Task | Night Sky |
---|---|
Competition | CONFidence CTF 2015 |
Location | Krakow, Poland |
Category | Software exploitation |
Platform | Linux x64 |
Scoring | 500 pts (hard) |
Number of solves | 2 out of 11 teams |
The night is dark and full of terrors... or errors? Probably both. Use the force to manage stars and constellations on the sky, Harry, and let the odds be ever in your favor.
See the slides, or a short summary below.
- Insert a `LIBC_FATAL_STDERR_=1` string into static memory via a new constellation's name. (glibc's fatal-error reporting of that era wrote its message to `/dev/tty` unless `LIBC_FATAL_STDERR_` was present in the environment, in which case it went to stderr, which is what the exploit can read.)
- Leak the address of a static buffer with controlled data: the `edit_star` operation doesn't properly NUL-terminate the name buffer, so a subsequent `list_stars` reads past the name and returns the adjacent bytes along with it.
- Trigger a non-exploitable stack-based buffer overflow in the `register_program` function via `n=0`, with `argv[0]` set to the address of a secret (serial number) in static memory and `envp[]` set to `{"LIBC_FATAL_STDERR_=1", NULL}`. The overflow trips SSP, whose "stack smashing detected" message includes `argv[0]` as the program name and, thanks to the environment variable, lands on stderr, so the message itself leaks the secret serial number.
- Reconnect to the server and register the program using the leaked secret. This makes it possible to trigger another stack-based buffer overflow, in the `save_to_file` operation. The overrun buffer is a member of a structure, so the overflow can overwrite the function pointers that follow it inside that structure without ever reaching the stack canary; SSP does not protect against this. Two paths can be taken from here: either construct a ROP chain from gadgets found in the challenge binary, or simply use a partial overwrite of the `canonicalize_file_name` pointer. As it turns out, `system()` and `canonicalize_file_name()` reside within 64 kB of each other in libc and their addresses differ only in the two lowest bytes, so overwriting just those two bytes redirects the pointer to `system()` while the untouched upper bytes keep the randomized libc base intact, with no libc address leak required.