Sunday, March 2, 2014

Boston Key Party CTF 2014 - risc_emu - Pwning 100 Write-up

In this challenge we were given an emulator which, judging by the name, was supposed to emulate a RISC architecture, but the code told a different story :)

First I tried many RISC instructions and kept getting an ERROR! message, so I decided to dive into the assembly, where I saw there are just 10 instructions:

They were called through a buffer that is initialized at the start of main:
When we give our instruction (base64'd, of course), it calls the appropriate function by indexing this buffer with the opcode:

So if we could find a way to change the entries in the main::fun buffer, we could jump to any function we want (I chose system), and the best part is that the function's first parameter is the rest of our instructions. Let's get the address of the system function:
The first entry of main::fun is 0x401E80 and our system function is at 0x4010D0, so all we need to do is subtract 0x0DB0 from that pointer. The first sub instruction (the one with 3 parameters) validated its operands, which kept us from reaching anything outside the register memory, but the subi instruction's memory access was not limited, and that is where we will exploit the code:
var_C is our first parameter and we are writing to r[rdi*4] with no check. Let's look at the memory position of r:
It is right above the main::fun buffer, so we can overflow it using subi, the operation with opcode 0x03, whose first parameter is the number of the register we will write to. The distance between the buffer and the registers is 0xC0 bytes and each register is 4 bytes, so if we write to register 0x30 we write to the first function pointer in the main::fun buffer. We also want to subtract 0x0DB0 from it, so our instruction should look like this:
After that, when we try to execute opcode 0x00 (add), we will call the system function with the rest of the string as its parameter (don't forget we are sending it base64'd).

(perl -e 'print "\x03\x30\x0d\xb0\x00cat key"') | base64 | nc 4545
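To make the bug class concrete, here is a constructed C model (my own added example, not the challenge binary or its source) of the two subi implementations: the unchecked register write the write-up describes, and the bounds-checked version that would have closed the hole. The register file, the 0xC0-byte gap and the handler table are laid out in one flat word array so that an 8-bit register index always stays inside the model, and the table holds plain integer placeholders (only entry 0 reuses the page's 0x401E80), so nothing is ever called through it. The 4-byte encoding (opcode 0x03, register number, 16-bit big-endian immediate) is an assumption read off the bytes in the payload above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the emulator's memory (added example, not the challenge
 * code). Registers occupy the first NREGS words; the instruction-handler table
 * starts 0xC0 bytes (0x30 words) after r[0], matching the layout in the write-up.
 * Table entries are plain integers, never real function pointers, so nothing is
 * ever called through them. */
#define NREGS             16
#define TABLE_WORD_OFFSET 0x30   /* 0xC0 bytes / 4 bytes per register */
#define NHANDLERS         10
#define MEM_WORDS         256    /* sized so any 8-bit index stays inside the model */

struct emu {
    uint32_t mem[MEM_WORDS];
};

static uint32_t *regs(struct emu *e)  { return &e->mem[0]; }
static uint32_t *table(struct emu *e) { return &e->mem[TABLE_WORD_OFFSET]; }

static void emu_init(struct emu *e)
{
    memset(e, 0, sizeof *e);
    for (int i = 0; i < NHANDLERS; i++) {
        /* placeholder addresses; only entry 0 reuses the page's 0x401E80 */
        table(e)[i] = 0x401E80u + 0x10u * (uint32_t)i;
    }
}

/* Vulnerable form: the register index comes straight from the instruction
 * bytes and is used as-is, so rd >= NREGS writes past the register file. */
static bool subi_unchecked(struct emu *e, uint8_t rd, uint16_t imm)
{
    regs(e)[rd] -= imm;
    return true;
}

/* Hardened form: refuse any index outside the register file. The only change
 * is the check; in-range operands behave exactly as before. */
static bool subi_checked(struct emu *e, uint8_t rd, uint16_t imm)
{
    if (rd >= NREGS)
        return false;
    regs(e)[rd] -= imm;
    return true;
}

/* Decode the 4-byte subi form seen in the write-up (assumed layout: opcode
 * 0x03, register number, 16-bit big-endian immediate) and run it with either
 * implementation. Returns false for a non-subi opcode or a rejected operand. */
static bool run_subi(struct emu *e, const uint8_t insn[4], bool checked)
{
    if (insn[0] != 0x03)
        return false;
    uint16_t imm = (uint16_t)(((unsigned)insn[2] << 8) | insn[3]);
    return checked ? subi_checked(e, insn[1], imm)
                   : subi_unchecked(e, insn[1], imm);
}

/* Run the exact instruction bytes from the write-up against a fresh model and
 * report what the first handler-table entry holds afterwards. */
static uint32_t first_handler_after_page_insn(bool checked)
{
    static const uint8_t insn[4] = { 0x03, 0x30, 0x0d, 0xb0 };
    struct emu e;
    emu_init(&e);
    run_subi(&e, insn, checked);
    return table(&e)[0];
}

/* Checked subi on a caller-chosen register: returns the register's new value,
 * or UINT32_MAX if the bounds check rejected the operand. */
static uint32_t checked_sub_result(uint8_t rd, uint32_t start, uint16_t imm)
{
    struct emu e;
    emu_init(&e);
    if (rd < NREGS)
        regs(&e)[rd] = start;
    uint8_t insn[4] = { 0x03, rd, (uint8_t)(imm >> 8), (uint8_t)imm };
    if (!run_subi(&e, insn, true))
        return UINT32_MAX;
    return regs(&e)[rd];
}

int main(void)
{
    printf("unchecked: table[0] = 0x%08x\n", first_handler_after_page_insn(false));
    printf("checked:   table[0] = 0x%08x\n", first_handler_after_page_insn(true));
    printf("checked r2 = 10 - 5 -> %u\n", checked_sub_result(2, 10, 5));
    return 0;
}
```

With the unchecked handler the page's single instruction turns table entry 0 from 0x401E80 into 0x4010D0; with the check in place the same bytes are refused and the table is untouched, while ordinary register arithmetic still works. The fix is one comparison at the point where an attacker-controlled index meets an array, which is the check a reviewer should look for in every handler that indexes the register file.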

And ta-daa :))

1 comment:

  1. aKrEZ5/clZ7QEDxcSjLtQoD6taKlg//TFowFkUpYGHHr/NdhYtPL+MJBtNyXnBxT