Difference between revisions of "CTF-practice-evening:2014-03-24"
| Line 45: | Line 45: | ||
* readelf shows us that we have both data and text - the binary executable is loaded into 2 pages, starting from the start of the binary until 4096 bits later | * readelf shows us that we have both data and text - the binary executable is loaded into 2 pages, starting from the start of the binary until 4096 bits later | ||
** The kernel loads it into the virtual address | ** The kernel loads it into the virtual address | ||
| − | ** You can also see another offset, used for page alignment with memory | + | ** You can also see another offset, used for page alignment with memory (in chunks of 4096 bytes) |
Revision as of 19:48, 24 March 2014
| CTF-practice-evening:2014-03-24 | |
|---|---|
| Date | 2014/03/24 |
| Time | |
| Location | ACTA |
| Type | Workshop |
| Contact | Melanie |
Contents
Capture The Flag evening - Part 11
- 24 March, 2014 - 7 PM
- Please bring along a laptop with you!!!
General CTF Info
- See the page for the Ctf-evenings
- Link to the Tech Inc Challenge Website Scoreboard
Walkthrough: Minibomb
- Brainsmoke is explaining how he solved the challenge 'Minibomb' during the Codegate CTF
- Minibomb is a small setuid binary
- This is probably a handmade binary written in assembler, Linux ELF, 32 bit
- You can see the ELF header if you use file or hexdump
- For more information about the ELF header (including the binary entry point, memory pages being loaded, executable text, etc..), you can use readelf
- Objdump allows us to disassemble the binary
- It's a static binary - there's no dynamic loader
- Dynamic binaries have an interpreter section, with more LD-* things that need to be resolved
- The kernel needs to tell where the binary starts
- You could also use IDA, but that's overkill for this binary
- If you run it with strace, you see a list of signals and system calls
- It starts, does an old_mmap call (you can get lots of information from the arguments, including the starting address), an unman (looks like a stack address - bfxx if usually on the stack in 32 bits)
- It does a write and read
- If you send lots of A's, you get a segfault - this gives away that you have a bug here
- You can do this in gdb to get more information
- You can see that a fault happens on the address 0x41414141 - our input!
- It's easy to get arbitrary code execution here
- Because it's a small file, we can take a look at the disassembled code
- We can see the memory map
- You can get system call information by typing 'syscall mmap' - we can see 0x5a, which is the syscall instruction in the disassembly!
- We should read up to understand the meanings of: %eax, %ebx, etc…
- We can give 6 arguments with a system call
- Next command: %ebp is the frame pointer for the function call frames - this is also for the old_mmap system call
- The one argument is an array of six arguments - that is a pointer to that argument
- Next command: int 0x80 is the system call command on x86
- readelf shows us that we have both data and text - the binary executable is loaded into 2 pages, starting from the start of the binary until 4096 bits later
- The kernel loads it into the virtual address
- You can also see another offset, used for page alignment with memory (in chunks of 4096 bytes)
Next CTF Competition
- We are having a look at:https://ctftime.org/event/list/upcoming
