Files: airplane.tar(deobfuscated) spl.py
The service allows us to control aircrafts. It listens TCP/7331 port and has a text-based protocol.
CODE=LIST
A_0006=FLIGHT "A_0006": pos=[516,733] orig="Tokyo"([612,434]) dest="Antananarivo"([476,859])
A_0010=FLIGHT "A_0010": pos=[676,390] orig="Belgrade"([737,357]) dest="Berlin"([337,583])
A_0028=FLIGHT "A_0028": pos=[596,704] orig="Singapore"([683,650]) dest="Kabul"([236,930])
A_0037=FLIGHT "A_0037": pos=[820,850] orig="Hanoi"([963,663]) dest="Tripoli"([737,960])
A_0041=FLIGHT "A_0041": pos=[716,521] orig="Phoenix"([984,538]) dest="Philadelphia"([150,487])
A_0051=FLIGHT "A_0051": pos=[337,851] orig="Jakarta"([355,886]) dest="Philadelphia"([150,487])
A_0069=FLIGHT "A_0069": pos=[427,168] orig="Bangkok"([978,167]) dest="Tehran"([183,169])
A_0079=FLIGHT "A_0079": pos=[725,709] orig="Chicago"([105,832]) dest="Hanoi"([963,663])
A_0087=FLIGHT "A_0087": pos=[618,806] orig="Vienna"([449,109]) dest="Ankara"([624,828])
A_0098=FLIGHT "A_0098": pos=[345,668] orig="Beijing"([191,745]) dest="Rome"([865,410])
A_0109=FLIGHT "A_0109": pos=[537,472] orig="Vienna"([449,109]) dest="Ankara"([624,828])
A_0112=FLIGHT "A_0112": pos=[597,257] orig="Algiers"([688,211]) dest="Philadelphia"([150,487])
A_0129=FLIGHT "A_0129": pos=[345,924] orig="London"([475,943]) dest="Bucharest"([43,880])
A_0136=FLIGHT "A_0136": pos=[303,463] orig="Kiev"([341,556]) dest="Tehran"([183,169])
CODE=OK
FLAG=FLGRdmu34U5iPkS5
CODE=LIST
ID=A_0006
CODE=ERROR
RAND=�i�e���
SIGN=059956cd
CODE=SETPOS
ID=A_0006
RAND=IIIIIIII
SIGN=11111111
POSX=520
POSY=730
CODE=ERROR
RAND=�0H�9Y��
SIGN=3a8f5fc2
FLAG from answer - just
a random string, not a real flag. SIGN from an answer is a:
crc32(CODE:ERROR;RAND:<8 random bytes>;<unknown string>)
When we do SETPOS, we have to tell a valid SIGN from string:
crc32(CODE:SETPOS;ID:<id>;POSX:<newx>;POSY:<newy>;RAND:<random string>;<unknown string(the same as previous)>)
RAND is not a part of protocol, we just can any strings to our request.
Each plane has a position, If the signature is valid, we can move the plane(not more than on 100 pixels a time). Our goal is to move it to make the angle between plane and orig-dest vector of that plane > 0.1 radians. After this we can ask for flag.
To exploit the service we should be able to sign our SETPOS request. We don't know <unknown string> from first example, but we do know the crc32(<some known data>;<unknown string>"). So, if we compose another string with crc32(<anther_data>")=crc32(<some_known_data>"), then the crc32 of whole string won't change. For crc32 this can be done relatively simply(see spl.py for details), four bytes is enough for this.
After that we send 20 SETPOS requests to move a plane 2000 points away from its position and
send a request:
CODE=LIST
FGID=A_0006
to get a flag.
If you have questions, or want to correct errors, mail me at bay@hackerdom.ru