Tuesday, April 26, 2011

pCTF 2011 #26 Hashcalc2

Challenge #26 "Hashcalc2" was very similar to Hashcalc1.

Again, a good write-up is already available on sleepya's blog. He made an exploit bypassing any ASLR/NX using ROP.

Again since NX was not enabled, I used a similar exploitation with a few adjustements.

Context

26 - hashcalc2 - 300 pts

Description
Category: pwnables

Download

nc a9.amalgamated.biz 10241
download file

Analysis

Quickly reverse it and notice the following differences with hashcalc1:
  • it no longer uses sockets
  • hash calculation no longer relies on libc's strlen() and uses its own version (repne scasb), so we cannot overwrite its GOT
And that's all!

No worries for strlen(), we just find the next libc function being called: it's vsprintf(), called when the program formats the message with the hash for the user. Its address in the GOT is 0x08049108.

By the way, this time no need for a socket reuse: we can directly use a /bin/sh shellcode because server normally runs with its stdin/stdout, network functionality being assured by a superserver like inetd. By the way if you just want to run the binary locally you do not need to install and configure inetd. You can merely use socat:
$ socat TCP-LISTEN:10241,reuseaddr,fork EXEC:./bin

Exploitation

So the only difference with hashcalc1 lies in the address: vsprintf's GOT instead of strlen's. However, a small difficulty: we cannot use 2 write2 to modify vsprintf's GOT because the second write would be at address 0x08049108+2=0x0804910a, and 0a=\n breaks our input buffer :(

A simple solution is to use three writes: a write1 (%hhn) at 0x08049108, a write2 (%hn) at 0x08049109 and another write1 (%hhn) at 0x0804910b. This way, we skip the 0a! :)

Full exploit here: colored syntax or plain .py

Just run it with nc for the network part, and cat to keep stdin opened:
$ { python exploit.py; cat; } | nc a9.amalgamated.biz 10241
** Welcome to the online hash calculator **
$ id
uid=1008(hashcalc2) gid=1009(hashcalc2) groups=1009(hashcalc2)
Again, quick & reliable, but remember that this exploit would not have worked if NX had been present, unlike sleepya's and surely others.
Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)