WCTF 2018 binja Editorial
1 like812 views
The document describes a .NET reversing challenge that appears simple but has a deception. Through static analysis, it seems the challenge involves decrypting a resource to obtain matrices A, B, C and vectors d, y, then calculating the flag as A^-1B^-1C^-1(y - d). However, running this approach yields an incorrect flag. The truth is that the binary modifies the just-in-time compiled code and method descriptor table to alter the real behavior of functions 3, 4, and 5, decrypting the real code from the resource.
![On malloc
1. Round up requested size to multiple of 0x10
2. Scan arena->chunks and find a chunk which satisfies
(chunk->size & 1) == 0 // chunk is not in use
&& aligned_requested_size <= arena->chunk[idx].size
3. If found, set LSB of arena->chunks[idx].size and return
arena->chunks[idx].ptr
4. If not found, create a new chunk at arena->top
5. Add new chunk to arena->chunks
6. Return the address of new chunk](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-8-320.jpg)
![On free
1. Find target chunk from arena->chunks
2. Clear LSB of arena->chunks[idx].size](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-9-320.jpg)
![Vulnerability
On malloc:
1. Round up requested size to multiple of 0x10
2. Scan arena->chunks and find a chunk which satisfies
(chunk->size & 1) == 0 // chunk is not in use
&& aligned_requested_size <= arena->chunk[idx].size
3. If found, set LSB of arena->chunks[idx].size and return
arena->chunks[idx].ptr
4. If not found, create a new chunk at arena->top
5. Add new chunk to arena->chunks
6. Return the address of new chunk](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-10-320.jpg)
![Let's confirm it
$ ./test
[mmap 1] 0x7fc03cd9b000
[mmap 2] 0x7fc03cd9a000
[mmap 3] 0x7fc03cd99000
[mmap 4] 0x7fc03cd98000
[mmap 5] 0x7fc03cd97000
$ ulimit -s unlimited; ./test
[mmap 1] 0x2b0b265a1000
[mmap 2] 0x2b0b265a2000
[mmap 3] 0x2b0b265a3000
[mmap 4] 0x2b0b265a4000
[mmap 5] 0x2b0b265a5000
higher to lower
lower to higher
Note: This behavior has been removed in Linux 4.13
(The challenge was running on Linux 4.4)](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-18-320.jpg)
![About MethodDesc
0:003> !DumpMT -md 00007fff180e5b00
(snip)
MethodDesc Table
Entry MethodDesc JIT Name
00007fff181f0090 00007fff180e5a98 NONE WCTF2018Rev.Lib.Verify(System.String)
00007fff181f0098 00007fff180e5aa8 NONE WCTF2018Rev.Lib.Func(Int32)
00007fff181f00a0 00007fff180e5ab8 NONE WCTF2018Rev.Lib.Func2()
00007fff181f00a8 00007fff180e5ac8 NONE WCTF2018Rev.Lib.Func3(Byte[], Byte[])
00007fff181f00b0 00007fff180e5ad8 NONE WCTF2018Rev.Lib.Func4(Byte[], Byte[])
00007fff181f00b8 00007fff180e5ae8 NONE WCTF2018Rev.Lib.Func5(Byte[], Byte[])
0:003> dq 00007fff180e5a98 l 6
00007fff`180e5a98 00280005`20000003 00007fff`181f0090 <- MethodDesc for Verify
00007fff`180e5aa8 00280006`20020004 00007fff`181f0098 <- MethodDesc for Func
00007fff`180e5ab8 00280007`20040005 00007fff`181f00a0 <- MethodDesc for Func2
Entry pointMethodTokens etc.](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-32-320.jpg)
![Precode to JITted code
PrecodeForFunc1:
=> call PrecodeFixupThunk
pop rsi ; dummy instruction
db m_MethodDescChunkIndex_Func1
db m_PrecodeChunkIndex_Func1
dq MethodDescBase
PrecodeFixupThunk:
pop rax
movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex
movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex
mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase
lea r10, [rax+r11*8] ; r10=&MethodDesc[r11]
jmp ThePreStub](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-34-320.jpg)
![Precode to JITted code
PrecodeForFunc1:
call PrecodeFixupThunk
pop rsi ; dummy instruction <= rax
db m_MethodDescChunkIndex_Func1
db m_PrecodeChunkIndex_Func1
dq MethodDescBase
PrecodeFixupThunk:
=> pop rax
movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex
movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex
mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase
