Thursday, October 22, 2015

PicoCTF 2014 ExecuteMe & PicoCTF 2014 OBO

I'm working on these in my spare time. I still haven't solved these. I think that I know what I'm supposed to do, but I either have the wrong shellcode, or I'm getting the syntax wrong. For Execute Me, I think that I'm supposed to send the C program shellcode. That's what the hint says. So, I tried this (the <shell code here> part actually has shellcode in it when I type the command):

./executeme $(python -c 'print "<shell code here>"')

No shell code.

$(python -c 'print "<shell code here>"') | ./executeme

That gets me a shell, but I can't interact with it without getting a segmentation fault.  So then I tried this:

$(python -c 'print "<shell code here>"') & cat flag.txt | ./executeme

I'm getting a command not found error.

So I go on to start reading OBO.  I can go back to Execute Me anytime.  Here is the interesting part of the program for OBO:

#include <stdio.h>
#include <string.h>

int hex_table[256];

void generate_hex_table(void) {
  int i;
  // Valid indices are 0..255, but this loop also writes hex_table[256].
  for (i = 0; i <= 256; ++i) {
    hex_table[i] = -1;
  }

  // '0' + 10 is ':', which is not a hex digit.
  for (i = 0; i <= 10; ++i) {
    hex_table['0' + i] = i;
  }

  // 'a' + 6 is 'g'.
  for (i = 0; i <= 6; ++i) {
    hex_table['a' + i] = 10 + i;
  }

  // 'A' + 6 is 'G'.
  for (i = 0; i <= 6; ++i) {
    hex_table['A' + i] = 10 + i;
  }

  // I don't know why, but I was getting errors, and this fixes it.
  hex_table[0] = 0;
}

int read_password(FILE *file, char *password, size_t n) {
  // The return value of fgets is not checked here.
  fgets(password, n, file);

  // Cut the string at the first newline by writing a terminating null byte there.
  password[strcspn(password, "\n")] = '\0';

  return 0;  // Placeholder: the rest of this function is not shown in the post.
}

I think that OBO stands for Off By One, as in an off-by-one error in C programming. I was looking at the first for loop and noticed that he starts the variable "i" at 0. Then he iterates it to 256. If "i" started at one, that would be fine, but it doesn't. So he iterated through the first for loop one too many times. Then I noticed the null byte (\0) which is tacked on in the line "password[strcspn(password, "\n")] = '\0';". If I'm not mistaken, it overwrites the lowest memory byte. So I was wondering what was useful about that. I looked on Google and found an article about a poison null byte. I also found a SANS white paper describing how to exploit an off-by-one error. I haven't tried yet, but from what I understand, one way to exploit it is: you control the address, so you can have the pointer point at a buffer, put shellcode into the buffer, and you get a shell.

It's kind of scary how much difference one byte can make.
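To make the off-by-one loops concrete, here is an added example of my own (not the challenge's code): it runs the challenge's `<=` bounds next to a corrected `<` version and shows which non-hex characters the loose bounds quietly accept, and that the first loop writes one slot past a 256-entry table. The corrected builder and the helper names are my assumptions.

```c
#define TABLE_SIZE 256
#define SENTINEL 0x5a5a5a5a

/* Corrected builder (my assumed fix, not the challenge's code): every loop
   uses '<', so the last index written is 255, '9', 'f' and 'F'. */
static void build_fixed(int *table) {
  int i;
  for (i = 0; i < TABLE_SIZE; ++i) table[i] = -1;
  for (i = 0; i < 10; ++i) table['0' + i] = i;
  for (i = 0; i < 6; ++i) table['a' + i] = 10 + i;
  for (i = 0; i < 6; ++i) table['A' + i] = 10 + i;
}

/* The challenge's bounds, run against a table with one spare slot so the
   write to index 256 lands in the spare slot instead of adjacent memory. */
static void build_buggy(int *table) {
  int i;
  for (i = 0; i <= TABLE_SIZE; ++i) table[i] = -1;  /* also writes [256] */
  for (i = 0; i <= 10; ++i) table['0' + i] = i;     /* also maps ':' */
  for (i = 0; i <= 6; ++i) table['a' + i] = 10 + i; /* also maps 'g' */
  for (i = 0; i <= 6; ++i) table['A' + i] = 10 + i; /* also maps 'G' */
  table[0] = 0;                                      /* maps NUL to 0 too */
}

/* Decode a hex string with one of the two tables; -1 if any character is
   rejected. With the buggy table "1g" decodes to 32 instead of failing. */
long decode_hex(int use_fixed, const char *s) {
  int table[TABLE_SIZE + 1];
  long v = 0;
  if (use_fixed) build_fixed(table); else build_buggy(table);
  for (; *s; ++s) {
    int d = table[(unsigned char)*s];
    if (d < 0) return -1;
    v = v * 16 + d;
  }
  return v;
}

/* 1 if the challenge's first loop overwrote the slot just past the 256
   entries; in the real program nothing reserves that slot, so the write
   lands on whatever the linker placed after hex_table. */
int buggy_writes_past_end(void) {
  int table[TABLE_SIZE + 1];
  table[TABLE_SIZE] = SENTINEL;
  build_buggy(table);
  return table[TABLE_SIZE] != SENTINEL;
}
```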

https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
http://insecure.org/news/P55-07.txt
