beVX Conference Challenge – HiTB

During Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave attendees the chance to win great prizes.

The challenge was divided into two parts: a file that you had to download and reverse engineer (available from https://www.beyondsecurity.com/bevxcon/bevx-challenge-10), and a server that you had to access to have a running version of this file.

The challenge consisted of a binary acting as a ‘server’ that expects incoming connections. When an incoming connection occurs and a certain ‘protocol’ is implemented, it prints ‘All your base’ and exits. The challenge was to write an exploit that causes the program to print ‘Belong to us!’.

The intended way of solving this challenge was to perform an overflow and cause the execution path of the code to change. One of the solutions provided did not follow this path and was still able to change the output of the program.

We received several submissions. Only two were complete and solved the challenge; the others were close but did not meet our minimum requirements and therefore are not presented here.

ebux25
In this submission, the execution path is not overwritten; rather, the string displayed is changed so that the program does not crash while it still prints the required string. While this was not the intended idea of the challenge, there was no rule against this kind of solution.

yohanes
The solution provided by yohanes was closer to what we were looking for: it changes the code execution path.



*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Noam Rathaus. Read the original post at: https://blogs.securiteam.com/index.php/archives/3694