This challenge is a binary in the form of a note-keeping application. On start it changes directory to /home/noted and presents the user with a menu.
Before logging in, we need to register an account. On registration the application creates a folder named after the provided user id. For the password it creates a file named password.txt in the new directory that contains only the plaintext ASCII password for this user.
Once we login a different menu is presented.
A short description of all the functions in the application.
List note displays the notes the user has created
Write note is how a user creates a note. Each note is a file in the user's designated directory; each file/note starts with 16 bytes serving as a password for that note, followed by a maximum of 1024 bytes of note content.
Read note reads a note
Edit note edits a note
Delete note deletes a note by moving the note/file into a subdirectory named recyclecan
Recover note moves a deleted note from the recyclecan directory back to the user’s main folder
Empty recyclecan deletes all files/notes in the recyclecan folder
Logout logs out by setting a local variable in main and presents the login menu again
To exploit the application we only need to know the Write note and Edit note functions.
It’s going to be easier if I just show the decompiled pseudo-code.
What we need to do here is create a note with an arbitrary name and password and a negative content length. The goal is to create a note whose content consists only of its password.
The check for a negative length before writing to the note prevents us from supplying data to the note; however, by creating a note whose content is only its password we can trigger an integer underflow in Edit note.
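As an added illustration (not the challenge's decompiled code, which this page does not reproduce), the C below models the kind of length handling that lets a password-only note slip through, next to a hardened version that rejects the malformed size before any arithmetic can wrap. The note layout (16-byte password, at most 1024 bytes of body) follows the description above; the function names, the exact subtraction in body_len_unsafe (which assumes one extra byte is taken off for a terminator), and the demo driver are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the note layout the writeup describes: a 16-byte
 * note password followed by at most 1024 bytes of body. These names are
 * assumptions, not identifiers from the challenge binary. */
#define NOTE_PW_LEN   16
#define NOTE_MAX_BODY 1024
#define NOTE_MAX_FILE (NOTE_PW_LEN + NOTE_MAX_BODY)

/* Vulnerable pattern (illustration, not the challenge's decompiled code).
 * The body length is derived from the on-disk size with unsigned arithmetic.
 * The writeup does not show the exact expression; this version assumes one
 * extra byte is subtracted for a terminator, so a file holding only the
 * 16-byte password makes the subtraction wrap to SIZE_MAX instead of yielding
 * a small negative number that a later "len < 0" test could catch. */
size_t body_len_unsafe(size_t file_size) {
    return file_size - NOTE_PW_LEN - 1;   /* wraps when file_size <= 16 */
}

/* Hardened: check the range before subtracting and report malformed files
 * explicitly, so the caller never hands a wrapped length to read() or printf(). */
long body_len_checked(size_t file_size) {
    if (file_size <= NOTE_PW_LEN || file_size > NOTE_MAX_FILE)
        return -1;                        /* password-only or oversized file */
    return (long)(file_size - NOTE_PW_LEN - 1);
}

/* Hardened write path. The menu parses the length as a signed integer; the
 * original code rejected negatives only at the moment of writing the body,
 * which still let a password-only note reach disk. Here the length is
 * bounds-checked once, up front, and an out-of-range request creates nothing. */
int write_note_checked(char *out, size_t out_cap, const char *pw,
                       long len, const char *body) {
    if (len < 0 || (size_t)len > NOTE_MAX_BODY)
        return -1;
    if (out_cap < NOTE_PW_LEN + (size_t)len)
        return -1;
    memcpy(out, pw, NOTE_PW_LEN);
    memcpy(out + NOTE_PW_LEN, body, (size_t)len);
    return (int)(NOTE_PW_LEN + len);      /* bytes that would reach the note file */
}

/* Small driver so the checks can be exercised without touching a file system. */
int demo_write(long len) {
    static char note[NOTE_MAX_FILE];
    const char pw[] = "0123456789abcdef";  /* constructed 16-byte note password */
    const char body[] = "hello";
    return write_note_checked(note, sizeof note, pw, len, body);
}

int main(void) {
    printf("unsafe length for a 16-byte file: %zu\n", body_len_unsafe(16));
    printf("checked length for a 16-byte file: %ld\n", body_len_checked(16));
    printf("write with len -1: %d, write with len 5: %d\n",
           demo_write(-1), demo_write(5));
    return 0;
}
```

The point of the two hardened functions is that a length is validated in the signed domain it was parsed in, against an explicit upper bound, before it is ever converted to size_t or used to index a buffer; a file that is smaller than its fixed header is treated as corrupt rather than as "zero or a little less" content.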
If you read the comments, you pretty much know what needs to be done in order to exploit this function.
So let's create a username, log in and create a note with length -1. Then go into Edit note and edit our note. This causes the whole stack to be leaked; that is where we grab an address within libc, calculate the offsets to system() and the /bin/sh string, and classically overwrite the return address of Edit note.