25 Apr 2011

pCTF 2011 – Mission #26: “Hashcalc 2” write-up

The second hashcalc challenge is much the same as the first (make sure to read it!), except that this version is launched from inetd instead of running as a forking server. That is annoying: a forked child inherits its parent's address space, so the stack cookie and library offsets stay the same across connections, whereas inetd spawns a fresh process per connection and both are re-randomized on every run. Let's verify that by adapting our exploit to dump the GOT of the new binary.

25 Apr 2011

pCTF 2011 – Mission #22: “Hashcalc 1” write-up

The control flow relevant to the bug is as follows:

  • request_handler
    • recv into a 0x400-byte buffer (at most 0x3ff bytes plus a NUL terminator)
    • call fprintf with this string as the format argument (output goes to /home/hashcalc1/LOG, so we can't see it)
    • hash the string
  • reply_func
    • sprintf the hash and the string with the format "%u (%s)" into a buffer of size 0x100
    • send the reply string

So what we have is a blind format string bug in request_handler and a stack buffer overflow in reply_func: up to 0x3ff bytes of attacker data plus the decimal hash and three characters of framing get written into a 0x100-byte buffer. The overflow is normally caught, however, because the smashed stack cookie is detected before reply_func returns. Since the stack and libraries are randomized, we really want the freedom to explore the address space with ROP instead of relying on a printf exploit alone, so let's see whether we can find a way to make the overflow work.
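To make the size arithmetic concrete, here is an added model of reply_func (example code written for this page, not the challenge binary's own). The hash is a toy FNV-1a stand-in, an assumption since the real function is not shown; only the width of its "%u" rendering matters for the overflow. It computes how long the "%u (%s)" reply is for a given request, finds the smallest request length at which the original unchecked sprintf would write past the 0x100-byte buffer, and shows a hardened variant that bounds the write and refuses oversized replies instead of truncating them silently.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define REQ_BUF_SIZE   0x400  /* recv() target in request_handler (0x3ff bytes + NUL) */
#define REPLY_BUF_SIZE 0x100  /* sprintf() target in reply_func */

/* Toy stand-in for the challenge's hash (FNV-1a; an assumption, the real
 * function is not on the page). Only its decimal width matters here. */
static uint32_t toy_hash(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Bytes (excluding the NUL) that "%u (%s)" expands to for this hash/string. */
size_t reply_length(uint32_t hash, const char *s) {
    int n = snprintf(NULL, 0, "%u (%s)", hash, s);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the original unchecked sprintf write past the 0x100-byte reply buffer? */
int reply_overflows(uint32_t hash, const char *s) {
    return reply_length(hash, s) + 1 > REPLY_BUF_SIZE;  /* +1 for the NUL */
}

/* Hardened reply_func: bounded write, and an explicit failure instead of a
 * silently truncated reply. Returns the reply length, or -1 if it does not fit. */
int reply_func_safe(uint32_t hash, const char *s, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%u (%s)", hash, s);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Model one request of `len` 'A' bytes (capped the way recv leaves room for
 * the NUL), hash it and build the reply with the hardened function. */
int reply_for_request_len(size_t len) {
    char req[REQ_BUF_SIZE];
    char reply[REPLY_BUF_SIZE];
    if (len > REQ_BUF_SIZE - 1)
        len = REQ_BUF_SIZE - 1;
    memset(req, 'A', len);
    req[len] = '\0';
    return reply_func_safe(toy_hash(req), req, reply, sizeof reply);
}

/* Smallest request length at which the original sprintf would overflow.
 * The fixed part is the hash (1..10 decimal digits) plus " (", ")" and the
 * NUL, so the answer is 253 - digits: somewhere between 243 and 252. */
size_t first_overflowing_len(void) {
    char req[REQ_BUF_SIZE];
    for (size_t len = 1; len < REQ_BUF_SIZE; len++) {
        memset(req, 'A', len);
        req[len] = '\0';
        if (reply_overflows(toy_hash(req), req))
            return len;
    }
    return 0;
}

int main(void) {
    printf("unchecked sprintf overflows the 0x%x-byte reply buffer from %zu-byte requests on\n",
           REPLY_BUF_SIZE, first_overflowing_len());
    printf("hardened reply_func for a 0x3ff-byte request returns %d\n",
           reply_for_request_len(REQ_BUF_SIZE - 1));
    return 0;
}
```

The boundary is independent of which hash the binary actually uses: any 32-bit value printed with "%u" takes between 1 and 10 characters, so every request longer than 252 bytes overflows and every request of 242 bytes or fewer fits, with the exact cutoff set by the digit count of that particular request's hash.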