PwnCollege - RE - Magic Numbers

File Formats: Magic Numbers(Python)

#!/usr/bin/exec-suid -- /usr/bin/python3 -I

import os
import sys
from collections import namedtuple

Pixel = namedtuple("Pixel", ["ascii"])

def main():
    if len(sys.argv) >= 2:
        path = sys.argv[1]
        assert path.endswith(".cimg"), "ERROR: file has incorrect extension"
        file = open(path, "rb")
    else:
        file = sys.stdin.buffer

    header = file.read1(4)
    assert len(header) == 4, "ERROR: Failed to read header!"

    assert header[:4] == b"{:m6", "ERROR: Invalid magic number!"

    with open("/flag", "r") as f:
        flag = f.read()
        print(flag

if __name__ == "__main__":
    try:
        main()
    except AssertionError as e:
        print(e, file=sys.stderr)
        sys.exit(-1)

# -n option -> no newline
hacker@reverse-engineering~file-formats-magic-numbers-python:~$ echo -n "{:m6" > payload.cimg
hacker@reverse-engineering~file-formats-magic-numbers-python:~$ /challenge/cimg payload.cimg
pwn.college{**********************************************}

File Formats: Magic Numbers(C)

void win()
{
    char flag[256];
    int flag_fd;
    int flag_length;

    flag_fd = open("/flag", 0);
    if (flag_fd < 0)
    {
        printf("\n  ERROR: Failed to open the flag -- %s!\n", strerror(errno));
        if (geteuid() != 0)
        {
            printf("  Your effective user id is not 0!\n");
            printf("  You must directly run the suid binary in order to have the correct permissions!\n");
        }
        exit(-1);
    }
    flag_length = read(flag_fd, flag, sizeof(flag));
    if (flag_length <= 0)
    {
        printf("\n  ERROR: Failed to read the flag -- %s!\n", strerror(errno));
        exit(-1);
    }
    write(1, flag, flag_length);
    printf("\n\n");
}

void read_exact(int fd, void *dst, int size, char *msg, int exitcode)
{
    int n = read(fd, dst, size);
    if (n != size)
    {
        fprintf(stderr, msg);
        fprintf(stderr, "\n");
        exit(exitcode);
    }
}

struct cimg_header
{
    char magic_number[4];
} __attribute__((packed));

typedef struct
{
    uint8_t ascii;
} pixel_bw_t;
typedef pixel_bw_t pixel_t;

struct cimg
{
    struct cimg_header header;
};

void __attribute__ ((constructor)) disable_buffering()
{
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 1);
}

int main(int argc, char **argv, char **envp)
{

    struct cimg cimg = { 0 };
    int won = 1;

    if (argc > 1)
    {
        if (strcmp(argv[1]+strlen(argv[1])-5, ".cimg"))
        {
            printf("ERROR: Invalid file extension!");
            exit(-1);
        }
        dup2(open(argv[1], O_RDONLY), 0);
    }

    read_exact(0, &cimg.header, sizeof(cimg.header), "ERROR: Failed to read header!", -1);

    if (cimg.header.magic_number[0] != '<' || cimg.header.magic_number[1] != 'O' || cimg.header.magic_number[2] != '%' || cimg.header.magic_number[3] != 'r')
    {
        puts("ERROR: Invalid magic number!");
        exit(-1);
    }

    if (won) win();

}

echo -n "<O%r" > payload.cimg

hacker@reverse-engineering~file-formats-magic-numbers-c:~$ /challenge/cimg payload.cimg
pwn.college{U8Qj1nr1Y8CCrAcigFixhqFtuxF.QX2ATN2EDL4cjM1gzW}

File Formats: Magic Numbers (x86)

0x00401546      488b45d0       mov rax, qword [rbp - 0x30]
0x0040154a      4883c008       add rax, 8
0x0040154e      488b00         mov rax, qword [rax]
0x00401551      4889c7         mov rdi, rax
0x00401554      e807fcffff     call sym.imp.strlen         ;[1]
0x00401559      4883e805       sub rax, 5
0x0040155d      4801d8         add rax, rbx
0x00401560      488d35850b..   lea rsi, str..cimg          ; 0x4020ec ; ".cimg"
0x00401567      4889c7         mov rdi, rax
0x0040156a      e861fcffff     call sym.imp.strcmp         ;[2]
0x0040156f      85c0           test eax, eax
0x00401571      741b           je 0x40158e
0x00401573      488d3d7e0b..   lea rdi, str.ERROR:_Invalid_file_extension_    ; 0x4020f8 ; "ERROR: Invalid file extension!"
0x0040157a      b800000000     mov eax, 0
0x0040157f      e80cfcffff     call sym.imp.printf         ;[3]
0x00401584      bfffffffff     mov edi, 0xffffffff         ; -1
0x00401589      e882fcffff     call sym.imp.exit           ;[4]
0x0040158e      488b45d0       mov rax, qword [rbp - 0x30]
0x00401592      4883c008       add rax, 8
0x00401596      488b00         mov rax, qword [rax]
0x00401599      be00000000     mov esi, 0
0x0040159e      4889c7         mov rdi, rax
0x004015a1      b800000000     mov eax, 0
0x004015a6      e855fcffff     call sym.imp.open           ;[5]
0x004015ab      be00000000     mov esi, 0
0x004015b0      89c7           mov edi, eax
0x004015b2      e8c9fbffff     call sym.imp.dup2           ;[6]
0x004015b7      488d45e4       lea rax, [rbp - 0x1c]
0x004015bb      41b8ffffffff   mov r8d, 0xffffffff         ; -1
0x004015c1      488d0d4f0b..   lea rcx, str.ERROR:_Failed_to_read_header_    ; 0x402117 ; "ERROR: Failed to read header!"
0x004015c8      ba04000000     mov edx, 4
0x004015cd      4889c6         mov rsi, rax
0x004015d0      bf00000000     mov edi, 0
0x004015d5      e863feffff     call sym.read_exact         ;[7]
0x004015da      0fb645e4       movzx eax, byte [rbp - 0x1c]
0x004015de      3c7b           cmp al, 0x7b                ; '{' ; 123
0x004015e0      7518           jne 0x4015fa
0x004015e2      0fb645e5       movzx eax, byte [rbp - 0x1b]
0x004015e6      3c6e           cmp al, 0x6e                ; 'n' ; 110
0x004015e8      7510           jne 0x4015fa
0x004015ea      0fb645e6       movzx eax, byte [rbp - 0x1a]
0x004015ee      3c6d           cmp al, 0x6d                ; 'm' ; 109
0x004015f0      7508           jne 0x4015fa
0x004015f2      0fb645e7       movzx eax, byte [rbp - 0x19]
0x004015f6      3c36           cmp al, 0x36                ; '6' ; 54
0x004015f8      7416           je 0x401610
0x004015fa      488d3d340b..   lea rdi, str.ERROR:_Invalid_magic_number_    ; 0x402135 ; "ERROR: Invalid magic number!"
0x00401601      e83afbffff     call sym.imp.puts           ;[8]
0x00401606      bfffffffff     mov edi, 0xffffffff         ; -1
0x0040160b      e800fcffff     call sym.imp.exit           ;[4]

echo -n "{nm6" > payload.cimg
hacker@reverse-engineering~file-formats-magic-numbers-x86:~$ /challenge/cimg payload.cimg
pwn.college{**********************************************}