CSAW CTF 2014: greenhornd Writeup

Introduction

Nowadays, I'm trying to learn windows exploitation by reading the tutorials and solving tasks that recommended by open-source seminar written with the Korean language (Thanks to google translate) besides other external resources. So, I decided to provide writeups for the chosen challenges existed within the seminar repository.

Consequently, I am going today to solve my first 32-bit windows pwn challenge within window10 which is greenhornd from CSAW CTF 2014 using the Open-Read-Write ROP chain to read the file named key from a remote server. Additionally, I will use AppJailLauncher to launch the exe file for providing a game server experience using the following command.


Finding the Vulnerability

First of All, I executed the greenhornd exe, and the following text got printed to the screen which asks you to find the secret key and it suggested that you can look at strings within the binary using strings utility or IDA disassembler (sorry I will use R2 cutter xD ).

Figure[1]
    Figure[1]







So, I started to check the strings using Cutter and find the secret password which is GreenhornSecretPassword!!! as appear in Figure[2].

Figure[2]
Figure[2]




 After inputting the secret password, a menu with the following options printed to the screen as appear in Figure[3].

Figure[3]
Figure[3]

as appear in Figure[4]These options are represented in the disassembly by switch table for achieving the jump to certain function based on your choice. However, I'm just interested in only two options which are (A)SLR and (V)ulnerability.

Figure[4]
Figure[4]

Let's start with the (A)SLR option, It prints text about Address Layout Randomization in windows beside give us two anonymous addresses as appear in the next figure.

Figure[5]
Figure[5]

So let us back to the disassembler to figure out what these two addresses. As you see inside the red-colored rectangle block within Figure[6], The function A_SLR gets the module handle of the current process through WinApi GetModuleHandle which is the same as the ImageBase address of exe in memory then save ImageBase subtracted by value 0x400000 in the variable on the stack. Afterward, It sends the ImageBase-0x400000 and the address holding it to the function WriteAddressesToStdout to print them respectively as appear in a blue-colored rectangle block.

Figure[6]
Figure[6]

Now we are done with (A)SLR, So let us start checking the (V)urlnerability option. As you see in the following screenshot, there is a text that asks you to input 1024 characters with some constraints in the input string.

Figure[7]
Figure[7]

Let's jump to the Vulnerable_Function to analyze it and check what the type of vulnerability it contains. The instructions within the red-colored block in Figure[8] holds responsibility for reading a string from stdin to the buffer at stack address equal to (ebp-400h) with a max length of 2048 characters. Therefore, The classic buffer overflow vulnerability exists as the max size of the string exceeds the size of the buffer specified for the input string which is 1024 characters. 

However, The function can exit without returning which will prevent the execution of overwritten saved return address if the string does not achieve a certain constraint. As appear in the blue-colored block which is responsible for the last-mentioned constraint, The instructions check if the 1st character equal to 'C' or 2nd character equal to 'S' or 3rd character equal to 'A' or 4th character equal to 'W' to return otherwise the function exit without returning.

Figure[8]
Figure[8]








 

Exploiting the vulnerable function

Based on previous analysis, We concluded that the Vulnerable_Function contains Buffer overflow vulnerability and we will exploit that vulnerability to build our Open-Read-write ROP chain. So let's define our stack layout that achieves the goal of reading the file named key then prints it content to stdout.

As appear in Figure[9], The left-hand side represents the stack state before overflowing while The right-hand side of the diagram represents the stack layout after overflowing with appropriate values that mirror the Open-Read-Write ROP chain. 

The Blue-colored block within the following Figure represents functions/ROP Gadgets address. On the other hand, The orange blocks represent the parameters for the functions. Additionally, The grey text within the blocks represents the value of that block. 

Also, The parameters labeled with the same number as a certain function are parameters of this function. 

Figure[9]
Figure[9]




As you see in the previous diagram, There are missing addresses that will be needed to build our ROP chain. These values are OpenFile, ReadFile, WriteToStdout, ImageBase, and finally stack address that represents InputAddress.

As appear in Figure[5], The (A)SLR option leak the ImageBase-0x400000 and stack address that hold it. So, We will use them to estimate ImageBase by adding the same subtracted value. Also, InputAddress will be calculated by adding the offset(between the stack address holding ImageBase-0x400000 and the InputAddress) which equals 0x3F4 to stack leaked address as you see in the following code snippet.


As appear in Figure[6], There is a function called WriteToStdout that is responsible for writing to Stdout. It takes only one parameter that represents the address of string/bytes to write it to screen and it's located at address equals ImageBase+0x14d0.

Now we will work on leaking the addresses of OpenFile and ReadFile WinApi functions, The ReadFile is imported in the binary file which means its address saved inside IAT at address equal to ImageBase+0x2014.

So, Our plan will be based on overflowing the Vulnerable_Function to pass the IAT entry address of ReadFile function(ImageBase+0x2014) as a parameter to WriteToStdout As appear in Figure[10].

Figure[10]





In the following code snippet, We will receive the ReadFile Function address from Stdout. Then we will estimate the OpenFile function which equals Readfile address + 0x35350.


Now we have all the addresses we need to construct our ROP chain that defined in Figure[9] and we will achieve it by using the following snippet of code.


The whole exploit script exists Here.

Comments

Post a Comment

Popular posts from this blog

Windows Service Analysis

Image
Introduction In my first post, I will analyze the dropper of Shamoon 3.0 malware which is windows service executable that differs from a normal executable structure and execution method. So by analyzing dropper of Shamoon 3.0, we can understand: 1) windows service structure. 2) how to analyze & debug windows service.    So let us understand what's windows service and how it structured before jumping to Analysis. Windows service program a program that executed by Service Control Manager (SCM) and conforms to its rules. it runs in the background with no GUI interface as it doesn't need a user to interact with it. It can be started automatically at system boot. Windows Service Structure The Window Service Structure program consists of three important functions as seen in windows service structure Figure: 1. Main entry point function  the main function of the windows service program, its goal to inform the...
Read more

Patching ELF with Rair

Image
Introduction In this post, I will try to solve oracle level 3 challenge from chapter 5 of practical binary analysis book using Rair which is a Reverse Engineering Framework that's under development. Briefly, Its rewrite of radare2 but in rust to become more memory safe and more stable along with superior features that are under development. Today, I will just use Rair hex-editor feature for patching the ELF Binary file to solve our challenge. Installation in Linux 1. Install Rust. 2. Add Rust to your system PATH manually. 3. Use cargo Rust’s build system and package manager to download Rair. Level-3 Analysis At the start, I execute the lvl3 binary and kinda get an error that file has an invalid format.   Also, when I tried to check the file format of lvl3 using file utility command I still get an error. Now we know something wrong is going on with format and we need to dig deeper by checking ELF headers to know what causes this error with t...
Read more