History view

Pwning in Linux

Armoury - Pragyan CTF 19

naivenom@debian ~ % theFaunia in the wild 2019. 3. 10. 13:40

Writeup - From Format String to Buffer Overflow

PKTeam

Recon

First of all we see the protections of the binary. 



We have several problems. We can not execute code in the stack such as a shellcode due to NX, we can not overflow without having a canary leak and if we want to attach with gdb we have to bypass PIE as if we want to do ROP (Return-Oriented Programming). We also need leak of a function to be able to make the corresponding calculation of the base memory address of libc for the ROP. Taking a look at the pseudocode generated by Ghidra, we see the first vulnerability a format string, cool!. 



We test the software and observe how we can leak the stack with format %x. Therefore we already have how to perform canary leak and bypass PIE. We must check another thing before continuing and that is that the binary is dynamically linked so we will have to leak the address of a function to later know the base memory address of libc.



Reversing

In order to make the different leak we have to study the stack and see if it meets the requirements we need. If we do AAAA.%x.%x.%x.%x.%x.%x.% x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x there is our output: 

AAAA.f7dd07e3.f7dd18c0.f7af4154.28.0.1.55554ced.414141a0.2e78252e

So we have our 0x414141 in eighth argument. So we can use this AAAA.%8$x to leak our A's. 

Leak Canary

We start first with the canary so we execute with GDB until after the printf function call. Canary value is in stack at rbp-0x8 and if we check the stack there will be our thirteen argument: %13$p.




Leak .text memory address to perform PIE bypass protection

With fourteen argument: %14$p we can leak .text to be able to calculate the base address of the binary elf and then bypass PIE. It is very useful to do PIE bypass since it will also allow us to attach to gdb in order to efficiently make the exploit.





Leak memory address of function to perform leak of base libc

With third argument: %3$p we can leak memory address of write function + 20. 



We can write our script to perform the corresponding leak remaining as follows: 



Libc base address and elf base address

To calculate the base address of libc we must subtract the address of write-20 leaked before minus the offset of write libc. To know the base memory address of the elf binary we must put the last 3 bytes of the leak to zeros using the operation AND with the 0xfff mask.





Exploitation

Then we see that after the scanf function call to know our feedback we have a buffer overflow discovered after a few attempts and step on the value of canary giving us a stack smashing. There is a space between our feedback input to the canary of 24 bytes then 8 bytes for saved rbp and return address. 



Exploit with ROP: 



Debugging ROP:



It also mentions that PIE leaker is not necessary, with leaking a LIBC address.

Then I'll show you the exploit of my friend @alextaito99 and thanks for doing the challenge together:



'Pwning in Linux' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

Writeup: 3x17  (0) 2019.03.26
Writeup: echo2  (0) 2019.03.25
Armoury - Pragyan CTF 19  (2) 2019.03.10
Secret Keeper - Pragyan CTF 19  (0) 2019.03.08
Writeup - echo1  (0) 2019.03.01
Exploit - Two targets pwnable.xyz  (0) 2019.02.28
Comments
  • ํ”„๋กœํ•„์‚ฌ์ง„ EverTokki Write-up ๊ฐ์‚ฌํ•ด์š”! ์•Œ์•„๋“ฃ๊ธฐ ์‰ฝ๊ฒŒ ์„ค๋ช…ํ•ด์ฃผ์…จ์–ด์š”. ์งˆ๋ฌธ์ด ๋ช‡๊ฐ€์ง€ ์žˆ๋Š”๋ฐ..

    1. ์นด๋‚˜๋ฆฌ์˜ ๋„๋ฐ”์ดํŠธ๋ฅผ ๋ฎ์–ด์”Œ์šฐ๋Š”๋ฐ ์•„๋ฌด ๋ฌธ์ œ๋„ ์•ˆ๋˜๋‚˜์š”?
    2. elf base ์ฃผ์†Œ๋Š” gdb๋ฅผ ์–ดํƒœ์น˜ํ• ๋•Œ ์‚ฌ์šฉํ•˜์‹ ๋‹ค๊ณ  ํ•˜์˜€๋Š”๋ฐ pop rdi์˜ ๊ฐ€์ ฏ์„ ์“ธ ๋•Œ๋„ ์‚ฌ์šฉํ•˜์…จ์ž–์•„์š”, ๊ฐ€์ ฏ์€ ๊ทธ๋ƒฅ libc์—์„œ ์ฐพ์•„ ์‚ฌ์šฉํ•ด๋„ ๋˜๋‚˜์š”? ์‚ฌ์‹ค elf base๋ฅผ ์–ด๋–ป๊ฒŒ ์‚ฌ์šฉํ•˜์‹ ๊ฑด์ง€ ์ดํ•ด๊ฐ€ ์ž˜ ๋˜์ง€ ์•Š์•„์„œ์š”. (๊ทธ๋ฆฌ๊ณ ,, ๊ฐ€์ ฏ์€ ์–ด๋–ป๊ฒŒ ์ฐพ์œผ์…จ๋‚˜์š”?)

    ์•ž์œผ๋กœ๋„ ๋‹ค๋ฅธ ๋ผ์ž‡์—…๋“ค ์ž˜ ์ฝ์„๊ฒŒ์š”!
    2019.03.16 05:36
  • ํ”„๋กœํ•„์‚ฌ์ง„ naivenom@debian ~ % theFaunia in the wild Hi EverTokki,
    1. If you overwrite canary value with junk data you get smashing stack, so you need to leak it.
    2. Because we can leak the base address of elf we can bypass the PIE protection and thus attach the debugger. In the same way we can find gadget of the binary elf or libc as you want. I used ROPgadget.
    I will write more writeup from pwnable.kr, pwnable.tw and from other CTF!
    Regards
    2019.03.18 14:56 ์‹ ๊ณ 
Comments form