SeeTF 2022 - Pointytail
Pointy Tail
Description
You can download the challenge here
Author: Neobeo
Types in .NET are so confusing: should a Point type be a struct or a class? Let’s have one of each, just to compare.
nc fun.chall.seetf.sg 50007
MD5: 211020d68a6243fa5572b360b27eb8d
Introduction
In this challenge we are given 6 files including the Dockerfile.
The challenge file is in pointytail.dll. First step here we analyze what file is it just type command
1 | $ file pointytail.dll |
The file is compiled by .NET framework, well I never have experience on exploiting .NET before xd, so let’s give a shot.
Okay, next look at the Dockerfile is it the server running on windows or on linux.
1 | FROM mcr.microsoft.com/dotnet/runtime:6.0-focal-amd64 |
The docker pull from mcr.microsoft, at first I thought that’s the windows image. But the docker using apt so it’s a linux image.
The file running by dotnet, so we need to install dotnet first on our machine. For the installation guide you can see one of tutorial Here.
Next, after finished install dotnet just simply run command like this to execute the challenge.
1 | $ dotnet pointytail.dll |
The Bug
For finding the bug, we need to decompile the dll files, to do that we can use decompiler tools ILSpy.
Just download the release file and run the ILSpy.
1 | private static void Main() |
The Main() function declare the PointStruct and fill it with double value, and then call Main2(ref s) function.
The PointStruct it’s look like this.
1 | private struct PointStruct |
Alright, not so complex struct let’s move to Main2()
1 | private static void Main2(ref PointStruct s) |
This function declare PointClass and fill with double value again, the Class it’s look like this:
1 | private class PointClass |
Next Main3() function:
1 | private static void Main3(ref PointStruct s, ref PointClass c) |
The challenge will be start from this function, honestly i dont understand too much about C#. But this code not too complicated, the program will ask our input, if our input start with s followed by the double value, then it will fill the object of s, this same with object of c. And if our input not started with s or c, it will print the result.
1 | $ dotnet pointytail.dll |
Then just attach the pidof at gdb. When we Input s 0 0
the error show Object reference is not set.
Next here I try to convert the first value of s from decimal to hex to see what is that.
1 | def do2hex(f): |
We got Leak an address, because of this leak now I understand a bit about the code, from what I got, in Main3() var s represent as **s, you can see again in Main() function, PointStruct s = pointStruct;
and the pointStruct is PointStruct pointStruct = default(PointStruct);
. So in Main3() function when the program print (object)s.x
instead print the value of pointStruct.x it will print the address pointStruct itself. So that var s will be pointing to var c.\
Oke let me simply this.
var s its a pointer contains value of var c. So with this we found the bug where we can arbitary write and read.
To validate that let’s see at gdb.
As you can see from picture above we can do arbitary write and read with first index of var s, just change it to address where we want to write or read because it’s pointing to var c.\
Gain Shell
We can do arbwrite and arbread and we got leak stack and the mapped area. How to get shell?
If you check vmmap, there’s many rwxp address there from because of dotnet, we can use one of that address to write shellcode.
Because we have stack address, we can leak one of rwxp address from stack. Luckily we have one near the address leak we have.
The offset to the rwxp will be same, With this now we have the rwxp address.
1 | def do2hex(f): |
Next, because the program run on while(1) loop, we need to find address when it jump back.
Now with this we just need to put our shellcode to rwxp, and the overwrite the jump address to our shellcode.
Because we can just write 8 bytes, so we need to divide our shellcode.
1 | sc = asm(shellcraft.sh()) |
Now with this we success gain the shell.
Next run it on nc service, we got some problem, because the environtment is different so the offset its different.
The offset on local is 0x9340 and on server is 0x92b0, with this just change the offset from 0xe9340 to 0xe92b0 to get correct rwxp address.
For full script see Here