25 Apr 2011

pCTF 2011 – Mission #26: “Hashcalc 2” write-up

The second hashcalc challenge is much the same as the first (make sure to read it!), except that this version is launched from inetd instead of being a forking server. This is annoying because it means that the stack cookie and the library offsets change on every run. Let’s verify that by adapting our exploit to dump the GOT of the new binary.

25 Apr 2011

pCTF 2011 – Mission #22: “Hashcalc 1” write-up

The control flow relevant to the bug is as follows:

  • request_handler
      • recv into a 0x400 byte buffer (max 0x3ff bytes + NUL terminator)
      • call fprintf on this string (output goes into /home/hashcalc1/LOG, so we can’t see it)
      • hash the string
  • reply_func
      • sprintf the string and the hash using the format string “%u (%s)” into a buffer of size 0x100
      • send the reply string

So what we have is a blind format string bug in request_handler and a buffer overflow in reply_func. The buffer overflow is normally detected, however, because it damages the stack cookie. Since the stack and the libraries are randomized, we really want the freedom to explore the address space using ROP instead of relying on a printf exploit alone, so let’s see if we can find a way to make the overflow work.

25 Apr 2011

pCTF 2011 – Mission 6 – Fun with Numb3rs

Another quick pCTF 2011 write-up. This is a Windows application written in .NET. Upon launching it you get three sliders with a range of 0-255 and a button. The goal is to find the correct combination of the three slider values. When you enter the wrong slider values you get a nice failure message.

When decompiling the application with ILSpy we find the following relevant code bits:

25 Apr 2011

pCTF 2011 – Mission 13: “Django..really?” Write-up

This is a quick write-up of the Django web challenge from PlaidCTF 2011.

The web application is a guestbook written in Django and can be found at: http://a12.amalgamated.biz/DjangoProblem1

Upon investigation it turns out they have Django’s page caching enabled, backed by memcached. Memcached is a key/value store accessible over TCP, and here the memcached server is publicly reachable on the default port, 11211.

Some snooping around on the memcached server reveals that Django stores Python-serialized (pickled) objects in the cache. Serialized objects in the memcached key store are marked with a flag value of ‘1’. (We missed this detail for a long time :/)