![]() They described a systematic way of building codes that could detect and correct multiple random symbol errors. "Reed–Solomon (RS) codes are non-binary cyclic error-correcting codes. It turned out that the function "DoDecodeBlockEv" was actually implementing the decoding step of a Reed-Solomon error correction code. The good news was that, even if we had no idea on what the "decoding" step and the obscure checks were actually doing, we started to see the light: in fact, by quickly reversing the remaining part of the executable, we realized that if the program is able to process without errors all the 1920 bits in input, the content of the buffer B2 is later directly executed! Reed-Solomon error correction codes if the "DoDecodeBlockEv" function returns without errors, the first 16 bytes of the output are appended to buffer B2, while the latter 16 bytes are discarded.If these "checks" are not satisfied, those 32 bytes are somehow modified or, in the worst case, the program quits. some obscure checks are performed on the output.Its output are 32 bytes, that in the general case differ from the 32 bytes in input. the 32 bytes in B1 are passed as argument to a function called DecodeDataStream::DoDecodeBlockEv, that performs a "decoding" step (at that point, we had no idea on what that function was doing).When the buffer B1 happens to contain 256 bits (32 bytes), the following additional steps are performed: At each iteration, the current bit is appended to B1. From a high-level point of view, such data structure contains two buffers, that I will refer to as B1 and B2. As I mentioned, these steps are performed for each 8x8 subblock (1920 times in our case). This bit is then passed to the DecodeDataStream::AddDataBit function that updates an internal data structure. This eventually returns a single bit as output, 0 for low entropy, 1 for high entropy (at least, this is what we understood :)). This new matrix is then passed as argument to the function DCTCoefficient::DecodeDCT that computes some sort of statistics related to the entropy of the original 8x8 pixels. That is, the output of this step is still a 8x8 matrix, but we are now in the frequency domain!! #wtf That means that in our case, the binary extracts a total of (512/8)*(80/8)* 3 = 1920 8x8 subblocks.įor each of these subblocks, the binary then computes (what it seems to be) its discrete cosine transformation (by calling the function SimpleDCT::DCT2Calc8x8). ![]() Actually, for each 8x8 pixels, the executable "extracts" three different 8x8 matrices, one per channel. It first extracts 8x8 pixels subblocks starting from the top-left corner of the BMP. So, after checking the constraints against the BMP header, the executable starts to "process" the actual BMP data. As we are going to deal with some numbers, I'll directly use as references the values from our final exploit: a BMP of size 512x80. checks that the width and the height is less than 0x200 and multiple of 8 (actually, we later figured out that their BMP data's parser was also assuming a width of exactly 0x200.).checks that the "bits per pixel" is set to 24 (i.e., standard RGB).sanity checks against some bytes in the header (for example, bytes 0x1a-0x1b must be 0x0001).read the following four bytes and interpret them as the BMP's size. ![]() check that the two first bytes are "BM".The first thing it does is to perform these simple steps on the BMP's header: We soon figured out that the program expects a BMP as input. This write-up is split in two parts: 1) our journey reversing the sh*t out of lena 2) how we wrote our exploit. ![]() As this challenge is belong to the "shellcode" category, we already knew that the binary was supposed to get "something" in input, that was later processed and "somehow" executed. The scenario is the usual one: we have to exploit a binary (Linux, x86, 32bits) called " lena_server" that is running on a remote machine controlled by the organizers. Needless to say, solving this was not easy (only 8 teams solved it!), but it was definitively super-fun and one of the best CTF challenges I've played with so far.Īlright, let's get it started. Also, we probably wouldn't have made it without that monitored our health conditions when we were trying to finalize our exploit, during the following morning. I partecipated to the quals with the Shellphish team (we ended up in 7th place!), and I needed to spend an entire night with the great (one of the Shellphish's secret weapon) to solve this challenge. This is my write-up for the Defcon CTF Quals 2013 - \xff\xe4\xcc 5 (lena).
0 Comments
Leave a Reply. |