Credit to Ryan
The first thing we did for this challenge was to look at the program headers:
From the headers we can see that the stack is given read, write, and execute
permission. Therefore, assuming the stack has enough space and we can overflow
the buffer, we should be able to place and execute shellcode on the stack. By
looking at the assembly in IDA Pro we discovered that the executable does not
contain linking information. Rather than finding the function that reads in
user input, we found the length to the return address through trial and error.
The input length to the return address is 417 bytes, as shown in the
screenshot below.
Now that we have control of EIP, we need to return to our shellcode. Luckily,
upon further inspection of the stack addresses, we noticed that the stack is
using memory addresses from the executable. This means the STACK ADDRESSES ARE STATIC.
From here we wrote a script to send the shellcode that opens a bind shell on
the remote server, connect to the server, and cat the key.
Flag = key{And_all_I_got_was_this_stupid_key}
Link to solution code: https://github.com/IAryan/CTFSolutions/tree/master/CSAW/2013/Exploit_400