You must have noticed something pwnable in MISC-ctfhub. This time I set up ANOTHER PHP environment with crypt.so (you can use all the functions in too, just like ctfhub) and disabled some dangerous functions. You are expected to execute /readflag and get the flag.

I didn't reverse crypt.so even until the end of the competition, but it only has 2 simple exported functions:

```c
void encrypt(void* in, unsigned int size, unsigned long long key, void* out);
void decrypt(void* in, unsigned int size, unsigned long long key, void* out);
```

Design wise, you can actually see there's a flaw from the parameters alone. It takes 2 pointers, to the input and output buffers, but only takes 1 size parameter, for the input. This could mean the output buffer length isn't checked. Nothing too serious, but if the one that uses the library is not careful it could lead to something unexpected. It could be ok-ish, but it shows an overflow could happen if the output buffer isn't as big as it should be.

The first step is to get to know how these 2 functions work. So, I created a small C program to test it out (only the relevant fragments survived here):

```c
void DumpHex(const void* data, size_t size);   /* hex dump helper for the buffers */

memset(stack.buf1, 0x41, sizeof stack.buf1);  /* fill the input with 'A' */
memset(stack.buf2, 0, sizeof stack.buf2);     /* zero the output buffer */
encrypt(stack.buf1, 0x100, KEY, stack.buf2);  /* only the input size is passed */
```

And after running that code, we immediately got a crash!

```
 E0 95 B5 D1 05 E0 58 E8 2F 08 FB 7F 18 8C F6 62 2C |.
*** stack smashing detected ***: terminated
```

After playing around a little more with the library, I found out that every 1 plaintext byte maps to 8 bytes in the encrypted buffer.

This challenge exposes these 2 functions with FFI in PHP, but to actually interact with them we can only run them from the wrapper in ``:

```php
function encrypt_impl($in, $blks, $key, $out)
$obj = FFI::new("unsigned long long", false, true)
return FFI::new("unsigned long long", false, true)
```

So, an output buffer that only has `` is actually far from enough, and this also confirms our initial guess that an overflow can occur.

Just hope that some of the libc leaks remain near our controlled chunks. First we need to mark our chunks with a recognizable pattern and start the heap dump with `START\n` and end it with `END\n`; the Python script will be the one in charge of making it look nicer. This really helps A LOT when taking a dump of the heap layout.