WWTV
The bug is easy to find in the function Coordidate: it is a basic format string bug.
![](https://i1.wp.com/i1343.photobucket.com/albums/o783/peter_nguyen93/Screen%20Shot%202015-05-18%20at%209.45.12%20PM_zpsv7pq1eki.png?resize=604%2C359)
But before reaching printf(s), we must pass a check that a pair of float numbers can be parsed from s. To bypass it we just append the format string to the end of the pair '51.492137,-0.192878', since atof() ignores whatever follows the number it parsed; for more information about atof read http://www.cplusplus.com/reference/cstdlib/atof/
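The atof() behaviour behind this bypass, as an added C example (not code from the challenge binary or from the writeup): a lenient pair check built on atof(), the strict strtod() form that rejects trailing text, and printf with a fixed format as the safe sink. The check logic and the function names are constructed stand-ins, since the binary's own range test is not shown on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the challenge's check (the binary's own test is
 * not on the page): accept the pair when atof() gives a non-zero value for
 * each half. atof() stops silently at the first character it cannot parse,
 * so anything appended after the second number never reaches this check. */
int pair_ok_lenient(const char *s)
{
    const char *comma = strchr(s, ',');
    if (comma == NULL)
        return 0;
    return atof(s) != 0.0 && atof(comma + 1) != 0.0;
}

/* Strict variant: strtod() reports where parsing stopped, so require the
 * first number to end exactly at the comma and the second at the NUL.
 * The same input with trailing text now fails. */
int pair_ok_strict(const char *s, double *lat, double *lon)
{
    char *end;
    *lat = strtod(s, &end);
    if (end == s || *end != ',')
        return 0;
    const char *second = end + 1;
    *lon = strtod(second, &end);
    return end != second && *end == '\0';
}

/* The sink: the challenge calls printf(s) on user data. A fixed format with
 * the string as an argument removes the format-string bug even if a lenient
 * check lets extra characters through. Returns the bytes written. */
int echo_safe(const char *s)
{
    return printf("%s\n", s);
}

int main(void)
{
    const char *clean = "51.492137,-0.192878";      /* pair from the writeup */
    const char *tail  = "51.492137,-0.192878%p%p";  /* constructed: pair plus trailing format text */
    double lat = 0, lon = 0;
    printf("lenient: clean=%d tail=%d\n", pair_ok_lenient(clean), pair_ok_lenient(tail));
    printf("strict : clean=%d tail=%d\n", pair_ok_strict(clean, &lat, &lon),
           pair_ok_strict(tail, &lat, &lon));
    echo_safe(tail);   /* prints the literal text, no format interpretation */
    return 0;
}
```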
So the payload to exploit this bug is easy:
- First, we need to leak the binary base address and the libc address.
- Second, calculate the address of system, overwrite the GOT entry of atof with it, and we are done.
But the game is not over yet; before we can exploit the bug, we need to solve two problems:
- We must write a program that solves the game in order to enter TARDIS mode (this task is quite strange).
- We must bypass the time check to enter the vulnerable function.
![](https://i1.wp.com/i1343.photobucket.com/albums/o783/peter_nguyen93/Screen%20Shot%202015-05-18%20at%209.45.31%20PM_zps5cjo7w5t.png?resize=604%2C401&ssl=1)
```c
time_c > 0x55592B6C && time_c <= 0x55592B7F;
```
So we must set time_c in the range (0x55592b6c, 0x55592b7f].
Take a look at the READ_DATA function, which will be triggered after 2 seconds.
![](https://i0.wp.com/i1343.photobucket.com/albums/o783/peter_nguyen93/Screen%20Shot%202015-05-18%20at%209.45.50%20PM_zpswdzdbei7.png?resize=604%2C302&ssl=1)
OMG, the buffer used for saving the connection to the localtime server is also used to store user input. We just send 9 zero bytes to the server, wait until READ_DATA is triggered, and then send 4 bytes in the required range, and we will enter the vulnerable function.
Our PoC is here: https://gist.github.com/peternguyen93/f06aa5e27626598a1c21
CyberGrandSandbox
This is a very interesting challenge.
After doing some RE we found the following useful information:
The program evaluates basic Polish Notation expressions using a JIT compiler.
The structure of the JIT is:
![](https://i0.wp.com/i1343.photobucket.com/albums/o783/peter_nguyen93/Screen%20Shot%202015-05-18%20at%2010.16.00%20PM_zpsv7mooby2.png?resize=604%2C108&ssl=1)
Take a look at the function handle_digit:
![](https://i0.wp.com/i1343.photobucket.com/albums/o783/peter_nguyen93/Screen%20Shot%202015-05-18%20at%209.52.13%20PM_zpsyqmu8oxb.png?resize=604%2C329&ssl=1)
When we input a string of numbers separated by space characters, the JIT compiler pushes each of them into stack_buffer.
We know that the size of stack_buf is 0x1000 (it is located just below stack_code), and in this function there is no bounds check, so pushing enough values overflows stack_buf into stack_code. That is the bug.
We just write our own shellcode and overwrite some opcodes at the end of asm_code with it (because a CGC executable has no sys_execve syscall, we just use the syscalls provided by CGC to read the flag).
Our shellcode:
```asm
_start:
    push 0x3
    pop eax        ; eax = 3: CGC receive() syscall number
    push ebx
    pop ecx        ; ecx = our buffer (ebx holds the buffer when the shellcode runs)
    push 0x3
    pop ebx        ; ebx = 3: file descriptor to read from
    push 0x50
    pop edx        ; edx = 0x50: number of bytes to receive
    int 0x80       ; receive(3, buf, 0x50, ...)
    push 0x2
    pop eax        ; eax = 2: CGC transmit() syscall number
    push 0x1
    pop ebx        ; ebx = 1: stdout; ecx and edx still hold buf and 0x50
    int 0x80       ; transmit(1, buf, 0x50, ...)
```
Our PoC is: https://gist.github.com/peternguyen93/e7d08cf109b38af6baae
This is the first time I have written a writeup in English. If something went wrong or there is some point you don't understand, feel free to ask me above.