[Plaid 2014] pwnable : tenement & sass
Zero Day 2016.08.27 16:38
These write-ups don't include any exploit code, just how EIP control is obtained.
The given binary 'tenement' is also a stripped x86 ELF file.
zero@ubuntu:~/Desktop/ctf/plaid2014$ file tenement
tenement: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, stripped
The memory protections applied are:
zero@ubuntu:~/Desktop/ctf/plaid2014$ gdb -q ./tenement
Reading symbols from ./tenement...(no debugging symbols found)...done.
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : disabled
But when I just run the binary, the following error appears:
./tenement: error while loading shared libraries: libseccomp.so.2: cannot open shared object file: No such file or directory
The missing-library error is resolved by installing:
- libseccomp : libseccomp2_2.1.0+dfsg-1_i386.deb
- libjansson : libjansson4_2.2.1-1_386.deb
After installing both, we see the following message when trying to run it.
Does it mean a 'CONFIG' file is needed?
After some inspection, I found out about CONFIG and a kind of AUTH.
First, it loads a CONFIG file, which has to be JSON.
Second, it parses two elements: the string value of 'key' and the integer value of 'addrs'.
In particular, the 'addrs' value is used in the mmap() call that allocates memory (size 0x4000).
And from the above we can see the flag format: pppp:'flag'.
Then all we have to do is write a shellcode that searches memory for 'pppp'.
There is a stack overflow bug at 0x8048dc1, found easily enough.
We get to write 128 bytes from stdin.
The final exploit is:
1. Write a shellcode that searches memory for 'pppp'. Of course it has to be smaller than 128 bytes, and since NX is disabled it can execute directly from the stack.
-> The reason for searching for 'pppp' is that the flag sits right after the 'pppp' string in memory.
2. Send it.
------------ The remaining steps are skipped because I don't know the exact server environment.
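As an added example (not code from the original post), here is the "find 'pppp' in memory" step written as a plain userland C program instead of shellcode: it probes each page before reading it, so unmapped holes are skipped instead of crashing the process, and on a hit it copies out whatever follows the egg. The region size 0x4000, the egg 'pppp' and the pppp:'flag' layout come from the write-up; the planted flag string, the hole layout and the pipe-based readability probe are constructed for this demo. A real shellcode does the same with raw syscalls (access() or sigaction() are the usual probes) and must not contain the egg bytes itself, which is why the egg below is assembled at runtime rather than written as a string literal.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define EGG_LEN     4
#define REGION_SIZE 0x4000   /* mmap() size the write-up reports for tenement */

/* Readability probe: copy_from_user() fails with EFAULT on an unmapped (or
 * PROT_NONE) page, so write()ing the page into a pipe tells us whether we may
 * read it without faulting. Shellcode egghunters use the same trick with a
 * bare access() or sigaction() syscall. */
static int page_readable(int pipefd[2], const void *p, size_t len)
{
    ssize_t n = write(pipefd[1], p, len);
    if (n < 0)
        return 0;                       /* EFAULT: nothing mapped here */
    char drain[4096];
    while (n > 0) {                     /* empty the pipe for the next probe */
        size_t want = (size_t)n < sizeof drain ? (size_t)n : sizeof drain;
        ssize_t r = read(pipefd[0], drain, want);
        if (r <= 0)
            break;
        n -= r;
    }
    return 1;
}

/* Scan [lo, hi) one page at a time for the egg. On a hit, copy the NUL-terminated
 * text that follows it (the pppp:<flag> layout) into out without leaving the page
 * the egg was found on. Returns the egg's address, or NULL if not found.
 * Limitation shared with simple egghunters: an egg straddling two pages is missed. */
const char *hunt_egg(uintptr_t lo, uintptr_t hi, const char egg[EGG_LEN],
                     char *out, size_t out_len)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return NULL;
    uintptr_t psz = (uintptr_t)sysconf(_SC_PAGESIZE);
    const char *found = NULL;
    for (uintptr_t page = lo & ~(psz - 1); page < hi && !found; page += psz) {
        const char *p = (const char *)page;
        if (!page_readable(pipefd, p, psz))
            continue;                   /* skip the hole instead of crashing */
        for (uintptr_t i = 0; i + EGG_LEN <= psz; i++)
            if (memcmp(p + i, egg, EGG_LEN) == 0) {
                found = p + i;
                break;
            }
    }
    close(pipefd[0]);
    close(pipefd[1]);
    if (found && out && out_len) {
        const char *s = found + EGG_LEN;
        const char *page_end = (const char *)(((uintptr_t)found & ~(psz - 1)) + psz);
        size_t n = 0;
        while (n + 1 < out_len && s + n < page_end && s[n] != '\0') {
            out[n] = s[n];
            n++;
        }
        out[n] = '\0';
    }
    return found;
}

/* Self-contained demo with constructed data: map 2*REGION_SIZE, unmap the first
 * half so there is a guaranteed hole in front of the target, plant a fake
 * pppp:<flag> string, and hunt across hole + region. Returns 1 on success. */
int demo_hunt(char *out, size_t out_len)
{
    char egg[EGG_LEN] = { 'p', 'p', 'p', 'p' };   /* built at runtime, not a literal */
    char *base = mmap(NULL, 2 * REGION_SIZE, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return 0;
    if (munmap(base, REGION_SIZE) != 0)          /* hole: [base, base + REGION_SIZE) */
        return 0;
    char *region = base + REGION_SIZE;
    const char *planted = "pppp:PCTF{constructed_sample_flag}";  /* constructed, not the real flag */
    memcpy(region + 0x1234, planted, strlen(planted) + 1);

    const char *hit = hunt_egg((uintptr_t)base, (uintptr_t)region + REGION_SIZE,
                               egg, out, out_len);
    int ok = (hit == region + 0x1234);
    munmap(region, REGION_SIZE);
    return ok;
}

int main(void)
{
    char after[64];
    if (demo_hunt(after, sizeof after))
        printf("egg found; text after it: %s\n", after);   /* :PCTF{constructed_sample_flag} */
    else
        puts("egg not found");
    return 0;
}
```

The search range in the demo is deliberately limited to the hole plus the planted region; scanning the whole address space the way the real shellcode must would also hit the egg bytes inside the hunter's own code unless they are compared against a value built at runtime, as done above.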
The given file is an x86 ELF binary; file reports it as a shared object because it is PIE.
zero@ubuntu:~/Desktop/ctf/plaid2014$ file ./sass
./sass: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, not stripped
The memory protections applied are:
zero@ubuntu:~/Desktop/ctf/plaid2014$ gdb -q ./sass
Reading symbols from ./sass...(no debugging symbols found)...done.
CANARY : disabled
FORTIFY : ENABLED
NX : ENABLED
PIE : ENABLED
RELRO : Partial
PIE, NX and FORTIFY are enabled, but there is no canary. ASLR is also fully enabled in my environment.
This binary has only two functions, main() and read_numbers().
It reads numbers from stdin with read_numbers(), sorts them with qsort() (quick sort), and prints them all.
read_numbers() really does just read numbers; if a number is in hex format, it is converted to decimal.
The problem is... I think there is no leak vector. As far as I know, no specific libc version is given either.
This suggests the challenge was meant to be solved in the server's own environment, where ASLR might be partially(?) disabled.
Anyway, let's find an exploit vector to overwrite the return address with system(), for ROP or return-to-libc, etc.
Then I found a buffer overflow around the 40th input and controlled EIP successfully.
But my environment (Ubuntu 16.04) has full ASLR, and I can't find any leak vector in the binary.
This means the exploit cannot proceed unless ASLR is disabled. (I could disable ASLR, but I didn't, out of laziness :) )
Note that with ASLR disabled the PIE base is fixed across runs just like the libc base, so no brute force is needed; it is only with ASLR on that PIE randomizes the binary's own base on every run as well.
Anyway, after disabling ASLR, return-to-libc works. Try it yourself!
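As an added example (not the challenge binary's code, which is not reproduced here), this is a reconstruction of the read_numbers() pattern described above, placed next to a bounded version. The capacity of 40 is an assumption taken from where the write-up says the overflow shows up; the token format, the hex-or-decimal parsing and the fixed stack array are the pattern, not the binary's actual code. The bounded reader also uses a qsort() comparator that cannot overflow, which the naive `x - y` one can.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NUMBERS 40   /* assumed capacity: the write-up reports the overflow around the 40th input */

/* Parse one token as decimal or 0x-prefixed hex (optionally signed). The base is
 * chosen explicitly so "017" stays decimal 17 instead of strtol's base-0 octal.
 * Returns 0 on success, -1 on empty input, trailing junk or out-of-range value. */
int parse_number(const char *tok, long *out)
{
    const char *s = tok;
    int base = 10;
    if (*s == '+' || *s == '-')
        s++;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        base = 16;
    char *end;
    errno = 0;
    long v = strtol(tok, &end, base);
    if (end == tok || *end != '\0' || errno == ERANGE)
        return -1;
    *out = v;
    return 0;
}

/* Comparator for qsort(): (x > y) - (x < y) cannot overflow, unlike `return x - y`. */
static int cmp_long(const void *a, const void *b)
{
    long x = *(const long *)a, y = *(const long *)b;
    return (x > y) - (x < y);
}

/* The vulnerable shape (a reconstruction kept as the 'before'; nothing calls it):
 * a fixed stack array filled until EOF with no capacity check, so input number
 * MAX_NUMBERS+1 and onwards overwrite whatever sits above nums[] in the frame,
 * eventually the saved return address. That is the EIP control the write-up reports. */
void read_numbers_unbounded(FILE *in)
{
    long nums[MAX_NUMBERS];
    int n = 0;
    char tok[64];
    while (fscanf(in, "%63s", tok) == 1) {
        long v;
        if (parse_number(tok, &v) == 0)
            nums[n++] = v;                      /* no n < MAX_NUMBERS check */
    }
    qsort(nums, (size_t)n, sizeof nums[0], cmp_long);
    for (int i = 0; i < n; i++)
        printf("%ld\n", nums[i]);
}

/* Bounded version: stop at cap and tell the caller. Returns 0 if everything fit,
 * -1 if some token failed to parse (it is skipped), -2 if input was cut off at cap. */
int read_numbers(FILE *in, long *nums, size_t cap, size_t *count)
{
    size_t n = 0;
    int rc = 0;
    char tok[64];
    while (fscanf(in, "%63s", tok) == 1) {
        long v;
        if (parse_number(tok, &v) != 0) {
            rc = -1;
            continue;
        }
        if (n == cap) {
            rc = -2;
            break;
        }
        nums[n++] = v;
    }
    *count = n;
    return rc;
}

/* Convenience wrapper over an in-memory string: read into nums, sort, report. */
int sort_numbers_from_text(const char *text, long *nums, size_t cap, size_t *count)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in)
        return -3;
    int rc = read_numbers(in, nums, cap, count);
    fclose(in);
    qsort(nums, *count, sizeof nums[0], cmp_long);
    return rc;
}

int main(void)
{
    long nums[MAX_NUMBERS];
    size_t n;
    int rc = sort_numbers_from_text("0x10 7 -3 0xff 42", nums, MAX_NUMBERS, &n);  /* constructed input */
    printf("rc=%d count=%zu:", rc, n);
    for (size_t i = 0; i < n; i++)
        printf(" %ld", nums[i]);
    putchar('\n');                              /* rc=0 count=5: -3 7 16 42 255 */
    return 0;
}
```

With a canary the unbounded version would at least abort before the return address is used; this binary has none, which is why the overflow turns straight into EIP control.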