Monday, September 23, 2013

CSAW 2013 Exploit 400

Credit to Ryan

The first thing we did for this challenge was to look at the program headers:

From the headers we can see that the stack is given read, write, and execute permission therefore assuming the stack has enough space and we can overflow the buffer we should be able to place and execute shell code on the stack. By looking at the assembly in IDA pro we discovered that the executable does not contain linking information. Rather than finding the function that reads in user input we found the length to return address through trial and error. The input length to return address is 417 bytes as shown in the screenshot below.

Now that we have control of EIP we need to return to our shell luckily upon further inspection of the stack addresses we noticed that the stack is using memory addresses from the executable. This means the STACK ADDRESSES ARE STATIC. From here we wrote a script to send the shellcode that opens a bind shell on the remote server, connect to the server and cat the key.
Flag = key{And_all_I_got_was_this_stupid_key}

No comments:

Post a Comment