I solved 2 challenges (bf, best_php).
First, the seccomp-dump:
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x0b 0xc000003e if (A != ARCH_X86_64) goto 0013
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x09 0x00 0x40000000 if (A >= 0x40000000) goto 0013
0004: 0x15 0x07 0x00 0x00000002 if (A == open) goto 0012
0005: 0x15 0x06 0x00 0x00000101 if (A == openat) goto 0012
0006: 0x15 0x05 0x00 0x00000000 if (A == read) goto 0012
0007: 0x15 0x04 0x00 0x00000001 if (A == write) goto 0012
0008: 0x15 0x03 0x00 0x0000000c if (A == brk) goto 0012
0009: 0x15 0x02 0x00 0x0000003c if (A == exit) goto 0012
0010: 0x15 0x01 0x00 0x000000e7 if (A == exit_group) goto 0012
0011: 0x06 0x00 0x00 0x00000000 return KILL
0012: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0013: 0x06 0x00 0x00 0x00000000 return KILL
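To make the dump concrete, here is a small evaluator for that filter, written as an added example for this writeup (it is not the challenge's code and not output of seccomp-tools). It transcribes the 14 instructions above into classic-BPF form and walks them the way the kernel does for a given (arch, nr) pair, so you can verify which syscalls survive: only native x86_64 open, openat, read, write, brk, exit and exit_group; x32-ABI numbers (>= 0x40000000) and any non-x86_64 arch hit the KILL return. The SECCOMP_RET_* and AUDIT_ARCH_* constants are the kernel's real values and match the ones in the dump; `count_allowed` and `seccomp_eval` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One classic-BPF instruction, the layout seccomp uses (struct sock_filter). */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define SECCOMP_RET_KILL  0x00000000u
#define SECCOMP_RET_ALLOW 0x7fff0000u
#define AUDIT_ARCH_X86_64 0xc000003eu

/* The challenge filter, transcribed from the seccomp-dump above. */
static const struct bpf_insn filter[] = {
    {0x20, 0x00, 0x00, 0x00000004}, /* A = arch (seccomp_data offset 4) */
    {0x15, 0x00, 0x0b, 0xc000003e}, /* if A != X86_64 skip 11 -> 0013 KILL */
    {0x20, 0x00, 0x00, 0x00000000}, /* A = nr (seccomp_data offset 0) */
    {0x35, 0x09, 0x00, 0x40000000}, /* if A >= 0x40000000 (x32 ABI) skip 9 -> 0013 KILL */
    {0x15, 0x07, 0x00, 0x00000002}, /* open       -> 0012 ALLOW */
    {0x15, 0x06, 0x00, 0x00000101}, /* openat */
    {0x15, 0x05, 0x00, 0x00000000}, /* read */
    {0x15, 0x04, 0x00, 0x00000001}, /* write */
    {0x15, 0x03, 0x00, 0x0000000c}, /* brk */
    {0x15, 0x02, 0x00, 0x0000003c}, /* exit */
    {0x15, 0x01, 0x00, 0x000000e7}, /* exit_group */
    {0x06, 0x00, 0x00, 0x00000000}, /* 0011: return KILL */
    {0x06, 0x00, 0x00, 0x7fff0000}, /* 0012: return ALLOW */
    {0x06, 0x00, 0x00, 0x00000000}, /* 0013: return KILL */
};

/* Run the filter for one (arch, nr) pair and return the seccomp action.
 * Only the four opcodes the dump uses are implemented (LD_ABS, JEQ, JGE, RET);
 * anything else falls through to KILL rather than being guessed. */
uint32_t seccomp_eval(uint32_t arch, uint32_t nr)
{
    uint32_t A = 0;
    size_t n = sizeof filter / sizeof filter[0];
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &filter[pc];
        switch (in->code) {
        case 0x20: /* BPF_LD|BPF_W|BPF_ABS: load a word of struct seccomp_data */
            A = (in->k == 0) ? nr : (in->k == 4) ? arch : 0;
            break;
        case 0x15: /* BPF_JMP|BPF_JEQ|BPF_K: target is pc + 1 + jt/jf */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case 0x35: /* BPF_JMP|BPF_JGE|BPF_K (unsigned compare) */
            pc += (A >= in->k) ? in->jt : in->jf;
            break;
        case 0x06: /* BPF_RET|BPF_K */
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end of the program */
}

/* Count how many native x86_64 syscall numbers in [0, limit) the filter allows. */
int count_allowed(uint32_t limit)
{
    int allowed = 0;
    for (uint32_t nr = 0; nr < limit; nr++)
        if (seccomp_eval(AUDIT_ARCH_X86_64, nr) == SECCOMP_RET_ALLOW)
            allowed++;
    return allowed;
}

int main(void)
{
    printf("allowed x86_64 syscall numbers:");
    for (uint32_t nr = 0; nr < 512; nr++)
        if (seccomp_eval(AUDIT_ARCH_X86_64, nr) == SECCOMP_RET_ALLOW)
            printf(" %u", nr);
    printf("\n");
    return 0;
}
```

Note the separate arch and x32 checks: without them, a filter that only compares syscall numbers could be bypassed with the same number under a different ABI, which is why seccomp-dump shows both jumps before any syscall comparison.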
We found the vulnerability by hand fuzzing... XD
+[[[>+]-<]<<]
It caused bad syscall errors. We confirmed why these results were coming out:
We had overwritten 1 byte of code_string's address.
code_string is a string object, and when we overwrite 1 byte of it, an error occurs in its destructor.
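The natural reading of the fuzz result is that the interpreter lets `>` and `<` move the data pointer off the end of the tape, so the `+` lands on whatever object happens to sit next to it (here one byte of code_string). As an added example, not the challenge binary or its source, here is a hypothetical C interpreter that bounds-checks every pointer move and reports a status instead; the names `bf_run`, `bf_check`, `bf_output` and the enum values are chosen here. Fed the same string, it stops at the tape edge with BF_ERR_OOB rather than corrupting a neighbouring object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAPE_SIZE 30000

enum bf_status { BF_OK = 0, BF_ERR_OOB = 1, BF_ERR_UNBALANCED = 2, BF_ERR_STEPS = 3 };

/* Interpret Brainfuck 'code' over 'tape' (zeroed here). Every '<' and '>' is
 * bounds-checked before the pointer moves, so a program that walks off the
 * tape is reported as BF_ERR_OOB instead of touching neighbouring objects.
 * ',' reads from 'in' (no more input leaves the cell unchanged); '.' appends
 * to 'out' (at most out_cap-1 bytes, NUL-terminated). 'max_steps' bounds the
 * run so a fuzz string like "+[]" cannot spin forever. */
enum bf_status bf_run(const char *code, unsigned char *tape, size_t tape_len,
                      const char *in, char *out, size_t out_cap, size_t max_steps)
{
    size_t code_len = strlen(code), pc = 0, dp = 0, outn = 0, steps = 0;
    memset(tape, 0, tape_len);
    while (pc < code_len) {
        if (++steps > max_steps) return BF_ERR_STEPS;
        switch (code[pc]) {
        case '>':
            if (dp + 1 >= tape_len) return BF_ERR_OOB;  /* would run past the last cell */
            dp++;
            break;
        case '<':
            if (dp == 0) return BF_ERR_OOB;             /* would underflow before cell 0 */
            dp--;
            break;
        case '+': tape[dp]++; break;
        case '-': tape[dp]--; break;
        case '.':
            if (out && outn + 1 < out_cap) out[outn++] = (char)tape[dp];
            break;
        case ',':
            if (in && *in) tape[dp] = (unsigned char)*in++;
            break;
        case '[':
            if (tape[dp] == 0) {                        /* skip to the matching ']' */
                int depth = 1;
                while (depth) {
                    if (++pc >= code_len) return BF_ERR_UNBALANCED;
                    if (code[pc] == '[') depth++;
                    else if (code[pc] == ']') depth--;
                }
            }
            break;
        case ']':
            if (tape[dp] != 0) {                        /* jump back to the matching '[' */
                int depth = 1;
                while (depth) {
                    if (pc == 0) return BF_ERR_UNBALANCED;
                    pc--;
                    if (code[pc] == ']') depth++;
                    else if (code[pc] == '[') depth--;
                }
            }
            break;
        default: break;                                 /* any other byte is a comment */
        }
        pc++;
    }
    if (out && out_cap) out[outn] = '\0';
    return BF_OK;
}

/* Run 'code' on a private tape with no input and report only the status. */
enum bf_status bf_check(const char *code)
{
    static unsigned char tape[TAPE_SIZE];
    return bf_run(code, tape, TAPE_SIZE, "", NULL, 0, 1000000);
}

/* Run 'code' and return what it printed (static buffer, valid until the next call). */
const char *bf_output(const char *code)
{
    static unsigned char tape[TAPE_SIZE];
    static char out[256];
    if (bf_run(code, tape, TAPE_SIZE, "", out, sizeof out, 1000000) != BF_OK)
        out[0] = '\0';
    return out;
}

int main(void)
{
    const char *fuzz = "+[[[>+]-<]<<]";   /* the string from the writeup */
    printf("%s -> status %d (1 = out-of-bounds move refused)\n", fuzz, bf_check(fuzz));
    printf("prints: %s\n", bf_output("++++++++[>++++++++<-]>+."));
    return 0;
}
```

The inner `[>+]` of the fuzz string increments and moves right until something stops it; on an unchecked interpreter that "something" is whatever memory follows the tape, which is exactly the one-byte corruption the writeup goes on to describe.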
So now we know we can overwrite 1 byte of code_string. What can we do with that?
We can change that 1 byte of code_string so it points to the return address;
then we can leak a libc address
and overwrite it.
One more thing to think about is the destructor of the string object.