Writeup – Overcobol (INS’Hack)

Over the past weekend, I participated in the INS’Hack CTF. This was a well-executed CTF with a fairly mixed bag of challenges. A sizeable serving of salt came from a blind Python breakout which took a bit of brute force but, as I neared completion, was declared not working (nevertheless, this was a lot of fun, and I broadened my creative horizons a bit).

One noteworthy and excellent aspect of this CTF was a COBOL challenge: truth be told, this was the first time I had ever seen COBOL. Without further ado, the writeup follows:

Overcobol

This challenge was presented as a low-value (IIRC) exploitation challenge, with the source code to a COBOL program provided. You can download this here. Honestly, I’m amazed GitHub has syntax highlighting for this.

Reviewing the challenge reveals what appears to be a straightforward buffer overflow:

    02 TMPNAME    PIC X(10).
    02 TMPSCORE   PIC 99.
    02 SUBPRGARG  PIC X(20).
    02 SUBPRGNAME PIC X(20).

This seems triggered by the SEND-CLOUD… function?

SEND-CLOUD.
    IF SUBPRGNAME = SPACE
        MOVE "send" TO SUBPRGNAME
        MOVE "matchs" TO SUBPRGARG
    END-IF
    DISPLAY SUBPRGNAME " " SUBPRGARG
    CALL SUBPRGNAME USING SUBPRGARG.
END-SEND-CLOUD.
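For contrast, a hardened form of this paragraph, as an added example that is not part of the challenge source or this writeup: input is moved into the elementary field so it truncates at 10 bytes, and CALL only ever receives a literal program name chosen from an allow-list. The program name SAFECLOUD, the group name MATCHREC, the RAW-INPUT buffer and the way input is read are assumptions, since the page shows only the four fields and the SEND-CLOUD paragraph.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SAFECLOUD.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Field layout from the writeup; group name is assumed.
       01 MATCHREC.
           02 TMPNAME    PIC X(10).
           02 TMPSCORE   PIC 99.
           02 SUBPRGARG  PIC X(20).
           02 SUBPRGNAME PIC X(20).
      * Input buffer kept outside the record (hypothetical name).
       01 RAW-INPUT      PIC X(80).
       PROCEDURE DIVISION.
       MAIN-PARA.
           MOVE SPACES TO MATCHREC
           ACCEPT RAW-INPUT
      * A MOVE to the elementary item truncates at 10 bytes.
      * A MOVE or ACCEPT to the group MATCHREC would fill all
      * 52 bytes, including SUBPRGARG and SUBPRGNAME.
           MOVE RAW-INPUT TO TMPNAME
           PERFORM SEND-CLOUD
           STOP RUN.
       SEND-CLOUD.
           IF SUBPRGNAME = SPACE
               MOVE "send" TO SUBPRGNAME
               MOVE "matchs" TO SUBPRGARG
           END-IF
      * Allow-list: the data item selects a branch, but CALL is
      * only ever given a literal, never the data item itself.
           EVALUATE SUBPRGNAME
               WHEN "send"
                   CALL "send" USING SUBPRGARG
                       ON EXCEPTION
                           DISPLAY "send module not available"
                   END-CALL
               WHEN OTHER
                   DISPLAY "refused subprogram name"
           END-EVALUATE.
```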

A little bit of brute forcing yields the argument lengths required to load SUBPRGARG and SUBPRGNAME – but invoking “CALL ls USING /” yields nothing meaningful. A little while of Googling later, we stumble across the SYSTEM COBOL module, and a working exploit appears:

Thank you to the organisers of INS’Hack for putting this challenge together, and coming up with some really creative challenges.

I realize I haven’t written anything for the past few months, and truth be told, haven’t been pushing myself to work as hard on side projects (at least to completion). I acknowledge this weakness and strive to correct it – I look forward to another year of pushing my boundaries.

About Norman

Sometimes, I write code. Occasionally, it even works.