Fl0ppy - CODEGATE 2016 CTF Preliminary - pwnable 315pts

you0708@YOKARO-MON

I have 23 floppy disks for redhat 5.2!

nc 175.119.158.134 5559

Analysis

Surface Analysis

• file
  • ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)

• checksec
  • CANARY : disabled
  • FORTIFY : disabled
  • NX : ENABLED
  • PIE : ENABLED
  • RELRO : disabled

Runtime Analysis

$ nc 175.119.158.134 5559
====================================================================
1. Choose floppy
2. Write
3. Read
4. Modify
5. Exit
>

Runtime Analysis

• There are 2 floppy devices

• We have to choose which device to use

• We can write / read / modify data & its description

Static Analysis

• Reverse engineering using IDA

• There is a structure to manage floppy devices

• Struct used for floppy data management

Offset  Size  Name
0x00    4     flag_usable
0x04    4     *data
0x08    12    description
0x14    4     data_len


Static Analysis

• Stack variables in main function

Vulnerability

• Modify command

1. Check flag_usable

2. Choose “data” or “description”

3. Input new data (max 0x200 bytes)

4. Overwrite “data” or “description”
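The modify path above, rewritten as an added C example (this is not the challenge binary's code): a bounded version of the modify command that refuses an oversized request instead of letting it run past the 12-byte description into data_len and the neighbouring struct. The struct follows the offset table in the slides; the C declaration, the function names, the error codes and the reading of data_len as the capacity of the buffer behind *data are assumptions. The terminator it writes after the description also closes the read-past-field leak that the later slides use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the challenge binary. Field names and order
 * follow the offset table recovered in the slides; the C declaration, the
 * function names and the error codes are assumptions. On the 32-bit target
 * the fields sit at 0x00, 0x04, 0x08 and 0x14; on a 64-bit host the pointer
 * is wider, so the exact offsets differ here. */
struct floppy {
    uint32_t flag_usable;
    char    *data;
    char     description[12];
    uint32_t data_len;   /* assumed: capacity of the buffer behind `data` */
};

enum floppy_field { FIELD_DATA, FIELD_DESCRIPTION };

/* Bounded replacement for the modify command. The slides describe reading up
 * to 0x200 bytes and copying them over the chosen field, which runs past a
 * 12-byte description into data_len and the struct next to it. Here the copy
 * is bounded by the destination: an oversized request is refused and nothing
 * is written. Returns 0 on success, -1 on a rejected request. */
int floppy_modify(struct floppy *fp, enum floppy_field field,
                  const char *src, size_t src_len)
{
    if (fp == NULL || src == NULL)
        return -1;
    if (!fp->flag_usable)          /* step 1 of the slides: usable check */
        return -1;

    switch (field) {
    case FIELD_DESCRIPTION:
        /* keep room for a terminator so a later read stops inside the field
         * instead of running on into data_len and the stack beyond it */
        if (src_len >= sizeof fp->description)
            return -1;
        memcpy(fp->description, src, src_len);
        fp->description[src_len] = '\0';
        return 0;
    case FIELD_DATA:
        if (fp->data == NULL || src_len > fp->data_len)
            return -1;
        memcpy(fp->data, src, src_len);
        return 0;
    default:
        return -1;
    }
}

/* Two adjacent structs, as on the challenge stack, and a constructed
 * 0x200-byte input aimed at the first description. Returns 1 if the request
 * was refused and the neighbouring struct is unchanged field by field, else 0. */
int demo_oversized_description_refused(void)
{
    char buf1[64], buf2[64];
    struct floppy disks[2] = {
        { 1, buf1, "disk one", sizeof buf1 },
        { 1, buf2, "disk two", sizeof buf2 },
    };
    char big[0x200];
    memset(big, 'A', sizeof big);   /* constructed oversized input */

    int rc = floppy_modify(&disks[0], FIELD_DESCRIPTION, big, sizeof big);
    return rc == -1
        && strcmp(disks[0].description, "disk one") == 0
        && disks[1].flag_usable == 1
        && disks[1].data == buf2
        && strcmp(disks[1].description, "disk two") == 0
        && disks[1].data_len == sizeof buf2;
}

/* In-bounds writes still work, a write one byte past data_len is refused,
 * and a disk with flag_usable == 0 is refused. Returns 1 when every check holds. */
int demo_valid_writes(void)
{
    char buf[8];
    struct floppy fd = { 1, buf, "old", sizeof buf };

    int ok = floppy_modify(&fd, FIELD_DESCRIPTION, "hello", 5) == 0
          && strcmp(fd.description, "hello") == 0
          && floppy_modify(&fd, FIELD_DATA, "12345678", 8) == 0
          && memcmp(buf, "12345678", 8) == 0
          && floppy_modify(&fd, FIELD_DATA, "123456789", 9) == -1;
    fd.flag_usable = 0;
    return ok && floppy_modify(&fd, FIELD_DESCRIPTION, "x", 1) == -1;
}

int main(void)
{
    printf("oversized description refused: %s\n",
           demo_oversized_description_refused() ? "yes" : "NO");
    printf("valid writes accepted:         %s\n",
           demo_valid_writes() ? "yes" : "NO");
    return 0;
}
```

Refusing rather than truncating is a deliberate choice: a silently truncated description is still well-formed, but a caller that asked for more than 11 bytes has already misjudged the field, and a hard error surfaces that in testing.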

Vulnerability

• You can do buffer-overflow as below

[Diagram: stack layout with labels Floppy2 (flag_usable, *data, description, data_len), Current floppy, Floppy1 (flag_usable, *data, description, data_len), and a long run of "A" bytes illustrating the overflow]

Vulnerability

• Or

[Diagram: the same stack layout (Floppy2, Current floppy, Floppy1, each with flag_usable, *data, description, data_len) with a long run of "A" bytes illustrating the other overflow]

Exploit

Memory Leak: Floppy

• Use modify and read command

[Diagram: stack layout Floppy2 (flag_usable, *data, description, data_len), Current floppy, Floppy1 (flag_usable, *data, description, data_len); "A" * 16 written into Floppy1, followed by Current floppy]

You can read address of Floppy1 by reading description of Floppy1

Memory Leak: Any Data

• Use modify and read command

[Diagram: stack layout Floppy2 (flag_usable, *data, description, data_len), Current floppy, Floppy1 (flag_usable, *data, description, data_len); "A" * 20 followed by "Any address"]

You can read any data by reading data of Floppy1

Exploitation Process

1. Leak address of floppy structs

2. Leak image base of the program

• It can be leaked from start function address on stack

3. Leak address of libc functions

• puts, __libc_start_main

4. Calc address of “system”

5. Overwrite return address to “system”

6. Got shell

Libc Identifying

• Identify libc file from the distance between 2 functions, but libcdb.com doesn’t work well…

• __libc_start_main = 0xf75c2650

• puts = 0xf760bcd0

• It can be found using https://github.com/niklasb/libc-database

• It also doesn’t work well… But I could find

0x26fe0


Calling system function

• Use modify and read command

[Diagram: stack layout Floppy2 (flag_usable, *data, description, data_len), Current floppy, Return address, Floppy2 (flag_usable, *data, description, data_len)]

[Diagram: the same layout with "/bin/sh" in Floppy2.data; Return address labelled RET gadget, system, Floppy2.data; Floppy2 (flag_usable, *data, description, data_len); a run of "A" bytes labelled Optional]

$ python floppy.py
[*] initialized floppy 1
[*] initialized floppy 2
[*] got floppy 1 *data address: 0xffb1623c
[*] got floppy 2 *data address: 0xffb16224
[*] try to leak start function address from 0xffb16264
[*] got start function address: 0x56640a10
[*] got image base: 0x56640000
[*] got puts address: 0xf760bcd0
[*] got __libc_start_main address: 0xf75c2650
[*] got system address: 0xf75e4cf0
[*] wrote "/bin/sh" to 0x581ec210
[*] got shell
===========================================================================

cd /home/fl0ppy
ls
1e77461abb8c903ded93de4573d55c2e_flag
fl0ppy
cat 1e77461abb8c903ded93de4573d55c2e_flag
Have_you_ever_seen_floppy_disk_kid?

Thank you!