
Smash the Stack Wargames [blackbox]


esrever
October 22nd, 2010, 22:15
Hi all,

I've been searching for information on the Smash the Stack wargames and found this thread:
http://www.woodmann.com/forum/showthread.php?7932-Reverse-Engineering-Challenges!!!&highlight=smashthestack

However, there is no detailed discussion of the wargames themselves.
I've been trying one of the challenges at blackbox.smashthestack.org and am stuck at this point. Hopefully someone can guide me on how to solve this problem.

Thanks

Viewing all the files in the current directory:
Quote:
level1@blackbox:~$ ls -las
total 1184
4 drwxr-x--- 2 level1 level1 4096 Jul 9 2009 .
4 drwxr-xr-x 16 root root 4096 Dec 20 2009 ..
0 lrwxrwxrwx 1 root root 9 Jun 17 2009 .bash_history -> /dev/null
4 -rw-r--r-- 1 level1 level1 567 Dec 29 2007 .bash_profile
4 -rw-r--r-- 1 level1 level1 1834 Jan 28 2008 .bashrc
1168 -rws--xr-x 1 level2 level2 1189337 Jan 12 2008 login2


Checking the type of the file:
Quote:
level1@blackbox:~$ file login2
login2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, for GNU/Linux 2.4.1, not stripped


Trying to execute the file. It looks like this file is asking for a password:
Quote:
level1@blackbox:~$ ./login2
Username:
Password:
Invalid username or password


I know the password is hidden somewhere in the file, so I ran gdb to look at the contents of the file. (Actually there is another, easier way to get the hidden message, but I wanted to learn how to use gdb to get it.)
Quote:
level1@blackbox:~$ gdb ./login2
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".


To view the assembly code for the function "main":
Quote:
(gdb) disassemble main
Dump of assembler code for function main:
0x0804827a <main+0>: lea 0x4(%esp),%ecx
0x0804827e <main+4>: and $0xfffffff0,%esp
0x08048281 <main+7>: pushl 0xfffffffc(%ecx)
0x08048284 <main+10>: push %ebp
0x08048285 <main+11>: mov %esp,%ebp
0x08048287 <main+13>: push %ebx
0x08048288 <main+14>: push %ecx
0x08048289 <main+15>: sub $0x30,%esp
0x0804828c <main+18>: lea 0xfffffff4(%ebp),%eax
0x0804828f <main+21>: mov %eax,(%esp)
0x08048292 <main+24>: call 0x8072ec0 <_ZNSsC1Ev>
0x08048297 <main+29>: lea 0xfffffff0(%ebp),%eax
0x0804829a <main+32>: mov %eax,(%esp)
0x0804829d <main+35>: call 0x8072ec0 <_ZNSsC1Ev>
0x080482a2 <main+40>: movl $0x80ffe48,0x4(%esp)
0x080482aa <main+48>: movl $0x8130f60,(%esp)
0x080482b1 <main+55>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482b6 <main+60>: lea 0xfffffff4(%ebp),%eax
0x080482b9 <main+63>: mov %eax,0x4(%esp)
0x080482bd <main+67>: movl $0x8130ec0,(%esp)
0x080482c4 <main+74>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482c9 <main+79>: movl $0x80ffe53,0x4(%esp)
0x080482d1 <main+87>: movl $0x8130f60,(%esp)
0x080482d8 <main+94>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482dd <main+99>: lea 0xfffffff0(%ebp),%eax
0x080482e0 <main+102>: mov %eax,0x4(%esp)
0x080482e4 <main+106>: movl $0x8130ec0,(%esp)
0x080482eb <main+113>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482f0 <main+118>: movl $0x80ffe5e,0x4(%esp)
0x080482f8 <main+126>: lea 0xfffffff4(%ebp),%eax
0x080482fb <main+129>: mov %eax,(%esp)
0x080482fe <main+132>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x08048303 <main+137>: xor $0x1,%al
0x08048305 <main+139>: test %al,%al
0x08048307 <main+141>: jne 0x8048328 <main+174>
0x08048309 <main+143>: movl $0x80ffe65,0x4(%esp)
0x08048311 <main+151>: lea 0xfffffff0(%ebp),%eax
0x08048314 <main+154>: mov %eax,(%esp)
0x08048317 <main+157>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x0804831c <main+162>: xor $0x1,%al
0x0804831e <main+164>: test %al,%al
0x08048320 <main+166>: jne 0x8048328 <main+174>
0x08048322 <main+168>: movb $0x1,0xffffffe7(%ebp)
0x08048326 <main+172>: jmp 0x804832c <main+178>
0x08048328 <main+174>: movb $0x0,0xffffffe7(%ebp)
0x0804832c <main+178>: movzbl 0xffffffe7(%ebp),%eax
0x08048330 <main+182>: test %al,%al
0x08048332 <main+184>: je 0x8048366 <main+236>
0x08048334 <main+186>: movl $0x80ffe6e,0x4(%esp)
0x0804833c <main+194>: movl $0x8130f60,(%esp)
0x08048343 <main+201>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x08048348 <main+206>: movl $0x806e0c0,0x4(%esp)
0x08048350 <main+214>: mov %eax,(%esp)
0x08048353 <main+217>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
0x08048358 <main+222>: movl $0x80ffe80,(%esp)
0x0804835f <main+229>: call 0x80b5ab0 <system>
0x08048364 <main+234>: jmp 0x804838a <main+272>
0x08048366 <main+236>: movl $0x80ffe88,0x4(%esp)
0x0804836e <main+244>: movl $0x8130f60,(%esp)
0x08048375 <main+251>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x0804837a <main+256>: movl $0x806e0c0,0x4(%esp)
0x08048382 <main+264>: mov %eax,(%esp)
0x08048385 <main+267>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
0x0804838a <main+272>: lea 0xfffffff0(%ebp),%eax
0x0804838d <main+275>: mov %eax,(%esp)
0x08048390 <main+278>: call 0x8074e40 <_ZNSsD1Ev>
0x08048395 <main+283>: jmp 0x80483ad <main+307>
0x08048397 <main+285>: mov %eax,0xffffffdc(%ebp)
0x0804839a <main+288>: mov 0xffffffdc(%ebp),%ebx
0x0804839d <main+291>: lea 0xfffffff0(%ebp),%eax
0x080483a0 <main+294>: mov %eax,(%esp)
0x080483a3 <main+297>: call 0x8074e40 <_ZNSsD1Ev>
0x080483a8 <main+302>: mov %ebx,0xffffffdc(%ebp)
0x080483ab <main+305>: jmp 0x80483c5 <main+331>
0x080483ad <main+307>: lea 0xfffffff4(%ebp),%eax
0x080483b0 <main+310>: mov %eax,(%esp)
0x080483b3 <main+313>: call 0x8074e40 <_ZNSsD1Ev>
0x080483b8 <main+318>: mov $0x0,%eax
0x080483bd <main+323>: mov %eax,0xffffffe0(%ebp)
0x080483c0 <main+326>: jmp 0x80483e1 <main+359>
0x080483c2 <main+328>: mov %eax,0xffffffdc(%ebp)
0x080483c5 <main+331>: mov 0xffffffdc(%ebp),%ebx
0x080483c8 <main+334>: lea 0xfffffff4(%ebp),%eax
0x080483cb <main+337>: mov %eax,(%esp)
0x080483ce <main+340>: call 0x8074e40 <_ZNSsD1Ev>
0x080483d3 <main+345>: mov %ebx,0xffffffdc(%ebp)
0x080483d6 <main+348>: mov 0xffffffdc(%ebp),%eax
0x080483d9 <main+351>: mov %eax,(%esp)
0x080483dc <main+354>: call 0x80a5180 <_Unwind_Resume>
0x080483e1 <main+359>: mov 0xffffffe0(%ebp),%eax
0x080483e4 <main+362>: add $0x30,%esp
0x080483e7 <main+365>: pop %ecx
0x080483e8 <main+366>: pop %ebx
0x080483e9 <main+367>: pop %ebp
0x080483ea <main+368>: lea 0xfffffffc(%ecx),%esp
0x080483ed <main+371>: ret
End of assembler dump.
(gdb)


I'm stuck here. Which instruction should I look at in order to find the hidden message?

Darkelf
October 23rd, 2010, 15:45
Whooha, really big cannons for such a small target.
How about a tiny "strings login2"?
You will have your username/password within 30 seconds.
If you get stuck somewhere, just ask.

Regards and much fun
darkelf

edit says: I overlooked that you WANT to use gdb on this. Well, I'm off then. GDB is IMHO the worst debugger on earth (at least when the CLI is used).
Sorry.
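The "easy way" Darkelf means is `strings -t x login2`, which prints every printable run in the file with its file offset. To tie those offsets back to the immediates that appear in the disassembly of main() (0x80ffe48, 0x80ffe53, 0x80ffe5e, ...), you need the ELF program headers: for a non-PIE executable like this one, virtual address = segment p_vaddr + (file offset - segment p_offset). The script below is an added example, not something from the thread or from the wargame; it implements both halves (a `strings`-style scan and the offset/address mapping) on a minimal ELF32 image that is constructed in-line so it runs offline. The literal addresses are the ones from the thread's dump; the strings stored at them are placeholders, not login2's real credentials. One inference is built into the placeholders: if the literals sit back to back in .rodata, as compilers normally lay them out, the gaps in the dump leave room for a 6-character username at 0x80ffe5e and an 8-character password at 0x80ffe65.

```python
"""Map string literals in an ELF32 image to the virtual addresses main() uses.

Added example (not code from the thread or from login2). Does what
'strings -t x' does, then converts file offsets to virtual addresses via
the PT_LOAD program headers. The ELF built by build_sample_elf() is a
constructed stand-in with placeholder strings.
"""
import struct

EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, 52 bytes, little-endian
PHDR = "<IIIIIIII"           # Elf32_Phdr, 32 bytes
PT_LOAD = 1


def build_sample_elf():
    """Minimal EXEC ELF32 with one PT_LOAD segment mapping the whole file at BASE.

    BASE is chosen so the placeholder literals land at the addresses the
    thread's disassembly references (0x80ffe48 onwards). Contents are
    placeholders, not the real strings from login2.
    """
    base = 0x80FFDF0
    literals = [
        b"Username: ", b"Password: ",
        b"ABCDEF",              # placeholder: 6 chars, the room between 0x80ffe5e and 0x80ffe65
        b"abcdefgh",            # placeholder: 8 chars, the room between 0x80ffe65 and 0x80ffe6e
        b"PLACEHOLDER_MSG17",   # placeholder for the success message at 0x80ffe6e
        b"SEVEN77",             # placeholder for the system() argument at 0x80ffe80
        b"Invalid username or password",   # the failure message the thread shows
    ]
    rodata = b"".join(s + b"\0" for s in literals)
    header_len = struct.calcsize(EHDR) + struct.calcsize(PHDR)   # 84 bytes
    body = b"\0" * (0x58 - header_len) + rodata                   # literals start at offset 0x58
    total = header_len + len(body)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8         # ELFCLASS32, little-endian, SysV
    ehdr = struct.pack(EHDR, ident, 2, 3, 1, base + 0x100, 52, 0, 0,
                       52, 32, 1, 40, 0, 0)                       # ET_EXEC, EM_386, one phdr
    phdr = struct.pack(PHDR, PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    return ehdr + phdr + body


def load_segments(elf):
    """Return [(p_offset, p_vaddr, p_filesz)] for every PT_LOAD segment."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    fields = struct.unpack_from(EHDR, elf, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    segs = []
    for i in range(phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, *_ = struct.unpack_from(
            PHDR, elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz))
    return segs


def offset_to_va(segs, off):
    """File offset -> virtual address, or None if the offset is not loaded."""
    for p_offset, p_vaddr, p_filesz in segs:
        if p_offset <= off < p_offset + p_filesz:
            return p_vaddr + (off - p_offset)
    return None


def va_to_offset(segs, va):
    """Virtual address -> file offset, or None if the address is not file-backed."""
    for p_offset, p_vaddr, p_filesz in segs:
        if p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    return None


def find_strings(elf, minlen=4):
    """Like 'strings -t x', but reports (virtual address, text) for each run."""
    segs = load_segments(elf)
    out, start = [], None
    for i, b in enumerate(elf + b"\0"):          # sentinel NUL flushes a trailing run
        printable = 0x20 <= b < 0x7F or b in (0x09, 0x0A)
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= minlen:
                out.append((offset_to_va(segs, start), elf[start:i].decode("ascii")))
            start = None
    return out


def read_cstring(elf, va):
    """Static equivalent of gdb's 'x/s VA' on the file image."""
    off = va_to_offset(load_segments(elf), va)
    if off is None:
        raise ValueError(f"{va:#x} is not file-backed")
    return elf[off:elf.index(b"\0", off)].decode("ascii")


if __name__ == "__main__":
    image = build_sample_elf()
    for va, text in find_strings(image):
        print(f"{va:#x}  {text!r}")
    print("x/s 0x80ffe88 ->", read_cstring(image, 0x80FFE88))
```

On the real binary the same mapping comes from `readelf -l login2` (the PT_LOAD entries) combined with the offsets `strings -t x` prints; the address 0x8048000 seen in main() is the usual i386 non-PIE load base, so the .rodata literals at 0x80ffe48 are about 0xb7e48 bytes into the file.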

esrever
October 23rd, 2010, 21:43
Quote:
Originally Posted by Darkelf:
Whooha, really big cannons for such a small target.
How about a tiny "strings login2"?
You will have your username/password within 30 seconds.
If you get stuck somewhere, just ask.

Regards and much fun
darkelf

edit says: I overlooked that you WANT to use gdb on this. Well, I'm off then. GDB is IMHO the worst debugger on earth (at least when the CLI is used).
Sorry.


Darkelf, thanks for your response.
Yeah, I know about strings; that's why I mentioned in my first post that I know the easier method.

I've been reading about this on the internet and found out that the next step I should take is to find the right breakpoint, right? The question is how to identify the right one based on the assembly language I posted above.

Vigual
October 26th, 2010, 23:07
I think this is what you are looking for:

0x080482c4 <main+74>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>

This API is called twice.

I don't know how much reversing experience you have... When starting to reverse, start by looking at API calls.
I am guessing this API, I think it's istream, is getting the text input, which is the user name and password. I don't do much Linux debugging, just Windows, so maybe I am wrong. Look at the registers before the API call, because they push parameters (they don't get pushed here, so I don't know what's happening). If they did get pushed, they would tell you where the text is stored in memory. You can trace the code to find the compares between user input and the correct user name and password. Anyway, try putting a BP before the istream API and trace. Also look up the istream.getline() API parameters and function, etc.
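What esrever asked (which instruction to break on) and what Vigual is guessing at (where the arguments are) can both be read straight off the posted dump, so here is an added example that does exactly that; it is not code from the thread or from the wargame. The facts it relies on: this gcc build reserves the outgoing-argument area once (`sub $0x30,%esp`) and stores arguments with `mov` into `(%esp)` and `0x4(%esp)` instead of pushing them, which is why no `push` precedes the calls. The two `_ZSt7getline...` calls are `std::getline(std::istream&, std::string&)` reading into the locals at `-0xc(%ebp)` (username) and `-0x10(%ebp)` (password); the two `_ZSteq...` calls are `std::operator==(const std::string&, const char*)`, with the std::string local in `(%esp)` and a `const char*` literal in `0x4(%esp)` (`$0x80ffe5e`, then `$0x80ffe65`); the `xor $0x1,%al` after each inverts the result, so `jne main+174` is the mismatch path, and the match path reaches `system()` with `$0x80ffe80` as its argument. Because the literals are immediates, `x/s 0x80ffe5e` works in gdb before the program is even started; the breakpoints on the two compare calls are only needed if you want to watch the comparison happen. The script parses the AT&T dump gdb 6.x prints (including its habit of showing negative displacements such as `0xfffffff4(%ebp)` as unsigned 32-bit values), recovers the compare sites, and emits the gdb commands. The embedded DUMP is a slice of the thread's own disassembly; the function names in the script are my own.

```python
"""Recover compare sites and literal addresses from a gdb 'disassemble' dump.

Added example (not from the thread or from login2). Parses gdb 6.x AT&T
output, finds each call to std::operator==(const std::string&, const char*)
(mangled _ZSteq...), the literal passed in 4(%esp), the std::string local
passed in (%esp), and the argument handed to system(). Then prints the gdb
commands that answer "where do I break, and what do I x/s".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a slice of the disassembly posted in the thread.
DUMP = """\
0x080482f0 <main+118>: movl $0x80ffe5e,0x4(%esp)
0x080482f8 <main+126>: lea 0xfffffff4(%ebp),%eax
0x080482fb <main+129>: mov %eax,(%esp)
0x080482fe <main+132>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x08048303 <main+137>: xor $0x1,%al
0x08048305 <main+139>: test %al,%al
0x08048307 <main+141>: jne 0x8048328 <main+174>
0x08048309 <main+143>: movl $0x80ffe65,0x4(%esp)
0x08048311 <main+151>: lea 0xfffffff0(%ebp),%eax
0x08048314 <main+154>: mov %eax,(%esp)
0x08048317 <main+157>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x0804831c <main+162>: xor $0x1,%al
0x0804831e <main+164>: test %al,%al
0x08048320 <main+166>: jne 0x8048328 <main+174>
0x08048358 <main+222>: movl $0x80ffe80,(%esp)
0x0804835f <main+229>: call 0x80b5ab0 <system>
"""

LINE = re.compile(r"^(0x[0-9a-f]+)\s+<[^>]+>:\s+(\S+)\s*(.*)$")
DISP = re.compile(r"^(0x[0-9a-f]+)\((%\w+)\)$")          # 0xfffffff4(%ebp)
LIT_ARG1 = re.compile(r"^\$(0x[0-9a-f]+),0x4\(%esp\)$")  # second argument slot
LIT_ARG0 = re.compile(r"^\$(0x[0-9a-f]+),\(%esp\)$")     # first argument slot
LEA_LOCAL = re.compile(r"^(0x[0-9a-f]+\(%ebp\)),%eax$")  # address of a local


def signed32(v):
    return v - (1 << 32) if v & 0x80000000 else v


def normalize_ebp(operand):
    """gdb 6.x shows '0xfffffff4(%ebp)'; turn it into '-0xc(%ebp)'."""
    m = DISP.match(operand)
    if not m:
        return operand
    d = signed32(int(m.group(1), 16))
    return f"{'-' if d < 0 else ''}0x{abs(d):x}({m.group(2)})"


@dataclass
class Compare:
    call_addr: str                 # where to 'break *'
    literal: Optional[str]         # const char* in 4(%esp): what to 'x/s'
    string_local: Optional[str]    # std::string object in (%esp)


def parse(dump):
    """[(address, mnemonic, operands)] for each instruction line."""
    insns = []
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            insns.append((m.group(1), m.group(2), m.group(3)))
    return insns


def find_compares(insns, window=6):
    """Each _ZSteq call plus the two argument stores that precede it."""
    found = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call" or "<_ZSteq" not in ops:
            continue
        literal = local = None
        for _, m2, o2 in reversed(insns[max(0, i - window):i]):
            if m2 == "movl" and literal is None and (mm := LIT_ARG1.match(o2)):
                literal = mm.group(1)
            elif m2 == "lea" and local is None and (mm := LEA_LOCAL.match(o2)):
                local = normalize_ebp(mm.group(1))
        found.append(Compare(addr, literal, local))
    return found


def find_system_arg(insns, window=4):
    """The literal stored into (%esp) right before 'call <system>'."""
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops.endswith("<system>"):
            for _, m2, o2 in reversed(insns[max(0, i - window):i]):
                if m2 == "movl" and (mm := LIT_ARG0.match(o2)):
                    return mm.group(1)
    return None


def gdb_commands(insns):
    """Commands to paste into gdb: x/s the literals, break on the compares."""
    cmds = []
    for c in find_compares(insns):
        cmds.append(f"x/s {c.literal}")        # readable before 'run': it is an immediate
        cmds.append(f"break *{c.call_addr}")   # stops with both arguments on the stack
    sysarg = find_system_arg(insns)
    if sysarg:
        cmds.append(f"x/s {sysarg}")
    return cmds


if __name__ == "__main__":
    for c in find_compares(parse(DUMP)):
        print(f"compare at {c.call_addr}: {c.string_local} == *{c.literal}")
    print("\n".join(gdb_commands(parse(DUMP))))
```

At either breakpoint, `x/s *(char **)($esp + 4)` prints the hard-coded literal and `x/x $esp` gives the address of the std::string being compared; with the copy-on-write std::string of that libstdc++ the object is a single pointer to its character buffer, so `x/s **(char ***)$esp` should show what was typed (treat that last detail as an assumption to verify on the box). Nothing here needs the program to be run as level2: the literal addresses alone answer the original question.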
I am guessing this api, i think its istream, is getting the text input which is the user name and password. I don't do much linux debugging. Just windows. Maybe i am wrong. Look at the registers before the api call, because they push parameters (they dont get pushed here so i dont know what's happening). if they did get pushed, they will tell you were the text is stored in memory. You can trace the code to find the compares between user input and correct user name and password. Anyways, try putting a bp before the istream api, and trace. also look up istream.getline() api parameters and funtion etc.