Running at 188.8.131.52:1234
All we were given for this problem is a core dump. Examining the core file revealed it was for FreeBSD ARM. One of the guys had setup a Raspberry Pi (have I mentioned how useful those are for these CTFs?) with FreeBSD so we were able to examine the core file. However, it did not contain any executable code, so we were going to have to Fuzz the service.
Connecting to the service first asks for your name, and then once in reveals that it is a text based RPG with various rooms. Eventually moving around you’ll come across a Troll which you can attack. (or run away from). Once you try to attack you are killed by the troll and a message saying “Sorry [name], You died…better luck next time.” Trying format strings for the name did not reveal any printf errors. And it appears that the commands for moving were properly read from the socket and limited in length. Trying long strings when in the room with a troll lead to what appeared to be a crash – the service would just disconnect. There would be no output sent back.
Eventually I figured out that when the input was longer than 275 characters the service would crash. So now we had to guess what it was doing (most likely stack overflow).
The core file had a bunch of A’s in the location of the stack and that led me to guess that it was a stack overflow. Playing around with putting various addresses (word aligned) and garbage led me to believe that I wasn’t quite overwriting the saved return address but a frame pointer or other pointer of some point.
So now where to put shellcode… luckily the core file had a string “The troll slayer” in memory stored in a static data section and we took a guess that it was the name entered. Sending our shellcode for the name, and smashing the stack with the address of that buffer led to execution.