Merge branch 'master' into pomo/service-ark

Author: pomo-mondreganto

checkers/aquarius/aquarius_assembler.py

@@ -0,0 +1,170 @@
+import struct
+
+OP_NOP = 0
+OP_ADD = 1
+OP_SUB = 2
+OP_MUL = 3
+OP_DIV = 4
+OP_MOD = 5
+OP_XOR = 6
+OP_AND = 7
+OP_OR = 8
+OP_RSH = 9
+OP_LSH = 10
+OP_MOV = 11
+OP_NEG = 12
+OP_INV = 13
+OP_CMP = 14
+OP_JMP = 15
+OP_RJMP = 16
+OP_LDR8 = 17
+OP_LDR16 = 18
+OP_LDR32 = 19
+OP_LDR64 = 20
+OP_STR8 = 21
+OP_STR16 = 22
+OP_STR32 = 23
+OP_STR64 = 24
+OP_SYSCALL = 25
+OP_HLT = 26
+
+
+CMP_EQ = 0
+CMP_NEQ = 1
+CMP_ULT = 2
+CMP_UGT = 3
+CMP_ULEQ = 4
+CMP_UGEQ = 5
+CMP_SLT = 6
+CMP_SGT = 7
+CMP_SLEQ = 8
+CMP_SGEQ = 9
+
+SYSCALL_READ = 0
+SYSCALL_WRITE = 1
+
+
+def parse_reg(reg):
+    reg = int(reg[1:])
+    assert 0 <= reg <= 255
+    return bytes([reg])
+
+
+def parse_value(val):
+    if isinstance(val, str):
+        return parse_reg(val)
+    if isinstance(val, int):
+        if val <= 0:
+            return bytes([0xFF]) + struct.pack("q", val)
+        return bytes([0xFF]) + struct.pack("Q", val)
+    raise ValueError(f"unkown operand type {type(val)}")
+
+
+def nop():
+    return bytes([OP_NOP])
+
+
+def add(r, arg):
+    return bytes([OP_ADD]) + parse_reg(r) + parse_value(arg)
+
+
+def sub(r, arg):
+    return bytes([OP_SUB]) + parse_reg(r) + parse_value(arg)
+
+
+def mul(r, arg):
+    return bytes([OP_MUL]) + parse_reg(r) + parse_value(arg)
+
+
+def div(r, arg):
+    return bytes([OP_DIV]) + parse_reg(r) + parse_value(arg)
+
+
+def mod(r, arg):
+    return bytes([OP_MOD]) + parse_reg(r) + parse_value(arg)
+
+
+def xor(r, arg):
+    return bytes([OP_XOR]) + parse_reg(r) + parse_value(arg)
+
+
+def band(r, arg):
+    return bytes([OP_AND]) + parse_reg(r) + parse_value(arg)
+
+
+def bor(r, arg):
+    return bytes([OP_OR]) + parse_reg(r) + parse_value(arg)
+
+
+def rsh(r, arg):
+    return bytes([OP_RSH]) + parse_reg(r) + parse_value(arg)
+
+
+def lsh(r, arg):
+    return bytes([OP_LSH]) + parse_reg(r) + parse_value(arg)
+
+
+def mov(r, arg):
+    return bytes([OP_MOV]) + parse_reg(r) + parse_value(arg)
+
+
+def neg(r):
+    return bytes([OP_NEG]) + parse_reg(r)
+
+
+def inv(r):
+    return bytes([OP_INV]) + parse_reg(r)
+
+
+def ldr8(r, arg):
+    return bytes([OP_LDR8]) + parse_value(r) + parse_value(arg)
+
+
+def ldr16(r, arg):
+    return bytes([OP_LDR16]) + parse_value(r) + parse_value(arg)
+
+
+def ldr32(r, arg):
+    return bytes([OP_LDR32]) + parse_value(r) + parse_value(arg)
+
+
+def ldr64(r, arg):
+    return bytes([OP_LDR64]) + parse_value(r) + parse_value(arg)
+
+
+def str8(r, arg):
+    return bytes([OP_STR8]) + parse_value(r) + parse_value(arg)
+
+
+def str16(r, arg):
+    return bytes([OP_STR16]) + parse_value(r) + parse_value(arg)
+
+
+def str32(r, arg):
+    return bytes([OP_STR32]) + parse_value(r) + parse_value(arg)
+
+
+def str64(r, arg):
+    return bytes([OP_STR64]) + parse_value(r) + parse_value(arg)
+
+
+def syscall():
+    return bytes([OP_SYSCALL])
+
+
+def hlt():
+    return bytes([OP_HLT])
+
+
+def cmp(r, tp, a, b):
+    return (
+        bytes([OP_CMP]) + parse_reg(r) + bytes([tp]) + parse_value(a) + parse_value(b)
+    )
+
+
+def jmp(cond, val):
+    return bytes([OP_JMP]) + parse_value(cond) + parse_value(val)
+
+
+def rjmp(cond, val):
+    return bytes([OP_RJMP]) + parse_value(cond) + parse_value(val)

