[DEF CON CTF 2017 quals] faggin write-up

faggin is the last pwnable challenge in the DEF CON 2017 quals. I did not solve it during the CTF, and there are no write-ups for this challenge, so I wrote this article.

faggin is an Intel 4004 emulator; the Intel 4004 was invented by Federico Faggin.
I used a FLIRT signature I made to make reversing easier.
After a quick reverse (about 10 minutes), it was easy to find out:
  1. It accepts 0x800 bytes as opcodes and stores them on the stack.
  2. The main function is an interpreter (a VM); the handlers are a 256-entry function pointer array on the stack.
  3. The rough structure of the interpreter (see picture).
  4. The logic is relatively complex; I could not figure out what it is doing.
  5. A rough understanding of some of the instruction handlers' semantics.
Then I decided to fuzz all the opcodes.
Fuzzing tips:
  1. Avoid the useless instructions.
  2. Avoid the instructions that loop forever (black holes).
  3. I did not implement any module to detect the crash (it is easy to implement with pwntools' "process" module); I was too lazy to do that, and a crash is easy to trigger (about 10 runs or so).
Fuzzing findings:
  1. It is possible to modify the function pointer array.
  2. Suspicious function sub_0x8049740.
  3. Out-of-bounds write (3 places).
  4. Possible to modify the function pointer array starting from offset 0x81.
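To show the bug class the fuzzing turned up (a VM store whose 8-bit operand reaches a dispatch table laid out right after the VM's data) next to its fix, here is an added C example of my own; it is not the challenge binary or the author's code, and the instruction encoding, RAM_SIZE, the handler names and the table offset of 0x80 are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAM_SIZE  0x80   /* assumed VM data size; the real challenge layout differs */
#define NHANDLERS 256    /* one handler per 8-bit opcode, as in the write-up */

typedef struct vm vm_t;
typedef int (*handler_t)(vm_t *, uint8_t imm);   /* 0 = continue, 1 = halt, -1 = fault */
struct vm {
    uint8_t   ram[RAM_SIZE];        /* VM data memory, directly followed by ... */
    handler_t handlers[NHANDLERS];  /* ... the dispatch table, starting at byte 0x80 */
    uint8_t   acc;
};

static int op_ldi(vm_t *vm, uint8_t imm)  { vm->acc = imm; return 0; }
static int op_halt(vm_t *vm, uint8_t imm) { (void)vm; (void)imm; return 1; }
static int op_nop(vm_t *vm, uint8_t imm)  { (void)vm; (void)imm; return 0; }
/* Vulnerable STORE: trusts the 8-bit operand, so offsets 0x80..0xFF land in handlers[]. */
static int op_store_unchecked(vm_t *vm, uint8_t imm) {
    ((uint8_t *)vm)[imm] = vm->acc;     /* byte offset into the whole vm object */
    return 0;
}

/* Hardened STORE: the operand is checked against the region the VM may write. */
static int op_store_checked(vm_t *vm, uint8_t imm) {
    if (imm >= RAM_SIZE) return -1;     /* fault instead of corrupting the table */
    vm->ram[imm] = vm->acc;
    return 0;
}

void vm_init(vm_t *vm, int hardened) {
    memset(vm, 0, sizeof *vm);
    for (int i = 0; i < NHANDLERS; i++) vm->handlers[i] = op_nop;
    vm->handlers[0x00] = op_ldi;
    vm->handlers[0x01] = hardened ? op_store_checked : op_store_unchecked;
    vm->handlers[0x02] = op_halt;
}

/* Executes 2-byte instructions (opcode, operand). Returns 0 on halt/end, -1 on fault. */
int vm_run(vm_t *vm, const uint8_t *code, size_t len) {
    for (size_t pc = 0; pc + 1 < len; pc += 2) {
        int r = vm->handlers[code[pc]](vm, code[pc + 1]);
        if (r) return r == 1 ? 0 : -1;
    }
    return 0;
}
/* Reads one byte of the vm object, used to observe dispatch-table corruption. */
uint8_t vm_byte(const vm_t *vm, size_t off) { return ((const uint8_t *)vm)[off]; }
```

Running the constructed program LDI 0x41; STORE 0x81; HALT against the unchecked VM overwrites a byte of handlers[0], while the checked VM faults at the STORE and leaves the table intact.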
Exploit:
1. Reverse the semantics of the related opcode handler, and modify a function pointer to our first "add esp, **; ret;" gadget.
2. Do some ROP with my tool "autorop".
3. Useful gadget:
0x080a9439 : add esp, 0xc8 ; pop ebx ; ret
