So, this is how people get past the registration process of a text editor that's been gaining popularity lately.

Monday, March 17, 2014

RuCTF 2014 Vuln 300

I did not solve this challenge on remote in time, only locally. The application "Posts" was a CLI application, statically compiled (buttload of gadgets, yes), and had an NX stack. It asked you for a name, a count, and read in `count` number of "Titles" and "Contents".

If we give 260 A's as the content, a function pointer is overwritten and we have a nice crash.

Next step, set up a ROP payload and jump to it. It would be great if we could use Posts as the location, but it had a '\r' in its address, which would prevent that from working.

The final sploit involved setting up the ROP chain in `name` and overwriting the function pointer with the address of the ROP chain. Locally the buffer address was 0xbffff5f4.

RuCTF 2014 crypto 100

The question stated:
Server ( accepts only authorized messages.
It works like this:

```
buf = c.recv(4096)
digest, msg = buf.split(" ", 1)
if (digest == md5(password+msg).hexdigest()):
    #here I send a secret
else:
    c.send("Wrong signature\n")
```

You have intercepted one authorized message: "b34c39b9e83f0e965cf392831b3d71b8 do test connection". Construct your own authorized message! Answer starts with 'RUCTF_'

It seemed pretty obvious that it was a hash length extension attack. I did not have any library to automate the attack, so I ended up writing a bit of Python to wrap around hash extender, a nice C library for performing hash length extension attacks.

We do not know the length of the padding required, since it depends on the unknown password length, so we need to brute-force that.

The solution for the same can be found here.
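
An added example (not the author's solution and not hash extender's code) showing why the quoted `md5(password+msg)` check accepts an extended message once the key length is guessed, while an HMAC over the same data rejects it. The key, the suffix and all helper names are constructed for illustration.

```python
import hashlib, hmac, math, struct

S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]

def md5_pad(total_len):
    # 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)

def md5_compress(state, block):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
        a, d, c = d, c, b
        b = (b + ((f << S[i]) | (f >> (32 - S[i])))) & 0xFFFFFFFF
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]

def extend(digest_hex, msg, suffix, key_len):
    # The digest is MD5's internal state after key||msg||glue; resume hashing from it.
    glue = md5_pad(key_len + len(msg))
    state = list(struct.unpack("<4I", bytes.fromhex(digest_hex)))
    tail = suffix + md5_pad(key_len + len(msg) + len(glue) + len(suffix))
    for off in range(0, len(tail), 64):
        state = md5_compress(state, tail[off:off + 64])
    return struct.pack("<4I", *state).hex(), msg + glue + suffix

def verify_prefix_md5(key, digest_hex, msg):   # the check quoted in the challenge
    return digest_hex == hashlib.md5(key + msg).hexdigest()

def verify_hmac(key, digest_hex, msg, alg=hashlib.sha256):   # keyed MAC, constant-time compare
    return hmac.compare_digest(hmac.new(key, msg, alg).hexdigest(), digest_hex)

def accepted_key_lengths(verify, tag, key, msg, suffix=b" extra"):
    # Key lengths (1..32) for which an extended (digest, message) pair passes verify
    forged = ((n, extend(tag, msg, suffix, n)) for n in range(1, 33))
    return [n for n, (sig, m) in forged if verify(key, sig, m)]

KEY, MSG = b"constructed-secret", b"do test connection"   # KEY is a constructed 18-byte value
prefix_tag = hashlib.md5(KEY + MSG).hexdigest()
hmac_tag = hmac.new(KEY, MSG, hashlib.md5).hexdigest()     # MD5 only to compare like with like

if __name__ == "__main__":
    print(accepted_key_lengths(verify_prefix_md5, prefix_tag, KEY, MSG))
    print(accepted_key_lengths(lambda k, s, m: verify_hmac(k, s, m, hashlib.md5), hmac_tag, KEY, MSG))
```

Run directly, it prints `[18]` for the secret-prefix construction (only the true key length yields matching padding) and `[]` for HMAC, even with MD5 underneath.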