Tuesday, September 24, 2013

CSAW 2013 Exploit 300

Exploit 300 CSAW 2013

Credit to Ryan

The first thing we did for this challenge was to look at the program headers: 



From the headers we can see that the stack is given read, write, and execute permission. Therefore, assuming the stack has enough space and we can overflow the buffer, we should be able to place and execute shellcode on the stack. Looking at the assembly in IDA Pro, we see a few interesting lines.




From the assembly we can also calculate what the stack will look like at run time:



From reverse engineering the assembly, we learned that the program does the following:
  1. Prompt for username and password
  2. Compare the received username and password against “csaw2013” and “S1mplePWD”
  3. Prompt for entry number
  4. Verify that entry number is not zero
  5. Verify the entry number + 1 is less than or equal to 1024
  6. Prompt for diary input (using entry number as the number of bytes to receive)
  7. Create a diary file
  8. Save the input bytes into diary file
  9. Delete the diary file
  10. Return
It appears that the program is reading 1024 bytes into a 1024-byte buffer. However, if we input a negative value for the entry number, we pass the less-than-1024 check and force the program to read in enough bytes to overflow the buffer and change the return address.
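The following C sketch is an added example, not code from the challenge binary or from the original post. It models the entry-number checks from steps 4 and 5 next to a hardened version. The function names, and the assumption that the entry number is a signed `int` later converted to an unsigned `size_t` length, are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 1024

/* Model of steps 4 and 5 as the write-up describes them (hypothetical name).
   Returns 1 when the entry number is accepted. */
int check_original(int entry)
{
    if (entry == 0)
        return 0;
    /* Signed comparison: every negative value satisfies entry + 1 <= 1024.
       Widened to long long so this model itself cannot overflow. */
    if ((long long)entry + 1 > BUF_SIZE)
        return 0;
    return 1;
}

/* Assumption: the accepted value reaches the receive call as an unsigned
   length, so a negative int turns into a very large byte count. */
size_t effective_length(int entry)
{
    return (size_t)entry;
}

/* Hardened check: reject zero and negatives before any conversion and keep
   the same upper bound (entry + 1 <= 1024). */
int check_hardened(int entry, size_t *len_out)
{
    if (entry <= 0 || entry > BUF_SIZE - 1)
        return 0;
    *len_out = (size_t)entry;
    return 1;
}

int main(void)
{
    int samples[] = { 16, 1023, 1024, 0, -1 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0;
        int e = samples[i];
        int ok = check_hardened(e, &len);
        printf("entry=%5d original=%d length=%zu hardened=%d\n",
               e, check_original(e), effective_length(e), ok);
    }
    return 0;
}
```

Parsing the entry number into an unsigned type, or checking both bounds before the value is used as a length, closes the gap that the negative input slips through.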


From here we wrote a script to send the shellcode that opens a bind shell on the remote server, then connected to the server and used cat to read the key.

Flag = signness_oh_what_a_world_we_live_in


