url, files=files, headers=headers) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502", minidumpFilePath) if r.status_code != 200: close(MUMBLE, "Submit error", "Invalid status code: %s %d" % (url, r.status_code), minidumpFilePath) try: r_json = r.json() if r_json['status'] != 'ok': close(MUMBLE, "Submit error", "Can not put flag", minidumpFilePath) except Exception as e: close(CORRUPT, "Service corrupted", "Service returns invalid json: %s" % e, minidumpFilePath) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e, minidumpFilePath) close(OK, minidumpFilePath=minidumpFilePath)
def request(self, method, relative_url, fun, **kwargs): data = None headers = {"User-Agent": UserAgents.get()} if "data" in kwargs: headers["Content-Type"] = 'application/octet-stream' data = kwargs["data"] elif "json" in kwargs: headers["Content-Type"] = 'application/json; charset=utf8' data = kwargs["json"] url = "http://%s/%s" % (self.addr, relative_url) request = Request(url, method=method, data=data, headers=headers) with urlopen(request) as response: if (response.status != 200): raise CheckerException("Recieved status %d on request %s" % (response.status, url)) return fun(response.read())
def add_ship(addr, bin_file): pos_x = int(random.uniform(-2000000, 2000000)) pos_z = int(random.uniform(-2000000, 2000000)) rot_y = 0 #random.uniform( 0, 3.1415926 ); url = 'http://%s:8080/add_ship?pos_x=%f&pos_z=%f&rot_y=%f' % (addr, pos_x, pos_z, rot_y) files = {'flag_shader': open(bin_file, 'rb').read()} headers = {'User-Agent': UserAgents.get()} try: r = requests.post(url, files=files, headers=headers) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502", bin_file) if r.status_code != 200: close(MUMBLE, "Submit error", "Invalid status code: %s %d" % (url, r.status_code), bin_file) if not guid_regex.match(r.text): close(CORRUPT, "Service corrupted", "Invalid guid received") except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e, fileToRemove=bin_file) return json.dumps({'x': pos_x, 'z': pos_z, 'ry': rot_y})
def get(*args): addr = args[0] flag_id = args[1] flag = args[2] url = 'http://%s/%s/get' % (addr, flag_id) try: headers = {'User-Agent': UserAgents.get()} r = requests.get(url, headers=headers) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502") if r.status_code != 200: close(MUMBLE, "Invalid HTTP response", "Invalid status code: %s %d" % (url, r.status_code)) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e) try: if int(r.headers['Content-Length']) > 50000: # tested close(CORRUPT, "Service corrupted", "Content is too big") except Exception as e: close(CORRUPT, "Service corrupted", "Something wrong with content length: %s" % e) # tested try: zf = zipfile.ZipFile(BytesIO(r.content)) except Exception as e: close(CORRUPT, "Service corrupted", "Invalid zip file: %s" % e) if len(zf.namelist()) > 1: # tested close(CORRUPT, "Service corrupted", "Invalid content, more than one file in zip") dmp_name = "%s.dmp" % flag_id dmp_path = "/tmp/%s" % dmp_name if not dmp_name in zf.namelist(): # tested close(CORRUPT, "Service corrupted", "Invalid content, there is no minidump file in zip") try: dmp = zf.read(dmp_name) open(dmp_path, 'wb').write(dmp) except Exception as e: close(CHECKER_ERROR, "Evil checker", "INTERNAL ERROR: %s" % e, dmp_path) # tested try: stackwalk = subprocess.check_output( './minidump_stackwalk -m %s symbols/ 2>/dev/null' % dmp_path, shell=True) except subprocess.CalledProcessError as e: close(CORRUPT, "Service corrupted", "Invalid minidump file: %s" % e, dmp_path) parser = StackWalkParser() parser.parse(stackwalk.decode()) if len(parser.crash_thread_stack) < 17: # not tested close( CORRUPT, "Service corrupted", "Invalid minidump file, callstack is too short %s" % parser.crash_thread_stack, dmp_path) if len(parser.crash_thread_stack) > 32: # not tested close(CORRUPT, "Service corrupted", "Invalid minidump file, callstack is too long", dmp_path) if parser.crash_thread_stack[16][ "signature"] != 'StartFlagProcessing()': # tested close( CORRUPT, "Service corrupted", "Invalid minidump file, invalid callstack %s" % parser.crash_thread_stack, dmp_path) first_part_flag = '' for i in reversed(range(0, 16)): signature = parser.crash_thread_stack[i]["signature"] result = re.match(r"_(\w)\(\)", signature) if not result: # tested close( CORRUPT, "Service corrupted", "Invalid minidump file, invalid signature in callstack %s" % signature, dmp_path) first_part_flag = first_part_flag + result.group(1) prefix = b'HERE IS THE REST OF YOUR FLAG' prefixPos = dmp.find(prefix) if prefixPos == -1: close(CORRUPT, "Service corrupted", "Invalid minidump file, cant find second part of the flag", dmp_path) flagPos = prefixPos + len(prefix) + 1 try: # tested second_part_flag = (dmp[flagPos:flagPos + 16]).decode() except Exception as e: close(CORRUPT, "Service corrupted", "Can not get second part of the flag: %s" % e, dmp_path) restored_flag = first_part_flag + second_part_flag if flag != restored_flag: # tested close(CORRUPT, "Service corrupted", "Flag does not match: %s" % restored_flag, dmp_path) close(OK, minidumpFilePath=dmp_path)
def draw(addr, pos_json): params = json.loads(pos_json) pos_x = params['x'] + 0.4 pos_y = 1.6 pos_z = params['z'] - 0.3 aimpos_x = pos_x aimpos_y = pos_y aimpos_z = params['z'] url = 'http://%s:8080/draw?pos_x=%f&pos_y=%f&pos_z=%f&aimpos_x=%f&aimpos_y=%f&aimpos_z=%f' % ( addr, pos_x, pos_y, pos_z, aimpos_x, aimpos_y, aimpos_z) #print( url ) try: headers = {'User-Agent': UserAgents.get()} r = requests.get(url, headers=headers) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502") if r.status_code != 200: close(MUMBLE, "Invalid HTTP response", "Invalid status code: %s %d" % (url, r.status_code)) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e) try: stream = io.BytesIO(r.content) img = Image.open(stream) if img.size[0] != 128 or img.size[0] != 128: close(CORRUPT, "Service corrupted", "Invalid image size %ux%u" % (img.size[0], img.size[1])) left = -1 right = -1 pixels = img.load() RED = (255, 0, 0, 255) for y in range(1, 127): for x in range(1, 127): if pixels[x, y] != RED and pixels[x + 1, y] == RED and left == -1: #print( "left", x, y, pixels[ x, y ], pixels[ x + 1, y ] ) left = x if pixels[x, y] == RED and pixels[x + 1, y] != RED and right == -1: #print( "right", x, y, pixels[ x, y ], pixels[ x + 1, y ] ) right = x top = -1 bottom = -1 for x in range(1, 127): for y in range(1, 127): if pixels[x, y] != RED and pixels[x, y + 1] == RED and top == -1: #print( "top", x, y, pixels[ x, y ], pixels[ x, y + 1 ] ) top = y if pixels[x, y] == RED and pixels[x, y + 1] != RED and bottom == -1: #print( "bottom", x, y, pixels[ x, y ], pixels[ x, y + 1 ] ) bottom = y width = right - left height = bottom - top stepX = width / 6 stepY = height / 4 startX = left + stepX * 1.5 startY = top + stepY * 1.5 x = startX y = startY payload = [] for iy in range(0, 2): for ix in range(0, 4): p = pixels[int(x), int(y)] payload.append(p) x += stepX y += stepY x = startX return payload except Exception as e: close(CORRUPT, "Service corrupted", "Invalid response: %s" % e)
