<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Secuinside on System Overlord</title><link>https://systemoverlord.com/tags/secuinside.html</link><description>Recent content in Secuinside on System Overlord</description><generator>Hugo</generator><language>en-us</language><managingEditor>david@systemoverlord.com (David Tomaschik)</managingEditor><webMaster>david@systemoverlord.com (David Tomaschik)</webMaster><lastBuildDate>Wed, 04 Jun 2014 02:08:25 +0000</lastBuildDate><atom:link href="https://systemoverlord.com/tags/secuinside/index.xml" rel="self" type="application/rss+xml"/><item><title>Secuinside Quals 2014: Simple Login</title><link>https://systemoverlord.com/2014/06/04/secuinside-quals-2014-simple-login/</link><pubDate>Wed, 04 Jun 2014 02:08:25 +0000</pubDate><author>david@systemoverlord.com (David Tomaschik)</author><guid>https://systemoverlord.com/2014/06/04/secuinside-quals-2014-simple-login/</guid><description>&lt;p&gt;In this challenge, we received the source for a site with a pretty basic login functionality. Aside from some boring forms, javascript, and css, we have this PHP library for handling the session management:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;#!php
&amp;lt;?
	class common{
		public function getidx($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query(&amp;quot;select idx from member where id='&amp;quot;.$id.&amp;quot;'&amp;quot;));
			return $info[0];
		}

		public function getpasswd($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query(&amp;quot;select password from member where id='&amp;quot;.$id.&amp;quot;'&amp;quot;));
			return $info[0];
		}

		public function islogin(){
			if( preg_match(&amp;quot;/[^0-9A-Za-z]/&amp;quot;, $_COOKIE['user_name']) ){
				exit(&amp;quot;cannot be used Special character&amp;quot;);
			}

			if( $_COOKIE['user_name'] == &amp;quot;admin&amp;quot; )	return 0;

			$salt = file_get_contents(&amp;quot;../../long_salt.txt&amp;quot;);

			if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
				return 1;
			}

			return 0;
		}

		public function autologin(){

		}

		public function isadmin(){
			if( $this-&amp;gt;getidx($_COOKIE['user_name']) == 1){
				return 1;
			}

			return 0;
		}

		public function insertmember($id, $password){
			$id = mysql_real_escape_string($id);
			mysql_query(&amp;quot;insert into member(id, password) values('&amp;quot;.$id.&amp;quot;', '&amp;quot;.$password.&amp;quot;')&amp;quot;) or die();

