PicoCTF 2014 - best shell

Last time I tried to solve few challenges from Pico CTF 2013. This time I decided to check few cases from next edition - 2014. Below we will try to solve "best shell" . Here we go...
We will start here:

Let's simply grep some functions available in the source code:

When we'll read the source we can see setup_handlers() - it will be our 'menu':

Looking for shell_handler in the source:
 

Ok, so there should be an admin variable too, checking:

Indeed. So to run the binary, we should: read the password file, if it's not null then we will proceed with the handlers:

Checking with Ida:

It's always good to check imports. (We can find some interesting/vulnerable functions and references to them.) To do that (in Ida) go to View -> Open subviews and click Imports (but this tab should already be open:)

For example - strcpy:

Function can be found in rename_handler:

Checking pseudocode:

 I changed sub esp,28 to 40 (click to 28 and click letter 'h', the same you can achieve by right-click):

Verifying length:

One more... ;]

Ok, checking with gdb:

Looks good:

 ... but why:

As you can see: JE instruction (yellow) is pretty the same as if(admin) - 'diff' from pseudocode and gdb is presented on the screen below:

(Few more similar cases you can find described here.) Checking outside gdb:

Good. :)

I think there is also another solution to solve this challenge: when you'll open the binary in gdb, before the run set a breakpoint after call setup_handlers. Then if you run the program you will be  stopped here:

It's good, because all 'settings' (see the source of challenge) in main() should already be loaded in memory of the program - checking the 'admin_password' then:

"...just a thought..." ;)


See you next time!

Cheers