Thursday, March 13, 2014

RUCTF Quals 2014 - Posts - Vuln 300 Write-up

Hi, writeups for this CTF have been delayed because of our absence of free time so let's start with something big :D

In this problem we were given a ssh server address and here it is:
ssh -p 2022 user:Ikiy7ei5
probably it will be closed when you are looking but don't worry we also gathered gadget instructions for better analysis.

It is basically a program for note inserting (taking a lot of input's from you), and then reading them back. Because we are on ssh server there is nothing much to do about disassembling the file but luckily(!) we've got gdb on the server so when we disassembled the file with it we got some interesting parts like this:

first of all it is the part how our name was inputted:
it is using fgets to get from stdin and also gathering 256 bytes (till the newline, or eol).

The second part (and the most interesting one) which gets our note into somewhere after 0x080d7100 by using these calculations and also calling that calculated address:
because of system is getting the input via scanf we can put as much data as we want to overwrite the next function going to be called. The index was easy to calculate after each note the index was shifting 516 bytes from the note title and 260 bytes from the notes body, till the next function pointer and if we overwrite that address we would be able to get the
eip control and we did so. But no :( there was nothing to jump to everything useful was around 0x080d0000 and because of 0d is a newline character we could not use it in our input and it caused us to change our mind from just jumping to system libc function to ROP. (well actually it is our first ROP practice :D). The ASLR was disabled so getting ram addresses didn't make any troubles. And we managed to write a script like this:
you can see the memory layout and gadget adresses at the top of the source.

Our note's were not being kept on the stack but the name was. So we used name variable for arranging stack for ROP and note's to overwrite the next function pointer to point our name. Just 2 notes were enough in first we overwrite the next posts pointer and when the system wanted to get the second note it called our overwritten function and ta-daaa :))

** GDB and the real stack addresses were different due to initial stack alignment and by testing we found out that real offset would be 32 bytes away from the gdb's stack.


  1. Hi, how did you find the exact address of name outside gdb in the remote machine?

  2. Hi, what did you call syscall 11 for ?

      as you can see from here, syscal11 is for execve function to spawn shell, or in our case directly calling the cat, to gather the flag :)

    2. Btw, I can't connect to the ssh server, I can't seen where they gave the password ?

    3. the server might be down but the credentials are:
      username: user
      password: Ikiy7ei5