Defcon CTF Quals 2014 – byhd | zepvn

MAY 18, 2014

Defcon CTF Quals 2014 – byhd By admin

Challenge description:

Who hath lived like hacker's life and refused the normalness must be rewarded with straw, sticks and bricks.

http://services.2014.shallweplayaga.me/byhd_147e0accdae13428910e909704b21b11
byhd_147e0accdae13428910e909704b21b11.2014.shallweplayaga.me

In this challenge we need to connect to a service at byhd_147e0accdae13428910e909704b21b11.2014.shallweplayaga.me:9730. The binary file is given here. The main handler function is at 0x401a15 and can be described by this pseudocode:

sub_401a15():
    Read content of running binary file, store to (char*) binary_buffer
    Read 4 bytes from client, store to (int) N
    if N < 256:
        Read N bytes from client, store to (char*) input_buffer
        Call function at 0x40173b: (char*) new_buffer_1 = sub_40173b(binary_buffer, sizeof(binary_buffer))
        Call function at 0x401f6b: (char*) new_buffer_2 = sub_401f6b(new_buffer_1)
        Call function at 0x402233: sub_402233(new_buffer_2)
        Call function at 0x40185a: (char*) transformed_input_buffer = sub_40185a(new_buffer_2, input_buffer)
        (void*) mem = mmap(0, sizeof(transformed_input_buffer), READ|WRITE|EXEC, 0x22, -1, 0)
        memcpy(mem, transformed_input_buffer, sizeof(transformed_input_buffer))
        (mem)()
        munmap(mem, sizeof(transformed_input_buffer))

Basically the service allows the client to send up to 255 bytes as raw input, then transforms them with the function at 0x40185a before executing the result. So what we can do is send an input_buffer that makes transformed_input_buffer a valid shellcode. We don't need to understand what sub_40173b, sub_401f6b and sub_402233 do: their inputs are all derived from the content of the running binary (which is static), so their output is static regardless of our input. We will try to grab it later on. We use Hopper to decompile the function at 0x40185a, which receives our original input and transforms it. Hopper doesn't do well with loops, so we have to touch up the code a bit; the final code looks like:

function sub_40185a(char* new_buffer_2, char* input_buffer, int size) {
    char* output_buffer = null;
    char next_byte = 0x0;
    int index = 0x0;
    var_44 = 0x0;
    var_56 = 0x0;
    if ((new_buffer_2 != 0x0) && (input_buffer != 0x0) && (size != 0)) {
        var_44 = size * 4;                      // output area is four times the input size
        output_buffer = _malloc(var_44);
        if (output_buffer != 0x0) {
            // loc_4018f5;
            memset(output_buffer, 0x0, var_44);
            // loc_4018f6;
            while (next_byte != -1) {           // sub_40127c signals end of data with -1
                next_byte = (byte) sub_40127c(new_buffer_2, input_buffer);
                if (next_byte != -1) {
                    output_buffer[index] = var_36;
                    index += 1;
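The following is an added example, not code from the write-up or from the challenge binary. It models the two pieces of the handler described above in Python: the length-prefixed request framing of sub_401a15 (4-byte N, accepted only when N < 256, then N bytes) and the pull-until-minus-one loop of sub_40185a. Because new_buffer_2 is derived only from the binary, the transform is a fixed function of the input; the example goes one step beyond the text and shows what that implies, namely that the per-byte mapping can be learned by probing the transform once per byte value and then inverted. The STATIC_TABLE, the byte order of N, the rejection of negative N, and next_byte_model (a hypothetical stand-in for sub_40127c, whose real logic is not on this page) are all assumptions; nothing here is mapped executable or run.

```python
import struct

# Facts taken from the write-up: the handler reads a 4-byte length N, accepts
# only N < 256, reads N bytes, transforms them with sub_40185a (whose helper
# sub_40127c returns bytes until it returns -1) and then executes the result.
MAX_INPUT = 256
SENTINEL = -1

# Constructed stand-in for new_buffer_2. In the service it is derived from the
# binary's own bytes, so it is identical on every connection; here it is an
# invertible byte substitution (7 is odd, so x -> 7x+3 mod 256 is a bijection).
STATIC_TABLE = bytes(((7 * i) + 3) & 0xFF for i in range(256))


def parse_request(raw: bytes):
    """Parse one length-prefixed request the way sub_401a15 does.

    Returns the N-byte payload, or None if the request is malformed.
    Assumption: the 4-byte length is a little-endian signed int (the
    write-up gives the type as int but not the byte order). Negative
    lengths are rejected here as a defensive choice; the page only
    states the N < 256 check.
    """
    if len(raw) < 4:
        return None
    (n,) = struct.unpack("<i", raw[:4])
    if not 0 <= n < MAX_INPUT:
        return None
    payload = raw[4:4 + n]
    if len(payload) != n:          # short read: client sent fewer than N bytes
        return None
    return payload


def next_byte_model(table: bytes, data: bytes, cursor: list) -> int:
    """Hypothetical model of sub_40127c: a stateful byte source that maps one
    input byte per call through the static table and returns -1 when the
    input is exhausted. The real helper's logic is not shown on the page."""
    i = cursor[0]
    if i >= len(data):
        return SENTINEL
    cursor[0] = i + 1
    return table[data[i]]


def transform(table: bytes, data: bytes) -> bytes:
    """Model of the loop in sub_40185a: pull bytes until the -1 sentinel.

    The binary reserves size*4 bytes for the output; this model emits one
    byte per input byte, so a plain bytearray suffices. Nothing is mapped
    RWX or executed here: the transformed bytes are returned for inspection.
    """
    out = bytearray()
    cursor = [0]
    while True:
        b = next_byte_model(table, data, cursor)
        if b == SENTINEL:
            break
        out.append(b)
    return bytes(out)


def recover_inverse(table: bytes) -> dict:
    """Treat transform() as a black box and learn its byte mapping by probing
    each of the 256 single-byte inputs once. This works only because the
    mapping depends solely on static data, as the write-up observes."""
    inverse = {}
    for x in range(256):
        out = transform(table, bytes([x]))
        inverse[out[0]] = x
    if len(inverse) != 256:
        raise ValueError("transform is not a byte bijection; per-byte inversion does not apply")
    return inverse


def preimage(table: bytes, target: bytes) -> bytes:
    """Return the input whose transform() equals `target`."""
    inverse = recover_inverse(table)
    return bytes(inverse[t] for t in target)


if __name__ == "__main__":
    request = struct.pack("<i", 5) + b"hello"        # constructed request
    body = parse_request(request)
    print("payload:", body, "-> transformed:", transform(STATIC_TABLE, body).hex())
    wanted = b"\x00\x41\xff"                         # constructed target bytes
    print("preimage of", wanted.hex(), "is", preimage(STATIC_TABLE, wanted).hex())
```

The probing step is the useful part for analysis: once the static mapping is recovered from 256 one-byte requests, every later question about the transform can be answered offline, and recover_inverse fails loudly if the mapping turns out not to be a per-byte bijection, which is the signal that a more careful model of sub_40127c is needed.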

http://zepvn.com/blog/defcon-ctf-quals-2014-byhd.php