lea r10, [rax+r11*8] ; r10=&MethodDesc[r11]
jmp ThePreStub](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-35-320.jpg)
![Precode to JITted code
PrecodeForFunc1:
call PrecodeFixupThunk
pop rsi ; dummy instruction <= rax
db m_MethodDescChunkIndex_Func1
db m_PrecodeChunkIndex_Func1
dq MethodDescBase
PrecodeFixupThunk:
pop rax
=> movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex
movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex
mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase
lea r10, [rax+r11*8] ; r10=&MethodDesc[r11]
jmp ThePreStub](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-36-320.jpg)
![Precode to JITted code
PrecodeForFunc1:
call PrecodeFixupThunk
pop rsi ; dummy instruction
db m_MethodDescChunkIndex_Func1
db m_PrecodeChunkIndex_Func1
dq MethodDescBase
PrecodeFixupThunk:
pop rax
movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex
movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex
=> mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase
lea r10, [rax+r11*8] ; r10=&MethodDesc[r11]
jmp ThePreStub](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-37-320.jpg)
![Precode to JITted code
PrecodeForFunc1:
call PrecodeFixupThunk
pop rsi ; dummy instruction
db m_MethodDescChunkIndex_Func1
db m_PrecodeChunkIndex_Func1
dq MethodDescBase
PrecodeFixupThunk:
pop rax
movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex
movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex
mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase
=> lea r10, [rax+r11*8] ; r10=&MethodDesc[r11]
jmp ThePreStub](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-38-320.jpg)
![Precode to JITted code
ThePreStub:
; save registers to stack
; (snip)
; call PreStubWorker
lea rcx, [rsp+0x68]
mov rdx, r10 ; MethodDesc
call PreStubWorker ; do JIT compilation and update MethodDesc
; restore registers
; (snip)
jmp rax ; jump to compiled code](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-39-320.jpg)
![JITted Func2
The real behavior of Func3, 4, and 5
● Func3
○ Extract the real code of Func4 and Func5 from resource
○ X1
= AX0
● Func4: X2
= Bt
5
X1
^ [0x5a, 0x5a, ..., 0x5a]
● Func5: 10.times{ X3
= C (X2
^ [B1,1
, B1,2
, ..., B1,32
]) }
real Func5
real Func4
Precodes
real Func3
Func3 entry point
Func4 entry point
Func5 entry point
Func2 entry point
MethodDesc array](https://image.slidesharecdn.com/editorial-180708105601/85/WCTF-2018-binja-Editorial-42-320.jpg)
WCTF 2018 binja Editorial
- 1. WCTF 2018 binja Editorial
- 3. Overview ● A simple memo manager which uses original heap allocator ● You are dropped into an unprivileged shell ● Can you exploit the binary and gain your privilege?
- 4. About the original allocator
- 5. Initializing the heap 1. mmap(NULL, 0x1000, PROT_NONE, ...); // map guard page lower higher libs guard
- 6. Initializing the heap 2. arena = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, ...); // map area for arena lower higher libs guard arena
- 7. Initializing the heap 3. arena->heap_base = mmap(NULL, heap_size, PROT_READ | PROT_WRITE, ...); // map data area lower higher libs guard arena heapdata
- 8. On malloc 1. Round up requested size to multiple of 0x10 2. Scan arena->chunks and find a chunk which satisfies (chunk->size & 1) == 0 // chunk is not in use && aligned_requested_size <= arena->chunk[idx].size 3. If found, set LSB of arena->chunks[idx].size and return arena->chunks[idx].ptr 4. If not found, create a new chunk at arena->top 5. Add new chunk to arena->chunks 6. Return the address of new chunk
- 9. On free 1. Find target chunk from arena->chunks 2. Clear LSB of arena->chunks[idx].size
- 10. Vulnerability On malloc: 1. Round up requested size to multiple of 0x10 2. Scan arena->chunks and find a chunk which satisfies (chunk->size & 1) == 0 // chunk is not in use && aligned_requested_size <= arena->chunk[idx].size 3. If found, set LSB of arena->chunks[idx].size and return arena->chunks[idx].ptr 4. If not found, create a new chunk at arena->top 5. Add new chunk to arena->chunks 6. Return the address of new chunk
- 11. Vulnerability allocating many chunks will make arena->chunks overflow
- 12. Is this exploitable? arena->chunks will overflow but we can't overwrite anything because of guard page :( lower higher libs guard arena heapdata
- 13. But wait... The initialization process relies on the assumption that mmap tries to allocate pages from higher to lower address. Can we break it? lower higher libs guard arena heapdata 1st2nd3rd
- 15. About mmap layout If some condition is met, use bottom-up (from lower to higher address) layout
- 16. About mmap layout If not, use top-down (from higher to lower address) layout
- 18. Let's confirm it $ ./test [mmap 1] 0x7fc03cd9b000 [mmap 2] 0x7fc03cd9a000 [mmap 3] 0x7fc03cd99000 [mmap 4] 0x7fc03cd98000 [mmap 5] 0x7fc03cd97000 $ ulimit -s unlimited; ./test [mmap 1] 0x2b0b265a1000 [mmap 2] 0x2b0b265a2000 [mmap 3] 0x2b0b265a3000 [mmap 4] 0x2b0b265a4000 [mmap 5] 0x2b0b265a5000 higher to lower lower to higher Note: This behavior has been removed in Linux 4.13 (The challenge was running on Linux 4.4)
- 19. Is this challenge exploitable? We can change mmap layout to bottom-up style since we can do "ulimit -s unlimited". So yes, it is exploitable! lower higher libs guard arena heapdata
- 20. Solution 1. ulimit -s unlimited 2. Launch the binary 3. Allocate many chunks to make arena->chunks overflow 4. Break link list of memo 5. GOT leak & GOT overwrite (eg. atoi -> gets) 6. Hijack the control flow and read the flag file
- 22. Overview ● .NET reversing challenge which looks very easy at a first glance
- 23. Static analysis with dnSpy
- 24. Static analysis with dnSpy Read and decrypt resource
- 25. Deconstructing resource IV (0x10 bytes) key (0x10 bytes) encrypted data (0xc40 bytes) A (0x400 bytes) B (0x400 bytes) C (0x400 bytes) d (0x20 bytes) y (0x20 bytes) AES-128-CBC 32 × 32 matrix column vector
- 26. Static analysis with dnSpy Func3: x1 := Ax0 Func4: x2 := Bx1 Func5: x3 := Cx2 +d x0 := input is x3 == y ?
- 27. Pretty easy, eh? According to static analysis, the input x should satisfy: C B Ax + d = y So, we should be able to get the flag by: flag = A-1 B-1 C-1 (y - d)
- 28. Pretty easy, eh? According to static analysis, the input x should satisfy: C B Ax + d = y So, we should be able to get the flag by: flag = A-1 B-1 C-1 (y - d) $ sage -python solver.py
- 29. Pretty easy, eh? According to static analysis, the input x should satisfy: C B Ax + d = y So, we should be able to get the flag by: flag = A-1 B-1 C-1 (y - d) $ sage -python solver.py flag: FAKEFLAGFAKEFLAGFAKEFLAGFAKEFLAG $ challenge.exe Enter your flag: FAKEFLAGFAKEFLAGFAKEFLAGFAKEFLAG Wrong :(
- 30. The truth
- 31. About MethodDesc In .NET, each method has a structure called "MethodDesc" (Method Descriptor). MethodDesc holds informations like: ● Lower bytes of MethodToken ● Has the method been already JITted? ● Is the method static? ● Method's entry point etc. There are several types of MethodDesc, but this time we will only focus on the basic one which is used for regular IL methods.
- 32. About MethodDesc 0:003> !DumpMT -md 00007fff180e5b00 (snip) MethodDesc Table Entry MethodDesc JIT Name 00007fff181f0090 00007fff180e5a98 NONE WCTF2018Rev.Lib.Verify(System.String) 00007fff181f0098 00007fff180e5aa8 NONE WCTF2018Rev.Lib.Func(Int32) 00007fff181f00a0 00007fff180e5ab8 NONE WCTF2018Rev.Lib.Func2() 00007fff181f00a8 00007fff180e5ac8 NONE WCTF2018Rev.Lib.Func3(Byte[], Byte[]) 00007fff181f00b0 00007fff180e5ad8 NONE WCTF2018Rev.Lib.Func4(Byte[], Byte[]) 00007fff181f00b8 00007fff180e5ae8 NONE WCTF2018Rev.Lib.Func5(Byte[], Byte[]) 0:003> dq 00007fff180e5a98 l 6 00007fff`180e5a98 00280005`20000003 00007fff`181f0090 <- MethodDesc for Verify 00007fff`180e5aa8 00280006`20020004 00007fff`181f0098 <- MethodDesc for Func 00007fff`180e5ab8 00280007`20040005 00007fff`181f00a0 <- MethodDesc for Func2 Entry pointMethodTokens etc.
- 33. Precode to JITted code PrecodeForFunc1: call PrecodeFixupThunk pop rsi ; dummy instruction db m_MethodDescChunkIndex_Func1 db m_PrecodeChunkIndex_Func1 PrecodeForFunc2: call PrecodeFixupThunk pop rsi ; dummy instruction db m_MethodDescChunkIndex_Func2 db m_PrecodeChunkIndex_Func2 dq MethodDescBase ; pointer to the first element of MethodDesc array
- 34. Precode to JITted code PrecodeForFunc1: => call PrecodeFixupThunk pop rsi ; dummy instruction db m_MethodDescChunkIndex_Func1 db m_PrecodeChunkIndex_Func1 dq MethodDescBase PrecodeFixupThunk: pop rax movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase lea r10, [rax+r11*8] ; r10=&MethodDesc[r11] jmp ThePreStub
- 35. Precode to JITted code PrecodeForFunc1: call PrecodeFixupThunk pop rsi ; dummy instruction <= rax db m_MethodDescChunkIndex_Func1 db m_PrecodeChunkIndex_Func1 dq MethodDescBase PrecodeFixupThunk: => pop rax movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase lea r10, [rax+r11*8] ; r10=&MethodDesc[r11] jmp ThePreStub
- 36. Precode to JITted code PrecodeForFunc1: call PrecodeFixupThunk pop rsi ; dummy instruction <= rax db m_MethodDescChunkIndex_Func1 db m_PrecodeChunkIndex_Func1 dq MethodDescBase PrecodeFixupThunk: pop rax => movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase lea r10, [rax+r11*8] ; r10=&MethodDesc[r11] jmp ThePreStub
- 37. Precode to JITted code PrecodeForFunc1: call PrecodeFixupThunk pop rsi ; dummy instruction db m_MethodDescChunkIndex_Func1 db m_PrecodeChunkIndex_Func1 dq MethodDescBase PrecodeFixupThunk: pop rax movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex => mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase lea r10, [rax+r11*8] ; r10=&MethodDesc[r11] jmp ThePreStub
- 38. Precode to JITted code PrecodeForFunc1: call PrecodeFixupThunk pop rsi ; dummy instruction db m_MethodDescChunkIndex_Func1 db m_PrecodeChunkIndex_Func1 dq MethodDescBase PrecodeFixupThunk: pop rax movzx r10, byte ptr [rax+2] ; m_PrecodeChunkIndex movzx r11, byte ptr [rax+1] ; m_MethodDescChunkIndex mov rax, qword ptr [rax+r10*8+3] ; MethodDescBase => lea r10, [rax+r11*8] ; r10=&MethodDesc[r11] jmp ThePreStub
- 39. Precode to JITted code ThePreStub: ; save registers to stack ; (snip) ; call PreStubWorker lea rcx, [rsp+0x68] mov rdx, r10 ; MethodDesc call PreStubWorker ; do JIT compilation and update MethodDesc ; restore registers ; (snip) jmp rax ; jump to compiled code
- 40. JITted Func2 Precodes What Resources.cctor() does 1. Get the entry point of Func1 (which is not JITted yet) by using MSIL ldftn instruction 2. Simulate PrecodeFixupThunk and calculate the address of MethodDesc array 3. Overwrite the beginning of JITted Func2 4. Modify entry points for Func3, 4, and 5 Func3 entry point Func4 entry point Func5 entry point Func2 entry point MethodDesc array
- 41. What Resources.cctor() does 1. Get the entry point of Func1 (which is not JITted yet) by using MSIL ldftn instruction 2. Simulate PrecodeFixupThunk and calculate the address of MethodDesc array 3. Overwrite the beginning of JITted Func2 4. Modify entry points for Func3, 4, and 5 Precodes JITted Func2 loader Func3 entry point Func4 entry point Func5 entry point Func2 entry point MethodDesc array
- 42. JITted Func2 The real behavior of Func3, 4, and 5 ● Func3 ○ Extract the real code of Func4 and Func5 from resource ○ X1 = AX0 ● Func4: X2 = Bt 5 X1 ^ [0x5a, 0x5a, ..., 0x5a] ● Func5: 10.times{ X3 = C (X2 ^ [B1,1 , B1,2 , ..., B1,32 ]) } real Func5 real Func4 Precodes real Func3 Func3 entry point Func4 entry point Func5 entry point Func2 entry point MethodDesc array
- 43. Fin.