It's been a couple of days since I started learning about pwning, I guess it's time to test it by doing some CTF challenges.
the following CTF resources come from https://github.com/tamuctf/TAMUctf-2019
kudos to the author of the GitHub page
We are going to start at the first challenge and the next blog will be second and so on...
Let's run the binary to know what we are dealing with. As you can see it need some input
we are going to dissect the binary using radare2 and when I try to understand the flow of the program I found out that it has three string comparisons using strcmp.
the first two checks are completely straight forward. Our first string (s1) in the first check will be compared against ebx-0x159f and our second string (s1) in the second check will be compared against ebx-0x154d
But the third check is comparing us with hex decimal value (0xdea110c8). So what is var_10h, if we try to compare it with the actual source code you can see that it was a variable "secret" that holds the value of 0.
Now the big question is how do we change the secret variable into 0xdea110c8. This can be done by using buffer overflow, you may notice that the third input is using "gets" c function and according to the man page in Linux, it is not recommended to use it since it will stored character past the buffer causing a buffer overflow.
Now what we know our entry point to buffer overflow let's try to figure out what is the string in first and second check that is going to be compared.
Open again the binary but in debugging mode, put a breakpoint on each of the strcmp call functions and try to analyze the register using ps command.
yea we got the first and second string
let's switch to peda to craft our payload (i prefer to use radare2 when doing reverse engineering)
we need to put the breakpoint at the third check and fill it with some random pattern string so we know where we can put the hex value.
I use https://github.com/ickerwx/pattern tools to generate a random pattern
Once we hit the breakpoint, as you can see the stack of the program is filled with a random pattern. We need to find out what value overflows the var_10h (located at ebp-0x10)
so here is the 4 hex value that overflow var_10h, let's try to convert it into a string. But before you do it, you need to convert to the right order because it's in little-endian.
I use https://github.com/JohnTroony/Scriptology
It looks like we can overflow our var_10h after 43 bytes and we can place the hex decimal after that.
To make this more realistic we can map the binary to port so other machines can interact with it. So I put the binary to my virtual machine and run it along with socat.
I create bash script that looks like this and just runs it:
#!/bin/bash
echo "port 4321 is open"
su -c "exec socat TCP-LISTEN:4321,reuseaddr,fork EXEC:/home/tux/tamuctf/pwn1,stderr" - root;
Now, all we have to do is to create a python script that will overflow the var_10h with the desired value automatically. To do this I use pwntools library to make exploitation easy.
we did it because I don't have the flag.txt It only prints "Right. Off you go" when you successfully finish the challenge
Comments
Post a Comment