def check(*args): addr = args[0] random.seed() X_GR = random.uniform( 2.0, 10.0 ) Y_GR = random.uniform( 2.0, 10.0 ) X_LS = random.uniform( -10.0, -2.0 ) Y_LS = random.uniform( -10.0, -2.0 ) A_X_GR = random.uniform( 2.0, 10.0 ) A_Y_GR = random.uniform( 2.0, 10.0 ) A_X_LS = random.uniform( -10.0, -2.0 ) A_Y_LS = random.uniform( -10.0, -2.0 ) B_X_GR = random.uniform( 2.0, 10.0 ) B_Y_GR = random.uniform( 2.0, 10.0 ) B_X_LS = random.uniform( -10.0, -2.0 ) B_Y_LS = random.uniform( -10.0, -2.0 ) VARIANT0 = random.randint( 0, 1 ) VARIANT1 = random.randint( 0, 1 ) VARIANT2 = random.randint( 0, 1 ) R = random.randint( 48, 90 ) G = random.randint( 48, 90 ) B = random.randint( 48, 90 ) A = random.randint( 48, 90 ) WH = [ 8, 16, 32, 64, 128 ] W = WH[ random.randint( 0, 4 ) ] H = WH[ random.randint( 0, 4 ) ] m = hashlib.md5() m.update( ("%f" % time.time() ).encode() ) output_file = "/tmp/%s" % m.hexdigest() defines = "-D X_GR=%f -D Y_GR=%f -D X_LS=%f -D Y_LS=%f " % ( X_GR, Y_GR, X_LS, Y_LS ) defines = defines + "-D A_X_GR=%f -D A_Y_GR=%f -D A_X_LS=%f -D A_Y_LS=%f " % (A_X_GR, A_Y_GR, A_X_LS, A_Y_LS ) defines = defines + "-D B_X_GR=%f -D B_Y_GR=%f -D B_X_LS=%f -D B_Y_LS=%f " % (B_X_GR, B_Y_GR, B_X_LS, B_Y_LS ) defines = defines + "-D VARIANT0=%d -D VARIANT1=%d -D VARIANT2=%d " % ( VARIANT0, VARIANT1, VARIANT2 ) defines = defines + "-D R=%d -D G=%d -D B=%d -D A=%d -D WIDTH=%d -D HEIGHT=%d " %( R, G, B, A, W, H ) driver = "Mali-400_r4p0-00rel1" core = "Mali-400" rev = "r0p0" cmd = "./malisc --fragment -d %s -c %s -r %s %s check.frag -o %s > /dev/null 2> /dev/null" % ( driver, core, rev, defines, output_file ) os.system( cmd ) os.remove( output_file + ".prerotate" ) shader_file_name = output_file + ".non-prerotate" shader_file = open( shader_file_name, 'rb' ) shader_file.seek( 0, os.SEEK_END ) shader_size = shader_file.tell() shader_file.seek( 0, os.SEEK_SET ) detector = pack( 'i', shader_size ) + shader_file.read() + pack( 'ii', W, H ) guid = "" url = 'http://%s/detectors/add' % addr files = { 'detector': detector } headers = { 'User-Agent' : UserAgents.get() } try: r = requests.post(url, files=files, headers=headers ) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502", shader_file_name) if r.status_code != 200: close( MUMBLE, "Submit error", "Invalid status code: %s %d" % ( url, r.status_code ), shader_file_name ) if not guid_regex.match( r.text ): close( CORRUPT, "Service corrupted", "Invalid guid received" ) guid = r.text[:-1] except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e, fileToRemove=shader_file_name) os.remove( shader_file_name ) # WH = [ 64, 128, 256 ] W = WH[ random.randint( 0, 2 ) ] H = WH[ random.randint( 0, 2 ) ] image = stars.generate_image( W, H, ( 0xfe, 0xae, 0xda, 0xff), 10.0, 10.0, 50, random.randint( 2, 5 ) ) url = 'http://%s/detectors/%s/check' % ( addr, guid ) try: headers = { 'User-Agent' : UserAgents.get() } files = { 'image' : image } r = requests.post( url, files=files, headers=headers ) if r.status_code == 502: close(DOWN, "Service is down", "Nginx 502") if r.status_code != 200: close( MUMBLE, "Invalid HTTP response", "Invalid status code: %s %d" % ( url, r.status_code ) ) except Exception as e: close(DOWN, "HTTP Error", "HTTP error: %s" % e) if len( r.content ) < 4: close( CORRUPT, "Service corrupted" ) for i in range( 0, len(r.content), 4 ): cr = r.content[ i + 0 ] cg = r.content[ i + 1 ] cb = r.content[ i + 2 ] ca = r.content[ i + 3 ] if( abs( cr - R ) > 2 or abs( cg - G ) > 2 or abs( cb - B ) > 2 or abs( ca - A ) > 2 ): close( CORRUPT, "Service corrupted" ) close(OK)