codezen.fr code hacking, zen coding

3 Mar 2013

Codegate 2013 Quals – Vuln 300 Write-up

This binary asks for a number and a string and outputs the string. While playing with the values, we notice that a negative number will crash the program.

$ nc 58.229.122.22 6666
Input Num : 32
Input Msg : TOTO
Reply :
ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`TOTO

$ nc 58.229.122.22 6666
Input Num : 2048
Input Msg : TOTO
Reply :
TOTO

$ nc 58.229.122.22 6666
Input Num : -1
Input Msg : TOTO
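
The crash on -1 means the number reaches the program without a sign or range check. As an added example (not code from the challenge binary), this is an input routine that would reject it; parse_count and MAX_COUNT are hypothetical names, and the 2048 upper bound is an assumption taken from the largest value tried above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_COUNT 2048  /* assumed bound, see lead-in */

/* Parse one input line as a decimal count in [0, MAX_COUNT].
 * Returns 0 and stores the value on success, -1 on any rejected input.
 * Unlike atoi(), strtol() reports overflow and exposes trailing garbage. */
int parse_count(const char *line, size_t *out)
{
    char *end;
    long v;

    if (line == NULL || out == NULL)
        return -1;

    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line)              /* no digits at all */
        return -1;
    if (errno == ERANGE)          /* value does not fit in a long */
        return -1;

    /* Only the line terminator left by fgets() may follow the digits. */
    if (*end == '\r') end++;
    if (*end == '\n') end++;
    if (*end != '\0')
        return -1;

    if (v < 0 || v > MAX_COUNT)   /* rejects the "-1" case from the session */
        return -1;

    *out = (size_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, shaped like what fgets() would return. */
    const char *samples[] = { "32\n", "2048\n", "-1\n", "2049\n", "12abc\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = parse_count(samples[i], &n);
        printf("rc=%d value=%zu\n", rc, n);
    }
    return 0;
}
```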

The reverse-engineered main part of the program is as follows:

- Create a new object myClass
- Set the virtual function pointer for the do_reply function.
- Get inputs from user
- Copy user data to myClass
- Call myClass->do_reply

int __cdecl handler()
{
  int myClass; // ebx@1
  int size; // ST10_4@1

  myClass = operator new();
  set_do_reply_ptr(myClass);
  printf("Input Num : ");
  fflush(stdout);
  sleep(2u);
  fgets(buffer, 2048, stdin);
  size = atoi(buffer);
  memset(buffer, 0, 2048u);
  printf("Input Msg : ");
  fflush(stdout);
  sleep(2u);