[PWN] NullConCTF 2025 - hateful2-challenge

-

  ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )

(إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان)



Hoy, it's a heap challenge from Nullcon CTF 2025 ;-), Thanks to Saif (@wr3nchsr).

What will we try to do?

  • Reversing the Binery
  • List what we found.
  • Exploit
    • Leak the libc address using unsortedbin
    • Leak heap address and do (mangling/demangling)
    • Overwrite the next pointer of the free list
    • Control the RIP with ROP-Chain

Let's start ;-).

Reverse the Binary

after reversing the binary and the following screenshots are samples,




we have 5 options to interact with the binary:

  • what do we do? (about_us)
  • add message (malloc)
  • edit message
  • View message
  • remove message (free)
  • leave (exit)

List what we found

  • we can control the allocation size without limit
  • we have a leak in (about_us) function to a variable on the stack (stack-address).
  • there is Use-After-Free (read & edit) after free()ing the chunk.
  • the libc version is 2.36 (there is a protection on the free list addresses).


Exploit

first will set the script to interact with the binary easily (for us)


First, we will call (about us) function and take the stack address as the first leak.

We can control the size of the allocation so we can add a chunk to any bin, so to do a leak we will use the unsorted bin because when we free it the free list is stored in something called (main arena) and this is on the libc so we will get a leak from it.

Easily we will create a large allocation (0x1000) and after it we will create a small one (0x10) this small chunk is a guard and it used to protect our chunk from being consolidated with the wildness of the heap (if this is hard xD you can leak all of that from pwn.college), so we will free the large chunk and the main arena address will be stored in the chunk so using the UAF we will read from the free()ed chunk which contains the libc address and with we have our second leak



Now we will leak a heap address because it will be used to mangle and demangle the addresses before putting it into the free list to overwrite the next chunk address (got these functions from pwn.college modules too - you can check the libc source code to understand the logic)

def magic_obs2good(obs):
middle_state = (obs >> 12 ^ obs)
good = middle_state ^ middle_state >> 24
return good

def magic_good2obs(obs, addr):
good = (obs >> 12) ^ addr
return good

after leaking the heap address and controlling the list we will try to:

  • allocate a chunk on RIP
  • modify the chunk to overwrite the address that we will jump to
easy?! when we try to allocate a chunk we got this error (source code)



now we have to make sure that the address that we try to allocate is a good address to malloc to be accepted, form some reading and previous practice I tried to use an address that aligned (ends with 0 i think) and it works with me (rip_address - 0x28) is a good one for me and i could control the follow with it (note that you can use the different address).




now building the ROP chain



and we got the shell ;-).



Thank you for reading, solver in Github.


عن عبد الله بن عمرو رضي الله عنهما أن النبي صلى الله عليه وسلم قال:
«بَلِّغُوا عَنِّي وَلَوْ آيَةً، وَحَدِّثُوا عَنْ بَنِي إِسْرَائِيلَ وَلَا حَرَجَ، وَمَنْ كَذَبَ عَلَيَّ مُتَعَمِّدًا فَلْيَتَبَوَّأْ مَقْعَدَهُ مِنَ النَّارِ». 
[صحيح] - [رواه البخاري] - [صحيح البخاري - 3461]

Comments

Post a Comment

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we...
Read more

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) It was a nice CTF, I got 2nd place with my guys: Hissien Misbah ( Twitter ) Mohamed Bebo ( Linkedin ) Sameh ( Linkedin ) Osama Zidan ( Linkedin ) A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place). Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start. Note: there is no source code in the challenge attachment, I requested it from the author ( @serWazito0 ) thanks to him, challenges files ( ASCWG_2024_CTF ). Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access...
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything...
Read more