Category Archives: Uncategorized

Solving a Crack Me with Triton and Pin (a.k.a the lazy way)

I originally wrote this post for blackbunny's blog.

Some definitions

As stated in Triton’s home page:

Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint Engine, AST representations of the x86 and x86-64 instruction set semantics, SMT simplification passes, an SMT Solver Interface and, last but not least, Python bindings. Based on these components, you are able to build program analysis tools, automate reverse engineering and perform software verification.

That might sound like gibberish to some of you, so let's cover these definitions first.

[io64][smashthestack] level7: ROP me baby, ROP me all night long

In this post, I’ll be covering the resolution of smash the stack’s io64 level7.

First you need to log in to the server:

As usual, the binary has the suid bit set, and the source code is provided:

The code is quite straightforward: there is a buffer overflow opportunity. Let's look at the protections:

[io64][smashthestack] level6: may the brute force be with you

This one is about messing with ASLR, let’s look at the code:

This code has one little problem: it does not correctly check the error code on the second call to mmap. It never checks whether addr has been set to MAP_FAILED (-1), which can lead to dereferencing -1 and triggering a segfault. So if we manage to succeed on the first call to mmap but fail on the second, we get the shell!

[io64][smashthestack] level5: noexecstack is not enough

As the header of the file states, there is no way to execute the stack. It also says ASLR is not enabled, but it turns out that it is, at least as far as the stack is concerned (you can check that with the dm command in radare2).

[io64][smashthestack] level4: stack smashing… at last !

In this level, we're finally going to exploit the binary:

As you can see, no bounds checking is done at all on argv[1]: a long string would overwrite the return address of the dobug function.

[io64][smashthestack] level 3: no proper bound checking

Let's take a look at the source code:

With the C code at hand, one can quickly spot the problem: the for loop iterates over 17 elements of the buffer instead of 16, because of the "<=" comparison.

This means one could overwrite the least significant byte of the fp pointer, and that is exactly what we are going to do with the help of radare2!

[io64][smashthestack] level2: Divide and conquer (or not…)

For this level, and for all the following levels, we will always be provided with the source code. The goal here is not really to reverse the binary but to "exploit" it.

One could first try dividing 0x1064deadbeef4601 by 0xd1038d2e07b42569; let's try it with bc:

Of course that didn't work: the result is not an integer. We need to overflow a multiplication and obtain a 128-bit value whose 64 least significant bits are equal to 0xd1038d2e07b42569. But how?

[io64][smashthestack] level 1: a piece of cake

Here it is, my first post!

In this post I’ll be talking about smashthestack‘s io64 level1.

First let’s connect to the server:

Instructions are pretty straightforward, let’s have a look at the levels folder:

All binaries have the suid bit set and belong to the next level's user.