Defcon CTF Quals 2013 - \xff\xe4\xcc 300 (linked)

30 June 2013 by mf

This problem was an online one. The service was accepting and executing shellcode, maximum 16 bytes in size. The submitted shellcode had to walk a linked list until the entry with tag 0×41414100 was found.

Problem description:

typedef struct _llist {
 struct _llist *next;
 uint32_t tag;
 char data[100];

and:

register char *answer;
 char *(*func)();
 llist *head;
 …
 func = (char *(*)(llist *))userBuf;
 answer = (char *)(*func)(head);
 send_string(answer);
 exit(0);

Write me shellcode that traverses the randomly generated linked list, looking for a node with a tag 0×41414100, and returns a pointer to the data associated with that tag, such that the call to send_string will output the answer.

Running at linked.shallweplayaga.me:22222 OR linked2.shallweplayaga.me:22222

The following NASM code solves the challange:

main:
   pop %edx
   pop %esp
l:
   pop %eax
   pop %ebx
   xchg %eax,%esp
   cmp $0x41414100,%ebx
   jne l
   push %edx
   ret

The restriction was 16 bytes…so we solved it in 15 bytes instead! \o/


Comments