Ready to Start Your Career?
By: Motasem
February 7, 2017
CTF Insomnihacking Teaser 2017 Challenge Write-up
By: Motasem
February 7, 2017
This challenge requires skills both in exploit development, reverse engineering and writing scripts using python. In this challenge we got a file named“baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz”After extracting this file we’ll be presented with two files; “baby” and “libc.so”. Our targeted file that we’re required to exploit is “baby”. As we get used to doing when analyzing and reversing binaries and files especially in the Linux environment of both 32 and 64 bit, we would like to get some information about the file.
As shown in the picture we got a DLL file which needs to be checked against the enabled security measures. We will use a tool called “checksec.sh” developed by “ slimm609”.
As we see above, we have PIE and NX enabled and that means that we cannot overwrite EIP using stack overflow simply because this file has ASLR and DEP enabled thus randomizing EIP each time. So we should leak some pointers and addresses by checking if there is a probability of “format string” vulnerability in place then we will leverage that to take advantage of libc base address and use that information to construct or ROP chain to bypass DEP and ASLR in order to drop our shell and pwn the system. First, let me show some approach on how to search for ROP gadgets and get them. If you have an executable file then use immunity debugger and use “mona” plugin developed by “corelanc”.Use the following command in immunity debugger to get ROP Gadgets in separated “rop.txt” file!mona modules!mona ropfunc -m some.dll -cpb '\x00\x09\x0a'Now “some.dll” in the command is a DLL which has non-rebase, non-ASLR and no bad characters to make sure that the generated ROP chains are proper and effective to conduct the attack.Now, in our case, we can use edb-debugger with ROP plugin to get’em. Basically, ROP chains end with “RET”
Now the interesting part which is the python script
Now let’s execute our pwn.py python script to see if we get the shell
...and voila, we got it.
As shown in the picture we got a DLL file which needs to be checked against the enabled security measures. We will use a tool called “checksec.sh” developed by “ slimm609”.As we see above, we have PIE and NX enabled and that means that we cannot overwrite EIP using stack overflow simply because this file has ASLR and DEP enabled thus randomizing EIP each time. So we should leak some pointers and addresses by checking if there is a probability of “format string” vulnerability in place then we will leverage that to take advantage of libc base address and use that information to construct or ROP chain to bypass DEP and ASLR in order to drop our shell and pwn the system. First, let me show some approach on how to search for ROP gadgets and get them. If you have an executable file then use immunity debugger and use “mona” plugin developed by “corelanc”.Use the following command in immunity debugger to get ROP Gadgets in separated “rop.txt” file!mona modules!mona ropfunc -m some.dll -cpb '\x00\x09\x0a'Now “some.dll” in the command is a DLL which has non-rebase, non-ASLR and no bad characters to make sure that the generated ROP chains are proper and effective to conduct the attack.Now, in our case, we can use edb-debugger with ROP plugin to get’em. Basically, ROP chains end with “RET” Now the interesting part which is the python scriptNow let’s execute our pwn.py python script to see if we get the shell...and voila, we got it.