It is a baking program that lets you build your own recipe.
After printing the available ingredients, the main function does this (at
Which translates to the pseudo-code:
Then it enters a loop to add the ingredients:
If we enter BAKE, it will simply jump to the buffer allocated by mmap from
Otherwise, it uses strstr() to check whether the ingredient we entered is in the
list of valid ingredients. If the sub-string is found, it calls a function at
0x400B15 with 2 arguments: the string we provided as the ingredient and
the random integer generated initially.
The function at 0x400B15 is fairly simple and could be translated to pseudo-code
The result is then AND-ed with 0xff and written at the current location in the mmap
The pointer to the mmap buffer is incremented.
So what this program is doing is using the “accumulator” function to write
inside the mmap buffer, which will then be jumped into and executed.
Getting the initial random integer can be done by reading from the socket until
reaching the string `0v3n w4rm3d up to` and dividing the value that follows by 0x1337.
To reliably control the content of the mmapped buffer, we need to “compensate”
the accumulation that the function is doing. Since we know the initial random
integer, my approach was to use one of the valid ingredients (in this case
FLOUR) which is required to pass the strstr() check, sum up the ASCII values
of the letters of the word, and add the random init.
If the value does not end with a NULL, I calculate the closest upper
bound that is aligned with 0, and subtract my value from the result:
This gives me in the `diff` variable what needs to be added to the stub
`randint + 'F' + 'L' + 'O' + 'U' + 'R'`. We can then pad this stub by appending
`\x01` to it `diff` times. This way we fully control the last byte, so we
can append the character we actually want written in memory.
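The compensation arithmetic above, as an added example that is not the author's exploit code. The accumulator is modelled from the description as `randint` plus the sum of the input bytes; the function names, the sample `randint` and the sample bytes are assumptions.

```python
# Added example: offline model of the one-byte write described in the write-up.
VALID = b"FLOUR"   # valid ingredient named in the write-up
PAD = b"\x01"      # padding byte named in the write-up

def accumulate(ingredient, randint):
    """Assumed model of the function at 0x400B15: randint plus the sum of
    the input bytes. The caller keeps only the low byte (& 0xff)."""
    return randint + sum(ingredient)

def ingredient_for(target, randint):
    """Build one ingredient whose accumulated low byte equals `target`."""
    if not 0 <= target <= 0xFF:
        raise ValueError("target must be a single byte")
    stub = accumulate(VALID, randint)
    # Distance to the next value whose low byte is 0x00 (0 if already aligned).
    diff = -stub & 0xFF
    padded = VALID + PAD * diff
    # A NUL cannot travel inside a C string; the aligned stub already yields 0.
    return padded if target == 0 else padded + bytes([target])

def encode(data, randint):
    """One ingredient line per byte of `data`."""
    return [ingredient_for(b, randint) for b in data]

def simulate(ingredients, randint):
    """Replay the loop: strstr-like check, accumulate, keep the low byte."""
    out = bytearray()
    for ing in ingredients:
        if VALID not in ing:
            raise ValueError("ingredient rejected")
        out.append(accumulate(ing, randint) & 0xFF)
    return bytes(out)

if __name__ == "__main__":
    randint = 0x5A17            # constructed sample value
    data = b"HITB\x00\xff"      # constructed sample bytes, not a payload
    lines = encode(data, randint)
    assert simulate(lines, randint) == data
    print([len(line) for line in lines])
```

Each generated line is at most 261 bytes (5 + 255 + 1); whether the program's input buffer accepts that length is not stated on the page.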
Now that we can write reliably one character at a time, we can copy our
And to execute it, the only thing left is to start baking!
Fun challenge, thanks to the whole HITB crew for their continuous inventiveness.