add SECCON2016/tinypad/src and binary built myself

Author: thinkycx

.gitignore

@@ -3,3 +3,6 @@ heap/*
 peda-session-*.txt
 .gdb_history
 *.sw[po]
+*.idb
+*.i64
+.DS_Store

SECCON2016/tinypad/src/Makefile

@@ -0,0 +1,18 @@
+CC = gcc
+CFLAGS =-c -std=gnu11 -fstack-protector-all -fPIC
+LDFLAGS = -Wl,-z,now -Wl,-z,relro #-pie
+
+sources = tinypad.c pwnio.c
+objects = $(sources:.c=.o)
+solution= tinypad
+
+.PHONY: clean
+all: $(sources) $(solution)
+
+$(solution): $(objects)
+	$(CC) $(LDFLAGS) $(objects) -o $@
+.c.o:
+	$(CC) $(CFLAGS) $< -o $@
+
+clean:
+	rm $(objects) $(solution)

SECCON2016/tinypad/src/README.md

@@ -0,0 +1,17 @@
+# tinypad
+
+__keywords__: heap exploitation, glibc, Use After Free, malloc\_consolidate, poisoned NUL byte, House of Einherjar
+
+## What's This?
+"tinypad" is a pwnable challenge for SECCON 2016 Online CTF as pwn300.  
+
+## My Intended Solution
+After analysis, we can get two vulnerabilities, Use After Free(leak only) and Non-NUL terminated string.  
+A fastbin-sized free()'d chunk and one smallbin-sized `malloc()` lead a fastbin into `unsorted_chunks` so we can leak the address of `main_arena` and calculate the base address for libc.   
+Now, we can corrupt a chunk size by writing into Non-NULL terminated string but we are not able to use House of Force due to limited request size for an allocation. House of Einherjar is suitable in this case.   
+Now, we can forge the list of pads and get an arbitrary memory read and a partial write.   
+
+It's enough to write up. See the detail in "exploit\_tinypad.py".  
+
+___Good pwn time,___  
+@hhc0null

SECCON2016/tinypad/src/pwnio.c

@@ -0,0 +1,111 @@
+#include "pwnio.h"
+
+static inline ssize_t _read_n(int fd, char *buf, size_t n)
+{
+    if(buf == NULL) return -1;
+    if(n == 0) return 0;
+
+    ssize_t rx = 0;
+
+    while(rx < n) {
+        ssize_t r = read(fd, buf + rx, n - rx);
+        if(r < 0) {
+            // interupted or under non-block?
+            if(errno == EAGAIN || errno == EINTR) continue;
+            // another reason.
+            return -1;
+        } 
+        // sending finished.
+        if(r == 0) break;
+        rx += r;
+    }
+
+    return rx;
+}
+
+static inline ssize_t _write_n(int fd, const char *buf, size_t n)
+{
+    if(buf == NULL) return -1;
+    if(n == 0) return 0;
+
+    ssize_t tx = 0;
+
+    while(tx < n) {
+        ssize_t r = write(fd, buf+tx, n - tx);
+        if(r < 0) {
+            // interupted or under non-block?
+            if(errno == EAGAIN || errno == EINTR) continue;
+            // another reason.
+            return -1;
+        }
+        // sending finished.
+        if(r == 0) break;
+        tx += r;
+    }
+
+    return tx;
+}
+
+static inline void _dummyinput(int c)
+{
+    if(!c) return;
+    char dummy = '\0';
+    while(dummy != c) 
+        read_n(&dummy, 1);
+}
+
+extern ssize_t read_n(char *buf, size_t n)
+{
+    return _read_n(STDIN_FILENO, buf, n);
+}
+
+extern ssize_t read_until(char *buf, size_t n, int c)
+{
+    size_t rx = 0;
+
+    while(rx < n) {
+        ssize_t r = _read_n(STDIN_FILENO, buf + rx, 1);
+        if(r < 0) return -1;
+        if(r == 0 || buf[rx] == c) break;
+        rx += 1;
+    }
+    buf[rx] = '\0';
+
+    if(rx == n && buf[n-1] != '\n')
+        _dummyinput(c);
+
+    return rx;
+}
+
+extern ssize_t write_n(const char *buf, size_t n)
+{
+    return _write_n(STDOUT_FILENO, buf, n);
+}
+
+extern ssize_t write_errn(const char *buf, size_t n)
+{
+    return _write_n(STDERR_FILENO, buf, n);
+}
+
+extern ssize_t writeln(const char *buf, size_t n)
+{
+    ssize_t sum = 0;
+    sum += write_n(buf, n);
+    sum += write_n("\n", 1);
+    return sum;
+}
+
+extern ssize_t writerrln(const char *buf, size_t n)
+{
+    ssize_t sum = 0;
+    sum += write_errn(buf, n);
+    sum += write_errn("\n", 1);
+    return sum;
+}
+
+extern int read_int(void)
+{
+    char buf[18] = {};
+    read_until(buf, (sizeof(buf)/sizeof(buf[0])) - 1, '\n');
+    return atoi(buf);
+}

