160 - Some Browser Exploitation and a Format String Bug?
A format-string bug in the Trackmania Forever server, reachable by any connected client. A pretty straightforward bug: input from a client RPC gets printed on the server, with the client's bytes used as the format string.
The context is a bit more interesting though. Because the print happens on the server, exploitation is blind, and unlike most format-string CTF challenges the printed string lives on the heap rather than the stack, so there is no easy way to pop arguments until you reach pointers you control. However, with no PIE and a statically linked binary, offsets are predictable, and the author pulled off a neat chain by targeting the saved base pointers on the stack (which themselves point at other stack slots) to build a write gadget, then used that to bootstrap a more useful primitive.
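As an added example, not code from the Trackmania server or from the author's write-up, the following shows the shape of the bug beside its fix: a hypothetical server logging wrapper (server_log) over vsnprintf, a handler that passes the client's message as the format, and the one-token fix of passing it as an argument to a "%s" format. A small helper counts format directives in a message, the kind of cheap server-side check you would log on since the client never sees the output. The client message is constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical server logging routine: a thin wrapper over vsnprintf. This
 * shape is common in real servers and hides the printf call from the
 * compiler's -Wformat-security check, which is how such bugs survive. */
int server_log(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable handler: the client's bytes become the format string, so any
 * %x/%p/%n in the RPC is honoured by the server. Output goes to the server's
 * log, not back to the client, which is what makes exploitation blind. */
int handle_rpc_vuln(char *out, size_t n, const char *client_msg) {
    return server_log(out, n, client_msg);
}

/* Fixed handler: the client's bytes are an argument, never the format. */
int handle_rpc_fixed(char *out, size_t n, const char *client_msg) {
    return server_log(out, n, "%s", client_msg);
}

/* Count conversion directives in an untrusted string ("%%" is a literal
 * percent, not a directive). Useful as an indicator when reviewing logs:
 * a player name or chat line containing %n is never legitimate. */
int directives_in(const char *s) {
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }  /* escaped percent */
        count++;
    }
    return count;
}

/* Constructed client message: the doubled %% is collapsed by the vulnerable
 * path and preserved by the fixed one, which is the observable difference. */
static const char CLIENT_MSG[] = "gg 100%% legit";

int main(void) {
    char buf[64];
    handle_rpc_vuln(buf, sizeof buf, CLIENT_MSG);
    printf("vuln : %s\n", buf);
    handle_rpc_fixed(buf, sizeof buf, CLIENT_MSG);
    printf("fixed: %s\n", buf);
    printf("directives in \"%%x%%x%%n\": %d\n", directives_in("%x%x%n"));
    return 0;
}
```

The "%%" test input is chosen deliberately: it demonstrates that the formatter is interpreting attacker bytes without reading undefined varargs the way %x or %p would, so the demo is safe to run. In the real bug the same interpretation is what lets %n write through whatever pointers the stack happens to hold.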
A couple of integer overflows in the Windows kernel, reachable through the registry. The core problem is that a 16-bit integer is used for the Count field storing the number of subkeys inside an index. Under normal circumstances, when adding new subkeys the registry will automatically split the index so you won't have more than ~1000 subkeys in one, but you can import an arbitrarily formatted index, and using this you can craft one with 65535 keys. Add one more key and it will overflow the Count field back to 0.
This becomes an issue in conjunction with the _CM_KEY_NODE.SubKeyCounts value, which should remain consistent with the Count field but is a 32-bit integer. So Count overflows to 0 and the key is written at index 0, but SubKeyCounts goes beyond 0xFFFF, and when doing a lookup by number the list may be accessed directly with an index greater than 0xFFFF, leading to an out-of-bounds access.
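To make the two-counter problem concrete, here is an added toy model, not the NT kernel's code or structures: an index leaf with a 16-bit count (standing in for Count) and an owning node with a 32-bit subkey_counts (standing in for _CM_KEY_NODE.SubKeyCounts). Importing 65535 keys and then adding more shows the wrap, the write to slot 0, and a lookup by ordinal that passes the 32-bit check but indexes past what the leaf holds. The model reports the out-of-bounds access instead of performing it; the leaf capacity, the cell values and the "consistency check" fix are all assumptions of the model.

```c
#include <stdint.h>
#include <stdlib.h>

/* Model of an index leaf: Count is 16-bit, as the page describes, so
 * 65535 + 1 wraps to 0. capacity exists only so the model can say where the
 * backing cell ends. */
struct index_leaf {
    uint32_t capacity;     /* slots actually backed by the cell (model only) */
    uint16_t count;        /* 16-bit, wraps at 65536 */
    uint32_t entries[];    /* cell references of the subkeys */
};

/* Model of the owning key node: the 32-bit mirror of count does not wrap. */
struct key_node {
    uint32_t subkey_counts;
    struct index_leaf *index;
};

#define LEAF_CAPACITY 65536u

struct key_node *make_key_node(void) {
    struct key_node *n = calloc(1, sizeof *n);
    n->index = calloc(1, sizeof(struct index_leaf) + LEAF_CAPACITY * sizeof(uint32_t));
    n->index->capacity = LEAF_CAPACITY;
    return n;
}

void free_key_node(struct key_node *n) { free(n->index); free(n); }

/* Append one subkey the way an import would: the entry goes to slot Count,
 * then both counters advance, but only Count is narrow enough to wrap. */
void add_subkey(struct key_node *n, uint32_t cell) {
    struct index_leaf *leaf = n->index;
    leaf->entries[leaf->count] = cell;   /* 16-bit slot, so always < 65536 */
    leaf->count++;                       /* 65535 + 1 -> 0 */
    n->subkey_counts++;                  /* 65535 + 1 -> 65536 */
}

/* Import num subkeys with constructed cell values 0x1000 + i. */
void import_subkeys(struct key_node *n, uint32_t num) {
    for (uint32_t i = 0; i < num; i++) add_subkey(n, 0x1000u + i);
}

enum { LOOKUP_OK = 0, LOOKUP_RANGE = -1, LOOKUP_INCONSISTENT = -2, LOOKUP_OOB = -3 };

/* Lookup by ordinal as the bug works: the range check trusts the 32-bit
 * SubKeyCounts, so an ordinal beyond what the leaf holds gets through.
 * The model returns LOOKUP_OOB where real code would read past the cell. */
int lookup_by_number_vuln(const struct key_node *n, uint32_t ordinal, uint32_t *cell) {
    if (ordinal >= n->subkey_counts) return LOOKUP_RANGE;
    if (ordinal >= n->index->capacity) return LOOKUP_OOB;
    *cell = n->index->entries[ordinal];
    return LOOKUP_OK;
}

/* Hardened lookup (assumed fix, not Microsoft's): refuse an index whose
 * 16-bit Count disagrees with the node's SubKeyCounts, since a well-formed
 * hive never has them differ, and bound the ordinal by the leaf's own Count. */
int lookup_by_number_fixed(const struct key_node *n, uint32_t ordinal, uint32_t *cell) {
    const struct index_leaf *leaf = n->index;
    if (n->subkey_counts != leaf->count) return LOOKUP_INCONSISTENT;
    if (ordinal >= leaf->count) return LOOKUP_RANGE;
    *cell = leaf->entries[ordinal];
    return LOOKUP_OK;
}
```

The interesting state is reached in two steps: the 65536th key wraps count to 0 while subkey_counts becomes 65536, and the 65537th key is then written to slot 0, overwriting the first entry. From there any ordinal between the leaf's capacity and subkey_counts passes the vulnerable check, which is the out-of-bounds access the page describes. A real fix also has to validate the imported hive before trusting either field; the consistency check above only stops the lookup from using a pair that has already diverged.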