Yesterday and today I took part in 20170701_SECUINSIDECTF. There were many difficult problems, and some I could not solve.
Fortunately, I solved two problems, OHCE and SNAKE. My solutions are written below.
OHCE is a stack-based overflow challenge. The program works as follows:
– First it prints a menu, and I can choose 1. echo, 2. reverse echo, 3. exit
– If I choose 1, I can type something, and it is echoed back
– If I choose 2, I can type something, and the reversed string is returned
– If I choose 3, the program exits
Let's analyze it. The binary doesn't have any protections.
Next, I kept running it for several minutes and found a null-byte termination vulnerability.
If I input 31+32*n characters in echo mode, the data following the buffer is leaked. And when I input the same thing in reverse echo mode, the program crashes.
What happened? The picture below shows the stack when 31+32*n characters are input.
(Unfortunately, in this picture the data at 0x7fffffffdae0 is 00, so the leak doesn't occur...)
Then in reverse echo mode, because of the null-byte termination vulnerability, I can overwrite the next address.
Finally, the overwritten address becomes rsp at [0x400268 mov rsp,rbp], so I can control rip.
Exploitation is as follows:
– First, leak a stack address by writing 31 characters in echo mode
– Next, write many characters plus the stack address that jumps to the shellcode (address in the red rectangle) in echo mode
– Write the shellcode plus the stack address that jumps to the address below (address in the light blue rectangle) in reverse echo mode
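The null-byte termination bug from the OHCE analysis, modelled as an added C illustration (this is my own code, not the challenge binary): a 32-byte echo buffer followed by constructed "adjacent" data in one flat array, the unterminated echo that leaks that data, the in-place reverse that writes input bytes over it, and the hardened echo that always reserves a byte for the terminator.

```c
/* Added illustration of the null-termination bug described in the OHCE write-up.
 * Not the challenge's code: BUF_SZ is assumed from the 31+32*n pattern and the
 * adjacent region is constructed to stand in for the data after the buffer. */
#include <stddef.h>
#include <string.h>

#define BUF_SZ 32                     /* assumed echo buffer size */
#define ADJ_SZ 8                      /* constructed: data right after the buffer */
#define FRAME_SZ (BUF_SZ + ADJ_SZ)

/* Build a model "stack frame": zeroed buffer, then adjacent data ending in NUL.
 * `frame` must be FRAME_SZ bytes. */
void make_frame(char *frame, const char *adjacent)
{
    memset(frame, 0, FRAME_SZ);
    strncpy(frame + BUF_SZ, adjacent, ADJ_SZ - 1);   /* final byte stays NUL */
}

/* Vulnerable echo: copies up to BUF_SZ raw bytes and never writes a terminator.
 * Returns the length printf("%s", frame) would emit: once the input fills the
 * buffer, the string runs on into the adjacent data, which is the leak. */
size_t echo_unsafe(char *frame, const char *input, size_t len)
{
    if (len > BUF_SZ) len = BUF_SZ;
    memcpy(frame, input, len);
    return strlen(frame);             /* stays inside the frame array */
}

/* Vulnerable reverse echo: reverses in place over the unterminated string, so
 * leaked adjacent bytes move into the buffer and input bytes overwrite the
 * adjacent data (the overwritten saved address in the write-up). */
void reverse_unsafe(char *frame)
{
    size_t n = strlen(frame);
    for (size_t i = 0; i < n / 2; i++) {
        char t = frame[i];
        frame[i] = frame[n - 1 - i];
        frame[n - 1 - i] = t;
    }
}

/* Hardened echo: keep one byte for the terminator and always write it, so the
 * echoed string can never extend past the buffer and reverse cannot overrun. */
size_t echo_safe(char *frame, const char *input, size_t len)
{
    if (len > BUF_SZ - 1) len = BUF_SZ - 1;
    memcpy(frame, input, len);
    frame[len] = '\0';
    return strlen(frame);
}
```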
SNAKE is an old-style snake game program.
After several hours of investigation, I worked out that the algorithm is as follows (the function names were chosen by me).
The program computes enc_flag and XORs it with other data in the clear_game function.
At first I tried to write a script to produce that data, but I couldn't. So I changed direction as follows:
– I patched the program to return true at the if(judge_goal) statement.
– I patched the program not to change time_duration.
Then I ran it, and after several minutes I got the flag. (You must keep the snake from crashing into the wall until you get the flag.)