Category Archives: CTF

ROP Primer Level1

Hey guys!

Here’s my try at Level1 from Bas’ ROP-Primer box.
You can download it on http://www.vulnhub.com. They also have great educational materials related to infosec.

It’s a remote service that is a simple file storage system. It has a handle_conn() function that is vulnerable to an overflow.

I’ve made a two-stage exploit that reads in input, the command we want to execute, then stack-pivots to the vulnerable function. After that we send our second stage, which executes system() with our previously sent command.
In order to build this exploit I used PEDA, a good plugin for GDB, especially for exploit development. But you could also use ropshell.com or the Python version.

So with this exploit we can easily execute any command under the owners privileges.

I think the directory ‘/home/level1’ on the remote machine is supposed to have the privileges ‘rwxrwx--x’, so we have to manually change it, otherwise we cannot execute anything.
I think he has fixed this issue in version 0.2 on Vulnhub.

Since the netcat version installed on the box is the openbsd version, we do not have the “-e” option.
Because of this, we have to pipe the flag into netcat and let it listen for any incoming connections.
Then we just connect with our machine and redirect the output into a file.

The command we execute is ‘cat flag |nc -l 9191’

Then, on our own machine, we execute ‘nc XX.XX.XX.XX 9191 > flag’

My exploit code does this automatically so you don’t have to change anything, except the IP of the remote machine.

I’ve thoroughly commented the code, so with some experience you should be able to understand what’s happening.
If you don’t have any experience, I would recommend this Primer on return-oriented programming. Otherwise you can always read Corelan’s tutorials on his webpage.

The Exploit code itself is here.

I created a page where I recommend some books which will give you a good introduction to software security, so you can also have a look at that if you want to.

Cheers!
Carl Smith

Dragon write-up

I will go through all steps needed to exploit the dragon challenge on pwnable.kr.

This is a remote challenge, so first we need the provided binary for analysis.

After downloading, we check the file type and run it a couple of times.
We also let it create a core dump if it crashes.

After some manual fuzzing we get the desired result: a crash. This looks like we got control.
So let’s open up GDB and check where we would’ve returned.
Don’t forget to load the core.
And look closely…

So upon closer examination we see that our return address consists of our last input.
AAAA = 0x41414141 (when thinking in hex)

Now we’ve got control over EIP, but what can we do with it?
We can’t do ret2stack because we just control EIP and nothing valuable would be there.
ROP is not possible because we can’t fake stack frames.
Writing to .dtors or the GOT is not an option either…

Well then, let’s see if we can reuse code of the binary.
Let’s check for the symbols in the binary.

Ah, at the end we see the magic call “system()”.
So, the last thing we need is a string to “/bin/sh”.
Let’s check the binary in GDB for the call “system()”.

We see a call to a strange “SecretLevel”, so let us check that.

Wow, there is the system() call.
And just above the system() call something is moved to the stack…
I wonder what that could be…

Jackpot. This is our return address:

RET = 0x08048dbf

So now we’re going to develop our exploit code in Python…

Finally test the exploit code and launch it against pwnable.kr’s server.
Don’t forget “cat” to keep our freshly spawned shell alive.

Woohoo, so our exploit works perfectly :-)

Let’s launch it against their server and get that flag!

This will spawn the desired shell, so you’re able to view the flag :-)

I hope you liked this write-up!
A pretty simple challenge from pwnable.kr, which gives you 75 pts.
Feel free to write a comment or even contact me if you want to talk about security related stuff.

Carl Smith