@ebeip90
ebeip90 / CodeGate-2013-Vuln-100-README.md
Last active August 29, 2015 13:57
Codegate 2013 Vuln 100 Writeup

Codegate 2013 Vuln 100 Writeup

Initial Investigation

Simple forking server listens on port 6666.

$ checksec.sh --file ./94dd6790cbf7ebfc5b28cc289c480e5e
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   ./94dd6790cbf7ebfc5b28cc289c480e5e
@ebeip90
ebeip90 / CodeGate-2013-Vuln-200-README.md
Last active August 29, 2015 13:57
CodeGate-2013-Vuln-200-README.md

Codegate 2013 Vuln 200 Writeup

Initial Analysis

It's a 32-bit binary with no mitigations.

$ file ./94dd6790cbf7ebfc5b28cc289c480e5e
./94dd6790cbf7ebfc5b28cc289c480e5e: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xce5456409e1bfe207cd58c5b77ce99125d3b8d0f, stripped
$ checksec.sh --file 94dd6790cbf7ebfc5b28cc289c480e5e

RELRO STACK CANARY NX PIE RPATH RUNPATH FILE

@ebeip90
ebeip90 / CodeGate-2013-Vuln-300-README.md
Last active August 29, 2015 13:57
Codegate 2013 Vuln 300 Writeup

Codegate 2013 Vuln 300 Writeup

Initial Analysis

The binary accepts data over stdin/stdout, and spits back at you a bunch of printable characters, appended with a number of your choosing.

$ checksec.sh --file 8ff953dd97c4405234a04291dee39e0b
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   8ff953dd97c4405234a04291dee39e0b

$ file 8ff953dd97c4405234a04291dee39e0b

@ebeip90
ebeip90 / CodeGate-2013-Vuln-400-README.md
Last active August 29, 2015 13:57
Codegate 2013 Vuln 400 Writeup

Codegate 2013 Vuln 400 Writeup

Initial Investigation

Cool, we're actually getting to something with mitigations!

$ checksec.sh --file 7b80d4d56c282a310297336752c589b7
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   7b80d4d56c282a310297336752c589b7

29C3 CTF - ru1337

Looking for some things to keep me busy since we didn't qual for DEFCON this year :(.

This is an exploitation challenge from the Chaos Computer Conference 29. Let's take a look.

Initial Survey

checksec tells us that we don't have to worry about ASLR or stack canaries.

ll

Simple shellcoding challenge from a Raytheon SI hiring/meet-greet/CTF event.

Basically, you provide data four bytes at a time. This is stored in an 8-byte allocation. The second 4 bytes of the allocation are a pointer to the next allocation.

The challenge is less difficult than it first appears. Looking at the x86 opcodes, there's no way to do a direct JMP or CALL. However, because of the heap layout, you can just do 'jmp $+offset'.

The remaining difficulty is then doing stuff with 2-byte opcodes. I chose to rewrite the pwntools* pushstr method to do it with just 2-byte opcodes by INCing and SHIFTing and PUSHing eax.

@ebeip90
ebeip90 / stack.md
Created September 8, 2014 21:52
stack layout
gdb-peda$ telescope $sp 20
00:0000| esp 0xffffdef0 --> 0x4                                 argc
01:0004|     0xffffdef4 --> 0xffffdfd3 ("arg0")                 argv[]
02:0008|     0xffffdef8 --> 0xffffdfd8 ("arg1")
03:0012|     0xffffdefc --> 0xffffdfdd ("arg2")
04:0016|     0xffffdf00 --> 0xffffdfe2 ("arg3")
05:0020|     0xffffdf04 --> 0x0                                 end of argv[]
06:0024|     0xffffdf08 --> 0xffffdfe7 ("env0")                 envp[]
07:0028|     0xffffdf0c --> 0xffffdfec ("env1")
#!/usr/bin/env python2
#
# CVE-2014-6271 reverse shell
#
# Same as all the others, just showing off some pwntools.
#
# Usage:
# python shell.py http://host/cgi-bin/script.sh
# python shell.py http://host/cgi-bin/script.sh PORT=12345
#