Stage 3 - Drumpf Hotels #48

Open
koddsson opened this issue Aug 15, 2016 · 3 comments
@koddsson
Member

koddsson commented Aug 15, 2016

Description

Drumpf Hotels - Making security great again! Donald Trump decided to move his hotel operations online. Since he isn't very fond of foreigners coding for him, he decided to code the platform with his own tiny hands. nc drumpf.vuln.icec.tf 6502 download file

Solution

Flag is: ``

@koddsson koddsson changed the title Trump Hotels Stage 3 - Trump Hotels Aug 16, 2016
@ikornaselur ikornaselur self-assigned this Aug 17, 2016
@ikornaselur
Collaborator

First findings.

There's a flag function at 0x0804863d:

int flag()
{
  int fd; // ST18_4@1
  char buf; // [sp+1Ch] [bp-10Ch]@1
  int v3; // [sp+11Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  fd = open("./flag.txt", 0);
  read(fd, &buf, 0x100u);
  printf("%s", &buf);
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}

So this prints out the flag normally, so we just have to find a way to call that function.

There are two functions that take user input, book_suite and book_room. They're almost the same, but not completely.

Book room

int book_room()
{
  void *v0; // ebx@1
  char s; // [sp+1Ch] [bp-1Ch]@1
  int v3; // [sp+2Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  room = malloc(0x104u);
  printf("Name: ");
  fflush(stdout);
  fgets((char *)room + 4, 256, stdin);
  printf("Room number: ");
  fflush(stdout);
  fgets(&s, 16, stdin);
  v0 = room;
  *(_DWORD *)v0 = atoi(&s);
  puts("Booked a room!");
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}

Book suite

int book_suite()
{
  void *v0; // ebx@1
  char s; // [sp+1Ch] [bp-1Ch]@1
  int v3; // [sp+2Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  suite = malloc(0x108u);
  printf("Name: ");
  fflush(stdout);
  fgets((char *)suite + 4, 256, stdin);
  *(_DWORD *)suite = print_name;
  printf("Suite number: ");
  fflush(stdout);
  fgets(&s, 16, stdin);
  v0 = suite;
  *((_DWORD *)v0 + 65) = atoi(&s);
  puts("Booked a suite!");
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}

The main difference being the *(_DWORD *)suite = print_name; line in book_suite. It seems that print_name is actually a function:

int __cdecl print_name(int a1)
{
  int v1; // ST1C_4@1

  v1 = *MK_FP(__GS__, 20);
  printf("Name: %s", a1);
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v1;
}

When printing out the booking, this is the difference:

    if ( suite )
    {
      (*(void (__cdecl **)(char *))suite)((char *)suite + 4);
      printf("Rooms number: %u\n", *((_DWORD *)suite + 65));
      fflush(stdout);
    }
    if ( room )
    {
      printf("Name: %s", (char *)room + 4);
      printf("Rooms number: %u\n", *(_DWORD *)room);
      fflush(stdout);
    }

So.. next step is to figure out what of this is exploitable!

@ikornaselur
Collaborator

Reading in the room number reads 16 characters, but is converted into a 32-bit integer.. so the max is 2147483647.
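To make the decompiled offsets above easier to read, and to show what a range-checked replacement for the atoi() conversion looks like, here is an added example (not code from the challenge binary or from the thread's authors). The struct names `room` and `suite` and the helper names are assumptions; the layouts are taken from the malloc sizes and offsets in the decompilation, modelled for the 32-bit target.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Layouts implied by the decompilation: malloc(0x104) / malloc(0x108),
   name at +4 (fgets of 256 bytes), suite number at *((_DWORD *)suite + 65) = +260.
   The binary is 32-bit, so the function pointer slot is modelled as uint32_t to
   keep the offsets correct when compiled on a 64-bit host. Names are assumptions. */
struct room {
    int32_t number;        /* +0: written by atoi() of the "Room number" input */
    char name[256];        /* +4: fgets(room + 4, 256, stdin) */
};

struct suite {
    uint32_t print_fn_addr; /* +0: set to print_name, called when listing bookings */
    char name[256];         /* +4: fgets(suite + 4, 256, stdin) */
    int32_t number;         /* +260: *((_DWORD *)suite + 65) */
};

/* Range-checked replacement for atoi(): rejects non-numeric text, trailing garbage
   and values outside the 32-bit int range. Returns 0 on success, -1 otherwise. */
int parse_number(const char *s, int32_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s) return -1;                    /* no digits at all */
    while (*end == '\n' || *end == ' ') end++;  /* tolerate the newline fgets keeps */
    if (*end != '\0') return -1;                /* trailing garbage */
    if (errno == ERANGE || v > INT32_MAX || v < INT32_MIN) return -1;
    *out = (int32_t)v;
    return 0;
}

/* Confirms the struct sizes match the malloc sizes and the decompiled offsets. */
int layout_matches_decompilation(void)
{
    return sizeof(struct room) == 0x104 && sizeof(struct suite) == 0x108
        && offsetof(struct room, name) == 4
        && offsetof(struct suite, name) == 4
        && offsetof(struct suite, number) == 65 * sizeof(uint32_t);
}
```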

@ikornaselur ikornaselur changed the title Stage 3 - Trump Hotels Stage 3 - Drumpf Hotels Aug 17, 2016
@ikornaselur
Collaborator

Taking a break from this.. don't really know what the attack vector is.

I'm not seeing where the buffer overflow could be for example.

@ikornaselur ikornaselur removed their assignment Aug 17, 2016