Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
Key Takeaways
The video walks through reverse engineering a 32-bit Linux CTF binary with IDA and GDB: finding the entry point via strings and cross-references, mapping each menu item to its handler with breakpoints, and recovering the layout of the heap-allocated ingredient structure (calories at +0, price at +4, name at +8). Along the way it identifies double-free bugs where freed global pointers are never reset, in contrast to one submenu that does null its pointer after free. The libc shipped with the challenge signals that ASLR is enabled on the target, and the goal is remote code execution; the exploit itself (heap and libc leaks, then House of Force) is covered in parts 2 and 3.
Full Transcript
Welcome to the video write-up of the cookbook challenge from the Boston Key Party CTF 2016. I actually solved this challenge during the CTF this time, so it's not a video write-up based on write-ups from other people, and I've tweeted about it because I spent 24 hours or so on this challenge, which was a little bit over my skill, but I learned a lot along the way. So I'm going to show you now how I did it. The cookbook challenge gave six points, which was one point more than the other pwnables that were released at the same time, and it says that the top chef wrote this cookbook for me, but I think it has an extra secret recipe. We were provided a tar.gz and the server and port for the running service, which you could connect to during the CTF and interact with to exploit and gain remote code execution.

When we unpack the tar.gz we find the cookbook binary, which is a 32-bit Linux binary. That is pretty cool, because then I can actually use my IDA license, which only has 32-bit. And we get a libc, which is an indication that the binary uses ASLR, or at least that the system has ASLR enabled, because we then need it when we leak addresses of libc to calculate offsets of different functions and stuff like that. So that is a good indication of what we will face.

I use Vagrant as a VirtualBox wrapper, so I now connect to my Linux VM running in VirtualBox and copy the tar.gz into the shared folder so I can access the files in my Linux system. This is the Linux VM I'm running; I connected to it with SSH. Unpacking it, and ready to go. So let's have a first look at it. When we execute it, it asks for our name and it has this cool ASCII cook, and then there's this menu where you can type in certain letters to navigate. You can list ingredients and look at recipes; you can add ingredients, create a new recipe, discard the recipe you're working on right now, save it, print it, and so forth. So there's a fairly complex menu you can interact with. For example, I just added an ingredient to a recipe, and 0x41 of that ingredient, so I add another ingredient like water, 0x40 of it, and then I can list the ingredients that are in this current recipe. So that's basically the functionality of this program. Just to get a feeling for it and not to overlook something, play around with it a little bit so you get a mental picture of the functionality of the program.

There's also functionality to name your cookbook, where you have to specify how long the name of the cookbook should be, and then you can enter the name for it. And here I show you an error that will occur, which you might find while just playing around with it, but maybe you don't, and which you could also easily fuzz if you just throw random stuff against it. So now we remove the cookbook name, and if we remove it again, just trigger R again, we get this error: "double free or corruption (top)", which is indicating that there is a double free on the heap. It's basically very clear. So this is something you could find during initial investigation. I personally didn't; I started reverse engineering it in IDA and then realized those issues, but it's clearly something you could also find by just throwing the menu items randomly against it and fuzzing it.

Now I've loaded the binary in IDA and I start reverse engineering it. But where to start? The first thing I do is look at the strings embedded in the binary, because we know there's this menu string, and if we look at what the start of the program basically is, we can figure it out and start tracing the execution in IDA from the start. The first string when we execute the cookbook is "what's your name", so this is also what we want to look for in IDA. But what I also do is start taking notes of the functionality and certain aspects of the behavior, which is important because there's a fairly complex menu with a lot of functionality, and so you want to know which menu item is responsible for a certain behavior. So I write down now that the first thing we get is "what's your name", and after that we get access to the menu. Then let's explore the menu: L just lists the ingredients, then print recipe book, but add ingredient provides us another submenu for adding a new ingredient. So I'm just taking notes of the fact that when we choose add ingredient we enter a different menu. I'm cycling through the other things, and if we type C we create a recipe, which is another submenu, so I also just take notes of that. Otherwise there is some more functionality, but it's not really a submenu, so for now I just leave it at that.

Now let's find this string in IDA, "what's your name". There it is. Then we can look for the cross-references, what is referencing the string, and we find this one function here which seems to print this question, and you can also see it allocates 0x40 bytes and afterwards does an fgets, so it's reading your name into the allocated 0x40-byte area. This function is called from this other function here, which looks like maybe the main function, because there's an indication that they use alarm, which is very typical for CTF challenges: they create an alarm, which is basically a timeout, so in case the binary hangs they can kill it. It's typical for CTF challenges so that they don't have a lot of hanging processes. So we can also look at the next function that is called afterwards, which looks like it's printing some ASCII stuff, and in fact it's printing this cook here, as you can see. So this is definitely the function that will print the cook. What is the next function in this list? This function calls two different functions. Let's have a look at the first one. There seem to be some names like onion and water; that looks like the initial ingredients that are already in the binary, or that are already available if you list them. So this is probably initializing the ingredients for this binary. Those are just names you come up with; maybe later you realize the function is doing something else, but for now this is what I think it's doing. Then for each of these ingredients it calls another function, so this might be a function that adds an ingredient to something. I already reverse engineered it, so I know that there is a list of ingredients, kind of like an array, but it's not a real array; it has its own structure. So I know that it has to do with adding this ingredient to the list.

The next function, after we initialize those ingredients, looks a bit more convoluted; it looks different, but it also has those strings in there, and if you look at those strings closely and think about what else was already initialized at the start, it was those basic recipes that were already in the binary. So this is probably just initializing the recipes available at the start of the program. That is init-recipes, and all this is then just initializing the cookbook. Okay, what's the next function? Ah, that looks familiar. That seems to be the main menu with all our options available, and there's this huge jump table where, depending on the input, we will execute different things. So we can just start going through them one by one and start understanding what they are doing. After you read a value with fgets, this is one of the options you can choose. It looks like a loop; it's looping from the bottom to the top again, so it seems to be cycling over something. You can also see the dashes, and you might already be able to guess what it is, but maybe we don't know for sure. So what I'm doing now is the next step, kind of dynamically analyzing this too: I take the address of this function and set a breakpoint, and I just run this program and then hope I find the menu item that triggers this breakpoint by playing around with it a little bit. And there we hit the breakpoint. The last action I did was listing the ingredients available, so that lists the ingredients. This ingredient list has to start from somewhere, and there is this global variable in the data segment. This is a special segment because, even though we use ASLR, this is a global variable and will have a fixed value, which is loaded from this address here. So it loads the first one, whatever is there, and moves it into a local variable, and we can see that it's then doing stuff on it. Again, I looked at it more closely, but this is something you would figure out when you step through it: it's cycling in a certain way over this, starting from the first pointer you have there. And you can now name this global variable the ingredient list.

So let's get to the next function. There's a string "%s's cookbook", and if we print the recipe book we know that this is the current recipe book that we can print, so we can name this function now and proceed to the next one. The next one seems to start another menu, and if you look at the strings this seems to be the add ingredient submenu. As you can see in this function, it will print the options in the menu, and then again there's this huge jump table. You can see this very nicely on the graph overview on the left in IDA: you have all those different options, and it looks a little bit more complex than the main menu, but anyway it's very similar. So let's move to the next function. The next function again seems to specify a new menu, and we know that this must then be the add recipe menu. The next function says "how long is the name of your cookbook", so that seems to be the functionality to give your cookbook a name, because that is asking for the length of the name. We can move on to the next function. This one just seems to take another global pointer from the data segment and then free it, so there seems to be a menu item that just takes it and then frees something. So let's make a breakpoint here again in IDA and see which menu action triggers this breakpoint. We can try a few things, and eventually if we press R, remove the name of the cookbook, it will trigger the breakpoint. So this is the remove cookbook name, and then this global pointer here must be the cookbook name. And if you look closely, it doesn't set this cookbook name to zero, and that is why we get this double free error if we press capital R two times: it tries to free the same memory again without having any checks in place. If we look at the give-cookbook-name function now, we can see that there's a call to malloc with the size that we previously entered with fgets, and then the pointer returned by malloc, which is the area where the cookbook name will be stored, is stored in this global variable cookbook name.

Then let's move on with the next function. Here you can see "goodbye, thanks for cooking with us", so that seems to be the quit message. And then here is "which ingredient to exterminate", so this seems to be the location that we'll jump to when we want to remove an ingredient. When we want to remove an ingredient, it seems to call this other function here. When we look into it, it looks fairly complex and seems to do a lot of stuff, so for now I put this aside and I don't want to reverse engineer that one, but we can guess what this might be: because there's a free afterwards, it might try to find the ingredient that you want to exterminate, remove it and free it. So maybe that is what it's doing. Let's note this down.

Now that we are done with the main menu, we can move into one of the submenus. The first entry of this submenu seems to malloc something, so let's set a breakpoint at this address and see which menu item it actually is. First I thought I was in the add ingredient submenu and I was confused that nothing in it would trigger it, so I looked around again to verify which submenu I'm currently in. I quit out of the add ingredient menu and get into the create recipe menu; from there I can type N for a new recipe, which will trigger the breakpoint. So apparently this malloc here will allocate a new recipe on the heap, and we can see that it callocs or mallocs or whatever 0x4C bytes on the heap. So we can take notes of this now, that this particular menu item will malloc this size on the heap, and the result of this calloc will be stored at another global variable, which in this case must be the current recipe we are editing: we are creating a new recipe, it's allocating it and then storing that address in a global variable. And the next menu item, which seems to free that area, we can verify: D seems to discard the recipe, and triggering it two times will again create a double free error on the heap, because we are trying to free the same location twice, because it doesn't get set back to zero. So we know that the discard recipe menu item will free the global variable current recipe, which was earlier set from the malloc. We can now also fill in the other stuff that I kind of forgot in the beginning: when we give our cookbook a name, we can specify a length X and then it will allocate, or malloc, the cookbook name with this size, and remove cookbook name will free this global pointer again, which is again a double free because it does not reset the cookbook name. We can look around a little bit more, and the next block seems to be the add-ingredient-to-recipe functionality, but it's maybe not that important right now, and maybe we move on to the add ingredient submenu.

The add ingredient submenu again is very similar: you have the printed menu and then the big jump table. The first entry also moves a global variable into eax and checks if it's null or not, and then either will do something with it, call something, or print "null". This global variable is again used quite often, so we can already make the assumption that this is probably the current ingredient we are editing, because the first item in the menu is also list ingredient, or print the current stats, basically printing the current ingredient. So probably the first function here, if we also look at the strings in it with name, calories and price, is exactly what this menu item does: this will print the current ingredient, based on the current ingredient global pointer that is set. And so this must be the new ingredient functionality, because it does malloc and the result of malloc will be moved into this global address. If we move a little bit further we can also find a free, which is taking this global pointer again and then freeing it. But this free is much more interesting, because as you see, this submenu generally checks if current ingredient is zero or not and then prints "can't do it with null", and after the free it will also set the global pointer to zero, thus preventing us from double freeing it. Then there are more menus. You can just look at the strings that they are using, and if you are unsure which part is which menu item, you can always set a breakpoint and then check out the recipe and see which functionality it may be. Give the name to the ingredient with G will trigger the breakpoint, and you can also see in the information where the breakpoint was hit that there is a malloc, so this seems to allocate the buffer for the name for a particular ingredient, and that one is stored in a local variable for now: the location of the string, or the allocated area. And if there is a current ingredient being edited, then we will do an fgets and read it into the address in the local variable, so it will read into this allocated area. Then it will memcpy the string that was read to the location of the currently edited ingredient, but not directly at the start: it will add 8 to eax, so it will move the current ingredient address 8 bytes ahead and then memcpy the string that was read at this location.

Maybe we can also have a look at this in GDB now, because we know that this is a global variable which will always have the same address, so we can just look at what kind of value it will have. We already have created a new ingredient, so there should actually be a value stored. This seems to be an address where the current ingredient is, and then we can print this. It looks null; there doesn't seem to be much there, but as you remember we just started to write a name to it. So if we continue and type something in, that will be the name of the ingredient, and when we look at it now we can see that at offset +8 (so that is +0, the next one is +4, and that is +8), at this location we will store the string that was read. And remember that reading the string first read into a newly allocated buffer; that's why the name is there doubled. If we take a look again at the give-name function, we see that after the memcpy we will free the area that was previously allocated. And this one, fcc1, is the so-called wilderness; that is the last value on the heap, which indicates how much free space there is on the heap. So everything that comes after that value right now is freed heap, and free doesn't magically set the memory to zero, so obviously you can still find the strings that were previously stored at this area, but it's not used by the application anymore.

So let's look around and maybe start working through the other stuff. I'm looking for one particular function I want to have a look at, and again, if you look at this and you don't know what it is, you can take the address and create a breakpoint in GDB for it and see which menu function will trigger it. If you set a price for a current ingredient it will not trigger it, but if we set some calories with S, then we will trigger it and we can have a look at it. It first allocates a new area, and we know that this is now set calories. Then it checks if the current ingredient is zero or not, so if we currently have an ingredient, and if we have one it will call atoi on the string that we read, which will convert it to an integer, and the result is coming from eax, the return value, stored in this local variable var_20, which we can now rename to the calories integer that we have read from standard in. Then it also takes the current ingredient address into eax and stores the calories at the location of this ingredient. So remember the string was stored at offset +8, but the calories for an ingredient seem to be stored at offset zero. We can verify this by just specifying a number and having a look at it. So I will now give this current ingredient the calorie count of one and the price of two, and if we look at the ingredient in memory we should see exactly one and two in the first two. Also note that the string has gone in a second, because I accidentally screwed some stuff up; this is a new ingredient that I added, for which I didn't specify a name at this point. But as you can see, the calorie count is stored at exactly the address of the current ingredient, the price is stored at offset +4, it's the second value, and after that at +8 you will have the string, the name of the ingredient. We can take notes of this again in our notepad: the price ingredient will write at the current ingredient plus... and that's actually wrong, it should have been +4; it will write the integer that we read, and set calories at four. So I actually mixed this up, but you get the idea.

So basically this is how the reverse engineering works and what I did, and obviously I did a lot more, because I spent a lot of hours on it, as you know. You just work through IDA and understand function by function, and maybe you start to get the ideas: obviously that you can free memory and still write to it and still free it again, stuff like that. You know that there must be bugs that you could abuse. So what I'm doing now is show my exploit, and then we will see in part two of this video a walkthrough of my actual exploit. I use socat now to simulate the server: it will open a TCP port on port 666, and when I connect to it, it will execute the cookbook and I can interact with it like it was with the live challenge. Now I will open my exploit, because I have to do a slight modification with the server and port, and then we can also use netcat ourselves to see if it's working. So netcat connecting to 127..., to localhost (I'm currently on the Linux machine, that's why it's localhost), and then it presents us with the name and the menu. So this is how we can interact with the binary, and it's like the service, like the CTF challenge was when it was live. You can see now, if we trigger the double free, we can also see the error on the socat server side, but the service you are looking at is just dying now.

Let me show you my exploit first, and then in the next part we will have a look at it more closely. There are multiple steps to this exploit, as you can see, and I paused it every time; you have to press enter to continue. It looks very complicated, but we will have a look at it, and in the end you are presented with a shell where you can execute shell commands, and it works nicely. You can see that my exploit looks fairly complicated; there seem to be a lot of steps involved, and I've seen write-ups already, or proof-of-concept codes from other people on IRC, that were simpler than what I did. But I'm proud of it; I did it myself and I'm very proud of it, and in the next video we will step through the exploit and look at what is actually happening. Here's also the output of the actual live server when I got the flag, and you can see here the user it's running with, and here the flag itself: hey, my girl doesn't work here. And if you remember my Twitter message from the beginning, what it did was I had this SHA-1 hash in there, which was generated by concatenating "liveoverflow-" with the flag, so just basically as a proof that I got the flag and solved the challenge before the end. And this time I did not just work through write-ups from other people; I solved it myself, which makes me very happy.

When you debug the binary in GDB, GDB will basically disable ASLR for this binary and all the addresses will be static, and in the end your exploit has to work with ASLR on the system enabled anyway, and you also have to write your exploit to interact with the remote service. So what I do is show you now how I can deal with it. I start the exploit and it's now waiting at a certain point, and basically now I can look in the processes and see that cookbook is running, and I can get the process ID from it, and then I can use GDB to attach to this process ID: gdb --pid= and then the PID of cookbook. Then I can attach to this process and start setting breakpoints and investigating the memory with the exploit running. And this is basically how I then developed my exploit: I always wrote a little part interacting with the process, set breakpoints, investigated memory, and so forth. See you in part two to analyze my exploit step by step.
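The two things the reverse engineering above pins down are (a) the remove-cookbook-name and discard-recipe handlers call free() on a global pointer without resetting it, while the add-ingredient submenu does reset its pointer, and (b) an ingredient is laid out as calories at +0, price at +4 and the name memcpy'd to +8 via a temporary heap buffer that is freed afterwards. The following C model is an added example, not code from the video or from the challenge binary: it reproduces the vulnerable free pattern next to the hardened one and the recovered structure layout. The 32-byte inline name buffer, the function names, and the calloc for new_ingredient are assumptions made for the example; the binary's real sizes beyond the 0x4C-byte recipe are not stated in the video.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ingredient layout as recovered in the video: calories at +0, price at +4,
 * name memcpy'd to +8. The binary's real allocation size for an ingredient is
 * not given in the video; the 32-byte inline name buffer is an assumption. */
struct ingredient {
    int32_t calories;   /* +0, written by set calories */
    int32_t price;      /* +4, written by set price */
    char    name[32];   /* +8, written by give name */
};

/* Stand-ins for the binary's data-segment globals. */
static char *cookbook_name = NULL;
static struct ingredient *cur_ingredient = NULL;

/* "Give your cookbook a name": malloc(len) and keep the pointer globally. */
static int name_cookbook(size_t len)
{
    cookbook_name = malloc(len);
    return cookbook_name != NULL;
}

/* Vulnerable pattern from the remove-cookbook-name handler (capital R): the
 * global is freed but left dangling, so a second R frees the same chunk again
 * and glibc aborts with "double free or corruption (top)". Deliberately never
 * called twice in this file. */
static void remove_cookbook_name_vuln(void)
{
    free(cookbook_name);
}

/* Hardened version, the same discipline the add-ingredient submenu applies to
 * its own pointer: refuse NULL and reset the global after free().
 * Returns 1 if a name was freed, 0 if there was nothing to free. */
static int remove_cookbook_name_safe(void)
{
    if (cookbook_name == NULL)
        return 0;
    free(cookbook_name);
    cookbook_name = NULL;
    return 1;
}

/* "New ingredient": allocate and publish through the global (calloc assumed). */
static struct ingredient *new_ingredient(void)
{
    cur_ingredient = calloc(1, sizeof *cur_ingredient);
    return cur_ingredient;
}

/* Set calories / price: atoi() on the line read from stdin, as the binary does;
 * both return 0 when there is no current ingredient ("can't do it with null"). */
static int set_calories(struct ingredient *ing, const char *line)
{
    if (ing == NULL) return 0;
    ing->calories = (int32_t)atoi(line);
    return 1;
}

static int set_price(struct ingredient *ing, const char *line)
{
    if (ing == NULL) return 0;
    ing->price = (int32_t)atoi(line);
    return 1;
}

/* Give name: read into a temporary heap buffer, memcpy it to ingredient+8, then
 * free the temporary. free() does not wipe the bytes, which is why the name
 * shows up twice in the heap dump in the video. */
static int set_name(struct ingredient *ing, const char *line)
{
    if (ing == NULL) return 0;
    char *tmp = malloc(sizeof ing->name);
    if (tmp == NULL) return 0;
    memset(tmp, 0, sizeof ing->name);
    strncpy(tmp, line, sizeof ing->name - 1);
    memcpy((char *)ing + 8, tmp, sizeof ing->name);
    free(tmp);
    return 1;
}

/* Read a raw 32-bit word at an offset, like x/wx on the ingredient in GDB. */
static uint32_t word_at(const void *base, size_t off)
{
    uint32_t w;
    memcpy(&w, (const char *)base + off, sizeof w);
    return w;
}

int main(void)
{
    struct ingredient *ing = new_ingredient();
    set_calories(ing, "1");
    set_price(ing, "2");
    set_name(ing, "water");
    printf("+0 = %u  +4 = %u  +8 = \"%s\"\n",
           word_at(ing, 0), word_at(ing, 4), (const char *)ing + 8);
    free(ing);

    name_cookbook(0x20);
    remove_cookbook_name_vuln();   /* one R is fine; a second one here aborts */
    cookbook_name = NULL;          /* what the binary forgets to do */
    name_cookbook(0x20);
    int first = remove_cookbook_name_safe();
    int second = remove_cookbook_name_safe();
    printf("safe remove: %d, second attempt: %d\n", first, second);
    return 0;
}
```

Compile with `gcc -m32 -g` if you want the layout to match the 32-bit challenge exactly; the offsets 0, 4 and 8 come out the same on 64-bit because the two int32_t fields still occupy the first eight bytes. The one-line difference between the two remove functions (`cookbook_name = NULL` plus the NULL check) is the whole fix for the double free that "double free or corruption (top)" reports.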
Original Description
Part 1: reverse engineering the functionality of the cookbook binary with IDA
Part 2: Leaking heap address and libc base address
Part 3: Arbitrary write - House of Force
exploit: https://gist.github.com/LiveOverflow/dadc75ec76a4638ab9ea
#ReverseEngineering #CTF