bws

9447 CTF Exploitation Challenge: 190pts

Challenge Description:

"My friend has been playing that annoying song far too long. Can you own his web server now?

The web page is at http://bws-ad8sfsklw.9447.plumbing"

Material:

Solution:


BWS

1) Analysis of webserver binary

   The webserver takes our requests and processes it; we analyze the different cases in IDA.
   Of all the processing functions, we find that process_path contains some useful bugs.

2) First bug

   This function processes a request for path: "/.." by returning a listing of the files in the parent directory.
   As expected, there is a "flag.txt" file, the trouble is traversing to the parent directory.
   However the only way to get to the file is through exploiting the "process_path()" function.
   Specifically, the function's handling of ".." and "../" uses a looping system to copy one buffer into another.

3) Setting up the stack

   As the path cannot contain any zero bytes, we must use the HTTP body itself to setup the stack right.
   The HTTP body is located before the return address.
   So if we can overwrite this return address, we can execute one gadget.
   This gadget needs to be a stack pivot, move the stack pointer enough to land $pc inside the HTTP body.


   From here we can return to inside process_path() which contains code to open whichever path is at $esp.
   At this point, $esp points to our path variable, where we have our /../flag.txt\x00

4) Structure


Flag: