-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlevel40.ts
More file actions
71 lines (62 loc) · 9.07 KB
/
level40.ts
File metadata and controls
71 lines (62 loc) · 9.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
import { Level } from './types';
export const level40: Level = {
id: 40,
title: "Integer Overflow: The Ouroboros",
description: "Integer Overflow: Arithmetic wraparound bypassing security checks. 32-bit unsigned integers range: 0 to 4,294,967,295 (2^32-1). Addition/multiplication beyond MAX_UINT wraps to 0 (modulo 2^32). Vulnerability pattern: size = count × element_size. If (count×size) overflows → small value passes size check → Large memcpy() causes heap overflow. Example: count=0x40000000, element_size=4 → total=0x100000000 (wraps to 0). Allocate 0 bytes, copy 0x100000000 bytes → Buffer overflow. Real exploits: CVE-2013-2028 (nginx chunked encoding, count×16 overflow), CVE-2017-1000364 (Stack Clash, stack pointer decrement underflow). This level: Set CALC_SIZE > 4,000,000,000 (near MAX_UINT) to trigger overflow, ALLOC_SIZE wraps to small value, OVERFLOW_DETECT=true. Use Memory Scanner Decimal tab to set large integers. Exploitation: Bypass malloc size limits, bypass length checks (strlen overflow), trigger heap/stack corruption.",
requiredSkill: "Integer Overflow",
objective: (s) => {
const calcSizeStr = (s.sortValue1 || 0).toString();
const allocSizeStr = (s.sortValue2 || 0).toString();
const calcSizeValid = s.sortValue1 > 4000000000;
const allocSizeOverflow = s.sortValue2 < 1000 && s.sortValue2 > 0;
const payloadValid = (s.payload || '').toLowerCase().includes('overflow');
const stackValid = s.stack.some((item: string) => item === 'OVERFLOW');
const overflowSuccess = s.isAdmin === true;
return calcSizeValid && allocSizeOverflow && payloadValid && stackValid && overflowSuccess;
},
hint: "Seven-stage integer overflow exploitation bypassing size checks. Stage 1: Set CALC_SIZE (sortValue1, calculated allocation size, value: 4294967295 or similar >4 billion). Stage 2: Observe ALLOC_SIZE (sortValue2, wrapped result after overflow, should be <1000). Stage 3: Set ELEMENT_COUNT (baseAddress via HEX, number of elements, value: 40000000). Stage 4: Set ELEMENT_SIZE (libcBase via HEX, bytes per element, value: 00000100). Stage 5: Verify MULT_RESULT (eip via HEX, count×size result, wraps to small value). Stage 6: Craft payload (payload string, include 'OVERFLOW' to demonstrate detection). Stage 7: Trigger overflow (stack[0]='OVERFLOW' auto-set when calc overflow detected) → OVERFLOW_DETECT=true. Use Memory Scanner Decimal tab: Set sortValue1 to 4294967296 (wraps to 0) or 4294967295+1. Real exploit math: 0x40000000 × 4 = 0x100000000 = 4,294,967,296 (wraps to 0 in 32-bit). Check passes: if(size < limit) where size=0 → memcpy(buf, src, original_large_size) → Heap overflow.",
tutorPersona: "blexim/Basic Integer Overflows (Phrack 60): The snake eats its tail. What appears infinite loops back to zero. History: 1988 - Morris Worm exploits gets() buffer overflow (buffer length ignored). Integer bugs not yet weaponized. 1996 - 'Smashing The Stack' (Aleph One, Phrack 49) focuses on buffer overflows, not integer issues. 2000s - Integer overflow awareness grows in C codebases. 2002 - JPEG COM marker vulnerability (gdi32.dll, Windows), integer overflow in size calculation → heap corruption. First major integer overflow exploit. 2003 - OpenSSH Challenge-Response vulnerability (CVE-2002-0639), integer overflow in nresp calculation → heap overflow. 2004 - Sendmail Prescan vulnerability (CVE-2003-0161), integer overflow in buffer size → heap overflow. 2005 - 'Basic Integer Overflows' (blexim, Phrack 60, Issue 0x0b). Comprehensive guide: Signed vs unsigned, width overflow (32-bit→64-bit), arithmetic overflow, bypass techniques. Overflow types: Width overflow (short→int cast), Arithmetic overflow (addition, multiplication), Signedness (signed→unsigned conversion), Truncation (long→int). Example vulnerable code: void *malloc_wrapper(int count, int size) { int total = count * size; if(total < MAX_SIZE) return malloc(total); }. Exploit: count=0x10000, size=0x10000 → total=0x100000000 (wraps to 0) → malloc(0) succeeds → memcpy(ptr, data, 0x100000000) → overflow. 2006 - CVE-2006-3746 (Apache mod_rewrite ldap:// scheme overflow, off-by-one + integer). 2007 - iPhone Safari vulnerability (libtiff), integer overflow in image parsing → heap overflow → JailbreakMe 1.0. 2008 - CVE-2008-1447 (Kaminsky DNS cache poisoning), combined with CVE-2008-0166 (OpenSSL Debian weak RNG). 