This is a continuation of the Reversing 300 challenge. The goal is to read the flag file, but the binary has a protection: if the filename contains the character 'f', the request is considered invalid. The invalid character 'f' used for this comparison is stored in .bss memory, hence writable.
There were a few bugs in this binary:

[*] Buffer overflow in the password handling function @ 0x040159B. The input buffer is copied onto the stack until a space character is reached:
    password_sz = strlen(pass_command);
    /* Copies until a space or until password_sz bytes are consumed; nothing
       limits i to the size of the fixed stack buffer command[]. */
    for ( i = 0; *pass_command != ' ' && password_sz-1 >= i; ++i ) {
        c = pass_command++;
        command[i] = *c;
    }
    USER blankwall
    Please send password for user blankwall
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    login with USER PASS
    [0x4017c5] __stack_chk_fail(4, 0x403086, 21, -1*** stack smashing detected ***: ./ftp_0319deb1c1c033af28613c57da686aa7 terminated
    <no return ...>
    [pid 34300] [0x7ffff7a4bcc9] --- SIGABRT (Aborted) ---
    [pid 34300] [0xffffffffffffffff] +++ killed by SIGABRT +++

[*] Buffer overflow in the command handling function @ 0x00402673, the same pattern as in the password handling function:
    memset(command, 0, 128);
    command_sz = strlen(command_string);
    /* Same unbounded copy: i is limited by the input length, not by the 128-byte buffer. */
    for ( i = 0; *command_string != ' ' && command_sz-1 >= i; ++i ) {
        c = command_string++;
        command[i] = *c;
    }

[*] Arbitrary NUL write when handling the STOR command @ 0x00401DF9. The number of bytes received is not checked and is used as the index for string termination:
    while (1) {                           /* loop exit condition omitted in this excerpt */
        bytes_read = recv(socket, file_information, 10, 0);
        total_size += bytes_read;
    }
    file_information[total_size] = 0;     /* total_size is never compared against the buffer size */

The file_information buffer lies right before the invalid character byte in .bss, so this NUL write can be used to clear the invalid character byte.
    .bss:0000000000604408 invalid_character dd ?
    RAX: 0x208
    => 0x401ee0: mov BYTE PTR [rax+0x604200],0x0
    gdb-peda$ x/x 0x604200+0x208
    0x604408: 0x0000000000000066

[*] The file_information buffer is used in a couple of other functions, such as LIST and RETR, which could also overwrite the invalid character byte:
    Direction Type Address          Text
    --------- ---- ---------------- ----
    Down      o    LIST:loc_401BAD  mov [rbp+s], offset file_information
    Down      o    LIST+26F         mov esi, offset file_information
    Down      o    STOR+8F          mov esi, offset file_information; buf
    Down      w    STOR+E7          mov ds:file_information[rax], 0
    Down      o    RETR+134         mov edi, offset file_information; ptr
    Down      o    RETR+158         lea rsi, file_information[rax]; buf

The flag for the challenge is flag{exploiting_ftp_servers_in_2015}
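For comparison, here are bounds-checked versions of the two loops quoted above (the "copy until space" used by the password and command handlers, and the STOR receive loop). This is an added example, not code from the challenge binary or the original writeup: recv() is replaced by a callback over a constructed in-memory payload, the 128-byte command size comes from the memset in the command handler, and the 0x208-byte file_information size is an assumption taken from the gdb output.

```c
#include <string.h>
#include <stddef.h>
#include <sys/types.h>
#define COMMAND_SZ   128    /* stack buffer size in the original command handler (memset(command, 0, 128)) */
#define FILE_INFO_SZ 0x208  /* assumed: gap from file_information to invalid_character (0x604408 - 0x604200) */

/* Hardened "copy until space": rejects a token that does not fit instead of smashing the stack. */
int copy_token(char *out, size_t out_sz, const char *in) {
    size_t i;
    memset(out, 0, out_sz);
    for (i = 0; in[i] != '\0' && in[i] != ' '; i++) {
        if (i + 1 >= out_sz)      /* keep one byte for the terminator */
            return -1;
        out[i] = in[i];
    }
    return 0;                     /* out is NUL-terminated by the memset */
}

/* recv()-like callback so the example runs without a socket. */
typedef ssize_t (*read_fn)(void *ctx, char *dst, size_t len);

/* Hardened STOR loop: total is bounded before every read, so the terminating NUL
 * can never land past buf (in the original, onto invalid_character). */
ssize_t store_file(char *buf, size_t buf_sz, read_fn rd, void *ctx) {
    size_t total = 0;
    while (total < buf_sz - 1) {
        size_t want = buf_sz - 1 - total;
        if (want > 10) want = 10; /* original reads 10 bytes per recv() */
        ssize_t n = rd(ctx, buf + total, want);
        if (n < 0) return -1;
        if (n == 0) break;        /* peer closed the data connection */
        total += (size_t)n;
    }
    buf[total] = '\0';            /* total <= buf_sz - 1 by construction */
    return (ssize_t)total;
}

/* In-memory stand-in for a client that keeps sending until its payload is drained. */
struct mem_src { const char *data; size_t len, off; };
static ssize_t mem_read(void *ctx, char *dst, size_t len) {
    struct mem_src *s = ctx;
    size_t n = s->len - s->off;
    if (n > len) n = len;
    memcpy(dst, s->data + s->off, n);
    s->off += n;
    return (ssize_t)n;
}

/* Feeds a constructed payload through store_file(); returns bytes stored. */
ssize_t demo_store(const char *payload, size_t payload_len, char *buf, size_t buf_sz) {
    struct mem_src src = { payload, payload_len, 0 };
    return store_file(buf, buf_sz, mem_read, &src);
}
```

With these checks the 140-byte password from the crash above is rejected before the copy and an oversized STOR body is truncated, with the terminator always landing inside file_information.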