[HITB 2017] Baby shellcode writeup

This is the second time I have participated in HITB and my first time solving a pwn challenge on Windows. I got the first solve for this challenge. It's a really good challenge; I suggest you try it yourself before reading my writeup.
You can download the binary here
The challenge consists of two 32-bit PE files:
- babyshellcode.exe (built with /DYNAMICBASE enabled) holds the main program logic
- scmgr.dll exports three functions: init_scmgr, allocsc and getshell_test

Tips: I had to use netcat for Windows to debug this challenge: https://eternallybored.org/misc/netcat/. Really cool piece of software.

Program logic:
We need to find a way to call getshell_test. The program allows us to create 20 nodes, each representing a shellcode in memory. Pointers to these nodes are stored in an array at offset 0x02B53F8. We can list, delete and try to execute these shellcodes. We can't directly execute our shellcode unless the guard variable at offset 0x02B5448 is set, and nothing in the code allows us to do that ;) Notice that the guard variable is located right behind our array of pointers.
Shellcode allocation is done using allocsc, a malloc-like function that splits a small chunk off a large VirtualAlloc chunk and returns it to us. The address of this chunk is printed when the program starts.

Vulnerabilities:
- The first vulnerability is a buffer overflow in main, where the program asks us to 'leave our name'. Since the program just calls exit() to exit, we can't control EIP using this vuln; instead we use it to leak the binary base address.
- The second vulnerability is an integer overflow inside allocsc.
Using this vulnerability we can force allocsc to return an arbitrary address as long as it is less than `HEAP + HEAP_SIZE`. This is similar to the House of Force technique used in Linux heap exploitation, but much simpler.
Solution:
- Allocate a chunk with a negative size to trigger the integer overflow bug; this has to be the 21st node so that the function returns right after the allocation. Allocate another chunk that overlaps our array at offset 0x02B53F8; then we can corrupt the array of pointers, create fake nodes and set the guard variable to 0.
- Using the name pointer in a fake node, we can leak the address of allocsc from the import table to calculate the address of getshell_test.
- Using the shellcode pointer, hijack EIP and get a shell.
My exploit code:
