Aoool: My challenge for DEFCON CTF Finals 2019

Tags: #defcon, #ctf, #pwn.

This is a quick blog post discussing aoool, a challenge/service I wrote for DEFCON CTF Finals 2019 (co-hosted with the OOO team).

In short, aoool is a C++ web server with support for a custom nginx-like config and support for OSL, the OOO Scripting Language, a (simple) JITted language written from scratch.

Depending on the configuration, the server would interpret a given file as raw text or as osl. When interpreted as raw text, the server would just return the file to the user as-is. When interpreted as osl, instead, the server would actually JIT the OSL script (that is, it would convert OSL textual representation to machine code) and execute it.

OSL is quite simple, but it supports both integer and strings variables. However, it (intentionally) did not support any command that would allow attackers to easily shell-out and steal flags that way.

The intended bugs: OSL implementation actually had 5/6 intended type confusion bugs in the JITter (e.g., you could add strings to integer, and that would lead to some interesting pointer manipulation primitives). There were also a couple of logic bugs that, for example, would allow attackers to leak flags by combining path traversals bugs with log-leaking functionality.

I've open sourced the service on github.

There you can find more notes on the service, the implementation of OSL, the JITter (if you grep for bug, you will find some detailed notes on the intended bugs), and my exploits.