One Article Review

Home - The article:
Source SkullSecurity
Identifier 8300177
Publication date 2022-06-17 20:19:23 (viewed: 2023-01-11 16:56:04)
Title BSidesSF 2022 Writeups: Miscellaneous Challenges (loca, reallyprettymundane)
Texte Hey folks, these are my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most challenges have either a Dockerfile or instructions on how to run them locally. Enjoy!

Here are the four BSidesSF CTF blogs: shurdles1/2/3, loadit1/2/3, polyglot, and not-for-taking; mod_ctfauth, refreshing; turtle, guessme; loca, reallyprettymundane.

Loca - A weird Windows reversing challenge

Several years ago, I wrote a challenge called launchcode, where I backdoored calc.exe so it would detect a certain pattern of button presses and display a special message if it detected them (that in turn was based on a bug in Steam). But often, when I replaced certain bytes in the executable, it would mysteriously corrupt the code and crash! I eventually figured out that this was due to "relocations", and I thought I'd make a challenge based on that. This is where loca came from!

A Windows binary (i.e., a PE file) has a section called .reloc, for relocation. That section is essentially a big list (encoded in a weird, page-based, DOS-feeling way) of every hardcoded memory address in the PE image. When the Windows loader loads the PE image at an address other than the one it was linked for (which, with ASLR, is always), it walks that list and updates each address in the loaded binary: it adds the difference between the preferred load address and the actual load address to the original value. That way, no matter where the image is loaded into memory, the hardcoded addresses point to the right spot. That's obviously a ridiculous way to handle relocations, but I'm sure there are pros and cons.

For this challenge, I calculate a simple request/response checksum. The problem is that the initial value of the checksum (the seed) is marked as a relocation, which means it changes based on where the binary is loaded.
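To make the relocation mechanism concrete, here is an added example (not the challenge's code and not from the original post) that encodes and parses the IMAGE_BASE_RELOCATION block format of a .reloc section, applies the loader's delta to a constructed flat 32-bit image, and shows how a "seed" that is itself a relocated pointer changes with the load base. The image layout, the RVAs, the toy checksum in `challenge_response` and the 0x6A000000 load base are all assumptions constructed for the example; the entry encoding (page RVA, block size, 16-bit entries with a 4-bit type and 12-bit page offset) follows the PE/COFF format the text describes.

```python
import struct

# Relocation entry types from the PE/COFF spec.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (32-bit images)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (64-bit images)

# Constructed layout for the example (assumptions, not the challenge's real values).
PREFERRED_BASE = 0x00400000    # ImageBase the image was "linked" for
SEED_RVA = 0x200               # checksum seed: an absolute pointer, so it is relocated
OTHER_PTR_RVA = 0x300          # a second absolute pointer
CONST_RVA = 0x400              # a plain constant, NOT listed in .reloc


def build_reloc_section(rvas):
    """Encode RVAs as one IMAGE_BASE_RELOCATION block per 4 KiB page."""
    out, pages = bytearray(), {}
    for rva in rvas:
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    for page_rva in sorted(pages):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in sorted(pages[page_rva])]
        if len(entries) % 2:                       # blocks are 4-byte aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page_rva, 8 + 2 * len(entries))
        out += b"".join(struct.pack("<H", e) for e in entries)
    return bytes(out)


def parse_reloc_section(data):
    """Return [(rva, type)] for every real entry in a .reloc blob."""
    entries, off = [], 0
    while off + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size == 0:
            break
        if block_size < 8 or off + block_size > len(data):
            raise ValueError("malformed relocation block")
        for i in range((block_size - 8) // 2):
            (entry,) = struct.unpack_from("<H", data, off + 8 + 2 * i)
            rtype, page_off = entry >> 12, entry & 0xFFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                entries.append((page_rva + page_off, rtype))
        off += block_size
    return entries


def apply_relocations(image, reloc, preferred_base, actual_base):
    """What the loader does: add (actual - preferred) to every listed address."""
    delta = actual_base - preferred_base
    image = bytearray(image)                       # RVA == offset in this flat image
    for rva, rtype in parse_reloc_section(reloc):
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            (v,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (v + delta) & 0xFFFFFFFF)
        elif rtype == IMAGE_REL_BASED_DIR64:
            (v,) = struct.unpack_from("<Q", image, rva)
            struct.pack_into("<Q", image, rva, (v + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError("unsupported relocation type %d" % rtype)
    return image


def build_sample_image():
    """Constructed 4 KiB flat image: two absolute pointers and one constant."""
    image = bytearray(0x1000)
    struct.pack_into("<I", image, SEED_RVA, PREFERRED_BASE + SEED_RVA)
    struct.pack_into("<I", image, OTHER_PTR_RVA, PREFERRED_BASE + OTHER_PTR_RVA)
    struct.pack_into("<I", image, CONST_RVA, 0x11111111)
    return image


SAMPLE_RELOC = build_reloc_section([SEED_RVA, OTHER_PTR_RVA])


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def challenge_response(image, request):
    """Toy stand-in for the challenge's checksum: relocated seed plus the request bytes."""
    return (read_u32(image, SEED_RVA) + sum(request)) & 0xFFFFFFFF


def delta_from_leak(leaked_address, preferred_address):
    """One disclosed runtime address plus its link-time value gives the load delta."""
    return (leaked_address - preferred_address) & 0xFFFFFFFF


if __name__ == "__main__":
    image = build_sample_image()
    loaded = apply_relocations(image, SAMPLE_RELOC, PREFERRED_BASE, 0x6A000000)
    print(hex(challenge_response(image, b"ab")), hex(challenge_response(loaded, b"ab")))
```

Running the block prints the response for the same request at the preferred base and at the relocated base; the constant at CONST_RVA is untouched because it is not in the list, which is exactly why a debugger with ASLR disabled shows the link-time seed and hides the trick.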
That means that for a solution, you need to:
- Realize it's relocating the seed address
- Leak a memory address using an information-disclosure issue
- Calculate the result for the current offset

All this has the bonus that it breaks debugging: debuggers disable ASLR, which means that if you debug this executable you'll miss the trick entirely. I'm not sure if that's good or bad, because I had several people ask questions, but it certainly made it challenging!

reallyprettymundane

reallyprettymundane is an RPM-spec-injection attack. It's based on something I found while investigating CVE-2022-1388. Basically, if you can add newlines to an RPM's .spec file, you can run arbitrary code by adding a new section to the .spec. Some sections contain executable code, and that's what we care about! For our solution, we target the %check section, which consists of shell c
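The defensive side of the spec-injection described above, as an added example that is not part of the original post or the challenge: a small spec template is filled from untrusted fields, the unsafe straight interpolation is kept beside a validating renderer that rejects newlines and characters outside a conservative set, and a detector flags any section directive the template did not put there. The template, the field character sets, the package name and the constructed `BAD_FIELDS` value (whose version smuggles a `%check` section with a harmless `echo`) are all assumptions made for the example.

```python
import re

# Constructed template: single-line header fields come from untrusted input.
SPEC_TEMPLATE = """Name: {name}
Version: {version}
Release: 1
Summary: {summary}
License: MIT

%description
{summary}

%build
true

%install
mkdir -p %{{buildroot}}/usr/share/{name}

%files
/usr/share/{name}
"""

# Sections this template is expected to contain; anything else was injected.
EXPECTED_SECTIONS = {"description", "build", "install", "files"}
SECTION_DIRECTIVE = re.compile(
    r"^%(prep|build|install|check|clean|pre|post|preun|postun|files|changelog|description)\b",
    re.MULTILINE,
)
# Conservative character sets (assumption: stricter than rpm itself allows).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")
VERSION_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+~^]*")


class SpecInjectionError(ValueError):
    pass


def validate_field(value, pattern):
    """Reject anything that could break out of a single header line."""
    if "\n" in value or "\r" in value:
        raise SpecInjectionError("newline in spec field")
    if not pattern.fullmatch(value):
        raise SpecInjectionError("character outside the allowed set")
    return value


def validate_summary(value):
    """Free text: forbid line breaks and neutralise '%' so no macro or section can start."""
    if "\n" in value or "\r" in value:
        raise SpecInjectionError("newline in spec field")
    return value.replace("%", "%%")      # '%%' is rpm's literal percent sign


def render_spec_unsafe(fields):
    """Straight interpolation: this is the bug, kept to show what the detector sees."""
    return SPEC_TEMPLATE.format(**fields)


def render_spec(fields):
    """Hardened renderer: every untrusted field is validated before interpolation."""
    clean = {
        "name": validate_field(fields["name"], NAME_RE),
        "version": validate_field(fields["version"], VERSION_RE),
        "summary": validate_summary(fields["summary"]),
    }
    return SPEC_TEMPLATE.format(**clean)


def spec_is_safe(fields):
    try:
        render_spec(fields)
        return True
    except SpecInjectionError:
        return False


def find_unexpected_sections(spec_text):
    """Detection: list section directives that the template did not define."""
    return sorted(set(SECTION_DIRECTIVE.findall(spec_text)) - EXPECTED_SECTIONS)


# Constructed inputs: a benign package and one whose version smuggles a %check section.
GOOD_FIELDS = {"name": "examplepkg", "version": "1.0", "summary": "An example package"}
BAD_FIELDS = {"name": "examplepkg", "version": "1.0\n%check\necho injected",
              "summary": "An example package"}

if __name__ == "__main__":
    print("unsafe render, injected sections:", find_unexpected_sections(render_spec_unsafe(BAD_FIELDS)))
    print("hardened render accepts bad input:", spec_is_safe(BAD_FIELDS))
```

The detector is useful as a second line of defence on the rendered file (for example in a build pipeline before rpmbuild runs), but the validation in `render_spec` is the real fix: a header field that can never contain a line break can never open a new section.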