
Welcome

Latest post extracts
[BKP CTF 2016] qwn2own - generic browser exploits

I've recently had the pleasure of staying for a couple of weeks in the gorgeous industrial zone of Belmont, WA. With the nearest pub being a ~25-minute walk away, I've put my 5 Kbps Internet connection to good use and downloaded a few challenges from recent CTFs. qwn2own from the latest Boston Key Party CTF definitely stood out, as we don't often see browser exploitation challenges in CTFs. I reckon it very successfully touched the browser exploitation world, as it required players to use techniques close to those of present-day client-side exploits, but with the ability to easily debug and look at the underlying source. And so I've decided to use this challenge as material for my yearly article, which will try to cover why corrupted vector/array objects can be (and often are) used to write universal, per-platform browser exploits.

The challenge itself was distributed in this archive, which contained an x64/PIE/Full RELRO binary of a simple Qt-based browser with a custom JavaScript extension, "BKPDataBase". Basically, a database object can be used to create and manage data stores (vectors) or keyed stores (maps), as I think their example page illustrates well:

[Plaid CTF 2015] PlaidDB - pwn 550

PlaidDB is an x64 stripped executable, compiled with full RELRO, PIE and NX support. Its libc was provided, seemingly from Ubuntu LTS 14.04. It manages key-value pairs which one can add, update, retrieve or delete:

The vulnerability lies in the function at 0x1040, used to get the key values from standard input:

[BKP CTF 2014] Zen garden - pwn 300

The zengarden is an x86 executable, from some mixed C/C++ code. Its libc was provided. As with any basic zen garden, one can add trees and ponds:

"Add" allocates C++ objects, and "perform" calls the first method of each object. Once an object is deleted its slot cannot be refilled, and its actions cannot be performed. As shown above, the pond's action discloses the address of its object, providing us with a free leak.

[BKP CTF 2014] Risc_emu - pwn 100 FR

As its name suggests, risc_emu is a small RISC CPU emulator, written in C++ and compiled for x64. It takes base64-encoded bytecode as input, which is then executed. The executable is modest in size, so I won't go into the details.

main() starts by initializing the opcode table, main::fun: 10 opcodes from 0 to 9 (add, addi, sub, subi, mmul, mdiv, mxor, mand, mor, term), in that order. The bytecode is read from standard input with cin >>, which means it can be of arbitrary length. It is then decoded and copied into main::buf, located 0x90 bytes before main::fun. However, right after main::fun is initialized, a cookie (which is simply the first rand() after srand(time(0))) is placed right at the end of main::buf, and checked before any bytecode is executed.

[iCTF 2013] Poipoi service

The poipoi service listens on port 3335 as a classic accept/fork server. A simple netcat connection displays a menu but the protocol seems a bit more complicated:

The service manages users and POIs (Points of Interest I guess). The child connection handler is execute_service():