SECCON2016/tinypad/src/pwnio.h

@@ -0,0 +1,16 @@
+#ifndef         _LOWLEVEL_H
+# define        _LOWLEVEL_H
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+extern ssize_t read_n(char *buf, size_t n);
+extern ssize_t read_until(char *buf, size_t n, int c);
+extern ssize_t write_n(const char *buf, size_t n);
+extern ssize_t write_errn(const char *buf, size_t n);
+extern ssize_t writeln(const char *buf, size_t n);
+extern ssize_t writerrln(const char *buf, size_t n);
+extern int read_int(void);
+#endif

SECCON2016/tinypad/src/tinypad.c

@@ -0,0 +1,200 @@
+#include <ctype.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include "pwnio.h"
+
+#define PADSIZE         0x4
+const char title[] = "  ============================================================================\n"
+                     "// _|_|_|_|_|  _|_|_|  _|      _|  _|      _|  _|_|_|      _|_|    _|_|_|     \\\\\n"
+                     "||     _|        _|    _|_|    _|    _|  _|    _|    _|  _|    _|  _|    _|   ||\n"
+                     "||     _|        _|    _|  _|  _|      _|      _|_|_|    _|_|_|_|  _|    _|   ||\n"
+                     "||     _|        _|    _|    _|_|      _|      _|        _|    _|  _|    _|   ||\n"
+                     "\\\\     _|      _|_|_|  _|      _|      _|      _|        _|    _|  _|_|_|     //\n"
+                     "  ============================================================================\n";
+const char separator[] = "+------------------------------------------------------------------------------+\n";
+const char menu[] = "+- MENU -----------------------------------------------------------------------+\n"
+                    "| [A] Add memo                                                                 |\n"
+                    "| [D] Delete memo                                                              |\n"
+                    "| [E] Edit memo                                                                |\n"
+                    "| [Q] Quit                                                                     |\n"
+                    "+------------------------------------------------------------------------------+\n";
+
+const char show_index[] = " #   INDEX: ";
+const char show_content[] = " # CONTENT: ";
+const char confirm_content[] = "CONTENT: ";
+
+const char prompt_cmd[] = "(CMD)>>> ";
+const char prompt_size[] = "(SIZE)>>> ";
+const char prompt_content[] = "(CONTENT)>>> ";
+const char prompt_index[] = "(INDEX)>>> ";
+const char prompt_confirm[] = "(Y/n)>>> ";
+
+const char errmsg_no_space_left[] = "No space is left.";
+const char errmsg_no_such_command[] = "No such a command";
+const char errmsg_invalid_index[] = "Invalid index";
+const char errmsg_not_used[] = "Not used";
+
+const char syserr_no_memory_is_available[] = "[!] No memory is available.";
+const char syserr_init_failed[] = "[!] Init failed.";
+const char msg_confirm[] = "Is it OK?";
+const char msg_timeout[] = "Timeout.";
+
+const size_t memo_maxlen = 0x100;
+struct {
+    char buffer[0x100]; // make a fakechunk.
+    struct {
+        size_t size;
+        char *memo;
+    } page[4];
+} tinypad;
+
+static inline void dummyinput(int c)
+{
+    if(!c) return;
+    char dummy = '\0';
+    while(dummy != c) 
+        read_n(&dummy, 1);
+}
+
+
+int getcmd()
+{
+    int cmd = '\0';
+
+    write_n(menu, strlen(menu));
+
+    write_n(prompt_cmd, strlen(prompt_cmd)); 
+    read_until((char *)&cmd, 1, '\n');
+    write_n("\n", 1);
+
+    return toupper(cmd);
+}
+
+void sighandler(int signum)
+{
+    writeln("\n", 1);
+    switch(signum) {
+        case SIGALRM:
+            writeln(msg_timeout, strlen(msg_timeout));
+            break;
+    }
+    _exit(0);
+}
+
+void init()
+{
+    if(signal(SIGALRM, sighandler) < 0) {
+        goto LABEL_INIT_FAILED;
+    }
+    alarm(30);
+
+    return;
+
+LABEL_INIT_FAILED:
+    writerrln(syserr_init_failed, strlen(syserr_init_failed));
+    _exit(-1);
+}
+
+int main()
+{
+    int cmd = '\0';
+
+    init();
+    
+    write_n("\n", 1);
