This is probably the easier way of solving the challenge; indeed, this is exactly how my team did it. However, there's a somewhat more interesting solution, exploiting a badly implemented doubly-linked list: https://blog.skullsecurity.org/2014/defcon-quals-writeup-for...
Good God. Whenever I read these, I always get chills down my spine. Part of me wants to do the same, get better at it (I know tiny parts of many things including what is discussed here but not even remotely close to the author), the other one just wonders how does one get so good as to perform all this by themselves. Reverse engineering is beautiful :)
He gave us a bit of a run-through presentation of his tactics for the latest shmoocon CTF. It seemed like it was a combination of time, skill, more time, patience... and skill? The world of reversing is so beyond my ken, but I love having people around who know how to do it.
When I asked how to get started, he suggested I just jump into a CTF and try.
[edit] I work at endgame (see my other comment), we're hiring, etc. etc.
Http://crackmes.de
They have lots of challenges, with difficulty levels going from 1-10, and each challenge has an annotated solution explaining how to crack the program.
Exactly how I feel! It looks awesome, and quite understandable when explained step by step. But I feel that I wouldn't be able to get past the first few steps if I encountered these problems by myself.
This stuff is like crack to me. I love these sort of explanations. I have absolutely no ability to do any of it and can only kind of follow it, but it's so fascinating to read about.
Anyone who's interested we (Endgame) are hiring. Check the careers page and get in touch. I'm on the data science team, but we have a variety of openings in DC and SF.
> Therefore, if we are copying into s2 and we only leak data after the 4th character, we can assume that by default in the uninitialized stack there is a null at s23.
I'm very inexperienced with reverse-engineering, and haven't finished the article yet, but is "s23" here a typo? I can't find any other reference to it in the article, and it doesn't make sense to me. Should it be "s2"? Thanks
It might be a slight typo, but I think that s23 is referring to the 3rd index in s2. Since the 4th character (or index 3 in a 0-index string), is the one that is causing the leak, this must be where the null character is.
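The inference in this reply (a NUL already sitting at s2[3] is what stops the read until a 4th copied byte overwrites it), worked through as an added C example that is not code from the writeup or from anyone in this thread. The buffer contents are constructed: leftover zeros at s2[0..3], non-zero junk after, and an unterminated copy standing in for the bug class under discussion.

```c
/* Added example, not from the writeup: models "a null at s2[3]".
 * A stack buffer s2 is assumed to hold leftover bytes that are zero
 * at indices 0..3 and non-zero junk afterwards (constructed values).
 * Copying n bytes without appending a terminator and then reading s2
 * as a C string stays bounded while n <= 3; the 4th byte clobbers the
 * NUL at s2[3] and the read runs on into the junk. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define S2_LEN 16

/* Simulated uninitialized stack: zeros at s2[0..3], 'X' junk after. */
static void fill_leftover_stack(char *s2, size_t len)
{
    memset(s2, 'X', len - 1);
    s2[len - 1] = '\0';          /* hard stop so the demo cannot overrun */
    memset(s2, '\0', 4);         /* s2[3] is the NUL the reply infers */
}

/* Copy n input bytes into s2 with no terminator (strncpy-style), then
 * return how many bytes a %s-style read of s2 would expose. */
size_t leaked_length(const char *input, size_t n)
{
    char s2[S2_LEN];
    fill_leftover_stack(s2, sizeof s2);
    if (n > sizeof s2 - 1)
        n = sizeof s2 - 1;
    memcpy(s2, input, n);        /* no NUL appended after the copy */
    return strlen(s2);           /* stops at the first NUL it finds */
}

/* Bytes exposed beyond the copied data: 0 until the 4th byte lands. */
size_t leaked_extra(const char *input, size_t n)
{
    size_t seen = leaked_length(input, n);
    return seen > n ? seen - n : 0;
}

int main(void)
{
    const char *input = "ABCDEFGHIJ";   /* constructed sample input */
    for (size_t n = 1; n <= 6; n++)
        printf("copied %zu byte(s): string length %zu, extra %zu\n",
               n, leaked_length(input, n), leaked_extra(input, n));
    return 0;
}
```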
I love the concept of CTFs but as a web developer (JS/PHP) this is like Greek to me. I presume you need to be a hardcore low-level security hacker to even consider doing CTFs.
I'm not a low-level security hacker but I've created and debugged enough C code in my career to follow exactly what is going on here.
I don't know if I would have been able to derive this solution on my own though, that's where the creativity comes in. However, I'm guessing these CTF challenges are usually kind of "similar" in the same way that ACM programming challenges are. If you do these sort of challenges often enough it should become easier.
The CTFs I've played usually had a good mix of web stuff and binary exploitation.
Also, the best way to learn this stuff is to do it. Even if this seems out of your league, I'd suggest just joining a team and starting to play - if that kind of thing seems interesting to you.
Try microcorruption.com--it's pretty accessible to anyone who understands basic C programming concepts (like stacks and null-terminated strings) and the challenges have a nice progression in difficulty and complexity.