Dienstag, 25. Mai 2010

Defcon 18 CTF Writeup - Binary L33tness 500

This Level was really interesting in my opinion, so i decided to write this up. :)

The first part is to "find" the binary.
http://quals.ddtek.biz/quals/b500_478f0845e1bbd201.html was with following content, which led to a 404-Notfound.

<meta http-equiv="refresh" content="0;url=http://ddtek.biz/bin5oo.html">

So the real binary was located at
I assume everybody got this fast.

noname:b500 macpro$ file b500_478f0845e1bbd201.bin
b500_478f0845e1bbd201.bin: gzip compressed data, from Unix, last modified: Fri May 21 08:04:12 2010

After extraction we have two filess

noname:b500 macpro$ file c500_b6427ab1a64e6836*
c500_b6427ab1a64e6836.bin: ELF 64-bit MSB executable, SPARC V9, total store ordering, version 1 (SYSV), dynamically linked (uses shared libs), stripped
c500_b6427ab1a64e6836.dat: data

Now the funny part begins :)

Lets talk about the constrains.
  • No access to a SUN
  • No knowledge about SPARC-ASM
  • But we have IDA which could read the binary

The disassembly looks like:

.text:0000000100000CB8 mov 0x125, %l0
.text:0000000100000CBC stx %l0, [%fp+arg_7CF]
.text:0000000100000CC0 stx %l3, [%fp+arg_7D7]
.text:0000000100000CC4 mov 8, %l0
.text:0000000100000CC8 stx %l0, [%fp+arg_7DF]
.text:0000000100000CCC ldx [%fp+arg_7CF], %o0
.text:0000000100000CD0 call _SUNW_C_GetMechSession

We looked into the documentation of getmechsession() and found the following call.

    CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,

You can see in the assembly that mech has the constant parameters 125 and 8.

By looking into pkcs11t.h you can see the following constant.

#define CKM_DES_CBC_PAD 0x00000125

It looks like, the binary uses a DES-CBC encryption. By googling we found one example implementation on suns website

mechanism.mechanism = CKM_DES_CBC_PAD;
mechanism.pParameter = des_cbc_iv;
mechanism.ulParameterLen = 8;

rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession);

It looks like they implemented this sample code :)
So lets look where the IV is stored:

Looking at the beginning of main() we see:

set 0x100000, %l1
sllx %l1, 12, %l1
bset 0xFE0, %l1

What is located at 0x100000FE0?

0x100000FE0: 0xdeadbeefbaadfood
Sounds like an IV :-))

But DES also needs a KEY. Lets look further into the code

.text:0000000100000D6C ldx [%fp+arg_7BF], %o0
.text:0000000100000D70 sethi %hi(0x3800), %g5
.text:0000000100000D74 btog -0x101, %g5
.text:0000000100000D78 add %fp, %g5, %o1
.text:0000000100000D7C add %fp, arg_7C7, %o3
.text:0000000100000D80 mov 5, %o2
.text:0000000100000D84 call _C_CreateObject

Looking into the sample:

rv = C_CreateObject(hSession, template, sizeof (template) / sizeof (CK_ATTRIBUTE), &hKey);
and the template has this format:

CK_ATTRIBUTE template[] = {
{CKA_CLASS, &class, sizeof (class) },
{CKA_KEY_TYPE, &keyType, sizeof (keyType) },
{CKA_TOKEN, &falsevalue, sizeof (falsevalue) },
{CKA_ENCRYPT, &truevalue, sizeof (truevalue) },
{CKA_VALUE, &des_key, sizeof (des_key) }

In our assembly the value for sizeof (template) / sizeof (CK_ATTRIBUTE) == 5, so we have also 5 CK_ATTRIBUTEs like the sample.

now you can try to understand SPARC-ASM but getting the key is easier than getting the IV :-)

looking into the .data section in IDA you will find a global variable called k, yes k like KEY :-)

0x100101668 k: DD73CC7FDD7ECC7F

Now you can decrypt the .dat file

noname:b500 macpro$ openssl enc -d -des-cbc -in c500_b6427ab1a64e6836.dat -K DD73CC7FDD7ECC7F -iv DEADBEEFBAADF00D

Isn't it ironic? 500 points level got solved pretty fast without executing the binary and Packet Madness 100 took us 2 days :-)

If you have questions or suggestions for improvements, you can send an e-mail to my gmail.com account "bashrx".

Keine Kommentare:

Kommentar veröffentlichen