[Pwnable.kr] input writeup – Toddler’s bottle

This level is particularly fun, kind of easy, straight forward and really useful in the long run. Very often, to exploit a binary or an executable, you need to provide data or input to it, and there are multiple ways you can do that, depending on how the executable takes them.

Let’s see what’s required from us to clear this level. The first level is straightforward :

To clear the first stage, the program expects us to run it with 100 arguments, with the values 0x0  and 0x0d0a20  put respectively into the arguments indexed ‘A’ and ‘B’.

I chose to construct a C program to solve this challenge, you can of course use your favorite language to port the solution to.

So let’s begin, here are the lines of code that’ll take care of stage 1:

Stage 2 is quiet simple too :

In this block of code, the program expect two different values of 4bytes from two different file descriptors : 0 and 2.

The way we can write data into file descriptors, is using pipes. Pipes are a redirection method used by linux to send data or output from one process to another.

Pipes have two ends, a write end and a read end. We create a pipe using the function  pipe(fd); such as fd  is an array of 2 integers. The read end is in fd[0]  and the write end is in fd[1] .

 

Pipes

Keep this in mind, we can clear stage two, by flowing this scenario:

  1. Create two pipes, one for each file descriptor (evidently)
  2. Create a child thread; this thread will duplicate the file descriptors, and launch from it the program we’re trying to “hack” so we can redirect our input values to it.
  3. Send the values to the pipes we just created from the parent process.

Translating this scenario into code gives something like this :

Stage 2 cleared.

Stage 3 is easy too, we need to set an environment variable \xde\xad\xbe\xef with a predefined value of   \xca\xfe\xba\xbe .

The code to do that is pretty straightforward too, we declare the variable env , that will hold the environment variable with its value, and then we pass in the third parameter of the execve()  function :

 

Stage 4 expects a file named  \x0a with the content  \x00\x00\x00\x00 , and that’s pretty easy to accomplish too :

In stage 5, the program expects to find a port open, it tries to connect to it, and expect to receive the value  \xde\xad\xbe\xef . The tiny detail here is that the program takes the value argv[‘C’] as a port and connects to it. So what we need to do first, is choose a port number, and pass it with the arguments array, in the index ‘C’. So the previous block of code become :

After that, we open the port, listen to it, wait some moments using the sleep()  function, and then send the value expected from us :

Let’s collect the pieces into one code, that also hosted here :

One last thing to remember, is that, probably the only place you can compile this is in /tmp folder, but the flag is located in the ~/ folder. The way we can work around this, is by creating a symlink to this file in the /tmp folder next to the program we compiled using the command :

Let’s try this :

It's happening

It’ll happen, it’s happening and it happened.

One last note, and that’s something you probably noticed, the challenged was designed in a way to prevent us from clear the stages manually, because most of the variable and values needed to pass were unprintable bytes and characters, and that was kinda part of the challenge too, which made it peculiar and more enjoyable a bit.

If you have any questions, corrections or remarks, don’t hesitate 🙂

See ya !

 

One thought on “[Pwnable.kr] input writeup – Toddler’s bottle

Leave a Reply

Your email address will not be published. Required fields are marked *

* Copy This Password *

* Type Or Paste Password Here *