Add authorship to CGFinals2015 pizza

master
q3k 2015-04-08 11:29:09 +09:00
parent 6842434792
commit 26e6f37d20
1 changed files with 5 additions and 0 deletions


@ -14,3 +14,8 @@ This is pretty convoluted, as it was pretty late when I was solving this. First,
This 2nd stage ROP leaks printf in GOT.PLT, which is then used by the exploit client to calculate the address of system in libc. Then things get weird. Since we can't really easily call a read-from-client-into-memory function (lack of rdx manipulating gadgets), we jump into a gadet that first calls fgets() and then calls atoi(). We use fgets to overwrite `pcap\_open\_offline` in GOT.PLT. Earlier, we used three sprintf calls to overwrite `atoi` in GOT.PLT to point to a `pop rdi` shell. This lets us return from the fgets call into the chain. Additionally, we also re-call the program's `main()` after the `printf` in GOT.PLT leak in order to populate address filter buffers with usefule values (source for sprintf, and `sh\x00\x00`). Finally, we return into `pcap_open_offline`, which is now system. This 2nd stage ROP leaks printf in GOT.PLT, which is then used by the exploit client to calculate the address of system in libc. Then things get weird. Since we can't really easily call a read-from-client-into-memory function (lack of rdx manipulating gadgets), we jump into a gadet that first calls fgets() and then calls atoi(). We use fgets to overwrite `pcap\_open\_offline` in GOT.PLT. Earlier, we used three sprintf calls to overwrite `atoi` in GOT.PLT to point to a `pop rdi` shell. This lets us return from the fgets call into the chain. Additionally, we also re-call the program's `main()` after the `printf` in GOT.PLT leak in order to populate address filter buffers with usefule values (source for sprintf, and `sh\x00\x00`). Finally, we return into `pcap_open_offline`, which is now system.
Oh, and there are some `ntohl` calls in the chain to make sure that `(s)printf` calls run with `eax` = 0. Otherwise, weird crashes due to XMM register preserving occur. Oh, and there are some `ntohl` calls in the chain to make sure that `(s)printf` calls run with `eax` = 0. Otherwise, weird crashes due to XMM register preserving occur.
Author
------
q3k from Dragon Sector.
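Review bot: the unchanged context lines in this hunk still carry two typos that this touch of the file could fix, "gadet" for "gadget" and "usefule" for "useful". The same paragraph also escapes the function name inconsistently, writing `pcap\_open\_offline` for the GOT overwrite but `pcap_open_offline` for the final return; inside a backtick span the underscores need no escaping, so both should read `pcap_open_offline`. The added Author section itself looks fine: the setext underline `------` matches the length of the `Author` heading.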