PWN1: ASIS CTF full-protection challenge

Hello again guys, this is another write-up for ASIS CTF.

Let's download the binary and the libc (if you don't have them, I have uploaded them to my GitHub repo; link at the bottom).

Name of the challenge : Full-Protection

File:



We're dealing with:
* 64-bit binary.
* Not stripped (we can reverse engineer the binary easily).

Checksec:


As the name of the challenge says, we're really dealing with a binary with all protection mechanisms enabled.

Reverse engineering:


Let's open Ghidra, give it our binary and look at the decompiler pseudo-code:


This is the portion of code I'm interested in the most:
It just enters an infinite loop, reading a line with a max size of 0x40 = 64 bytes and printing it using __printf_chk().


__printf_chk() is a hardened version of printf(): it mitigates the write side of format string exploitation (the %n tricks), but it still happily prints stack values with %p, which is all we need for a leak. Then _IO_putc() prints a newline.

readline():


It uses gets() to read our input, but it checks the length of the entered string with strlen(): if it is higher than 64 bytes, it prints "[FATAL] Buffer Overflow" and calls exit(1).

Please remember that the binary uses strlen() to calculate the length of the string.

The program is simple; let's play with it.

Play with the binary:






The plan:

1) Leak the canary and a libc address using the format string vulnerability.

2) Trick strlen() and enter a string longer than 64 bytes, overwriting the canary with its correct value and using a simple ROP chain to pop a shell.


The exploit:

For the first step:

How did I leak the canary?

I just sent a bunch of "%p %p .. %p" and looked at the result:

Let's do this in practice and I'll show you exactly how I did it:



This 0x860ee85ea5edb700 looks like the canary, but I don't have proof that it's the canary!

Let's go and prove it:


Press "Enter"


Type "b * main" and press Enter.

Type "run"; it will stop in main:



gef has a cool feature that lets you find the value of the canary easily by running this:



gef says the canary is: 0x16e18c325dd64c00

Enter "c" or "continue", then enter the same pattern again "%p %p .. %p" and press Enter:


We got the same canary as the last %p. Perfect!

This is the portion of the Python script that captures the canary:



Now we need to leak an address from libc:
What I did was this (just by trial and error):


The address I highlighted is from libc.
Press the hot-key Ctrl-C:

and enter "xinfo `the address here`" to see whether you got an address from libc:


It's an address from the stack, hmmm, I don't need it.
Let's try harder and test the other addresses.


Wow, an address from libc! Actually it's __libc_start_main + 243, so it's easy to calculate the libc base address.

This is the portion of code that leaks libc and calculates the libc base address:



Let's test our Python script so far:



Perfect!

Now to the second step:

Now we have the canary and the libc base address, so we can do anything we want really, if only we can overflow the canary, RBP, and the return pointer.

strlen() is preventing us from overflowing the canary, RBP, and the return pointer, because we need more than 64 bytes to do it.

But as you may know, strlen() stops counting when it hits a NULL character \x00, while gets() has no limit at all and keeps writing everything up to the newline. So we can easily bypass the strlen() check by entering a padding of \x00 at the beginning: strlen() will return 0 and we pass the check.
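To make the strlen() point concrete, here is an added example (my own C, not the challenge binary or the author's exploit): a function that mirrors the binary's check on the bytes gets() would have written, beside a hardened readline that counts the bytes it actually consumes instead of calling strlen(). BUF_SIZE, the function names and the tmpfile() helper are my assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* 0x40, the challenge's buffer size */

/* Mirrors the challenge's check: gets() has already written the whole line
 * into the stack buffer before strlen() is consulted. Returns 1 when the
 * check would let the line through (no "[FATAL] Buffer Overflow" exit). */
int vulnerable_check_accepts(const unsigned char *line, size_t n)
{
    size_t counted = 0;
    while (counted < n && line[counted] != '\0')   /* strlen() stops at NUL */
        counted++;
    return counted <= BUF_SIZE;
}

/* Hardened replacement: count bytes actually consumed, never the C-string
 * length, and refuse before anything is written past cap-1. Returns bytes
 * stored (newline excluded) or -1 when the line does not fit; the rest of
 * an oversized line is drained so the next read starts on a fresh line. */
long safe_readline(FILE *in, unsigned char *buf, size_t cap)
{
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 >= cap) {
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                          /* drain, do not store */
            return -1;
        }
        buf[n++] = (unsigned char)c;       /* NUL bytes are stored too */
    }
    buf[n] = '\0';
    return (long)n;
}

/* Feed constructed bytes through safe_readline() via an ISO C tmpfile(),
 * so the function can be exercised offline instead of on a real stdin. */
long safe_readline_from_bytes(const unsigned char *data, size_t len,
                              unsigned char *buf, size_t cap)
{
    FILE *f = tmpfile();
    if (!f) return -2;
    if (fwrite(data, 1, len, f) != len) { fclose(f); return -2; }
    rewind(f);
    long r = safe_readline(f, buf, cap);
    fclose(f);
    return r;
}
```

A line of 64 NUL bytes followed by 24 filler bytes passes the strlen()-based check but is rejected by safe_readline(), which is the whole difference between the two.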

Our exploit will look like this:

"\x00"*64 + canary + "M"*8 + ROP CHAIN

My ROP chain is simply doing this:

pop rdi ; ret
/bin/sh address
ret (keeps the stack 16-byte aligned before the call)
system()

This is the part of the code that crafts the final payload and sends it, and we get a shell:



And enjoy! I'm really looking forward to your feedback ^^

Contact me here : Maher#7775

The binary, libc and full exploit are here:

https://github.com/MaherAzzouzi/PWNing/tree/master/ASIS/full_protection_distfiles




Comments

  1. Great writeup! Learned a lot of new tricks like using xinfo on gdb and the strlen() bypass. Hoping to see more writeups!

    1. Thanks a lot for your feedback, I will post more write-ups and I'm hoping to share everything I know about binary exploitation.
