[PWN - Writeup] Syscalls and Backup Power from UIUCTF 2024

 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )
(إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان)



Let's solve Backup Power & Syscalls (pwn).

Table of Content


Backup Power (pwn - 454)

This was a MIPS chall (i like mips), let's start with reversing the binary.

start with the security of controls on the application



what the binary takes from us


now let's reverse the binary, we have commands and just the allowed commands [shutup, shutdown] and the system is not in the allowed list.






if we used "devolper" is the username we will take a branch that will call function "develper_power_managemnet_portal"


this function is vulnerable to stack overflow it gets input without validation of the size but we have to take care of the stack we have to make "vars20" equal to "cfi" we will not do the canary check (i think).


there is a default command "todo" that will be compared with the commands


after all of that I though that I had to add "system" to the allowed list and then use it, but for some reason, it did not work with me (maybe I did something wrong) but I used another way.

i did a breakpoint on the "strcmp"


now we will see that there is a compare "todo" with all commands in the binary





so I tried to overflow the "todo" command at "0x40800430" to be "system" After that i found there was a call to system, our buffer started at "0x40800308".

When i tried to fill the padding between my buffer and the address to "todo" command i faced a crash 


I overwrote an address that is used in the "$gp" register, i added a breakpoint on this address run the program normally again took the right address from it "0x004aa330" and just filled the padding with it

replacing "todo" with "system" will make the check like that



and we will see that


these "A"s form our buffer so we have to add a command to read the flag and i just have 8 bytes and should be separated "4" + "4" and we know that the flag called "flag.txt" so i used the following payload "cat " and "fla*".

this is my final stack values


and we got the flag ;-).


the solution script here.

Syscalls (pwn - 398)

hint form the name it replated to some syscall jail xD.

first running "seccomp-tool" to know the forbidden syscalls


reversing the binary show that it's simple just take input from you and execute it after making sure that there is no forbidden syscalls.




after searching on ther syscalls table found some useful syscalls [openat, preadv2, pwritev2] and i tried it first in a simple C code 

#define _GNU_SOURCE
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/uio.h>

int main() {
const char *filename = "flag.txt";
int fd = openat(-100, filename, 0);

char *buffer[4096];
struct iovec iov[1];
iov[0].iov_base = buffer;
iov[0].iov_len = sizeof(buffer);

ssize_t bytes_read = preadv2(fd, iov, 1, 1, 0);

ssize_t bytes_written = pwritev2(1, iov, 1, 0, 0);

return 0;
}

first i tried it but no flag printed in local test and the issue was in "pwritev2" it said that the fd is not seacable the stdout one, a friend helps me with this one after checking the man page there is comment "if the offset argument is -1, then the current file offset is used and updated" donno waht the hack this mean but when i tried it the magic happen and the issue fixed locally.


now we have to send the assembly to do the same 


the solution script here.

Thanks for reading.

Comments

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

Lets Analysis STM32F103 Chip Firmware from Attify

[Debug/Exploit CVE-2022-24355] TP-Link TL-WR940N Stack-based Buffer Overflow