Codegate 2017 quals - meow

Linux ELF binary and a service port is given. So I assume it’s a pwnable task.

1. First look

This binary receives 10 byte input and checks its MD5 hash. If the check passes, the string is used to decrypt two data blobs. Then two decrypted blobs are mmaped to fixed addresses 0x12000 and 0x14000 with RWE permission. Then at the end of the program, we can ‘call’ the code at 0x12000 just like a function.

Since finding preimage of the MD5 hash is hopeless, our goal is now finding the 10 byte key that makes the decoded blob plausible. To do that, we had to analyze the decryption function 0xD1D. But I felt I will definitely make mistake during understanding it. So my teammate took another way.

2. Simplifying the decryption routine

The decryption seemed to be composed of simple XORs. So we used angr to derive the symbolic relation between input and output.

First load the binary in angr.

import angr
proj = angr.Project('./meow')

Read more

HITCON CTF 2016 Quals - MixerBox

Linux x86 ELF Reverse challenge.

Mixed-arch, mixerbox

Mixed-arch?

Why is this mixed-arch? There are these instructions everywhere.

  ...
  push 0x33
  call change_arch();
  call f();
  call restore_arch();
  ...

change_arch:
  retf

restore_arch:
  mov [ebp+4], 0x23
  retf

Read more

Running ARM in QEMU

QEMU에서 ARM debian을 돌리는 방법 정리.

https://www.aurel32.net/info/debian_arm_qemu.php 와
https://people.debian.org/~aurel32/qemu/armhf/를 참고하면 쉽게 할 수 있다.

1. Install

먼저 qemu를 설치한다.

sudo apt-get install qemu

그 다음 이미지들을 다운받는다.

wget https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/armhf/initrd.img-3.2.0-4-vexpress
wget https://people.debian.org/~aurel32/qemu/armhf/vmlinuz-3.2.0-4-vexpress

• debian_wheezy_armhf_standard.qcow2는 debian wheezy가 설치된 디스크 이미지,
• initrd.img-3.2.0-4-vexpress는 부팅에 필요한 임시 파일시스템 (initrd; initial ramdisk) 이미지,
• vmlinuz-3.2.0-4-vexpress는 리눅스 커널 이미지이다.

이 중에서 qcow2 이미지는 시스템을 사용하면 내용이 바뀌기 때문에 (디스크 이미지니까) 깨끗한 버전을 하나 백업해 두는 것도 좋은 생각이다.

Read more

DEF CON 2016 Quals - feedme

feedme is a baby’s first pwnable task.

The binary is a fork-based server. There is an obvious buffer overflow vulnerability in the child process routine.

int handler()
{
	char buf[32];  // [ebp-0x2c]
	int canary;    // [ebp-0xc]

	printf("FEED ME!\n");
	int size = read_byte();
	readn(buf, size);
	// Shows up to 16 bytes. Cannot leak canary with this.
	printf("ATE %s\n", tohex(buf, size, 16));
	return size;
}

void server()
{
	while (1) {
		int pid = fork();
		if (pid == 0) {
			int n = handler();
			printf("YUM, got %d bytes!", n);
			return;
		}
		else {
			waitpid(pid, &status, 0);
			printf("child exit.\n");
		}
	}
}

So we can exploit this program by brute-forcing stack canary and doing ROP to get a shell. Classic.

Read more

PlaidCTF 2016 - quite quixotic quest writeup

Well yes, it certainly is quite quixotic. (Yes, the flag format is PCTF{} )

It’s a reversing task. We have an x86 ELF binary. I’ve just ran it firsthand.

$ ./qqq
curl: try 'curl --help' or 'curl --manual' for more information
$ ./qqq --version
curl 7.49.0-DEV (i686-pc-linux-gnu) libcurl/7.49.0-DEV
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile UnixSockets

It seems the binary is a modified curl. Since the problem mentioned about the flag format, I naturally searched for “PCTF” string in the binary.

Read more