+    write_n(title, strlen(title));
+    write_n("\n", 1);
+    do{
+        for(int i = 0; i < PADSIZE; i++) {
+            char count = '1'+i;
+            writeln(separator, strlen(separator));
+
+            write_n(show_index, strlen(show_index)); writeln(&count, 1);
+            write_n(show_content, strlen(show_content));
+            if(tinypad.page[i].memo) {
+                writeln(tinypad.page[i].memo, strlen(tinypad.page[i].memo));
+            }
+            writeln("\n", 1);
+        }
+        int idx = 0;
+        switch(cmd = getcmd()) {
+            case 'A': {
+                    while(idx < PADSIZE && tinypad.page[idx].size != 0) idx++;
+                    if(idx == PADSIZE) {
+                        writeln(errmsg_no_space_left, strlen(errmsg_no_space_left));
+                        break;
+                    }
+                    int size = -1;
+                    write_n(prompt_size, strlen(prompt_size)); 
+                    size = read_int();
+                    size =  (size <    0x1)? 0x1:
+                            (size <  memo_maxlen)? size: memo_maxlen;
+                    tinypad.page[idx].size = size;
+
+                    if((tinypad.page[idx].memo = malloc(size)) == NULL) {
+                        writerrln("[!] No memory is available.", strlen("[!] No memory is available."));
+                        _exit(-1);
+                    }
+
+                    write_n(prompt_content, strlen(prompt_content));
+                    read_until(tinypad.page[idx].memo, size, '\n');
+                    writeln("\nAdded.", strlen("\nAdded."));
+                } break;
+            case 'D': {
+                    write_n(prompt_index, strlen(prompt_index));
+                    idx = read_int();
+                    if(!(0 < idx && idx <= PADSIZE)) {
+                        writeln(errmsg_invalid_index, strlen(errmsg_invalid_index));
+                        break;
+                    }
+                    if(tinypad.page[idx-1].size == 0) {
+                        writeln(errmsg_not_used, strlen(errmsg_not_used));
+                        break;
+                    }
+
+                    // XXX: UAF
+                    free(tinypad.page[idx-1].memo);
+                    tinypad.page[idx-1].size = 0;
+
+                    writeln("\nDeleted.", strlen("\nDeleted."));
+                } break;
+            case 'E': {
+                    write_n(prompt_index, strlen(prompt_index));
+                    idx = read_int();
+                    if(!(0 < idx && idx <= PADSIZE)) {
+                        writeln(errmsg_invalid_index, strlen(errmsg_invalid_index));
+                        break;
+                    }
+                    if(tinypad.page[idx-1].size == 0) {
+                        writeln(errmsg_not_used, strlen(errmsg_not_used));
+                        break;
+                    }
+
+                    int confirmation = '0';
+                    strcpy(tinypad.buffer, tinypad.page[idx-1].memo);
+                    while(toupper(confirmation) != 'Y') {
+                        write_n(confirm_content, strlen(confirm_content));
+                        writeln(tinypad.buffer, strlen(tinypad.buffer));
+                        write_n(prompt_content, strlen(prompt_content));
+                        // XXX: Not NUL Terminated.
+                        read_until(tinypad.buffer, strlen(tinypad.page[idx-1].memo), '\n');
+                        writeln(msg_confirm, strlen(msg_confirm));
+                        write_n(prompt_confirm, strlen(prompt_confirm));
+                        read_until((char *)&confirmation, 1, '\n');
+                    }
+                    strcpy(tinypad.page[idx-1].memo, tinypad.buffer);
+
+                    writeln("\nEdited.", strlen("\nEdited."));
+                } break;
+            default:
+                writeln(errmsg_no_such_command, strlen(errmsg_no_such_command));
+            case 'Q':
+                break;
+        }
+    } while(cmd != 'Q');
+
+    return 0;
+}