PWN8 : Fword 2020 Blacklist PWN Challenge

Hello guys, this is another write-up, this time for the challenge named Blacklist.

If you don't have the binary downloaded, you can find it in my GitHub here : 

https://github.com/MaherAzzouzi/PWNing/tree/master/Fword2020/blacklist

Let's go !


Description :



From the description I know that I want to read the content of the file aaaaaa...txt under /home/fbi.
So maybe the flag is here : /home/fbi/aaaaa...cma.txt

Information about the binary : 

- As you can see the challenge is statically linked and PIE is disabled, which means you can find all the libc functions (like system(), printf() and the others) at known addresses in the binary.

- Because the binary is stripped, it doesn't contain symbols, so I can't use Ghidra to reverse it: Ghidra would try to decompile every function in the binary, which takes forever.

- No canary is found, which is good for a stack overflow.


Play with the binary :

- The process doesn't show anything, and when entering a large input we see Segmentation fault, which means we overwrote the return pointer. We have a stack overflow.

To extract the exact offset to overwrite the return pointer : 

Launch python3 and import pwn :




Press "Enter":

The exact offset is 72.


Plan:

- Extract useful gadgets from the binary.

- Write the path to the file we want to read in the bss (known address).

- Make the bss segment executable so we can execute shellcode on it.

- Execute our shellcode, which opens that file and sends its content to stdout.


Exploit : 


- To find the gadgets we're gonna use, just use the Ropper tool like this :

Here I have the address of a "syscall; ret" gadget so I can use it in my ROP chain.

I searched for gadgets like these (the same way I did for syscall) :

- pop rax; ret

- pop rdi; ret

...

Just to use them in my ROP chain, control all the arguments and call syscall at the end.

Now the first thing to do is this :

read(rax=0, rdi=0, rsi=BSS, rdx=0x1000)

This is how the ROP chain looks :

pop rsp is used here to pivot the stack to the bss, in order to execute :

mprotect(rax=0xa, rdi=BSS, rsi=0x100, rdx=0x7)

(If you're not familiar with stack pivoting, google it.)

Until here the process will wait for us to send input, and that input will be stored in the bss.

What will I be sending ?

This is just the full path to the flag file.

This is used to execute mprotect() and make the bss executable, and in the end it jumps to the shellcode.


This is the shellcode. I first tried to simply use execve("/bin/sh", 0, 0), but it didn't work because seccomp is used in this challenge; even write() is blocked.

So what our shellcode is doing is this :

openat(rax=0x101, rdi=6, rsi=BSS [pointer to the file's full path], rdx=0, r10=0)

sendfile(rax=0x28, rdi=1 [stdout], rsi=3 [file fd], rdx=NULL [offset; NULL means read from the beginning of the file], r10=100 [read 100 bytes from the file])
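The challenge's seccomp policy is a blacklist: it blocks write() but leaves sendfile() and openat() available, which is exactly the gap the shellcode above walks through. As an added example (my own code, not the challenge's filter nor the exploit on GitHub), here is the allowlist form of such a filter in C, with a tiny offline evaluator showing that write, sendfile, openat and mprotect all get the process killed while only an assumed set {read, exit, exit_group} passes.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define OFF_ARCH offsetof(struct seccomp_data, arch)
#define OFF_NR   offsetof(struct seccomp_data, nr)
/* Allowlist: only syscalls in `allowed` pass; everything else (write, sendfile,
 * openat, mprotect, ...) kills the process. Returns the instruction count. */
size_t build_allowlist(const int *allowed, size_t n, struct sock_filter *out) {
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARCH);
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR);
    for (size_t k = 0; k < n; k++) {  /* jt=0: hit -> ALLOW; jf=1: skip to next check */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Tiny interpreter for the three instruction kinds emitted above, so the policy
 * can be checked offline instead of installing it into the current process. */
unsigned int evaluate(const struct sock_filter *p, size_t len, unsigned int arch, unsigned int nr) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &p[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (ins->k == OFF_NR) ? nr : arch;       /* load nr or arch into A */
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == ins->k) ? ins->jt : ins->jf;  /* skip relative to next insn */
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;                              /* verdict */
    }
    return SECCOMP_RET_KILL_PROCESS; /* unreachable for well-formed programs */
}

/* Verdict of the assumed allowlist {read, exit, exit_group} for one syscall. */
unsigned int verdict_for(unsigned int arch, unsigned int nr) {
    const int allowed[] = { SYS_read, SYS_exit, SYS_exit_group };
    struct sock_filter prog[64];
    return evaluate(prog, build_allowlist(allowed, 3, prog), arch, nr);
}
```

To actually enforce it, wrap the array in a struct sock_fprog and load it with prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog).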


Summary : 

- We've crafted a ROP chain just to read our filename, the second ROP chain and our shellcode into the bss. When the first ROP chain finishes, we pivot to the second one (its address is hardcoded in the first ROP chain); the second one makes the BSS executable and then jumps to the shellcode.


You can find the full exploit in my GitHub too.

If you have any questions : Maher#7775

Comments

  1. Hey, your 3rd picture reveals that you searched how to take a screenshot in Linux. It's not funny. If it was sensitive data, someone would play with us for fun.
    And the article is good work.

    1. Hey, I already know how to take screenshots LOL, it's just that the hotkey didn't work and I wanted to make sure it wasn't my Linux problem, and it wasn't. And yes, it's a bad practice to screenshot over a screen that already contains some information; it can leak some important data. Thanks for your reply.
