
Baltic CTF: South America 100

This entry was posted on May 27 2012

root@bt:/tmp# cat /home/rev100/.bash_history
lynx "http://marc.info/?l=linux-kernel&m=XXXXXXXXXXXXXXX&w=2"
cd /tmp/
touch exploit.c
nano expoit.c
gcc -o doit exploit.c
strip doit
echo "evil-code" > /dev/null
./doit
# Download

https://www.dropbox.com/s/1mebjt3cndederr/doit

# Question:
which is equal to XXXXXXXXXXXXXXX?

Let's track this kernel exploit down in the mailing list archive.

Opening the file in IDA shows only a single string (the format string of its error path):
error:%s\n

Two distinctive function names in the binary (visible in IDA) that can be used to find the original exploit via Google:

  1. socketpair
  2. send_fd

Browsing the linux-kernel archive on http://marc.info and opening a message shows that the archived list is the one hosted at http://vger.kernel.org, so that URL makes a good extra search term.

The following Google search turns up the original post describing the program:
http://vger.kernel.org/ error: %s\n socketpair send_fd
I found this program lying around on my laptop. It kills my box
(2.6.35) instantly by consuming a lot of memory (allocated by the
kernel, so the process doesn't get killed by the OOM killer). As far
as I can tell, the memory isn't being freed when the program exits
either. Maybe it will eventually get cleaned up the UNIX socket
garbage collector thing, but in that case it doesn't get called
quickly enough to save my machine at least.

Searching Google for that text again, this time restricted to the http://marc.info site, gives the archived message:
http://marc.info/?l=linux-kernel&m=129055087923940
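The triage step above (pull the format string and the distinctive symbol names out of a stripped binary, then turn them into a search query) can be done without IDA. The shell script below is an added example and is not part of the original write-up or the challenge; it reimplements the string-extraction part of strings(1) with POSIX tools, keeps only identifier-looking tokens, drops a hand-picked list of libc boilerplate symbols, and assembles the query line. The sample blob written by make_sample is constructed to mimic the challenge binary and is not the real doit file.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: POSIX sh with
# tr, grep, sort, sed, head and mktemp; the sample blob below is constructed.

# Print every run of at least MINLEN printable characters in FILE, one per
# line, deduplicated. This is what strings(1) does; \n inside a C string
# ends a run, so the write-up's "error:%s\n" comes out as "error:%s".
extract_strings() {
    file=$1
    minlen=${2:-5}
    LC_ALL=C tr -c '[:print:]' '\n' < "$file" \
        | grep -E ".{$minlen,}" \
        | LC_ALL=C sort -u
}

# Keep only tokens that look like C identifiers: imported functions and any
# leftover local names are the best search terms.
identifier_tokens() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]{3,}$'
}

# Hand-picked noise list (assumption: these appear in nearly every
# dynamically linked ELF binary and carry no information about the program).
drop_noise() {
    grep -v -E '^(__libc_start_main|__gmon_start__|_ITM_[A-Za-z]+|__cxa_finalize|_init|_fini|main)$'
}

# build_query FILE [HINT...]: one line with the hints (e.g. the list's URL),
# the first printf-style format string, and the distinctive identifiers.
build_query() {
    file=$1
    shift
    hint=$*
    fmt=$(extract_strings "$file" | grep '%' | head -n 1)
    terms=$(extract_strings "$file" | identifier_tokens | drop_noise | tr '\n' ' ')
    printf '%s %s %s\n' "$hint" "$fmt" "$terms" | sed 's/  */ /g; s/ *$//'
}

# Constructed sample: binary junk around the strings the write-up found.
# Prints the path of the temporary file it created.
make_sample() {
    f=$(mktemp)
    printf '\177ELF\001\002\003socketpair\000\000\004send_fd\000error:%%s\n\000\005ab\000__libc_start_main\000' > "$f"
    echo "$f"
}
```

Usage on the real challenge file would be `build_query ./doit http://vger.kernel.org/`. On a box with binutils installed, `strings -n 5 doit` and `readelf --dyn-syms doit` give the same raw material (printable strings and imported symbol names) with less effort; the point of the script is that nothing beyond a POSIX shell is needed for this step.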

Solution: 129055087923940

100 points earned.