Solving the Cyberlympic Pwnable WGZLiveLabsTrivia

This year I competed for the first time in the Cyberlympics contest. This year it was created by warl0ckgam3z. Our 4-man team managed to get to the third round in Europe, but we wasted too much time on some challenges and were beaten by two of last year's finalists. One of the challenges in round 3 was a pwnable named WGZLiveLabsTrivia. I didn't solve it during the contest, but the day after, and still wanted to write about it. So sorry about the delay, but here finally is the write-up. (Also, the team that did solve this during the contest used the same principle.)

The binary we got was a simple server which listens on port 1432 and asks for a Logon: name. If the name is not correct, it exits with a Goodbye message.

The first task is to find the Logon name. With our good friend strings we were able to find the name Joshua. When logging in with Joshua, it just asks us for a bunch of questions and ends with the question of the launch code.

And the Launch Code input contains a buffer overflow. We started the server in gdb (with peda) and used moneyshot to create a cyclic pattern and see how big our buffer is.

So our buffer needs 1132 characters before we overwrite EIP. So far the easy part. The next thing is to figure out our best way of exploitation. We don't have an executable stack and we don't know anything about the system it runs on (libc version/ASLR). While looking for ROP gadgets in the objdump -d output, we noticed several int $0x80 instructions. So we could do something like:

At the end I came up with the following ROP-chain (comments in code). Not the most elegant solution, but it works.

And running it locally returns a shell: