Write-up of the challenge “Function overwrite”#

This challenge is part of the “Binary exploitation” category and is in the hard category.

Goal of the challenge#

The objective of the challenge is just to input 2 number that will do “fun[num_1] += num_2” so in other words just add at the index num_1 the value of the num_2.

Program structure#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <string.h>
4
#include <unistd.h>
5
#include <sys/types.h>
6
#include <wchar.h>
7
#include <locale.h>
8

9
#define BUFSIZE 64
10
#define FLAGSIZE 64
11

12
int calculate_story_score(char *story, size_t len)
13
{
14
  int score = 0;
15
  for (size_t i = 0; i < len; i++)
16
  {
17
    score += story[i];
18
  }
19

20
  return score;
21
}
22

23
void easy_checker(char *story, size_t len)
24
{
25
  if (calculate_story_score(story, len) == 1337)
26
  {
27
    char buf[FLAGSIZE] = {0};
28
    FILE *f = fopen("flag.txt", "r");
29
    if (f == NULL)
30
    {
31
      printf("%s %s", "Please create 'flag.txt' in this directory with your",
32
                      "own debugging flag.\n");
33
      exit(0);
34
    }
35

36
    fgets(buf, FLAGSIZE, f); // size bound read
37
    printf("You're 1337. Here's the flag.\n");
38
    printf("%s\n", buf);
39
  }
40
  else
41
  {
42
    printf("You've failed this class.");
43
  }
44
}
45

46
void hard_checker(char *story, size_t len)
47
{
48
  if (calculate_story_score(story, len) == 13371337)
49
  {
50
    char buf[FLAGSIZE] = {0};
51
    FILE *f = fopen("flag.txt", "r");
52
    if (f == NULL)
53
    {
54
      printf("%s %s", "Please create 'flag.txt' in this directory with your",
55
                      "own debugging flag.\n");
56
      exit(0);
57
    }
58

59
    fgets(buf, FLAGSIZE, f); // size bound read
60
    printf("You're 13371337. Here's the flag.\n");
61
    printf("%s\n", buf);
62
  }
63
  else
64
  {
65
    printf("You've failed this class.");
66
  }
67
}
68

69
void (*check)(char*, size_t) = hard_checker;
70
int fun[10] = {0};
71

72
void vuln()
73
{
74
  char story[128];
75
  int num1, num2;
76

77
  printf("Tell me a story and then I'll tell you if you're a 1337 >> ");
78
  scanf("%127s", story);
79
  printf("On a totally unrelated note, give me two numbers. Keep the first one less than 10.\n");
80
  scanf("%d %d", &num1, &num2);
81

82
  if (num1 < 10)
83
  {
84
    fun[num1] += num2;
85
  }
86

87
  check(story, strlen(story));
88
}
89

90
int main(int argc, char **argv)
91
{
92

93
  setvbuf(stdout, NULL, _IONBF, 0);
94

95
  // Set the gid to the effective gid
96
  // this prevents /bin/sh from dropping the privileges
97
  gid_t gid = getegid();
98
  setresgid(gid, gid, gid);
99
  vuln();
100
  return 0;
101
}

Problem#

The problem I encountered is spotting the vulnerability and after a lot of research I just found out it was “outofbounds” vulnerability.

Security breach#

The vulnerability was

1
if (num1 < 10){
2
    fun[num1] += num2;
3
}

This is bad because it does not check if the number is negative and in C we can use that to go back and access other data in memory.

Solution#

So my idea was to jump to the check pointer “void (check)(char, size_t) = hard_checker;” and then make the value to it be the value after the check in hard_checker. After some time in gdb I found out that we need an offset of +47 to jump after the check in hard_checker. I also found out the difference in addresses from the check pointer and the fun array were 40. Because fun is an array and the program is 32 bits we need to divide 40/4 and then we get 16. Since the check pointer is before the fun array we convert the 16 to -16.

1
# Dump of assembler code for function fun:
2
#    0x0804c080 <+0>:     add    BYTE PTR [eax],al
3
#    0x0804c082 <+2>:     add    BYTE PTR [eax],al
4
#    0x0804c084 <+4>:     add    BYTE PTR [eax],al
5
#    0x0804c086 <+6>:     add    BYTE PTR [eax],al
6
#    0x0804c088 <+8>:     add    BYTE PTR [eax],al
7
#    0x0804c08a <+10>:    add    BYTE PTR [eax],al
8
#    0x0804c08c <+12>:    add    BYTE PTR [eax],al
9
#    0x0804c08e <+14>:    add    BYTE PTR [eax],al
10
#    0x0804c090 <+16>:    add    BYTE PTR [eax],al
11
#    0x0804c092 <+18>:    add    BYTE PTR [eax],al
12
#    0x0804c094 <+20>:    add    BYTE PTR [eax],al
13
#    0x0804c096 <+22>:    add    BYTE PTR [eax],al
14
#    0x0804c098 <+24>:    add    BYTE PTR [eax],al
15
#    0x0804c09a <+26>:    add    BYTE PTR [eax],al
16
#    0x0804c09c <+28>:    add    BYTE PTR [eax],al
17
#    0x0804c09e <+30>:    add    BYTE PTR [eax],al
18
#    0x0804c0a0 <+32>:    add    BYTE PTR [eax],al
19
#    0x0804c0a2 <+34>:    add    BYTE PTR [eax],al
20
#    0x0804c0a4 <+36>:    add    BYTE PTR [eax],al
21
#    0x0804c0a6 <+38>:    add    BYTE PTR [eax],al
22
# End of assembler dump.
23
# gef➤  disas &check
24
# Dump of assembler code for function check:
25
#    0x0804c040 <+0>:     ss xchg esp,eax
26
#    0x0804c042 <+2>:     add    al,0x8
27
# End of assembler dump.
28
# gef➤
29

30
# Find offset  (0x0804c080 - 0x0804c040) / 4 = -16 to check
31

32
# array[check] += offset_after_check
33

34

35
# gef➤  disas hard_checker
36
# Dump of assembler code for function hard_checker:
37
#    0x08049436 <+0>:     endbr32
38
#    0x0804943a <+4>:     push   ebp
39
#    0x0804943b <+5>:     mov    ebp,esp
40
#    0x0804943d <+7>:     push   ebx
41
#    0x0804943e <+8>:     sub    esp,0x54
42
#    0x08049441 <+11>:    call   0x80491f0 <__x86.get_pc_thunk.bx>
43
#    0x08049446 <+16>:    add    ebx,0x2bba
44
#    0x0804944c <+22>:    push   DWORD PTR [ebp+0xc]
45
#    0x0804944f <+25>:    push   DWORD PTR [ebp+0x8]
46
#    0x08049452 <+28>:    call   0x80492b6 <calculate_story_score>
47
#    0x08049457 <+33>:    add    esp,0x8
48
#    0x0804945a <+36>:    cmp    eax,0xcc07c9
49
#    0x0804945f <+41>:    jne    0x8049558 <hard_checker+290>
50
#    0x08049465 <+47>:    mov    DWORD PTR [ebp-0x4c],0x0 #THIS IS AFTER CHECK
51

52

53
# So -16 then +47

After excuting the script we get the flag back!