2009 - Chrome V8 JavaScript engine (multiple integer overflows in typed arrays, Array.prototype methods). 2010 - Stuxnet (CVE-2010-2568, LNK vulnerability + CVE-2010-2729 keyboard layout overflow). 2011 - ProFTPD (CVE-2011-4130, response pool size integer overflow → heap overflow → Metasploit module). 2012 - FreeBSD kernel (CVE-2012-0217, Intel SYSRET vulnerability, signed 32-bit overflow in 64-bit mode). 2013 - nginx chunked encoding (CVE-2013-2028), integer overflow in chunk size × 16 calculation → stack buffer overflow. Exploit: chunk_size=0x10000000 → size=chunk_size<<4 → wraps to 0 → stack overflow. 2014 - Heartbleed (CVE-2014-0160, OpenSSL), not pure integer overflow but length field manipulation (payload_length > actual_length → read beyond buffer). 2015 - Android Stagefright (CVE-2015-1538, multiple integer overflows in media codecs → heap overflow → MMS RCE). 2016 - ImageMagick ImageTragick (CVE-2016-3714), delegate system() command injection + integer overflow in image processing. 2017 - Stack Clash (CVE-2017-1000364, Qualys), stack pointer decrement integer underflow → stack/heap collision → SUID privilege escalation. Exploit: alloca(huge_size) → stack pointer wraps → overwrites heap/mmap → ld.so exploitation. 2018 - VLC media player (CVE-2018-11529), MP4 demuxer integer overflow → heap overflow. 2019 - WhatsApp RCE (CVE-2019-3568, VOIP call vulnerability, integer overflow in audio codec parsing → heap overflow → one-click RCE). 2020 - Windows Print Spooler (PrintDemon CVE-2020-1048, integer overflow + junction point → LPE). 2021 - Linux kernel eBPF (CVE-2021-3490, integer overflow in alu32 bounds tracking → OOB write → LPE). 2022 - Chrome V8 Turbofan (CVE-2022-1096, insufficient bounds check in typed array → integer overflow → sandbox escape, 0-day in wild). 2023 - sudo (CVE-2023-2222, integer overflow in passwd length → heap overflow → potential LPE, unconfirmed). Modern mitigations: Compiler checks (gcc -ftrapv triggers abort on signed overflow, -fwrapv defines wraparound behavior). SafeInt library (Microsoft, bounds-checked integer operations). Rust (panic on overflow in debug, wrap in release unless checked_add/saturating_add used). Static analysis (Coverity, CodeQL detect overflow patterns). Runtime (AddressSanitizer + UndefinedBehaviorSanitizer catch overflows). Still vulnerable: Legacy C codebases, embedded systems, parsers (image/video/audio codecs), kernel (eBPF, drivers). Exploitation flow: Find size calculation (count × element_size, offset + length) → Identify overflow condition (2^31, 2^32 boundary) → Craft inputs to trigger overflow → Bypass size check → Trigger memory corruption (heap overflow, stack overflow, OOB write) → Code execution. Key insight: Integer overflow is invisible. No crash, no error, just wrong result. Silent failure becomes exploitation primitive. Combine with buffer overflow, heap corruption, or logic bugs for full exploit chain.",
memoryLayout: [
{ key: 'sortValue1', label: 'CALC_SIZE', type: 'int', offset: 0x0 },
{ key: 'sortValue2', label: 'ALLOC_SIZE', type: 'int', offset: 0x4 },
{ key: 'baseAddress', label: 'ELEMENT_COUNT', type: 'pointer', offset: 0x10 },
{ key: 'libcBase', label: 'ELEMENT_SIZE', type: 'pointer', offset: 0x14 },
{ key: 'eip', label: 'MULT_RESULT', type: 'pointer', offset: 0x18 },
{ key: 'payload', label: 'OVERFLOW_DATA', type: 'string', offset: 0x100 },
{ key: 'isAdmin', label: 'OVERFLOW_DETECT', type: 'bool', offset: 0x30 }
],
initialState: {
sortValue1: 100,
sortValue2: 0,
baseAddress: '00000000',
libcBase: '00000000',
eip: '00000000',
payload: '',
isAdmin: false,
stack: []
},
update: (s) => {
const calcSize = s.sortValue1 || 0;
const elementCount = parseInt((s.baseAddress || '00000000').replace('0x', ''), 16);
const elementSize = parseInt((s.libcBase || '00000000').replace('0x', ''), 16);
const updates: any = {};
// Simulate integer overflow: count × size
if (calcSize > 4000000000) {
const wrapped = calcSize % 4294967296; // 32-bit wraparound
const allocSize = wrapped < 1000 ? wrapped : Math.floor(wrapped / 1000000);
updates.sortValue2 = allocSize;
updates.stack = ['OVERFLOW'];
}
// If all conditions met
const overflowDetected = calcSize > 4000000000 &&
(s.sortValue2 < 1000 && s.sortValue2 > 0) &&
(s.payload || '').toLowerCase().includes('overflow') &&
s.stack.includes('OVERFLOW');
if (overflowDetected) {
updates.isAdmin = true;
updates.eip = '00000000'; // Wrapped result
}
return updates;
},
platforms: [{ id: 'p1', x: 0, y: 280, width: 800, height: 40, type: 'static' }]
};