Home

Awesome

CTF-pwn-tips

Catalog

Overflow

Assume that: char buf[40] and signed int num

scanf

gets

read

E.g.

memory layout

0x7fffffffdd00: 0x4141414141414141      0x4141414141414141
0x7fffffffdd10: 0x4141414141414141      0x4141414141414141
0x7fffffffdd20: 0x4141414141414141      0x00007fffffffe1cd

strcpy

Assume that there is another buffer: char buf2[60]

strcat

Assume that there is another buffer: char buf2[60]

Find string in gdb

In the problem of SSP, we need to find out the offset between argv[0] and the input buffer.

gdb

E.g.

(gdb) p/x (char **)environ
$9 = 0x7fffffffde38
(gdb) x/gx 0x7fffffffde38-0x10
0x7fffffffde28: 0x00007fffffffe1cd
(gdb) x/s 0x00007fffffffe1cd
0x7fffffffe1cd: "/home/naetw/CTF/seccon2016/check/checker"

gdb peda

gdb-peda$ searchmem "/home/naetw/CTF/seccon2016/check/checker"
Searching for '/home/naetw/CTF/seccon2016/check/checker' in: None ranges
Found 3 results, display max 3 items:
[stack] : 0x7fffffffe1cd ("/home/naetw/CTF/seccon2016/check/checker")
[stack] : 0x7fffffffed7c ("/home/naetw/CTF/seccon2016/check/checker")
[stack] : 0x7fffffffefcf ("/home/naetw/CTF/seccon2016/check/checker")
gdb-peda$ searchmem 0x7fffffffe1cd
Searching for '0x7fffffffe1cd' in: None ranges
Found 2 results, display max 2 items:
   libc : 0x7ffff7dd33b8 --> 0x7fffffffe1cd ("/home/naetw/CTF/seccon2016/check/checker")
[stack] : 0x7fffffffde28 --> 0x7fffffffe1cd ("/home/naetw/CTF/seccon2016/check/checker")

Binary Service

Normal:

With specific library in two ways:

After this, you can connect to binary service by command nc localhost $port.

Find specific function offset in libc

If we leaked libc address of certain function successfully, we could use get libc base address by subtracting the offset of that function.

Manually

E.g.

$ readelf -s libc-2.19.so | grep system@
    620: 00040310    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
   1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0

Automatically

E.g.

from pwn import *

libc = ELF('libc.so')
system_off = libc.symbols['system']

Find '/bin/sh' or 'sh' in library

Need libc base address first

Manually

Automatically

E.g.

from pwn import *

libc = ELF('libc.so')
...
sh = base + next(libc.search('sh\x00'))
binsh = base + next(libc.search('/bin/sh\x00'))

Leak stack address

constraints:

There is a symbol environ in libc, whose value is the same as the third argument of main function, char **envp. The value of char **envp is on the stack, thus we can leak stack address with this symbol.

(gdb) list 1
1       #include <stdlib.h>
2       #include <stdio.h>
3
4       extern char **environ;
5
6       int main(int argc, char **argv, char **envp)
7       {
8           return 0;
9       }
(gdb) x/gx 0x7ffff7a0e000 + 0x3c5f38
0x7ffff7dd3f38 <environ>:       0x00007fffffffe230
(gdb) p/x (char **)envp
$12 = 0x7fffffffe230

This manual explains details about environ.

Fork problem in gdb

When you use gdb to debug a binary with fork() function, you can use the following command to determine which process to follow (The default setting of original gdb is parent, while that of gdb-peda is child.):

Alternatively, using set detach-on-fork off, we can then control both sides of each fork. Using inferior X where X is any of the numbers that show up for info inferiors will switch to that side of the fork. This is useful if both sides of the fork are necessary to attack a challenge, and the simple follow ones above aren't sufficient.

Secret of a mysterious section - .tls

constraints:

We make malloc use mmap to allocate memory(size 0x21000 is enough). In general, these pages will be placed at the address just before .tls section.

There is some useful information on .tls, such as the address of main_arena, canary (value of stack guard), and a strange stack address which points to somewhere on the stack but with a fixed offset.

Before calling mmap:

7fecbfe4d000-7fecbfe51000 r--p 001bd000 fd:00 131210         /lib/x86_64-linux-gnu/libc-2.24.so
7fecbfe51000-7fecbfe53000 rw-p 001c1000 fd:00 131210         /lib/x86_64-linux-gnu/libc-2.24.so
7fecbfe53000-7fecbfe57000 rw-p 00000000 00:00 0
7fecbfe57000-7fecbfe7c000 r-xp 00000000 fd:00 131206         /lib/x86_64-linux-gnu/ld-2.24.so
7fecc0068000-7fecc006a000 rw-p 00000000 00:00 0              <- .tls section
7fecc0078000-7fecc007b000 rw-p 00000000 00:00 0
7fecc007b000-7fecc007c000 r--p 00024000 fd:00 131206         /lib/x86_64-linux-gnu/ld-2.24.so
7fecc007c000-7fecc007d000 rw-p 00025000 fd:00 131206         /lib/x86_64-linux-gnu/ld-2.24.so

After call mmap:

7fecbfe4d000-7fecbfe51000 r--p 001bd000 fd:00 131210         /lib/x86_64-linux-gnu/libc-2.24.so
7fecbfe51000-7fecbfe53000 rw-p 001c1000 fd:00 131210         /lib/x86_64-linux-gnu/libc-2.24.so
7fecbfe53000-7fecbfe57000 rw-p 00000000 00:00 0
7fecbfe57000-7fecbfe7c000 r-xp 00000000 fd:00 131206         /lib/x86_64-linux-gnu/ld-2.24.so
7fecc0045000-7fecc006a000 rw-p 00000000 00:00 0              <- memory of mmap + .tls section
7fecc0078000-7fecc007b000 rw-p 00000000 00:00 0
7fecc007b000-7fecc007c000 r--p 00024000 fd:00 131206         /lib/x86_64-linux-gnu/ld-2.24.so
7fecc007c000-7fecc007d000 rw-p 00025000 fd:00 131206         /lib/x86_64-linux-gnu/ld-2.24.so

Predictable RNG(Random Number Generator)

When the binary uses the RNG to make the address of important information or sth, we can guess the same value if it's predictable.