			return 1;
		}
	}
?&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Some first impressions:&lt;/p&gt;</description></item><item><title>Secuinside Quals 2014: Shellcode 100</title><link>https://systemoverlord.com/2014/06/02/secuinside-quals-2014-shellcode-100/</link><pubDate>Mon, 02 Jun 2014 04:57:01 +0000</pubDate><author>david@systemoverlord.com (David Tomaschik)</author><guid>https://systemoverlord.com/2014/06/02/secuinside-quals-2014-shellcode-100/</guid><description>&lt;p&gt;This is a level that, at first, seemed like it would be extremely simple, but then turned out to be far more complicated than expected. We were provided a zip file containing a python script and an elf binary.&lt;/p&gt;
&lt;p&gt;Disassembling the binary reveals a very basic program:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;/ (fcn) sym.main 165
| 0x0804847d 55 push ebp
| 0x0804847e 89e5 mov ebp, esp
| 0x08048480 83e4f0 and esp, 0xfffffff0
| 0x08048483 83ec30 sub esp, 0x30
| 0x08048486 8b450c mov eax, [ebp+0xc]
| 0x08048489 83c004 add eax, 0x4
| 0x0804848c 8b00 mov eax, [eax]
| 0x0804848e 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048376 (fcn.08048376)
| ; CODE (CALL) XREF from 0x08048370 (fcn.08048366)
| 0x08048491 e8dafeffff call 0x108048370 ; (sym.imp.atoi)
| sym.imp.atoi(unk)
| 0x08048496 89442428 mov [esp+0x28], eax
| 0x0804849a c7442424000. mov dword [esp+0x24], 0x0
| 0x080484a2 c7442408040. mov dword [esp+0x8], 0x4
| 0x080484aa 8d442424 lea eax, [esp+0x24]
| 0x080484ae 89442404 mov [esp+0x4], eax
| 0x080484b2 8b442428 mov eax, [esp+0x28]
| 0x080484b6 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048330 (fcn.0804832c)
| 0x080484b9 e872feffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x080484be 8b442424 mov eax, [esp+0x24]
| 0x080484c2 c7442414000. mov dword [esp+0x14], 0x0
| 0x080484ca c7442410fff. mov dword [esp+0x10], 0xffffffff
| 0x080484d2 c744240c220. mov dword [esp+0xc], 0x22
| 0x080484da c7442408070. mov dword [esp+0x8], 0x7
| 0x080484e2 89442404 mov [esp+0x4], eax
| 0x080484e6 c7042400000. mov dword [esp], 0x0
| ; CODE (CALL) XREF from 0x08048350 (fcn.08048346)
| 0x080484ed e85efeffff call 0x108048350 ; (sym.imp.mmap)
| sym.imp.mmap()
| 0x080484f2 8944242c mov [esp+0x2c], eax
| 0x080484f6 8b442424 mov eax, [esp+0x24]
| 0x080484fa 89442408 mov [esp+0x8], eax
| 0x080484fe 8b44242c mov eax, [esp+0x2c]
| 0x08048502 89442404 mov [esp+0x4], eax
| 0x08048506 8b442428 mov eax, [esp+0x28]
| 0x0804850a 890424 mov [esp], eax
| 0x0804850d e81efeffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x08048512 31c0 xor eax, eax
| 0x08048514 31c9 xor ecx, ecx
| 0x08048516 31d2 xor edx, edx
| 0x08048518 31db xor ebx, ebx
| 0x0804851a 31f6 xor esi, esi
| 0x0804851c 31ff xor edi, edi
\ 0x0804851e ff64242c jmp dword [esp+0x2c]
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;It takes a single argument, an integer, which it uses as a file descriptor for input. It then reads 4 bytes from the file descriptor, mmap&amp;rsquo;s an anonymous block of memory of that size with RWX permissions, then reads that many bytes from the file descriptor into the mapped region, and finally jumps to the mapped region. So, in summary: read shellcode length, read shellcode, then jump to shellcode.&lt;/p&gt;</description></item><item><title>Secuinside Quals 2014: Javascript Jail (Misc 200)</title><link>https://systemoverlord.com/2014/06/02/secuinside-quals-2014-javascript-jail/</link><pubDate>Mon, 02 Jun 2014 03:43:33 +0000</pubDate><author>david@systemoverlord.com (David Tomaschik)</author><guid>https://systemoverlord.com/2014/06/02/secuinside-quals-2014-javascript-jail/</guid><description>&lt;p&gt;The challenge was pretty straightforward: connect to a service that&amp;rsquo;s running a Javascript REPL, and extract the flag. You were provided a check function that was created by the checker function given below:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;#!javascript
function checker(flag, myRand) {
  return function (rand) {
    function stage1() {
      var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
      var b = rand(a.length);

      if (!Array.isArray(b)) {
        print(&amp;quot;You're a cheater!&amp;quot;);
        return false;
      }

      if (b.length &amp;lt; a.length) {
        print(&amp;quot;hmm.. too short..&amp;quot;);
        for (var i = 0, n = a.length - b.length; i &amp;lt; n; i++) {
          delete b[b.length];
          b[b.length] = [Math.random() * 0x10000];
        }
      } else if (b.length &amp;gt; a.length) {
        print(&amp;quot;hmm.. too long..&amp;quot;);
        for (var i = 0, n = b.length - a.length; i &amp;lt; n; i++)
          Array.prototype.pop.apply(b);
      }

      for (var i = 0, n = b.length; i &amp;lt; n; i++) {
        if (a[i] != b[i]) {
          print(&amp;quot;ddang~~&amp;quot;);
          return false;
        }
      }

      return true;
    }

    function stage2() {
      var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
      var b = rand(a.length);

      if (!Array.isArray(b)) {
        print(&amp;quot;You're a cheater!&amp;quot;);
        return false;
      }

      if (b.length &amp;lt; a.length) {
        print(&amp;quot;hmm.. too short..&amp;quot;);
        for (var i = 0, n = a.length - b.length; i &amp;lt; n; i++) {
          delete b[b.length];
          b[b.length] = [Math.random() * 0x10000];
        }
      } else if (b.length &amp;gt; a.length) {
        print(&amp;quot;hmm.. too long..&amp;quot;);
        for (var i = 0, n = b.length - a.length; i &amp;lt; n; i++)
          Array.prototype.pop.apply(b);
      }

      for (var i = 0, n = b.length; i &amp;lt; n; i++) {
        if (a[i] != b[i]) {
          print(&amp;quot;ddang~~&amp;quot;);
          return false;
        }
      }

      return true;
    }

    print(&amp;quot;stage1&amp;quot;);

    if (!stage1())
      return;

    print(&amp;quot;stage2&amp;quot;);

    if (!stage2())
      return;

    print(&amp;quot;awesome!&amp;quot;);
    return flag;
  };
}
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;As you can tell, there are two nearly identical stages that create an array of random length (10-30) consisting of random values. The only difference is how the random values are generated: in stage 1 from Math.random, and in stage 2 from the myRand function supplied to the checker factory. That function was not available to us, so we could not reverse its behavior.&lt;/p&gt;</description></item></channel></rss>