pCTF 2011 – Mission #22: “Hashcalc 1” write-up

The control flow relevant to the bug is as follows:

  • request_handler
      • recv into a 0x400-byte buffer (at most 0x3ff bytes plus the NUL terminator)
      • call fprintf on this string (output goes to /home/hashcalc1/LOG, so we can’t see it)
      • hash the string
  • reply_func
      • sprintf the hash and the string with the format string “%u (%s)” into a buffer of size 0x100
      • send the reply string

So what we have is a blind format string bug in request_handler and a buffer overflow in reply_func. However, the buffer overflow is normally caught, because it damages the stack cookie. Since the stack and libs are randomized, we really want the freedom to explore the address space using ROP instead of relying on a printf exploit alone, so let’s see if we can find a way to make the overflow work.
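As an added illustration (not code from the write-up or the challenge binary), here are the two handlers with the defects described above closed: the request never becomes a format string, and the reply is bounded to its 0x100-byte buffer with the truncation detected and rejected. Buffer sizes and format string are the page’s; the djb2 hash is a stand-in, since the service’s real hash is not given.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define REQ_SIZE   0x400   /* recv buffer: 0x3ff bytes + NUL */
#define REPLY_SIZE 0x100   /* reply buffer in reply_func */

/* Stand-in hash (djb2), assumed only so the example runs. */
static uint32_t hash_str(const char *s)
{
    uint32_t h = 5381;
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    return h;
}

/* reply_func, hardened.  The original does sprintf(out, "%u (%s)", hash, req),
 * i.e. up to 10 + 3 + 0x3ff bytes into 0x100.  snprintf bounds the write and
 * its return value says whether the reply would have been truncated. */
static int reply_safe(char out[REPLY_SIZE], const char *req)
{
    int n = snprintf(out, REPLY_SIZE, "%u (%s)", (unsigned)hash_str(req), req);
    return n >= 0 && n < REPLY_SIZE;   /* 1 = fits, 0 = would have overflowed */
}

/* request_handler, hardened.  The original does fprintf(log, req) with the
 * received bytes as the format string.  Here the request is always a "%s"
 * argument, the recv length is bounded, and an oversized reply rejects the
 * request rather than sending a truncated one.  log may be NULL. */
static int handle_request(const char *req, size_t req_len,
                          char reply[REPLY_SIZE], FILE *log)
{
    char buf[REQ_SIZE];
    if (req_len > REQ_SIZE - 1)
        return 0;
    memcpy(buf, req, req_len);
    buf[req_len] = '\0';
    if (log)
        fprintf(log, "%s\n", buf);     /* request is data, never the format */
    return reply_safe(reply, buf);
}

int main(void)
{
    char reply[REPLY_SIZE];
    if (handle_request("abc", 3, reply, stdout))
        printf("reply: %s\n", reply);
    return 0;
}
```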