Assuming that it's predictable, we can use ctypes which is a build-in module in Python.

ctypes allows calling a function in DLL(Dynamic-Link Library) or Shared Library.

Therefore, if binary has an init_proc like this:

srand(time(NULL));
while(addr <= 0x10000){
    addr = rand() & 0xfffff000;
}
secret = mmap(addr,0x1000,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS ,-1,0);
if(secret == -1){
    puts("mmap error");
    exit(0);
}

Then we can use ctypes to get the same value of addr.

import ctypes
LIBC = ctypes.cdll.LoadLibrary('/path/to/dll')
LIBC.srand(LIBC.time(0))
addr = LIBC.rand() & 0xfffff000

Make stack executable

Use one-gadget-RCE instead of system

constraints:

Almost every pwnable challenge needs to call system('/bin/sh') in the end of the exploit, but if we want to call that, we have to manipulate the parameters and, of course, hijack some functions to system. What if we can't manipulate the parameter?

Use one-gadget-RCE!

With one-gadget-RCE, we can just hijack .got.plt or something we can use to control eip to make program jump to one-gadget, but there are some constraints that need satisfying before using it.

There are lots of one-gadgets in libc. Each one has different constraints but those are similar. Each constraint is about the state of registers.

E.g.

How can we get these constraints? Here is an useful tool one_gadget !!!!

So if we can satisfy those constraints, we can get the shell more easily.

Hijack hook function

constraints:

By manual:

The GNU C Library lets you modify the behavior of malloc, realloc, and free by specifying appropriate hook functions. You can use these hooks to help you debug programs that use dynamic memory allocation, for example.

There are hook variables declared in malloc.h and their default values are 0x0.

Since they are used to help us debug programs, they are writable during the execution.

0xf77228e0 <__free_hook>:       0x00000000
0xf7722000 0xf7727000 rw-p      mapped

Let's look into the src of malloc.c. I will use __libc_free to demo.

void (*hook) (void *, const void *) = atomic_forced_read (__free_hook);
if (__builtin_expect (hook != NULL, 0))
{
    (*hook)(mem, RETURN_ADDRESS (0));
    return;
}

It checks the value of __free_hook. If it's not NULL, it will call the hook function first. Here, we would like to use one-gadget-RCE. Since hook function is called in the libc, the constraints of one-gadget are usually satisfied.

Use printf to trigger malloc and free

Look into the source of printf, there are several places which may trigger malloc. Take vfprintf.c line 1470 for example:

#define EXTSIZ 32
enum { WORK_BUFFER_SIZE = 1000 };

if (width >= WORK_BUFFER_SIZE - EXTSIZ)
{
    /* We have to use a special buffer.  */
    size_t needed = ((size_t) width + EXTSIZ) * sizeof (CHAR_T);
    if (__libc_use_alloca (needed))
        workend = (CHAR_T *) alloca (needed) + width + EXTSIZ;
    else
    {
        workstart = (CHAR_T *) malloc (needed);
        if (workstart == NULL)
        {
            done = -1;
            goto all_done;
        }
        workend = workstart + width + EXTSIZ;
    }
}

We can find that malloc will be triggered if the width field is large enough.(Of course, free will also be triggered at the end of printf if malloc has been triggered.) However, WORK_BUFFER_SIZE is not large enough, since we need to go to else block. Let's take a look at __libc_use_alloca and see what exactly the minimum size of width we should give.


/* Minimum size for a thread.  We are free to choose a reasonable value.  */
#define PTHREAD_STACK_MIN        16384

#define __MAX_ALLOCA_CUTOFF        65536

int __libc_use_alloca (size_t size)
{
    return (__builtin_expect (size <= PTHREAD_STACK_MIN / 4, 1)
        || __builtin_expect (__libc_alloca_cutoff (size), 1));
}

int __libc_alloca_cutoff (size_t size)
{
	return size <= (MIN (__MAX_ALLOCA_CUTOFF,
					THREAD_GETMEM (THREAD_SELF, stackblock_size) / 4
					/* The main thread, before the thread library is
						initialized, has zero in the stackblock_size
						element.  Since it is the main thread we can
						assume the maximum available stack space.  */
					?: __MAX_ALLOCA_CUTOFF * 4));
}

We have to make sure that:

  1. size > PTHREAD_STACK_MIN / 4
  2. size > MIN(__MAX_ALLOCA_CUTOFF, THREAD_GETMEM(THREAD_SELF, stackblock_size) / 4 ?: __MAX_ALLOCA_CUTOFF * 4)
    • I did not fully understand what exactly the function - THREAD_GETMEM do, but it seems that it mostly returns 0.
    • Therefore, the second condition is usually size > 65536

More details:

conclusion

Use execveat to open a shell

When it comes to opening a shell with system call, execve always pops up in mind. However, it's not always easily available due to the lack of gadgets or others constraints.
Actually, there is a system call, execveat, with following prototype:

int execveat(int dirfd, const char *pathname,
             char *const argv[], char *const envp[],
             int flags);

According to its man page, it operates in the same way as execve. As for the additional arguments, it mentions that:

If pathname is absolute, then dirfd is ignored.

Hence, if we make pathname point to "/bin/sh", and set argv, envp and flags to 0, we can still get a shell whatever the value of dirfd.