I’ve been playing the Microcorruption CTF for the last few weeks & now I’m going to brag about it. Before starting, let me tell you that it is an embedded security CTF & its challenges are based on the MSP430 microcontroller. Also keep in mind that the architecture we’ll be working on is 16-bit & I assume that you are not a noob & have some experience with assembly & pwning. So let’s start.
This is what the whole interface looks like.
The first level to solve is the TUTORIAL level, where you’ll be shown how the whole thing works. So don’t skip it. It’ll introduce you to all the commands necessary for debugging. You can also use the help command in the debugger console to print out all the relevant commands. I won’t be talking about the debugger commands & their purpose, but I’ll be mentioning the assembler mnemonics & their purpose wherever necessary. Now let’s proceed to solve the first level.
I always start by examining the
Many other functions are being called in main, but as of now they are of no concern except the
Interpreting the instructions as having the pattern operation source, destination, we can observe that the instruction at address 0x4446 calls get_password and the instruction at 0x444c calls check_password. Right above each of them there is mov sp, r15, basically telling us that get_password stores the password at the location r15 points to (the stack pointer was just copied into r15) and check_password checks it from there. The instruction that follows is tst r15, which tests whether r15 is equal to 0 or not. The next instruction, jnz #0x445e <main+0x26>, jumps to and executes the instruction at address 0x445e if the result from the previous operation is 0; otherwise it continues to the next instruction. If the jump is taken, the door will be unlocked: the string Access Granted! is moved into register r15, a call to puts is made in order to print it, and finally a call to unlock_door, obviously, unlocks the door and completes the level. If the jump is not taken, the string Invalid password; try again. is moved into register r15, a call to puts is made in order to print it, and another jump instruction at 0x445c is executed, which in turn executes the instruction at 0x446a; that clears the content of r15 & ends the program. That’s how the main function works here.
Now let’s move on to the exploitation part.
This challenge is really simple. If you follow the tutorial, you will notice that the vulnerability you need to exploit in this challenge is simply a length-based one, as the check_password routine only checks whether the password has a length of 9.
Once you hit the instruction at 0x4484, the first character of the password you entered is loaded into r14 from the memory location pointed to by r15. Next, the registers, r15 included, are incremented. This continues until a null byte is reached, causing the jump at 0x448c not to be followed, so the cmp becomes the next instruction. If r12 ends up being 0x0009, indicating that our password was 8 characters long followed by a null byte (\0), then the jump at 0x4492 is taken, finally calling the interrupt to unlock the lock. To solve this challenge, enter any 8-character string.
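The whole flow described above (main’s mov sp, r15 / call / tst / jnz sequence, and the check_password loop that counts bytes in r12 until the null byte and compares against 9) modelled in Python, as an added example that is not code from the original post or from Microcorruption. The register names and the two strings are taken from the walkthrough; the helper names tst, jnz_taken, check_password and run_main, and the 64-byte buffer size, are my own assumptions for the model and not the firmware’s.

```python
# Added example, not code from the original post or from Microcorruption: a
# small Python model of the tutorial level's control flow as the post
# describes it. Register names r12/r14/r15 and the strings come from the
# disassembly quoted above; the buffer size and the helper names (tst,
# jnz_taken, run_main) are constructed for this illustration only.

MASK16 = 0xFFFF  # the MSP430 is a 16-bit machine


def tst(value: int) -> bool:
    """Model of tst: returns the Z flag, which is set when the operand is zero."""
    return (value & MASK16) == 0


def jnz_taken(z_flag: bool) -> bool:
    """Model of jnz: the branch is taken when Z is clear (operand was nonzero)."""
    return not z_flag


def check_password(mem: bytes, r15: int) -> int:
    """Model of check_password: r15 points at the password buffer in memory.

    Loop body as described above: load a byte into r14, increment r15 and the
    counter r12, and keep looping (jnz back) until the loaded byte is NUL.
    Returns the value the routine leaves in r15: 1 for success, 0 otherwise.
    """
    r12 = 0
    while True:
        r14 = mem[r15]                  # mov.b @r15, r14
        r15 = (r15 + 1) & MASK16        # inc r15
        r12 = (r12 + 1) & MASK16        # inc r12 (the NUL byte is counted too)
        if not jnz_taken(tst(r14)):     # tst r14 / jnz: fall through on NUL
            break
    # cmp #0x9, r12 / jeq: 8 characters plus the terminating NUL gives 9
    return 1 if r12 == 9 else 0


def run_main(password: bytes, buf_size: int = 64) -> str:
    """Model of main: get_password stores the input, check_password judges it.

    buf_size is a constructed stack-buffer size for this model only.
    """
    if len(password) + 1 > buf_size:
        # The model only covers inputs that fit; longer ones are out of scope here.
        raise ValueError("password does not fit the modelled buffer")
    stack = bytearray(buf_size)               # zero-filled, so input ends in NUL
    stack[:len(password)] = password          # get_password writes here (sp -> r15)
    r15 = check_password(stack, 0)            # mov sp, r15 / call check_password
    if jnz_taken(tst(r15)):                   # tst r15 / jnz #0x445e
        return "Access Granted!"              # ... then puts and unlock_door
    return "Invalid password; try again."     # ... then puts, jmp, clr r15


if __name__ == "__main__":
    # Constructed sample inputs: 7, 8 and 9 bytes, plus one with an embedded NUL.
    for candidate in (b"1234567", b"12345678", b"123456789", b"abc\x00defgh"):
        print(candidate, "->", run_main(candidate))
```

Running it prints the verdict for the 7-, 8- and 9-byte inputs and for one containing an embedded null byte; the last case shows why only the bytes before the first \0 count, since the loop stops there and r12 never reaches 9.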
Hope you understood this one. It’s an extremely easy one.
I’ll keep posting about the other challenges until I get bored of writing them.
Till then, goodbye!!!