[NahamconCTF] Pwn Challenges (So Much Cache & Gopherflow Returns)

-

 

( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )
(إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان)



Hoy, let's go through the challenges from NahamconCTF.

I wanna thank Mohamed (ixSly) for his support in this CTF.

1. So Much Cache (hard)

This one was easy and direct if we understand what it is doing we finish, let's start.

it gives us the ability to allocate places in memory, free it, and jump to a location that the binary chooses, if we can control this location it will be a simple "ret2win" (we have a win function to read the flag).



we can write in our allocation with size (input size * 3) if we create an allocation 8 we can write into the memory (8*3) size which will overflow and corrupt the next heap allocation metadata and that is what we need.


what we will do?
  1. create allocation with size "16" (you can do it with different size).
  2. fill this allocation with "(A* ((16*3)-1) )" the "-1" for the "0x0a" newline.
  3. choose "Prepare Jump" choice that will allocate memory with size "24" after our allocation.
  4. now choose to jump into the first location "1" It will try to jump to "
so what we have to do is to add the win address to the place that will jump to and replace the "A's", you can calculate it or just add unique values for each "8" bytes and check where the jump will be.



and that is it for this challenge, easy right?.

Solution script on GitHub.


2. Gopherflow Returns (hard)

this is my first exploit with a "go" binary and this post helped me understand what I have to do thanks to @Adel for sharing it with me.

our approach overflowing and get a crash fix it and go to the next crash until we control the rip after that we will build our ROP.

the binary security controls


lets use favorite char to fuzz "A's" and we get our first crash in function "slicebytetostring" and you can see that we controlled the arguments of it


check the main function in Ghidra to know what is the used functions


if we add a breakpoint on this function, re-run the binary in gdb and check before and after overflowing we will find the following

after overflow

before overflow


so we overwrite the "rcx" and if we fix it the crash will disappear and that what happen but we didn't finish all crashes yet i did the same with the following 2 crashes

memmove crash


bufio crash1

bufio crash2

just i added a breakpoint on each instruction that crashed and got the right value, added it to my payload, and send it.

After fixing all crashes it's time for more padding to control the RIP and I got it.


and our "0xdeadbeef" is the new RIP


I used "ropper" to create the "ropchain" but it was not that good and I edited it a lot to fit my case, finally i got a running ropchain that will push "bin/sh" to memory and use it with syscall "execve".

ropper ropchain

modified ropchain

running it we got a call for our "execve" with a shell, note that you have to set the "envp" to zero to make the syscall work it took time for me to note this issue "ropper will not do that" and the arrangement of gadgets is important because some gadgets corrupt others.





Solution script on GitHub.

That's it 😉,
Thank you.

عن عبد الله بن عمرو قال: قال رسول الله صلى الله عليه وسلم: من صمت نجا. رواه الترمذي وأحمد.

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we
Read more