Tag: binary overflow

  • Microcorruption CTF Level 0 – Tutorial

    What is Microcorruption?

    Microcorruption CTF is a beginner-level embedded device CTF challenge. You are given a debugger and a lock (with several iterations based on the level that you are on). Your task is to unlock the lock.

    The debugger lets you reverse engineer parts of the code with a disassembler. It also lets you utilise certain functions such as breakpoints and a live memory dump. Using these tools, we must figure out a way to break the program using exploits and unlock the lock.

    Pre-requisites

    Some of the prerequisites are:

    • you are familiar with debuggers (or can at least learn while debugging)
    • some knowledge of assembly (a lock manual is given but you will need to look up certain lines of code to understand more)
    • knowledge of some memory exploits such as buffer overflow
    • Previous experience w

    The lock (LockIT Pro) given is based on the MSP430 microcontroller, as written in the manual.

    Microcorruption CTF home page
    A look at the Microcorruption CTF website as well as the level system

    Level 0 : Tutorial

    So the tutorial goes through the basics of the debugger. Let’s go through the solution of this challenge.

    4438 <main>
    4438:  3150 9cff      add	#0xff9c, sp
    443c:  3f40 a844      mov	#0x44a8 "Enter the password to continue", r15
    4440:  b012 5845      call	#0x4558 <puts>
    4444:  0f41           mov	sp, r15
    4446:  b012 7a44      call	#0x447a <get_password>
    444a:  0f41           mov	sp, r15
    444c:  b012 8444      call	#0x4484 <check_password>
    4450:  0f93           tst	r15
    4452:  0520           jnz	#0x445e <main+0x26>
    4454:  3f40 c744      mov	#0x44c7 "Invalid password; try again.", r15
    4458:  b012 5845      call	#0x4558 <puts>
    445c:  063c           jmp	#0x446a <main+0x32>
    445e:  3f40 e444      mov	#0x44e4 "Access Granted!", r15
    4462:  b012 5845      call	#0x4558 <puts>
    4466:  b012 9c44      call	#0x449c <unlock_door>
    446a:  0f43           clr	r15
    446c:  3150 6400      add	#0x64, sp

    Hmm… that check_password function looks interesting. Let’s take a look at it.

    4484 <check_password>
    4484:  6e4f           mov.b	@r15, r14
    4486:  1f53           inc	r15
    4488:  1c53           inc	r12
    448a:  0e93           tst	r14
    448c:  fb23           jnz	#0x4484 <check_password+0x0>
    448e:  3c90 0900      cmp	#0x9, r12
    4492:  0224           jeq	#0x4498 <check_password+0x14>
    4494:  0f43           clr	r15
    4496:  3041           ret
    4498:  1f43           mov	#0x1, r15
    449a:  3041           ret

    Each character of the entered password is loaded into r14 from the memory location pointed to by r15, starting with the first character.
    Both r15 (the read pointer) and r12 (the byte counter) are incremented on every iteration until a null byte \0 is read.
    Once the null byte is reached, the jump at 0x448c is not taken and execution reaches the cmp statement. Here it checks whether r12 equals 9, i.e. whether the password has exactly 8 characters (8 characters + the null byte = 9).

    If it does, check_password returns 1 in r15 and main calls unlock_door.

    Password: Any 8 character password
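    To make the counting behaviour concrete, here is an added example (not code from the writeup or from the Microcorruption firmware): a small Python model that steps through the check_password instructions from the listing above, one address at a time, over a constructed memory image. It assumes the password buffer sits at offset 0x10 of that image and that r12 is 0 on entry, since the listing never clears r12 inside check_password.

```python
# Added example: instruction-level model of check_password (0x4484..0x449a).
# Assumptions: memory is a flat bytearray, r15 points at the password buffer,
# r12 holds the caller's value (0 by default; the function never clears it),
# and the return value is whatever is left in r15 at `ret`.

def check_password(mem: bytearray, buf: int, r12: int = 0):
    """Execute the loop on `mem` with r15=buf. Returns (r15, r12) at ret."""
    r15, r14 = buf, 0
    pc = 0x4484
    sr_z = False                      # zero flag, set by tst / cmp
    while True:
        if pc == 0x4484:              # mov.b @r15, r14   (load next byte)
            r14 = mem[r15]; pc = 0x4486
        elif pc == 0x4486:            # inc r15           (advance pointer)
            r15 = (r15 + 1) & 0xFFFF; pc = 0x4488
        elif pc == 0x4488:            # inc r12           (count the byte)
            r12 = (r12 + 1) & 0xFFFF; pc = 0x448a
        elif pc == 0x448a:            # tst r14           (was it the NUL?)
            sr_z = (r14 == 0); pc = 0x448c
        elif pc == 0x448c:            # jnz #0x4484       (loop while non-zero)
            pc = 0x448e if sr_z else 0x4484
        elif pc == 0x448e:            # cmp #0x9, r12     (8 chars + NUL?)
            sr_z = ((r12 - 9) & 0xFFFF) == 0; pc = 0x4492
        elif pc == 0x4492:            # jeq #0x4498
            pc = 0x4498 if sr_z else 0x4494
        elif pc == 0x4494:            # clr r15           (reject)
            r15 = 0; pc = 0x4496
        elif pc == 0x4498:            # mov #0x1, r15     (accept)
            r15 = 1; pc = 0x449a
        else:                         # 0x4496 / 0x449a: ret
            return r15, r12

def try_password(pw: bytes, r12: int = 0) -> int:
    """Place a NUL-terminated password in a constructed 0x100-byte memory
    image at offset 0x10 and return check_password's r15 (1 = accepted)."""
    mem = bytearray(0x100)
    mem[0x10:0x10 + len(pw)] = pw
    return check_password(mem, 0x10, r12)[0]

if __name__ == "__main__":
    for pw in (b"abcdefgh", b"abcdefg", b"abcdefghi"):
        print(pw, "->", try_password(pw))
```

Passing a non-zero r12 shows that the accepted length shifts with the caller's leftover counter value, which is why the count is best read as "bytes consumed, including the terminator" rather than a fixed password length.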

    Next: Level 1 & 2 (New Orleans and Sydney)

    This is the first of many in the CTF Writeup series which I will be posting about. We will finish parts of the microcorruption CTF and then look at other challenges.