SIGINT 2013 CTF – Pwning 300 – tr0llsex Write-up (SCTP challenge)

Posted by aXs

server: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x66661e417e6b4037e552b904c755f2e4a7ecf934, stripped

tr0llsex was a Linux ELF 64-bit binary from the SIGINT 2013 CTF's Pwning category. It's a fun little easy challenge with a twist: it uses the SCTP protocol for the network transport layer instead of TCP or UDP.

One of SCTP's features is the ability to carry several independently ordered data streams inside the same SCTP association. This challenge uses that feature.

$ socat - 'sctp-connect:'
stream 0: md4, stream 1: md5, stream 2: sha1, stream 3: random

After connecting, you send your data on a specific stream number; depending on that stream number, the data gets a specific transform (MD4, MD5, SHA1 or random bytes) and is then echoed back to you.
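To make the per-stream behaviour concrete, here is a small Python model of the server's dispatch (an added example, not code from the challenge binary or from the original write-up): the four transforms keyed by stream number, a menu string matching the banner above, and the range check a dispatcher needs because the stream number is chosen by the peer. Handler names, the table layout and the "md4 unavailable" fallback are assumptions for this example; a real server would read the stream number from the SCTP receive-side ancillary data, which is simplified here to a plain integer argument.

```python
import hashlib
import os


def md4_handler(data: bytes) -> bytes:
    # MD4 only exists when the underlying OpenSSL still ships it (legacy
    # provider in OpenSSL 3); report that instead of crashing the dispatcher.
    try:
        return hashlib.new("md4", data).hexdigest().encode()
    except ValueError:
        return b"md4 unavailable in this OpenSSL build"


def md5_handler(data: bytes) -> bytes:
    return hashlib.md5(data).hexdigest().encode()


def sha1_handler(data: bytes) -> bytes:
    return hashlib.sha1(data).hexdigest().encode()


def random_handler(data: bytes) -> bytes:
    # Echo back as many random bytes as the request carried.
    return os.urandom(len(data))


# Assumed handler table, indexed by SCTP stream number in the same order as
# the banner "stream 0: md4, stream 1: md5, stream 2: sha1, stream 3: random".
HANDLERS = (md4_handler, md5_handler, sha1_handler, random_handler)


def menu() -> str:
    """Build the banner the client sees right after connecting."""
    return ", ".join(f"stream {i}: {h.__name__[:-len('_handler')]}"
                     for i, h in enumerate(HANDLERS))


def dispatch(stream: int, data: bytes) -> bytes:
    """Apply the transform registered for `stream` to `data`.

    The stream number is supplied by the remote peer, so it is untrusted
    input: reject anything outside the table before it is used as an index.
    In Python a negative index silently wraps to the end of the tuple; in C
    it would read memory before the table, so the lower bound matters too.
    """
    if not 0 <= stream < len(HANDLERS):
        raise ValueError(
            f"stream {stream} has no handler (valid: 0-{len(HANDLERS) - 1})")
    return HANDLERS[stream](data)


if __name__ == "__main__":
    print(menu())
    for stream in range(len(HANDLERS)):
        print(stream, dispatch(stream, b"hello"))
    try:
        dispatch(7, b"hello")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it prints the same menu line as the real service, the four transforms of `hello`, and the rejection of stream 7; the check in `dispatch` is the one a handler table indexed by peer-controlled data has to have.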

Let's see how the binary chooses which transform to use based on the stream number.

There is a table constructed on the stack that maps each stream number to its handler:

-0000000000000860 md4_off         dq ?
-0000000000000858 md5_off         dq ?
-0000000000000850 sha1_off        dq ?
-0000000000000848 random_off      dq ?

.text:00000000004015BE                 mov     rax, ds:md4_off
.text:00000000004015C6                 mov     [rbp+md4_off], rax
.text:00000000004015CD                 mov     rax, ds:md5_off
.text:00000000004015D5                 mov     [rbp+md5_off], rax
.text:00000000004015DC                 mov     rax, ds:sha1_off
.text:00000000004015E4                 mov     [rbp+sha1_off], rax
.text:00000000004015EB                 mov     rax, ds:random_off
.text:00000000004015F3                 mov     [rbp+random_off], rax

.rodata:0000000000401960 md4_off         dq offset md4_handler   ; DATA XREF: do_menu+4Er
.rodata:0000000000401968 md5_off         dq offset md5_handler   ; DATA XREF: do_menu+5Dr