voidget_str(char* buf, size_t cap) { char c; printf("content> "); // I'm so nice that you won't have to deal with null bytes for (int i = 0 ; i < cap ; ++i) { int scanned = scanf("%c",&c); if (scanned !=1 || c=='\n') { return; } buf[i] = c; } }
voidslam() { size_t idx; size_t pos; puts("is this rowhammer? is this a cosmic ray?"); puts("whatever, that's all you'll get!"); if (get_num("index",&idx,sizeof(*stdin))) { return; }
if (idx < 64) { puts("[-] invalid index"); return; }
We are allowed 1 bit flip in the stdin file struct but only after 0x40 bytes (_IO_buf_end and onwards) from the start of the stdin file struct and this is a classic write on alloc challenge with no apparent UAF/double free.
Quick lore drop: IO_2_1_stdin holds a buffer which holds in user input (as marked by _IO_buf_base and _IO_buf_end typically 0x1000 bytes) before transferring everything to the acctual destination addr. However, if we were to bitflip one of the bits of _IO_buf_end such that _IO_buf_end-_IO_buf_base>>>>0x1000, we can read in past the allocated buffer chunk into other chunks
This allows us to overwrite other chunks metadata which is what I did for this challenge
I first set up a chunk 0 (victim chunk) and chunk 1 (chunk holding our fake chunk and also the chunk that will be involved in a largebin attack I will explain later). After allocating a guard chunk and allocating the smaller chunk than chunk 1 to be the 2nd chunk involved in the largebin attack, I allocated another guard chunk and a 3rd chunk of 0x430 (to be fair, I’m not sure of the purpose of this but it was around 1-2am when I was writing this exploit lol). After doing a bitflip on _IO_buf_end of IO_2_1_stdin, I overwrote the chunk metadata of chunk 0 to artificially increase it’s size to end where the fake chunk would be in chunk 1
I then freed chunk 1 to end up in unsorted and to send it away from unsorted to largebin, I allocated a chunk larger than chunk 1’s size. Now if I freed chunk 0 which is now overlapping with chunk 1 that is FREED (coz of the size increase) and use remaindering to malloc back the chunk, I can overwrite the metadata like (fd_nextsize,bck_nextsize) in chunk 1 in largebin.
Looking at this, I can see if I were to overwrite the bk_nextsize of chunk 1 and then send a chunk which has a size smaller than that of chunk 1 (chunk 2) but belonging in the same bin, it will trigger an arbitrary write where [target-0x20]=chunk 1 address. So, once we free chunk 2 then malloc something greater than chunk 2 to send it to largebin, our arb write will be trigerred. But what do we even arb write? We dont have a libc leak.
To expand our attack vector, we need to exploit malloc_par which I won’t go into detail since the article below would do it better than me anyway (https://4xura.com/binex/pwn-mp_-exploiting-malloc_par-to-gain-tcache-bin-control/) but basically, if we overwrite mp_.tcache_bins to be greater than 64, it will allow for OOB access of the tcache_perthread_strcut->entries and given entires contain the UNMANGLED pointers of the chunk addresses, if we were to send a chunk to unsorted beforehand, malloc it back but partial overwrite the unsorted bin pointer to point to IO_2_1_stdout and try calling malloc(>0x410) where through csize2idx(), tcache will reference the pointer in entries[OOB index]=_IO_2_1_stdout, this will let us get arbritrary allocation of stdout. However for this to work, tcache_perthread_struct->counts[OOB index] should also be set > 1. But this is trivial since when we do an extended read into the IO_2_1_stdin buffer as mentioned earlier we can overwrite the 0x1000 chunk with multiple p16(0x3) to fake counts.
If this doesnt sound like it makes sense, check out the article coz once again, it explains the concept way better than me.
Remember the fact I can overwrite bk_nextsize of chunk 1? Why not just partial overwrite bk_nextsize of chunk 1 to mp.tcache_bins-0x20 so when the largebin attack is trigerred, mp.tcache_bins-0x20+0x20=chunk 1 addr. Now, we simply have to allocate a chunk of a huge size such that tcache will return the partially overwritten unsorted bin pointer that now points to _IO_2_1_stdout as our chunk.
To get libc leak, we can set the flags of stdout to 0xfbad1887 and overwrite everything up till the LSB of _IO_write_base which we will deliberately set to 0x0 to make it smaller than _IO_write_base so when puts() is called, it will call a long chain of functions that will eventually lead to
A more detailed explanation of the long call of functions can be found here (https://faraz.faith/2020-10-13-FSOP-lazynote/) but I think looking through elixir bootlin code for _IO_new_file_xsputn should more or less grant you the answer.
Once we get our libc leak, we can now perform FSOP over stdout and get shell. Now it is to be noted I did this challenge under 2.41 (too lazy to do it for 2.39) so my fsop payload might be slightly different. Full payload below
malloc(0,0x2d10,p64(0xfbad1887)+p64(0x0)*3+b"\x00") buffer=p.recvuntil(b"alloc")[1:-5] print(buffer) libc_leak=u64(buffer[:0x8].ljust(8,b"\x00")) print(hex(libc_leak)) libc_base=libc_leak-0x1e8644 libc.address=libc_base gadget=libc.address+0x0000000000150a0c stdout=libc.sym['_IO_2_1_stdout_'] fake_vtable=libc.sym['_IO_wfile_jumps']-0x18 stdout_lock=libc.address+0x1e97b0 fake = FileStructure(0) fake.flags = 0xfbad2888 fake._IO_read_end=libc.sym['system'] # the function that we will call: system() fake._IO_save_base = gadget fake._IO_write_end=u64(b'/bin/sh\x00') # will be at rdi+0x10 fake._lock=stdout_lock fake._codecvt= stdout + 0xb8 fake._wide_data = stdout+0x200# _wide_data just need to points to empty zone fake.unknown2=p64(0)*2+p64(stdout+0x20)+p64(0)*3+p64(fake_vtable) payload=bytes(fake) input("") malloc(1,0x2450,payload)
p.interactive()
I hope I explained everything correctly but if I made some inaccuracy, dm me in discord @baaaa_fs7 so I can correct it lol.
fs