CTF/gits2012teaser/3-Hackquest

Question
Find the key. (File running at hackquest.ghostintheshellcode.com:7331) Hint: [[Media:9692febb68918a3c5127c56a5320439d.bin.gz|Binary file]] Hint: [[Media:1f5d7afa5f3765385a9973e1d500bee7.c|Partial source code]]

Solution

 * Remote system running some sort of text adventure.
 * The hint dropped partial source code (extremely helpful)
 * Hint from IRC: look at the items
 * struct ItemInfo contains a union:


 * magical item:


 * use has an insufficient test:


 * if we "use letter on $target", we can make it call ->func
 * .requiredTarget aliases with .newItem, which in turn contains a set of pointers, all static -> $target is known
 * ->func aliases with .name
 * the game asks us for our name, and stores this into a 31 byte static buffer
 * whatever we use as name will be used as function address to be called -> we captured control flow
 * ROP ensues:
 * first gadget: pivot the stack pointer to an area we control (the 256 byte cmd buffer in handleConnection)
 * then mmap an anonymous page RWX to a fixed location -> memory we can write to and run code from, we choose the offset
 * our data is on the stack, which is likely on a random offset -> need to move data from stack buffer to page
 * work around this problem by putting bootstrap shellcode into the static name buffer (see above)
 * bootstrap code copies stack-relative buffer to our page, then transfers control:


 * the remaining shellcode takes the socket fd from a fixed stack offset, dup2()s it to 0, 1, 2, then spawns /bin/sh:


 * cat key.txt


 * all combined, use as (ruby h.rb; cat) | nc host 7331
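The union aliasing that the ItemInfo and "use" bullets above describe, as an added example written for this page (not the contest binary's source): a hypothetical reconstruction of ItemInfo with a kind tag, a use routine that only compares the target string beside one that validates the kind before touching the union. The tag, shortName, the sample items and all function names are assumptions; field names follow the writeup.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of ItemInfo: field names follow the writeup, the kind tag,
 * shortName and the sample items are assumed. The union arms overlap byte for byte. */
enum ItemKind { ITEM_PLAIN, ITEM_MAGICAL };
typedef void (*ItemFunc)(void);

typedef struct ItemInfo {
    char shortName[16];                 /* first field: what a stray strcmp() reads */
    enum ItemKind kind;
    union {
        struct { const char *requiredTarget; ItemFunc func; } magical;
        struct { struct ItemInfo *newItem; char *name; } plain;
    } u;
} ItemInfo;

static char playerName[31];             /* fixed-size static name buffer, as in the game */
static void bless(void) { puts("the altar glows"); }

/* Constructed sample items: a magical torch and a plain letter that points at it. */
static ItemInfo torch  = { "torch",  ITEM_MAGICAL, .u.magical = { "altar", bless } };
static ItemInfo letter = { "letter", ITEM_PLAIN,   .u.plain   = { &torch, playerName } };

/* Insufficient test: only the target is compared, never the kind, so on a plain item
 * strcmp() reads newItem->shortName and .name comes back as .func (returned, not called). */
ItemFunc use_unchecked(ItemInfo *it, const char *target)
{
    if (strcmp(it->u.magical.requiredTarget, target) == 0)
        return it->u.magical.func;
    return NULL;
}

/* Hardened: validate the tag before reading any union member, then the target. */
ItemFunc use_checked(ItemInfo *it, const char *target)
{
    if (it->kind != ITEM_MAGICAL || strcmp(it->u.magical.requiredTarget, target) != 0)
        return NULL;
    return it->u.magical.func;
}

/* True when f's object representation equals the address of playerName. */
int points_at_player_name(ItemFunc f) { char *p = playerName; return sizeof f == sizeof p && memcmp(&f, &p, sizeof p) == 0; }

int main(void)
{
    printf("letter on torch: unchecked resolves to name buffer=%d, checked refuses=%d\n",
           points_at_player_name(use_unchecked(&letter, "torch")), use_checked(&letter, "torch") == NULL);
    return 0;
}
```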