hso groupie

What

hso groupie is a pwnable challenge in Real World CTF 4th. The challenge asks
players to write an exploit for the pdftohtml utility in Xpdf 4.03, running on
Debian unstable. The intended bug is the one documented in
"A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution".

The bug is also not fixed in Poppler as of Jan 23.
I picked the original Xpdf for this challenge because of a few
funny sanity checks,
which can be trivially bypassed since JBIG2Stream::readPageInfoSeg is just too
buggy; that might give extra lulz.

Team ‘NeSE’ solved it within the first 90 minutes of the game, likely because
they had a prepared exploit ready for the same target. In hindsight, since the
bug was quite popular, the challenge probably just shouldn’t have happened.

Is there a writeup?

No. I don’t have time for a full writeup.

The exploit really just does what this blog post
said, except for the “build a computer” part: there is no need to search memory
or do complicated exploit engineering due to the nature of the challenge (on
Linux, only a PoC exploit is needed instead of a weaponized one). A few
full-adders are enough to compute an address at a fixed offset and run
system("whatever").
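As an added illustration (not the challenge author's exploit code) of why "a few full-adders" suffice: JBIG2 region composition only offers OR, AND, XOR and XNOR between bitmaps, so the model below builds a full adder from those four operators and chains 64 of them to add a constant offset to a base address. The one-bit-per-pixel model, the base address and the offset are constructed assumptions.

```python
# Added example, not the challenge's exploit: model of the "a few full-adders"
# computation. Every bit of the result must come out of chained JBIG2 compose
# operations, so bits are modelled as 0/1 ints and each gate is one compose.

WIDTH = 64  # model a 64-bit address


def jbig2_compose(op, a, b):
    """The four JBIG2 combination operators, applied to one pixel each."""
    if op == "OR":
        return a | b
    if op == "AND":
        return a & b
    if op == "XOR":
        return a ^ b
    if op == "XNOR":
        return 1 - (a ^ b)  # XNOR against a zero pixel doubles as NOT
    raise ValueError(op)


def full_adder(a, b, cin):
    """Sum and carry-out of one bit position, built from five compose ops."""
    axb = jbig2_compose("XOR", a, b)
    s = jbig2_compose("XOR", axb, cin)
    cout = jbig2_compose("OR",
                         jbig2_compose("AND", a, b),
                         jbig2_compose("AND", axb, cin))
    return s, cout


def to_bits(value, width=WIDTH):
    """Little-endian bit list: one 'pixel' per bit."""
    return [(value >> i) & 1 for i in range(width)]


def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def ripple_add(x, y, width=WIDTH):
    """Add two width-bit values with a chain of full adders (wraps mod 2**width)."""
    out, carry = [], 0
    for a, b in zip(to_bits(x, width), to_bits(y, width)):
        s, carry = full_adder(a, b, carry)
        out.append(s)
    return from_bits(out)  # the final carry is dropped, like pointer arithmetic


def address_at_offset(base, offset, width=WIDTH):
    """The computation the post describes: a base address plus a fixed offset."""
    return ripple_add(base, offset, width)


if __name__ == "__main__":
    BASE = 0x00007F3A1C200000    # constructed sample value, not a real leak
    OFFSET = 0x000000000004F5E0  # constructed sample distance
    print(hex(address_at_offset(BASE, OFFSET)))
```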

The exploit code is also (hopefully) reasonably readable, so you may just read
that.
