I made a challenge name JunkAV for RWCTF 3rd . This is an oob write vulnerability caused by a upx processing PE program. Congratulations to CodeR00t and 217 who solved it during the game.

Thank @leommxj for contributing to this challenge

Details

Vulnerability is in the PeFile::rebuildRelocs function of pefile.cpp in upx 3.96 .

When calling the unoptimizeReloc function

1. The size of the relocn can be controlled by the user, so the allocation size can be controlled.
2. The 1024-1033 guild will flip the data.
3. When the data is flipped later, the jc variable on line 1021 becomes controllable, and finally the oob write is completed on line 1023

Exploit

• nerated upx compressed program for PoC:

  ​ http://bestwing.me/attachments/rwctf-3rd/JunkAV/gen_exploit_bin.py

• ibuf_mod :

  ​ http://bestwing.me/attachments/rwctf-3rd/JunkAV/ibuf_mod

• IO script:

  ​ http://bestwing.me/attachments/rwctf-3rd/JunkAV/exploit.py

Reference

https://landave.io/2020/11/bitdefender-upx-unpacking-featuring-ten-memory-corruptions/