34C3_CTF

Author: bl4de

2017/34C3_CTF/Digital_Bilboard/Makefile

@@ -0,0 +1,10 @@
+CC=gcc
+CFLAGS=-Wall -O1
+
+all: server
+
+server: server.c billboard.so
+	$(CC) -no-pie -DPORT=12345 -DLIB=\"billboard.so\" -o server server.c $(CFLAGS) -ldl
+
+billboard.so: billboard.c
+	$(CC) -o billboard.so -shared -fPIC billboard.c $(CFLAGS)

2017/34C3_CTF/Digital_Bilboard/billboard-56c33efc813379c674ea0d0a64258b5fa835f8d4.tar.gz

@@ -0,0 +1,57 @@
+#ifndef _MYLIB_H_
+#define _MYLIB_H_
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "module.h"
+
+const char* name = "Digital Billboard";
+const char* info =  "We bought a new digital billboard for CTF advertisement.\n"
+                    "\n"
+                    "Type \"help\" for help :)";
+
+
+struct billboard {
+    char text[256];
+    char devmode;
+};
+struct billboard bb = { .text="Placeholder", .devmode=0 };
+
+void set_text(int argc, char* argv[]) {
+    strcpy(bb.text, argv[1]);
+    printf("Successfully set text to: %s\n", bb.text);
+    return;
+}
+
+void shell(int argc, char* argv[]) {
+    if (bb.devmode) {
+        printf("Developer access to billboard granted.\n");
+        system("/bin/bash");
+    } else {
+        printf("Developer mode disabled!\n");
+    }
+    return;
+}
+
+void help(int argc, char* argv[]) {
+    printf("This is helpful.\n");
+    return;
+}
+
+
+void initialize_module(module_t* module, registration_function register_command) {
+    
+    module->name = name;
+    module->info = info;
+
+    register_command("set_text", "<text>\t\t", "Set the text displayed on the board", set_text);
+    register_command("devmode", "\t\t", "Developer mode", shell);
+
+   
+    strcpy(bb.text, "Welcome to 34C3 JUNIOR CTF");
+}
+
+#endif

2017/34C3_CTF/Digital_Bilboard/billboard.c

@@ -0,0 +1 @@
+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1

2017/34C3_CTF/Digital_Bilboard/billboard.so

@@ -0,0 +1,29 @@
+#ifndef MODULE_H
+#define MODULE_H
+
+#define MIN(a,b) (((a)<(b))?(a):(b))
+
+#include <link.h>
+
+typedef void (*handle_command_function)(int, char**);
+typedef void (*registration_function)(const char*, const char*, const char*, handle_command_function);
+
+
+
+typedef struct command {
+    const char* name;
+    const char* usage;
+    const char* description;
+    handle_command_function function;
+    struct command* next;
+} command_t;
+
+typedef struct module {
+    const char* name;
+    const char* info;
+    Elf64_Addr base;
+    command_t* commands;
+} module_t;
+
+
+#endif

2017/34C3_CTF/Digital_Bilboard/exploit

@@ -0,0 +1,236 @@
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <dlfcn.h>
+#include <string.h>
+#include <pwd.h>
+#include <grp.h>
+#include <link.h>
+#include <dlfcn.h>
+
+#include "module.h"
+
+
+#define BACKLOG 32
+
+#define logf(...) fprintf(stderr, __VA_ARGS__)
+
+
+
+module_t module;
+struct sockaddr_in client;
+
+void (*initialize_module)(module_t* m, registration_function r);
+
+void module_info(int argc, char* argv[]) {
+    printf("************************************\n");
+    printf("Information about the loaded module:\n");
+    printf("Name: %s\nBase address: %p\n", module.name, (void*) module.base);
+    printf("************************************\n");
+}
+
+void register_command(const char* name, const char* usage, const char* desc, handle_command_function function) {
+    command_t* command = malloc(sizeof(command_t));
+    command->name = name;
+    command->usage = usage;
+    command->description = desc;
+    command->function = function;
+    command->next = NULL;
+
+    if (module.commands == NULL) {
+        module.commands = command;
+        return;
+    }
+
+    // append to end of list
+    command_t* cur = module.commands;
+    while(cur->next != NULL) {
+        cur = cur->next;
+    }
+    cur->next = command;
+}
+
+void help(int argc, char* argv[]) {
+    command_t* command = module.commands;
+    while (command != NULL) {
+        printf("%s %s\t(%s)\n", command->name, command->usage, command->description);        
+        command = command->next;
+    }
+}
+
+void load_module() {
+    char* error;
+    void* handle = dlopen(LIB, RTLD_LAZY);
+    if (!handle) {
+        logf("Error on dlopen %s: %s\n", LIB, dlerror());
+        exit(EXIT_FAILURE);
+    }
+    dlerror();
+    struct link_map* lm = (struct link_map*) handle;
+    module.base = lm->l_addr;
+
+    initialize_module = dlsym(handle, "initialize_module");
+    printf("%p\n", initialize_module);
+    if ((error = dlerror()) != NULL)  {
+        logf("%s\n", error);
+        exit(1);
+    }
+    initialize_module(&module, register_command);
+
+    register_command("help", "\t\t\t", "Show this information", help);
+    register_command("modinfo", "\t\t", "Show information about the loaded module", module_info);
+    logf("Module successfully loaded.\n");
+}
+
+
+
+int init_socket() {
+    // create socket
+    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
+    if (sockfd < 0) {
+        perror("Unable to create socket.");
+        exit(EXIT_FAILURE);
+    }
+    // reusable sockfd
+    int val = 1;
+    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof val) < 0) {
+        perror("Unable to set socket option REUSEADDR.");
+        exit(EXIT_FAILURE);
+    }
+    // bind socket
+    struct sockaddr_in addr;
+    addr.sin_family = AF_INET;
+    addr.sin_addr.s_addr = INADDR_ANY;
+    addr.sin_port = htons(PORT);
+    if (bind(sockfd, (struct sockaddr*) &addr, sizeof(addr)) < 0) {
+        perror("Unable to bind socket.");
+        exit(EXIT_FAILURE);
+    }
+    // set backlog
+    if (listen(sockfd, BACKLOG) < 0) {
+        perror("Unable to set backlog.");
+        exit(EXIT_FAILURE);
+    }
+    return sockfd;
+}
+
+
+
+void handle_input(char* buf) {
+    int argc = 0;
+    char* argv[256];
+    char* token = strtok(buf, " \n");
+    if (!token) {
+        return;
+    }
+    while (argc < sizeof(argv) && token) {
+        argv[argc] = token;
+        argc++;
+        token = strtok(NULL, " \n");
+    }
+
+    command_t* cur = module.commands;
+    while (cur != NULL) {
+        if (!strcmp(cur->name, argv[0])) {
+            cur->function(argc, argv);
+            break;
+        }
+        cur = cur->next;
+    }
+    if (cur == NULL) {
+        printf("Command not found.\n");
+    }
+    return;
+}
+
+void interact() {
+    printf("*\n* %s\n*\n%s\n> ", module.name, module.info);
+    fflush(stdout);
+    static char buf[4096];
+    while (1) {
+        if (fgets(buf, 4096, stdin) != NULL) {
+            handle_input(buf);
+            printf("> ");
+        } else {
+            break;
+        }
+    }
+}
+
+void drop_privs() {
+    char* user = "challenge";
+    struct passwd* pw = getpwnam(user);
+    if (pw == NULL) {
+        logf("User \"%s\" does not exist", user);
+        exit(EXIT_FAILURE);
+    }
+    if (setgroups(0, NULL) != 0) {
+        perror("Error on setgroups");
+        exit(EXIT_FAILURE);
+    }
+    if (setgid(pw->pw_gid) != 0) {
+        perror("Error on setgid");
+        exit(EXIT_FAILURE);
+    }
+    if (setuid(pw->pw_uid) != 0) {
+        perror("Error on setuid");
+        exit(EXIT_FAILURE);
+    }
+}
+
+int main(int argc, char* argv[]) {
+    
+    int sockfd = init_socket();
+    logf("Server listening on port %d\n", PORT);
+  
+    if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) {
+        perror("Error setting SIGCHILD handler.");
+        return EXIT_FAILURE;
+    }
+
+    load_module();
+
+    while (1) {
+        socklen_t client_len = sizeof(client);
+        int client_fd = accept(sockfd, (struct sockaddr*) &client, &client_len);
+        if (client_fd < 0) {
+            perror("Error creating socket for incoming connection");
+            exit(EXIT_FAILURE);
+        }
+        logf("New connection from %s on port %d\n", inet_ntoa(client.sin_addr), htons(client.sin_port));
+
+        int pid = fork();
+        if (pid < 0) {
+            perror("Unable to fork");
+            exit(EXIT_FAILURE);
+        }
+
+        if (pid == 0) { // client
+            alarm(300);
+            close(sockfd);
+
+            dup2(client_fd, 0);
+            dup2(client_fd, 1);
+            setvbuf(stdout, NULL, _IONBF, 0);
+
+            drop_privs();
+
+            interact();
+
+            close(client_fd);
+            logf("%s:%d disconnected\n", inet_ntoa(client.sin_addr), htons(client.sin_port));
+            exit(EXIT_SUCCESS);
+        } else {        // server
+            logf("%s:%d forked new process with pid %d\n", inet_ntoa(client.sin_addr), htons(client.sin_port), pid);
+            close(client_fd);
+        }
+
+    }
+}