Last time I tried to solve a few challenges from Pico CTF 2013. This time I decided to check a few cases from the next edition, 2014. Below we will try to solve "best shell". Here we go...
We will start here:
Let's simply grep some functions available in the source code:
Reading the source, we can see setup_handlers(), which will be our 'menu':
Looking for shell_handler in the source:
Ok, so there should be an admin variable too, checking:
Indeed. So when the binary runs, it first reads the password file; if the result is not null, it proceeds to the handlers:
Checking with IDA:
It's always good to check the imports (we can find interesting or vulnerable functions there and the references to them). To do that in IDA, go to View -> Open subviews and click Imports (although this tab should already be open):
For example - strcpy:
The function is referenced in rename_handler:
Checking pseudocode:
I changed sub esp,28 to 40 (click on 28 and press the letter 'h'; you can achieve the same by right-clicking):
Verifying length:
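The pattern the writeup points at (strcpy into a fixed 0x28-byte buffer in rename_handler) beside a length-checked rewrite, as an added example; this is not the challenge's source code, and the function names, return codes and sample inputs are assumptions.

```c
/* Added example, not the challenge's code: the unsafe copy the writeup
 * finds in rename_handler beside a bounded version. The 0x28 buffer size
 * comes from the writeup; everything else here is a constructed illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 0x28   /* 40 bytes, matching the 'sub esp, 28h' frame */

/* Unsafe: strcpy never looks at the destination size, so any name of
 * NAME_MAX bytes or more writes past dst. Shown only for comparison. */
void rename_handler_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened: refuse any name that would not fit together with its NUL
 * terminator, then copy with an explicit bound. Returns 0 on success,
 * -1 when the name is rejected (dst is left untouched in that case). */
int rename_handler_safe(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')  /* never scan past dstlen */
        n++;
    if (n >= dstlen)                      /* no room for the NUL byte */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Does a name of this length (without NUL) pass the check above? */
int name_fits(size_t len)
{
    return len < NAME_MAX;
}

int main(void)
{
    char buf[NAME_MAX];
    char toolong[NAME_MAX + 1];           /* constructed: 40 'A's, no room for NUL */
    memset(toolong, 'A', NAME_MAX);
    toolong[NAME_MAX] = '\0';

    printf("short name: %d\n", rename_handler_safe(buf, sizeof buf, "newname"));
    printf("40-byte name: %d\n", rename_handler_safe(buf, sizeof buf, toolong));
    return 0;
}
```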
One more... ;]
Ok, checking with gdb:
Looks good:
... but why:
As you can see, the JE instruction (yellow) corresponds to if(admin); the 'diff' between the pseudocode and gdb is shown on the screen below:
(A few more similar cases are described here.) Checking outside gdb:
Good. :)
I think there is also another way to solve this challenge: when you open the binary in gdb, set a breakpoint just after the call to setup_handlers before running it. Then, when you run the program, you will stop here:
This is useful because at that point all the 'settings' from main() (see the challenge source) should already be loaded into the program's memory, so we can check 'admin_password':
"...just a thought..." ;)
See you next time!
Cheers