I made a challenge named JunkAV for RWCTF 3rd. This is an OOB write vulnerability caused by UPX processing a PE program. Congratulations to CodeR00t and 217, who solved it during the game.
Thanks to @leommxj for contributing to this challenge.
Details
The vulnerability is in the PeFile::rebuildRelocs function of pefile.cpp in UPX 3.96.
When it calls the unoptimizeReloc function:
- The size of relocn can be controlled by the user, so the allocation size can be controlled.
- Lines 1024-1033 flip the data.
- When the data is flipped later, the jc variable on line 1021 becomes controllable, and the OOB write is finally completed on line 1023.
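To make the pattern concrete, here is an added illustrative model, not UPX's code and not the challenge's exploit, of a delta-decoded relocation offset jc that is accumulated from input the unpacker does not trust and then used as an index into the image. The stream format, the 0xF0 escape byte, the sample streams and every function name are constructed for this example. max_offset_unchecked reports how far a decoded offset would land relative to a 16-byte image when nothing compares jc against the image size; apply_relocs_checked is the kind of bound test that turns that write into a clean unpack failure.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed stream format (an illustration, not UPX's real encoding):
//   byte b < 0xF0   : advance the running offset jc by b, then record jc
//   byte 0xF0 lo hi : advance jc by the 16-bit little-endian value lo | hi << 8
//   byte 0x00       : end of stream
// Every recorded offset is where the decoder will later touch a 32-bit word.

// Decode the stream into a list of offsets. Returns false if the stream is
// truncated or uses an unknown escape. This pass never touches the image.
static bool decode_offsets(const uint8_t *p, size_t len, std::vector<uint32_t> &out) {
    uint32_t jc = 0;
    size_t i = 0;
    while (i < len && p[i] != 0x00) {
        if (p[i] < 0xF0) {
            jc += p[i];
            i += 1;
        } else if (p[i] == 0xF0) {
            if (i + 3 > len) return false;  // escape needs two more bytes
            jc += (uint32_t)p[i + 1] | ((uint32_t)p[i + 2] << 8);
            i += 3;
        } else {
            return false;                   // unknown escape byte
        }
        out.push_back(jc);
    }
    return i < len;                         // terminator must be present
}

// Models the vulnerable pattern: a decoder that uses image[jc] for every
// offset without comparing jc against the image size. Instead of performing
// that write, report the largest offset the stream would reach so the caller
// can see how far outside a small image it lands. Returns 0 for a bad stream.
static uint32_t max_offset_unchecked(const uint8_t *p, size_t len) {
    std::vector<uint32_t> offs;
    if (!decode_offsets(p, len, offs)) return 0;
    uint32_t hi = 0;
    for (uint32_t jc : offs) if (jc > hi) hi = jc;
    return hi;
}

// Hardened variant: flip (byte-swap) the 32-bit word at each offset only
// after proving the whole word lies inside [0, image_size). The comparison
// is written so that jc + 4 can never wrap around.
static bool apply_relocs_checked(const uint8_t *p, size_t len, uint8_t *image, size_t image_size) {
    std::vector<uint32_t> offs;
    if (!decode_offsets(p, len, offs)) return false;
    for (uint32_t jc : offs) {
        if (jc > image_size || image_size - jc < 4) return false;  // word would run past the image
        uint8_t *w = image + jc;
        std::swap(w[0], w[3]);
        std::swap(w[1], w[2]);
    }
    return true;
}

// Constructed sample streams.
static const uint8_t kBenignStream[]    = {0x04, 0x04, 0x00};        // offsets 4 and 8
static const uint8_t kOversizedStream[] = {0xF0, 0x00, 0x10, 0x00};  // single offset 0x1000
static const uint8_t kEdgeStream[]      = {0x0D, 0x00};              // offset 13: word spans 13..16

// Run the hardened path over a 16-byte image filled with 0..15 and return the
// byte now at offset 4 (7 after the swap), or -1 if the stream was rejected.
static int demo_benign() {
    uint8_t img[16];
    for (int i = 0; i < 16; i++) img[i] = (uint8_t)i;
    if (!apply_relocs_checked(kBenignStream, sizeof kBenignStream, img, sizeof img)) return -1;
    return img[4];
}

// True when the hardened path refuses a stream whose word would leave the image.
static bool rejects_stream(const uint8_t *p, size_t len) {
    uint8_t img[16] = {0};
    return !apply_relocs_checked(p, len, img, sizeof img);
}

int main() {
    printf("benign: byte at offset 4 after swap = %d\n", demo_benign());
    printf("oversized stream would reach offset 0x%x in a 16-byte image\n",
           max_offset_unchecked(kOversizedStream, sizeof kOversizedStream));
    printf("oversized rejected: %d, edge rejected: %d\n",
           (int)rejects_stream(kOversizedStream, sizeof kOversizedStream),
           (int)rejects_stream(kEdgeStream, sizeof kEdgeStream));
    return 0;
}
```

The edge stream is the case a one-sided check (jc < image_size) would miss: offset 13 is inside a 16-byte image, but the 4-byte word starting there is not, so the check has to cover the whole access, not just its first byte.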
Exploit
Generated UPX-compressed program for the PoC:
http://bestwing.me/attachments/rwctf-3rd/JunkAV/gen_exploit_bin.py
ibuf_mod :
IO script:
http://bestwing.me/attachments/rwctf-3rd/JunkAV/exploit.py
Reference
https://landave.io/2020/11/bitdefender-upx-unpacking-featuring-ten-memory-corruptions/