Here's the doorkey, but please enter through the window.

The challenge submitted in exelab.ru is a two-stage crackme. The first stage consists of finding a valid username and password, which in turn produces the instruction for the second stage. This means that once the instruction is known, the first stage can be omitted in the subsequent runs. As in my other analyses, the environment is Windows XP.

The strings hardcoded in the crackme make it evident that the username of interest is admin. The user who posted this crackme on exelab.ru correctly identified the password that solves the first stage: LOL2BIN. The first stage of this crackme and the method for solving it are a simplified version of the crackme designed by Speedo, which is why this time I'll only outline the key points:

  • The password and its subsequently processed value are stored at address 404110h.
  • The processing of the password takes place in 4013ECh - 401507h.
  • The processed value of the password is expected to match the seven bytes specified as immediates in the opcodes at 401509h - 401521h (in addition to the trailing zero).
  • The quick way to find the correct password is to enter every alphanumeric character as the password and, once it has been processed, note which input characters map to the seven bytes mentioned above. This shortcut works because the routine processes each byte on its own, independently of its position in the string. Hence the resemblance to Speedo's crackme.
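The probing shortcut above, as an added example that is not part of the original write-up: stand_in_transform is a hypothetical stand-in for the routine at 4013ECh - 401507h (the real transform is not reproduced), TARGET is the constructed seven-byte result for LOL2BIN, and the rest is the generic procedure: feed every alphanumeric character once, read the processed buffer back as a table, and invert it. It also checks the property the shortcut silently depends on, namely that the mapping does not depend on the byte's position, and reports target bytes that no alphanumeric input can produce.

```python
import string

# Hypothetical stand-in for the crackme's processing routine (assumption: the
# real routine is not reproduced here). The property the shortcut relies on is
# that every byte is mapped on its own, independently of its position.
def stand_in_transform(password: bytes) -> bytes:
    return bytes(((b ^ 0x5A) + 7) & 0xFF for b in password)

# Constructed target: what stand_in_transform yields for "LOL2BIN". In the
# crackme these would be the seven bytes read off the opcodes at 401509h-401521h.
TARGET = b"\x1D\x1C\x1D\x6F\x1F\x1A\x1B"

# The one-shot probe: every alphanumeric character typed as a single "password".
PROBE = (string.ascii_letters + string.digits).encode()


def is_position_independent(transform) -> bool:
    """Guard for the shortcut: reversing the input must simply reverse the output."""
    return transform(PROBE[::-1]) == transform(PROBE)[::-1]


def probe_mapping(transform) -> dict:
    """Process the probe once and record which input byte produced each output
    byte (this is what you read off the processed buffer after the probe)."""
    out = transform(PROBE)
    return {o: i for i, o in zip(PROBE, out)}


def recover_password(transform, target: bytes) -> bytes:
    """Invert the table for each target byte to get the password to type."""
    if not is_position_independent(transform):
        raise ValueError("transform depends on position; one-shot probing will not work")
    table = probe_mapping(transform)
    missing = ["%02X" % t for t in target if t not in table]
    if missing:
        raise ValueError("no alphanumeric input maps to target byte(s) %s" % ", ".join(missing))
    return bytes(table[t] for t in target)


if __name__ == "__main__":
    print(recover_password(stand_in_transform, TARGET).decode())
```

If the crackme's routine were position-dependent, the check would fail and the same probe would have to be repeated once per position instead.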

Upon entering the correct password for admin, the crackme acknowledges it and produces the instructions for the second stage: to gain "administrator privileges" (metaphorically speaking) without entering the password, which inspired the title of this article.
At least to me, the meaning of the statement "Last four bytes of the 'alternative password' presented in hex mode are the final solution" is unclear and leads to a philosophical problem: what are the bytes of a password when the rule is "do not enter one"? Here it won't matter, as long as the message "Now you're the administrator" is obtained without entering the password. This will be accomplished with a stack buffer overflow.

In 4016B7h - 401706h, the crackme expects the input string to be yes or no. The input is stored on the stack, specifically at 22FF50h. In the previous screenshot, notice from the opcode at 4017B9h, or from the stack at 22FF7Ch, that the return address of interest is 40124Bh. The saved return address therefore sits 2Ch (44) bytes past the start of the input buffer. Thus, instead of entering yes or no, the user needs to enter a string long enough to overwrite the contents of 22FF7Ch.

At first glance, the desired return address would be 40136Bh, as that is where the message "Now you're administrator" gets displayed via printf. The drawback of this simplistic approach is that the crackme will crash afterwards, because the epilogue that follows will load EBP and/or EIP (via RETN) with invalid values taken from the clobbered stack. As in my previous article on buffer overflow, the "shellcode" string should therefore contain opcodes that manipulate the stack more carefully.

The following string does the job by placing 14 NOPs on the stack followed by a number of opcodes:
perl -e "print \"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33\xC0\x40\xC1\xE0\x05\x48\x48\x48\x48\x03\xc4\xbb\x4b\x12\x40\x80\xd1\xe3\xd1\xeb\x36\x89\x18\x66\xbb\x6b\x13\xff\xe3\x5E\xFF\x22\""

Note that the last three bytes of the pseudo-shellcode hold the address to which we wish to redirect program flow; the fourth, most significant byte (00) of 0022FF5Eh is supplied by the terminating null that the input routine appends after the string, which is also why the opcodes themselves avoid null bytes. In this case, execution will take place on the stack itself, starting at 22FF5Eh, i.e. right after the 14 NOPs. In short, this pseudo-shellcode (1) arranges the stack so that the return address will be 40124Bh, where the Exit function is located (thereby preventing the program from eventually crashing and burning); the value is loaded as the immediate 8040124Bh and then shifted left and right by one bit, because 0040124Bh itself contains a null byte; and (2) redirects execution (by JMP-ing) to 40136Bh, the offset where the target message is displayed on screen.
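The same payload, rebuilt piece by piece with its disassembly and the checks one would run before typing it in. This is an added example, not code from the original write-up: the addresses are the ones quoted above, the stack arithmetic assumes a plain RETN (so ESP ends up four bytes past the overwritten slot), and the assumption that the input routine's null terminator supplies the fourth byte of the return address is labelled as such.

```python
import struct

# Addresses from the write-up (Windows XP, fixed stack layout, no ASLR).
BUF_ADDR = 0x22FF50   # start of the buffer that receives the yes/no input
RET_SLOT = 0x22FF7C   # saved return address that the overflow overwrites
EXIT_RET = 0x40124B   # original return address, where Exit is reached
MSG_ADDR = 0x40136B   # code path that prints "Now you're administrator"

# The bytes of the perl one-liner, split into labelled pieces with their disassembly.
NOP_SLED = b"\x90" * 14                      # 22FF50h..22FF5Dh, skipped by the jump
SHELLCODE = bytes([
    0x33, 0xC0,                    # xor  eax, eax
    0x40,                          # inc  eax             ; eax = 1
    0xC1, 0xE0, 0x05,              # shl  eax, 5          ; eax = 32
    0x48, 0x48, 0x48, 0x48,        # dec  eax  (x4)       ; eax = 28 = 1Ch
    0x03, 0xC4,                    # add  eax, esp        ; eax = esp + 1Ch
    0xBB, 0x4B, 0x12, 0x40, 0x80,  # mov  ebx, 8040124Bh  ; immediate without a NUL byte
    0xD1, 0xE3,                    # shl  ebx, 1          ; discard the top bit
    0xD1, 0xEB,                    # shr  ebx, 1          ; ebx = 0040124Bh
    0x36, 0x89, 0x18,              # mov  ss:[eax], ebx   ; plant EXIT_RET at esp+1Ch
    0x66, 0xBB, 0x6B, 0x13,        # mov  bx, 136Bh       ; ebx = 0040136Bh
    0xFF, 0xE3,                    # jmp  ebx
])
# Low three bytes of 0022FF5Eh. Assumption: the 00 high byte comes from the
# terminator the input routine appends, so the payload itself must be NUL-free.
RET_BYTES = struct.pack("<I", BUF_ADDR + len(NOP_SLED))[:3]


def build_payload() -> bytes:
    return NOP_SLED + SHELLCODE + RET_BYTES


def ret_offset() -> int:
    """Distance from the start of the buffer to the saved return address."""
    return RET_SLOT - BUF_ADDR


def entry_address() -> int:
    """Where EIP lands after the overwritten RETN: just past the NOP sled."""
    return BUF_ADDR + len(NOP_SLED)


def planted_slot() -> int:
    """Stack slot that receives EXIT_RET: esp+1Ch, with esp taken after a plain
    RETN has popped the overwritten return address (assumption: no RETN imm16)."""
    esp_after_ret = RET_SLOT + 4
    return esp_after_ret + 0x1C


def nul_free_immediate(value: int) -> int:
    """Mirror the mov/shl/shr trick: setting bit 31 turns the 00 high byte of a
    low address into 80h; SHL 1 followed by SHR 1 clears that bit again."""
    if value >= 0x80000000:
        raise ValueError("top bit already in use")
    imm = value | 0x80000000
    if 0 in imm.to_bytes(4, "little"):
        raise ValueError("immediate still contains a NUL byte")
    return imm


def shl_shr(imm: int) -> int:
    """What SHL EBX,1 ; SHR EBX,1 computes on a 32-bit register."""
    return ((imm << 1) & 0xFFFFFFFF) >> 1


def check_payload(payload: bytes) -> list:
    """Checks to run before typing the string into the crackme."""
    problems = []
    if len(payload) != ret_offset() + 3:
        problems.append("return address does not land on the saved return slot")
    if b"\x00" in payload:
        problems.append("payload contains a NUL byte")
    if b"\n" in payload or b"\r" in payload:
        problems.append("payload contains a line terminator")
    if payload[ret_offset():] != RET_BYTES:
        problems.append("return address bytes are not at the expected offset")
    return problems


if __name__ == "__main__":
    p = build_payload()
    print("payload length %d, return slot at offset %d" % (len(p), ret_offset()))
    print("entry point %Xh, exit address planted at %Xh" % (entry_address(), planted_slot()))
    print("problems:", check_payload(p) or "none")
```

The offset check is the one that matters most: with 14 NOPs and 30 bytes of opcodes the three address bytes fall exactly at offset 2Ch, so any change to the opcode sequence has to be compensated in the sled length.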

After entering the pseudo-shellcode and pressing Enter, the crackme will request new input from the user because the string is neither yes nor no. To break that loop it suffices to enter no, which will be stored in the first two bytes at [22FF50] (see above) followed by a null byte. The opcodes in the rest of the previous string are preserved: those three bytes only overwrite the beginning of the NOP sled, before the entry point at 22FF5Eh.
After pressing the key to "logout and exit", execution ends normally.

To summarize, the task was to cause the message "Now you're administrator" to be displayed without entering a password. The buffer overflow not only made that possible; in this case, the task did not involve entering the username either.

Iñaki Viggers
