Category: Exploitation, CRS
Description: CRS (Cyber Reasoning System) are all the rage (and going on right now)
... but they only have 7 syscalls
... we're giving you 190. Good luck.
The neophyte_cgc challenge was the easier version of apprentice_cgc; the challenge is about AEG (Automated Exploit Generation).
When connecting to the server, we get a different binary each time. Well, kinda same same... but different ;). In main there is a single byte being checked as a password. If the correct byte is supplied, execution branches to the vulnerable function; if not, we return.
The vulnerable function, just like in apprentice_cgc, has a classic stack overflow, with the canary, NX and ASLR exploit mitigations disabled. One difference is that the neophyte binary does not provide us with the address of the stack buffer, so we need to find a gadget...
Also, the stack frame of the vulnerable function is a different size in every new binary, so we have to calculate it from the objdump output.
Again, I'm using a ghetto method, but one that works fast.
Connect to the server and get generated binary
Drop the binary to disk and analyze it with objdump
Send the correct 1 byte password
Calculate the stack frame of the vulnerable function from the objdump output
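The last step above (working the frame size out of the objdump output) is the one that has to be redone for every freshly generated binary, so it is the one worth scripting. The following is an added example, not the author's script: it parses `objdump -d` text, tracks which function each instruction belongs to, and reports the stack area each prologue reserves with `sub $imm,%esp` (or `sub esp,imm` when objdump is run with `-M intel`). The objdump listing embedded below is constructed for illustration and is not the challenge binary; the function names `vuln` and `main` and the sizes 0x188 and 0x10 are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample of `objdump -d` (32-bit, AT&T syntax) output. Addresses,
# function names and frame sizes are made up for illustration only.
SAMPLE_OBJDUMP = """\
080484b6 <vuln>:
 80484b6:	55                   	push   %ebp
 80484b7:	89 e5                	mov    %esp,%ebp
 80484b9:	81 ec 88 01 00 00    	sub    $0x188,%esp
 80484bf:	8d 85 78 fe ff ff    	lea    -0x188(%ebp),%eax
 80484c5:	50                   	push   %eax
 80484c6:	e8 fc ff ff ff       	call   80484c7 <vuln+0x11>
 80484cb:	c9                   	leave
 80484cc:	c3                   	ret

080484cd <main>:
 80484cd:	55                   	push   %ebp
 80484ce:	89 e5                	mov    %esp,%ebp
 80484d0:	83 ec 10             	sub    $0x10,%esp
 80484d3:	c9                   	leave
 80484d4:	c3                   	ret
"""

# "080484b6 <vuln>:" lines mark the start of a function in objdump output.
FUNC_HEADER = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
# Prologue stack reservation in AT&T syntax ("sub $0x188,%esp") and in
# Intel syntax as printed by `objdump -M intel` ("sub esp,0x188").
SUB_ESP_ATT = re.compile(r"\bsub\s+\$0x([0-9a-f]+),%esp\b")
SUB_ESP_INTEL = re.compile(r"\bsub\s+esp,0x([0-9a-f]+)\b")


def frame_sizes(objdump_text: str) -> Dict[str, int]:
    """Map each function name to the number of bytes its prologue reserves
    below the saved frame pointer. Functions with no `sub ...,esp` are
    omitted; only the first such instruction per function is taken, since
    that is the prologue (later ones would be argument-area adjustments)."""
    sizes: Dict[str, int] = {}
    current: Optional[str] = None
    for line in objdump_text.splitlines():
        header = FUNC_HEADER.match(line)
        if header:
            current = header.group(2)
            continue
        if current is None or current in sizes:
            continue
        m = SUB_ESP_ATT.search(line) or SUB_ESP_INTEL.search(line)
        if m:
            sizes[current] = int(m.group(1), 16)
    return sizes


def frame_size(objdump_text: str, func: str) -> int:
    """Frame size of one named function; raises if the function has no
    recognisable prologue, so a changed binary fails loudly rather than
    silently yielding a wrong offset."""
    sizes = frame_sizes(objdump_text)
    if func not in sizes:
        raise ValueError(f"no 'sub imm,esp' found in function {func!r}")
    return sizes[func]


if __name__ == "__main__":
    for name, size in frame_sizes(SAMPLE_OBJDUMP).items():
        print(f"{name}: {size:#x} ({size} bytes)")
```

In practice the text would come from `subprocess.run(["objdump", "-d", path], capture_output=True, text=True).stdout` on the binary dropped to disk. Note that the `sub` immediate is the local-variable area only; the distance from a particular buffer to the saved return address also depends on where the compiler placed that buffer (the `lea -0x188(%ebp)` line in the sample is what actually locates it), so the same parser is the natural place to pick that offset up too.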