checkers/aquarius/aquarius_lib.py

@@ -0,0 +1,42 @@
+from pwn import *
+import base64
+from typing import Optional, List, Tuple
+from checklib import *
+
+context.log_level = "CRITICAL"
+
+PORT = 7117
+
+DEFAULT_RECV_SIZE = 4096
+TCP_CONNECTION_TIMEOUT = 5
+TCP_OPERATIONS_TIMEOUT = 7
+
+
+class CheckMachine:
+
+    def __init__(self, checker: BaseChecker):
+        self.c = checker
+        self.port = PORT
+
+    def connect(self) -> remote:
+        io = remote(self.c.host, self.port, timeout=TCP_CONNECTION_TIMEOUT)
+        io.settimeout(TCP_OPERATIONS_TIMEOUT)
+        return io
+
+    def exit(self, io: remote) -> None:
+        io.sendlineafter(b"> ", b"3")
+
+    def upload_vm(
+        self,
+        io: remote,
+        rom: bytes,
+        status: Status,
+    ) -> str:
+        io.sendlineafter(b"> ", b"1")
+        io.sendlineafter(b"base64 encoded rom> ", base64.b64encode(rom))
+        io.recvuntil(b"id: ")
+        return io.recvline().strip().decode()
+
+    def run_vm(self, io: remote, id: string, status: Status) -> Tuple[int, bytes]:
+        io.sendlineafter(b"> ", b"2")
+        io.sendlineafter(b"id> ", id.encode("ascii"))

checkers/aquarius/checker.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+
+import sys
+import time
+import copy
+
+from checklib import *
+
+argv = copy.deepcopy(sys.argv)
+
+from pwn import *
+from aquarius_lib import *
+import aquarius_assembler as asm
+
+
+def machine_with_known_output(output: bytes) -> bytes:
+    code = b""
+    for i, c in enumerate(output):
+        code += asm.str8(i, c)
+
+    code += asm.mov("r0", asm.SYSCALL_WRITE)
+    code += asm.mov("r1", 0)
+    code += asm.mov("r2", len(output))
+    code += asm.syscall()
+    return code
+
+
+def machine_with_password(output: bytes, password: bytes) -> bytes:
+    password_promt = machine_with_known_output(b"password: ")
+    wrong_password = machine_with_known_output(b"wrong password\n") + asm.hlt()
+    output_data = machine_with_known_output(output) + asm.hlt()
+    code = b""
+    code += password_promt
+    code += asm.mov("r0", asm.SYSCALL_READ)
+    code += asm.mov("r1", 0)
+    code += asm.mov("r2", len(password))
+    code += asm.syscall()
+    code += asm.mov("r1", 1)
+    for i, c in enumerate(password):
+        code += asm.ldr8("r3", i)
+        code += asm.cmp("r2", asm.CMP_EQ, "r3", c)
+        code += asm.band("r1", "r2")
+    code += asm.rjmp("r1", len(wrong_password))
+    code += wrong_password
+    code += output_data
+    return code
+
+
+class Checker(BaseChecker):
+    vulns: int = 1
+    timeout: int = 5
+    uses_attack_data: bool = True
+
+    def __init__(self, *args, **kwargs):
+        super(Checker, self).__init__(*args, **kwargs)
+        self.mch = CheckMachine(self)
+
+    def action(self, action, *args, **kwargs):
+        try:
+            super(Checker, self).action(action, *args, **kwargs)
+        except (pwnlib.exception.PwnlibException, EOFError):
+            self.cquit(Status.DOWN, "got connect error", "got pwntools connect error")
+        except UnicodeDecodeError:
+            self.cquit(Status.MUMBLE, "got unicode error", "got unicode error")
+
+    def check(self):
+        with self.mch.connect() as io:
+            output = rnd_string(32).encode()
+            rom = machine_with_known_output(output + b"\n") + asm.hlt()
+            machine_id = self.mch.upload_vm(io, rom, Status.MUMBLE)
+            self.mch.run_vm(io, machine_id, Status.MUMBLE)
+            res = io.recvline()
+            # raise ValueError(rom)
+            self.assert_eq(
+                res.strip(), output, f"invalid flag on {rom}", Status.CORRUPT
+            )
+            self.cquit(Status.OK)
+
+        self.cquit(Status.OK)
+
+    def put(self, flag_id: str, flag: str, vuln: str):
+        with self.mch.connect() as io:
+            password = rnd_string(32)
+            rom = machine_with_password(flag.encode() + b"\n", password.encode())
+            machine_id = self.mch.upload_vm(io, rom, Status.MUMBLE)
+            self.mch.exit(io)
+            self.cquit(Status.OK, f"{machine_id}", f"{machine_id}:{password}")
+
+    def get(self, flag_id: str, flag: str, vuln: str):
+        machine_id, password = flag_id.split(":")
+        with self.mch.connect() as io:
+            self.mch.run_vm(io, machine_id, Status.CORRUPT)
+            io.recvuntil(b"password: ")
+            io.send(password)
+            res = io.recvline()
+            self.assert_eq(res.strip(), flag.encode(), "invalid flag", Status.CORRUPT)
+            self.cquit(Status.OK)
+
+
+if __name__ == "__main__":
+    # import base64
+    #
+    # print(base64.b64encode(machine_with_password(b"kek", b"lol")))
+    # print(asm.cmp("r2", asm.CMP_EQ, "r3", 1337))
+    # exit(0)
+    c = Checker(argv[2])
+
+    try:
+        c.action(argv[1], *argv[3:])
+    except c.get_check_finished_exception():
+        cquit(Status(c.status), c.public, c.private)