Secure login (Facebook BountyCon 2020)
This was the only pwn challenge at Facebook BountyCon 2020; here is how I solved it.
The description:
We developed a super secure login system, but unfortunately we aren't
familiar with those newfangled memory-safe languages.
We are given a 64-bit ELF binary:
./secure_login: ELF 64-bit LSB shared object,
x86-64, version 1 (SYSV), dynamically linked,
interpreter /lib64/l, BuildID[sha1]=e04815d2376518cc8b4295463f91479b57b8212a,
for GNU/Linux 3.2.0, not stripped
After opening it in IDA, I found these functions:
- 0x0000000000001269 wait_for_zombie
- 0x0000000000001291 check_passwd
- 0x0000000000001414 take_connections_forever
- 0x00000000000014dc main
Let's look at the check_passwd() function.
It looks like our input is compared against v17. I assume v17 and v18 are really one variable, since this is an MD5 digest (16 bytes, i.e. two 8-byte words).
This is the take_connections_forever() function.
It looks like we have to follow the child process to debug check_passwd(), since there is a fork().
This can be done in gdb with the command set follow-fork-mode child, then setting a breakpoint on check_passwd.
Now let's try to run it.
The binary listens on port 10000, so I connect to that port using the nc command. Now let's set another breakpoint on
0x00005555555553af <+286>: call 0x555555555100 <memcmp@plt>
and try the input AAAAAAAA.
The value at 0x00007fffffffdda0 is the MD5 of our input, and the value at 0x00007fffffffdd90 is the hash stored in the binary itself. Let's look at the stack at rsp:
0x7fffffffdd10: 0x4141414141414141 0x000000000000000a <-- our input
0x7fffffffdd20: 0x0000000000000000 0x0000000000000000
0x7fffffffdd30: 0x0000000000000000 0x0000000000000000
0x7fffffffdd40: 0x0000000000000000 0x0000000000000000
0x7fffffffdd50: 0x0000000000000000 0x0000000000000000
0x7fffffffdd60: 0x0000000000000000 0x0000000000000000
0x7fffffffdd70: 0x0000000000000000 0x0000000000000000
0x7fffffffdd80: 0x0000000000000000 0x0000000000000000
0x7fffffffdd90: 0xa99dd1dbed586201 0xc6bbb0b969f29e4d <-- the md5 password
0x7fffffffdda0: 0xf5f48e17c7c26f5c 0x71750fc6d47e8ca8 <-- this is md5 from our input
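As an added illustration (not the challenge binary's code), the C model below mirrors the frame layout in the dump above, a 128-byte input buffer followed by the stored digest and the digest of our input, and shows how a bounded copy keeps an over-long input from reaching the stored digest. The buffer sizes are an assumption read off the dump offsets, and the seeded digest bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame layout modelled on the gdb dump: 0x80 bytes of input buffer, then the
   stored digest (+0x80) and the digest of our input (+0x90). These sizes are an
   assumption read off the dump, not taken from the binary. */
#define PASSWD_MAX 128
#define DIGEST_LEN 16
struct login_frame {
    char    buf[PASSWD_MAX];      /* 0x7fffffffdd10: input lands here            */
    uint8_t stored[DIGEST_LEN];   /* 0x7fffffffdd90: hash the binary compares to */
    uint8_t computed[DIGEST_LEN]; /* 0x7fffffffdda0: md5(input)                  */
};

/* Unchecked copy, like the vulnerable read: clipped to the whole frame only so
   the model stays defined behaviour; nothing keeps input out of stored[]. */
size_t copy_unchecked(struct login_frame *f, const char *in, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, in, len);
    return len;
}

/* Hardened copy: reject input that does not fit in buf[] with a terminator. */
int copy_checked(struct login_frame *f, const char *in, size_t len)
{
    if (len >= PASSWD_MAX) return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return (int)len;
}

/* Scenario: seed stored[] with a constructed digest, copy len bytes of 'A'
   (e.g. 152, which crosses into stored[]) with either copier, and return 1 if
   stored[] still holds its original bytes afterwards. */
int stored_survives(size_t len, int use_checked)
{
    struct login_frame f;
    uint8_t orig[DIGEST_LEN];
    char in[256];
    memset(&f, 0, sizeof f);
    memset(in, 'A', sizeof in);
    for (int i = 0; i < DIGEST_LEN; i++) orig[i] = f.stored[i] = (uint8_t)(0xa0 + i);
    if (use_checked && copy_checked(&f, in, len) < 0) return 1; /* rejected, frame untouched */
    if (!use_checked) copy_unchecked(&f, in, len);
    return memcmp(f.stored, orig, DIGEST_LEN) == 0;
}
```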
Let's input A*152.
It looks like we can control rsi and rcx. Let's look at the stack.
Now we can try to overwrite 0x7fffffffdd90 so that the stored value matches the value computed from our input. This is my exploit to solve this challenge: