UIUCTF Kernel_Memory_Leak

2020-07-20

Kernel_Memory_Leak

The kernel is leaking memory to the user! That's probably not good, right?

One of the syscalls can be convinced to leak the kernel stack. Find the leak and you'll receive a flag. Keep leaking kernel secrets until you see the }.

(Hint: finding the leak is half the battle, getting it to leak the entire flag requires some outside the box thinking)

Author: ravi

Disclaimer I was unable to solve this challenge until after the CTF had officially ended.

Solution

I wasn’t able to find the syscall that was vulnerable until about an hour after the CTF had ended. It was then shared that the vulnerable call was alert at this point I decided to see if I could use that to solve the rest of the challenge. We can call this syscall from within the rash shell without using binexec.

alert example

It function fairly simply. alert [text to be displayed as an alert] We start trying different inputs seeing if we can generate some kind of an error that we can use to figure out what is going on behind the scenes. We try special characters, inputting more data then can be displayed and alert (unfortunately) handles it like a champ. We then try checking for some kind of format string vulnerability.

KernelPanic

Oh dear. Kernel Panic. That’s not good. Or is it? That address 0x75607563 looks rather interesting. If we convert the hex to ascii we get some familiar characters, uiuc That looks like the beginning of a flag doesn’t it?

We reboot our VM and try again. This time we use %cs as this will leak the date as readable characters and allow us to save space in the alert box.

alert %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

This gives us most of the flag it seems. uiuctf{aed05bs4417$#4c644 But we seem to be missing some of it.

Kernel Panics

Now we have a slight problem. We have some of the flag but alert box won’t display the rest of the flag. The challenges descriptions says we might need to “think outside the box” and fortunately, I have an idea. Remember how we first tried to get data using the alert function we caused a kernel panic? That actually leaked the hex codes of the first several characters. Maybe we can use kernel panics to leak characters getting cut off by the alert box.

Sure enough we can.

alert %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s

This allows us to leak two more bytes but we haven’t got a closing bracket so we add a few more characters and cause another panic.

alert %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s

Kernel Panic!!! And we get the final bytes of the flag. Totally worth it. Sorry, pwnyOS.

We convert the final hex codes to ascii and now have the rest of the flag. uiuctf{aed05ba24417$#4c64411096}

UIUCTF Whats_A_Syscall