Monday, September 23, 2013

CSAW 2013 Exploit 100

Credit to Ryan

For this challenge we are given two files, exploit1 and exploit1.c (a code snippet from the program). The exploit1.c snippet is as follows:
[snip]

void handle(int newsock) {
        int backdoor = 0;           /* flag that gates the key-printing branch */
        char buffer[1016];          /* 1016 bytes allocated on the stack */
        memset(buffer, 0, 1016);

        send(newsock, "Welcome to CSAW CTF.", 21, 0);
        recv(newsock, buffer, 1020, 0);   /* reads up to 1020 bytes: 4 past the end of buffer */
        buffer[1015] = 0;

        if ( backdoor ) {           /* only reachable if backdoor was changed from 0 */
               fd = fopen("./key", "r");   /* fd is declared in the part of the program the snippet omits */
               fscanf(fd, "%s\n", buffer);
               send(newsock, buffer, 512, 0);
        }
        close(newsock);
}

[snip]

From the code snippet we can clearly tell the program allocates 1016 bytes for the buffer but reads in 1020 bytes. This can be confirmed in IDA Pro:

As the screenshot from IDA Pro shows, the code will read in four more bytes than what is allocated for buf. This will cause the program to overwrite the values in var_D and var_C. The diagram of the stack is as follows:

To make the program print the key we need to make the value of var_C (the backdoor flag) non-zero. To do this we simply need to give the program an input string that is at least 1020 bytes long. The last four bytes land on var_C, overwriting it with a non-zero value and forcing the program to run the logic that prints the key.
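The overflow and its fix, modelled in C as an added example that is not code from the original post or the challenge binary: the frame struct is a constructed stand-in for the stack layout the diagram describes, and run_vulnerable/run_fixed are hypothetical helpers that feed a constructed input of a given length.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of handle()'s frame: the 1016-byte buffer sits directly
   below the backdoor flag, as in the writeup's stack diagram. This is a
   stand-in for the real stack, not the binary's actual layout. */
struct frame {
    char buffer[1016];
    int backdoor;
};

/* Vulnerable behaviour: accepts up to 1020 bytes into a 1016-byte buffer,
   the same length mismatch as recv(newsock, buffer, 1020, 0).
   Bytes 1016..1019 of the input spill into backdoor. Returns backdoor. */
int vulnerable_recv(const unsigned char *in, size_t in_len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t n = in_len < 1020 ? in_len : 1020;
    memcpy(&f, in, n);          /* writes past buffer into backdoor when n > 1016 */
    f.buffer[1015] = 0;
    return f.backdoor;
}

/* Fixed behaviour: never read more than sizeof(buffer) - 1 bytes, leaving
   room for the terminator, so the input can never reach backdoor. */
int fixed_recv(const unsigned char *in, size_t in_len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t cap = sizeof f.buffer - 1;
    size_t n = in_len < cap ? in_len : cap;
    memcpy(f.buffer, in, n);
    f.buffer[n] = 0;
    return f.backdoor;
}

/* Hypothetical helpers: build a constructed input of len 'A' bytes and
   report the resulting backdoor value for each version. */
int run_vulnerable(size_t len) {
    unsigned char *in = malloc(len);
    memset(in, 'A', len);
    int r = vulnerable_recv(in, len);
    free(in);
    return r;
}

int run_fixed(size_t len) {
    unsigned char *in = malloc(len);
    memset(in, 'A', len);
    int r = fixed_recv(in, len);
    free(in);
    return r;
}
```

With a 1020-byte input the vulnerable version returns 0x41414141 (the four overflowing 'A' bytes) while the fixed version still returns 0; a 1016-byte input leaves both at 0.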

We've lost the key since yesterday, will edit if we find it
