2018-01-18 13:45
During the last Hackathon we were given some challenges, just for fun. One of them required us to hack a small binary to obtain an address, then use tcpdump to get a password.
How the hell am I supposed to do that?
First of all, let's run the binary.
$ ./hackbin
put first password
So the binary wants a password. Whatever I type here, it answers with a sad face:
$ ./hackbin
put first password
asdad
:'(
What if I use ltrace?
$ ltrace ./hackbin
__libc_start_main(0x4008ff, 1, 0x7ffd58bc3af8, 0x400990
puts("put first password"put first password
) = 19
scanf(0x400a14, 0x7ffd58bc39a0, 0x7f7dec7477a0, 0x7f7dec47bc00asd
) = 1
strncmp("asd", "thisisit", 9) = -19
puts(":'(":'(
) = 4
+++ exited (status 255) +++
OMG, we have it: the binary compares our input with "thisisit" using strncmp.
$ ltrace ./hackbin
__libc_start_main(0x4008ff, 1, 0x7fff00f66538, 0x400990
puts("put first password"put first password
) = 19
scanf(0x400a14, 0x7fff00f663e0, 0x7f151cfa17a0, 0x7f151ccd5c00thisisit
) = 1
strncmp("thisisit", "thisisit", 9) = 0
scanf(0x400a14, 0x7fff00f66350, 8, 0asdsdas
) = 1
strnlen(0x7fff00f66350, 10, 0x7f151cfa17b0, 0) = 7
puts(":'(":'(
) = 4
+++ exited (status 255) +++
OK, so we need another password. Trying asdsdas shows nothing useful: ltrace only reveals a strnlen call, no comparison against a literal, so we can't use the same trick here :'(.
Let's try to objdump this.
00000000004008ff <main>:
4008ff: 55 push %rbp
400900: 48 89 e5 mov %rsp,%rbp
400903: 48 83 c4 80 add $0xffffffffffffff80,%rsp
......
40095d: eb 1c jmp 40097b
40095f: e8 e2 fe ff ff callq 400846
400964: 85 c0 test %eax,%eax
400966: 79 02 jns 40096a
......
400980: e8 7b fd ff ff callq 400700
400985: b8 ff ff ff ff mov $0xffffffff,%eax
40098a: c9 leaveq
40098b: c3 retq
40098c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400846 <innercheck>:
400846: 55 push %rbp
400847: 48 89 e5 mov %rsp,%rbp
40084a: 48 83 ec 70 sub $0x70,%rsp
40084e: 48 8d 45 90 lea -0x70(%rbp),%rax
400852: 48 89 c6 mov %rax,%rsi
400855: bf 14 0a 40 00 mov $0x400a14,%edi
40085a: b8 00 00 00 00 mov $0x0,%eax
40085f: e8 dc fe ff ff callq 400740
400864: 85 c0 test %eax,%eax
400866: 79 14 jns 40087c
400868: bf 17 0a 40 00 mov $0x400a17,%edi
40086d: e8 8e fe ff ff callq 400700
400872: b8 ff ff ff ff mov $0xffffffff,%eax
400877: e9 81 00 00 00 jmpq 4008fd
40087c: 48 8d 45 90 lea -0x70(%rbp),%rax
400880: be 0a 00 00 00 mov $0xa,%esi
400885: 48 89 c7 mov %rax,%rdi
400888: e8 83 fe ff ff callq 400710
40088d: 48 83 f8 06 cmp $0x6,%rax
400891: 74 07 je 40089a
........
4008e2: b8 ff ff ff ff mov $0xffffffff,%eax
4008e7: eb 14 jmp 4008fd
4008e9: 0f b6 45 90 movzbl -0x70(%rbp),%eax
4008ed: 3c 72 cmp $0x72,%al
4008ef: 74 07 je 4008f8
4008f1: b8 ff ff ff ff mov $0xffffffff,%eax
4008f6: eb 05 jmp 4008fd
4008f8: b8 00 00 00 00 mov $0x0,%eax
4008fd: c9 leaveq
4008fe: c3 retq
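Reading the listing and the ltrace output back into C helps to see what each check actually requires. This is an added reconstruction, not the challenge's source: it models only what the page shows (the strncmp against "thisisit" with length 9, innercheck's strnlen(buf, 10) == 6 test and its first-byte compare against 0x72). The instructions elided between 400891 and 4008e2 are not known and are not modelled, and the scanf format string at 0x400a14 is not visible, so a bounded conversion is assumed here.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* First check, as ltrace shows it: strncmp(input, "thisisit", 9).
 * Length 9 covers the 8 characters plus the terminating NUL, so an input
 * with a longer prefix such as "thisisitX" also fails.  main maps a
 * mismatch to -1 (mov $0xffffffff,%eax), hence the exit status 255. */
int first_check(const char *input)
{
    return strncmp(input, "thisisit", 9) == 0 ? 0 : -1;
}

/* The visible part of innercheck:
 *   strnlen(buf, 10) must equal 6    (cmp $0x6,%rax  at 40088d)
 *   buf[0] must be 0x72, i.e. 'r'    (cmp $0x72,%al  at 4008ed)
 * The constraints on buf[1..5] live in the region the listing elides and
 * are NOT reconstructed; passing this function only means passing what
 * the page shows.  Returns 0 on success, -1 otherwise. */
int innercheck_visible(const char *buf)
{
    if (strnlen(buf, 10) != 6)
        return -1;
    /* ... elided checks (400891..4008e2) would sit here ... */
    if ((unsigned char)buf[0] != 0x72)
        return -1;
    return 0;
}

int main(void)
{
    char first[128];
    /* innercheck's buffer is 0x70 bytes (sub $0x70,%rsp / lea -0x70(%rbp)).
     * In the real binary innercheck performs this scanf itself; the width
     * used here is an assumption, since the format at 0x400a14 is not shown.
     * An unbounded "%s" into that buffer would be a stack overflow, but the
     * listing does not tell us which it is. */
    char second[0x70];

    puts("put first password");
    if (scanf("%127s", first) != 1 || first_check(first) < 0) {   /* jns 40096a */
        puts(":'(");
        return -1;
    }
    if (scanf("%111s", second) != 1 || innercheck_visible(second) < 0) {
        puts(":'(");
        return -1;
    }
    puts("omg you found it");
    return 0;
}
```

The two observations worth taking away from this reconstruction are the ones the write-up relies on: a secret compared with a libc call in plaintext is visible to anything that hooks the library (ltrace, LD_PRELOAD, a debugger), and a check that returns a value main tests with a single conditional jump is a one-instruction patch away from always passing.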
So basically main calls innercheck and then prints something depending on its return value. Let's try to modify innercheck so that it returns 0 (main tests the result with jns, so returning 0 is enough).
To do it, let's use xxd. We put the return right after the b8 00 00 00 00 (the mov $0x0,%eax at 40085a), i.e. we overwrite the first two bytes of the following callq with c9 c3 (leaveq; retq):
00000840: 5de9 7aff ffff 5548 89e5 4883 ec70 488d ].z...UH..H..pH.
00000850: 4590 4889 c6bf 140a 4000 b800 0000 00c9 E.H.....@.......
00000860: c3fe ffff 85c0 7914 bf17 0a40 00e8 8efe ......y....@....
Now, if we xxd -r the edited dump back into a binary and run it:
$ /tmp/hacked
put first password
thisisit
omg you found it
"omg you found it" is the address of the machine to connect to, to retrieve the final password!
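The byte edit above, redone as an added C example (not from the write-up) on an in-memory copy of innercheck's prologue transcribed from the objdump listing, together with the region check a defender would run to notice that the code has been changed. Assumptions: the file offset is the virtual address minus 0x400000 (consistent with the xxd dump, where offset 0x846 holds 55 48 89 e5), the constructed image is zero outside the transcribed bytes, and the call at 40085f is the one ltrace reports as scanf.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INNERCHECK_OFF 0x846u   /* file offset of 0x400846 */
#define PATCH_OFF      0x85fu   /* the 5-byte callq right after mov $0x0,%eax */

/* Original innercheck prologue, transcribed from the objdump listing. */
static const uint8_t innercheck_orig[] = {
    0x55,                          /* 400846: push %rbp */
    0x48, 0x89, 0xe5,              /* 400847: mov %rsp,%rbp */
    0x48, 0x83, 0xec, 0x70,        /* 40084a: sub $0x70,%rsp */
    0x48, 0x8d, 0x45, 0x90,        /* 40084e: lea -0x70(%rbp),%rax */
    0x48, 0x89, 0xc6,              /* 400852: mov %rax,%rsi */
    0xbf, 0x14, 0x0a, 0x40, 0x00,  /* 400855: mov $0x400a14,%edi */
    0xb8, 0x00, 0x00, 0x00, 0x00,  /* 40085a: mov $0x0,%eax */
    0xe8, 0xdc, 0xfe, 0xff, 0xff,  /* 40085f: callq 400740 */
    0x85, 0xc0,                    /* 400864: test %eax,%eax */
    0x79, 0x14,                    /* 400866: jns 40087c */
};

/* Constructed image: zero filler with the prologue at its real file offset. */
static uint8_t g_image[0x900];

/* Count bytes of `image` at `off` that differ from `expected`.  0 means the
 * region is pristine; this is the comparison a checksum or signature check
 * over the text segment performs in bulk. */
size_t region_mismatches(const uint8_t *image, size_t image_len, size_t off,
                         const uint8_t *expected, size_t n)
{
    if (off + n > image_len)
        return n;
    size_t diff = 0;
    for (size_t i = 0; i < n; i++)
        if (image[off + i] != expected[i])
            diff++;
    return diff;
}

/* The write-up's patch: replace the start of the callq after mov $0x0,%eax
 * with leaveq; retq (c9 c3).  The xxd edit left the call's last three
 * bytes (fe ff ff) in place; they never execute because retq comes first,
 * but a disassembler shows them as junk, so this version pads with nop.
 * Returns 0 on success, -1 if the bytes there are not the expected call
 * (wrong binary, or already patched). */
int patch_innercheck(uint8_t *image, size_t image_len)
{
    static const uint8_t call_orig[] = {0xe8, 0xdc, 0xfe, 0xff, 0xff};
    static const uint8_t stub[]      = {0xc9, 0xc3, 0x90, 0x90, 0x90};
    if (region_mismatches(image, image_len, PATCH_OFF, call_orig, sizeof call_orig) != 0)
        return -1;
    memcpy(image + PATCH_OFF, stub, sizeof stub);
    return 0;
}

/* Build the image, verify it is pristine, patch it, and return how many
 * bytes the integrity check now reports as changed (5), or -1 on error. */
int demo(void)
{
    size_t n = INNERCHECK_OFF + sizeof innercheck_orig;
    memset(g_image, 0, sizeof g_image);
    memcpy(g_image + INNERCHECK_OFF, innercheck_orig, sizeof innercheck_orig);
    if (region_mismatches(g_image, n, INNERCHECK_OFF, innercheck_orig, sizeof innercheck_orig) != 0)
        return -1;
    if (patch_innercheck(g_image, n) != 0)
        return -1;
    return (int)region_mismatches(g_image, n, INNERCHECK_OFF, innercheck_orig, sizeof innercheck_orig);
}

int main(void)
{
    printf("bytes changed by the patch: %d\n", demo());
    printf("second patch attempt: %d (expected -1, already patched)\n",
           patch_innercheck(g_image, sizeof g_image));
    return 0;
}
```

The check-before-write in patch_innercheck is the part worth copying even for CTF work: matching the original bytes first prevents an edit from landing in the wrong place when the binary is rebuilt. The same comparison, run over the whole text segment against a known-good hash, is how a defender detects this kind of modification.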