9447ctf writeup calcpop reloaded

This is an exploitation challenge: we are given a binary that runs in RedOS, an operating system created for the exploitation challenges.

We first load the binary in IDA with base address 0x100000. We then reach the main function at 0x1008bc. The pseudocode of the function looks like the following:

There is no proper limit on the input buffer, causing a stack overflow. Now to the fun part: the exploit and the shellcode.
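As an added example (not the challenge binary's code, which is not reproduced here), the C snippet below shows the bug class the writeup points at: an unbounded copy of input into a fixed-size stack buffer, beside a bounded version that rejects overlong input instead of overrunning the frame. The buffer size, function names and the constructed sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the real binary's size is not stated in the writeup. */
#define BUF_SIZE 64

/* Length of s, but never reading past max bytes (a local strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t i = 0;
    while (i < max && s[i] != '\0') {
        i++;
    }
    return i;
}

/* Vulnerable pattern: strcpy has no idea how big buf is, so any input longer
 * than BUF_SIZE - 1 bytes writes past the end of the stack buffer and into
 * the saved frame pointer and return address. Shown only for contrast. */
size_t handle_input_unbounded(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no length check */
    return strlen(buf);
}

/* Hardened form: the copy is bounded by the destination size, and input that
 * does not fit (including its terminator) is rejected rather than truncated
 * silently. Returns the number of bytes stored, or (size_t)-1 on rejection. */
size_t handle_input_bounded(const char *input) {
    char buf[BUF_SIZE];
    size_t n = bounded_len(input, BUF_SIZE);
    if (n == BUF_SIZE) {
        return (size_t)-1;         /* no terminator within BUF_SIZE bytes: reject */
    }
    memcpy(buf, input, n + 1);     /* n + 1 <= BUF_SIZE, terminator included */
    return n;
}

/* Builds a constructed 199-byte input (longer than the buffer) and reports
 * whether the bounded handler rejects it. Returns 1 if rejected, 0 otherwise. */
int demo_overlong_rejected(void) {
    char big[200];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return handle_input_bounded(big) == (size_t)-1;
}

int main(void) {
    const char *short_input = "calc 1+1";   /* constructed sample input */
    printf("bounded handler stored %zu bytes\n", handle_input_bounded(short_input));
    printf("overlong input rejected: %d\n", demo_overlong_rejected());
    return 0;
}
```

The unbounded handler is only ever safe to call with input known to be short; the bounded one is the shape the challenge binary would need to close the overflow.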

First, let's understand how RedOS handles syscalls. The system uses interrupt 0xff as the syscall entry point, which is handled by a kernel function at address 0xc0102660. Syscall handler pseudocode:

We know the flag is at /ctf/level1.flag, so we need to craft our shellcode to do the following:

and we need to make sure that there are no bad characters in anything we send.

Now we connect, solve the SHA1 challenge, send the buffer, control esp, ebp, etc. and eip, then execute the shellcode and get the flag. Full exploit:

Code that solves the SHA1 challenge:

Exploit:

Proxied content from gemini://0x80.org/gemlog/2015-11-30-calc.gmi.