{"id":944,"date":"2021-09-06T07:42:39","date_gmt":"2021-09-06T07:42:39","guid":{"rendered":"https:\/\/hackemall.live\/?p=944"},"modified":"2021-09-06T09:21:11","modified_gmt":"2021-09-06T09:21:11","slug":"write-up-counter-strike-squirrel-offensive-alles-ctf-2021","status":"publish","type":"post","link":"https:\/\/hackemall.live\/index.php\/2021\/09\/06\/write-up-counter-strike-squirrel-offensive-alles-ctf-2021\/","title":{"rendered":"Write-up \ud83d\udd25”Counter Strike: Squirrel Offensive” – ALLES! CTF 2021"},"content":{"rendered":"\n

This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug<\/a>.<\/p>\n\n\n\n

UAF by resizing array in sort compare function<\/h2>\n\n\n\n

The sort function of squirrel array is array_sort<\/code> in sqbaselib.cpp<\/code>, which will call _qsort<\/code>:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The r<\/code> index passed into _qsort<\/code> is fixed at the beginning, so by abusing array.resize<\/code> in compare function, we can retrieve dangling reference to freed objects through compare function parameters.<\/p>\n\n\n\n

By freeing a string then overlap it with an array, the _len<\/code> field of the freed SQString<\/code> object will be overwritten by the _sharedstate<\/code> field of the newly created SQArray<\/code>. It’s a pointer so the value will be very large, and we can use the dangling string to do arbitrary reading over a large heap space after it.<\/p>\n\n\n\n

Type confusion in regexp functions<\/h2>\n\n\n\n

_regexp_*<\/code> functions in sqstdstring.cpp<\/code> retrieve SQRex<\/code> object from the current object using SETUP_REX<\/code> macro:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The typetag<\/code> parameter is 0<\/code>, means that it will not check for type mismatch. So we can call _regexp_*<\/code> functions using any instance<\/code> object (examples: self-defined classes, external library classes like CS:GO script classes).<\/p>\n\n\n\n

Addresses leaking<\/h2>\n\n\n\n

As we have a long string by using UAF bug above, we can just spray a lot of CScriptKeyValues<\/code> and find one of them using last 2 bytes of SQInstance::vtable<\/code> as they will not be affected by Windows ASLR, then use confusion to watch for changes to _userpointer<\/code> field. But there are other instance<\/code> objects too, and we have no way to be sure that it’s a CScriptKeyValues<\/code> object.<\/p>\n\n\n\n

Fortunately, the tostring<\/code> method will return the type name and the address in memory of any object. For number and string it will just return the value. But we overlapped the freed string with an array, so we can get address of it by calling tostring<\/code> on the array. We can keep allocate new CScriptKeyValues<\/code> object until we get one that lies after our long string and in the range that we can read its data. I won’t go into detail of Source Engine heap in this writeup, but most of the time we will get a satisfied object without triggering Squirrel timeout watchdog.<\/p>\n\n\n\n

By reading the CScriptKeyValues<\/code> object, we can get these values:<\/p>\n\n\n\n