I made a challenge named JunkAV for RWCTF 3rd. It is an OOB write vulnerability caused by UPX processing a PE program. Congratulations to CodeR00t and 217, who solved it during the game.
Thanks to @leommxj for contributing to this challenge.
The vulnerability is in the PeFile::rebuildRelocs function of pefile.cpp in UPX 3.96.
When the unoptimizeReloc function is called:
- The size of relocn can be controlled by the user, so the allocation size is user-controlled.
- The code at lines 1024-1033 flips the data in place.
- Because the data is flipped afterwards, the jc variable on line 1021 becomes controllable, and the OOB write finally happens on line 1023.
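The bug class described above is a count-then-fill pattern: the output buffer is sized by a first pass over the relocation stream, and a second pass then writes into it while also modifying image bytes. If the stream lives inside the region being modified, the second pass can see more entries than the first pass counted, and the write index runs past the allocation. The following is an added illustration, not UPX's code: it uses a hypothetical, deliberately simplified stream format (one non-zero delta byte per entry, a zero byte terminates, and the 4 bytes at the fix-up offset are byte-swapped) and shows the bounds check a hardened second pass needs, plus a constructed image whose stream overlaps its own fix-up so that the flip turns the terminator into a new entry.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical simplified relocation stream (NOT UPX's real format):
 * a run of non-zero byte deltas terminated by a 0 byte. Each delta advances
 * jc, the image offset of the next fix-up; the 4 bytes at image+jc are then
 * byte-swapped ("flipped") in place, mirroring the data flip in the text. */

/* Pass 1: count entries so the caller can size the output buffer. */
static size_t count_relocs(const uint8_t *image, size_t image_len, size_t stream_off)
{
    size_t n = 0;
    for (size_t i = stream_off; i < image_len && image[i] != 0; i++)
        n++;
    return n;
}

/* Reverse the byte order of a 4-byte field in place. */
static void flip4(uint8_t *p)
{
    uint8_t t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1];         p[1] = p[2]; p[2] = t;
}

/* Pass 2, hardened: every store into out[] and every flip is bounds-checked.
 * Returns 0 on success, -1 if the stream (possibly mutated by earlier flips)
 * yields more entries than out_cap or a flip would fall outside the image.
 * Without the ic >= out_cap check this is exactly the OOB write shape. */
int unoptimize_relocs_checked(uint8_t *image, size_t image_len, size_t stream_off,
                              uint32_t *out, size_t out_cap, size_t *n_out)
{
    size_t ic = 0;
    uint32_t jc = 0;
    for (size_t i = stream_off; i < image_len && image[i] != 0; i++) {
        jc += image[i];
        if (ic >= out_cap)                 /* pass 2 disagrees with pass 1 */
            return -1;
        if ((size_t)jc + 4 > image_len)    /* flip would leave the image */
            return -1;
        out[ic++] = jc;
        flip4(image + jc);                 /* may rewrite stream bytes */
    }
    *n_out = ic;
    return 0;
}

/* Count-then-fill driver: allocate from the pass-1 count, then run pass 2
 * against that capacity. Returns 0 if consistent, -1 if pass 2 was rejected. */
int process_relocs(uint8_t *image, size_t image_len, size_t stream_off, size_t *n_out)
{
    size_t relocn = count_relocs(image, image_len, stream_off);
    if (relocn == 0) { *n_out = 0; return 0; }
    uint32_t *out = calloc(relocn, sizeof *out);
    if (!out) return -1;
    int rc = unoptimize_relocs_checked(image, image_len, stream_off, out, relocn, n_out);
    free(out);
    return rc;
}

/* Constructed image: stream at offset 4 is {3, 0}. Pass 1 counts 1 entry.
 * Pass 2 flips image[3..7) = {0,3,0,0} into {0,0,3,0}, so image[5] is now 3
 * and the stream gains a second entry; the hardened pass returns -1. */
int demo_self_overlapping_stream(void)
{
    uint8_t image[16] = {0};
    image[4] = 3;
    size_t n = 0;
    return process_relocs(image, sizeof image, 4, &n);
}

/* Constructed image whose fix-up (offset 8) does not touch the stream:
 * returns the number of entries produced, which matches the pass-1 count. */
size_t demo_benign_stream(void)
{
    uint8_t image[16] = {0};
    image[4] = 8;
    size_t n = 0;
    if (process_relocs(image, sizeof image, 4, &n) != 0)
        return (size_t)-1;
    return n;
}

int main(void)
{
    printf("self-overlapping stream: %d (expect -1)\n", demo_self_overlapping_stream());
    printf("benign stream entries:   %zu (expect 1)\n", demo_benign_stream());
    return 0;
}
```

The point of the check is that the second pass must not trust the first pass's count once the data it walks can change under it; the index into the output buffer has to be validated against the allocation at the store itself.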
Generated UPX-compressed program: