RWCTF-3rd JunkAV writeup
2021-01-11 01:00:00 Author: bestwing.me

I made a challenge named JunkAV for RWCTF 3rd. It is an out-of-bounds (OOB) write vulnerability triggered when upx processes a PE program. Congratulations to CodeR00t and 217, who solved it during the game.

Thanks to @leommxj for contributing to this challenge.

Details

The vulnerability is in the PeFile::rebuildRelocs function of pefile.cpp in upx 3.96.

When the unoptimizeReloc function is called:

  1. The size of relocn can be controlled by the user, so the allocation size can be controlled.
  2. Lines 1024-1033 flip the data.
  3. Once the data has been flipped, the jc variable on line 1021 becomes controllable, and the OOB write is finally completed on line 1023.
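
The missing check, shown on a simplified model of this kind of decoder. This is an added example, not code from upx or from the original writeup; the stream encoding, `apply_relocs_checked` and `bswap32` are assumptions made for illustration, and only the name `jc` is taken from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT upx source. Assumed encoding: the relocation stream
 * is a zero-terminated run of bytes; each byte is a delta added to a running
 * offset jc, and the 32-bit value at image + jc is byte-swapped in place. */

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Returns the number of relocations applied, or -1 when an offset would fall
 * outside the image or the stream has no terminator. The bound is checked
 * immediately before each write, so it still holds if an earlier swap
 * changed bytes that the decoder reads later. */
long apply_relocs_checked(uint8_t *image, size_t image_size,
                          const uint8_t *stream, size_t stream_len)
{
    size_t jc = 0; /* invariant: jc <= image_size - 4 */
    long applied = 0;

    if (image_size < 4)
        return -1;
    for (size_t i = 0; i < stream_len; i++) {
        uint32_t v;
        if (stream[i] == 0)
            return applied;                 /* terminator reached */
        if (stream[i] > image_size - 4 - jc)
            return -1;                      /* write would be out of bounds */
        jc += stream[i];
        memcpy(&v, image + jc, 4);
        v = bswap32(v);
        memcpy(image + jc, &v, 4);
        applied++;
    }
    return -1;                              /* ran off the stream */
}

int main(void)
{
    uint8_t image[12] = {0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    const uint8_t in_range[] = {4, 4, 0};                     /* constructed */
    const uint8_t too_far[] = {4, 200, 0};                    /* constructed */

    printf("%ld\n", apply_relocs_checked(image, sizeof image, in_range, sizeof in_range));
    printf("%ld\n", apply_relocs_checked(image, sizeof image, too_far, sizeof too_far));
    return 0;
}
```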

Exploit

Reference

https://landave.io/2020/11/bitdefender-upx-unpacking-featuring-ten-memory-corruptions/


Source: https://bestwing.me/RWCTF-3rd-writeup.html