Skip to main content

Reiterate the Concept of ROP back to basic ◉_◉ (day 60)


Back again with the ROP challenge this time we will go back again to basic training to strengthen our understanding more about this exploitation. You maybe start to get sick of me doing this loop of refreshing material, well this is just my preference of study since many people are so impatient and want to go to the next level but how can you go to the next level if you cannot master the basic right? ( this is the wisdom that I got for rewatching Avatar Last Airbender :) LOL)

alright cool!

This post was inspired by the 4th picoctf2014 challenge which is "rop4" (link: https://github.com/ctfs/write-ups-2013/tree/master/pico-ctf-2013/rop-4)

but I altered the source code little bit to align with my objective:

#include <stdio.h>
#include <unistd.h>
#include <string.h>

char exec_string[20];

void exec_the_string() {
    execlp(exec_string, exec_string, NULL);
}

void call_me_with_cafebabe(int cafebabe) {
    if (cafebabe == 0xcafebabe) {
        strcat(exec_string, "/sh");
    }
}

void call_me_with_two_args(int deadbeef, int cafebabe) {
    if (cafebabe == 0xcafebabe && deadbeef == 0xdeadbeef) {
        strcat(exec_string, "/bin");
    }
}

void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 512);
}

void main(){
    vulnerable_function();
}

so from this source code, we need to chain call_me_with_two_args and call_me_with_cafebabe function together to concatenate the string "/bin" and "/sh". Don't need to be confused with the execlp() function this is equivalent to execve() function


compile the following source code with this specification. We will turn off the canary and PIE protection in the binary but ASLR and NX is still on

I'm not going to waste your time we will skip the "how many offsets that we need" part and tell you that we need 140 offset to overwrite the EIP.

next is to craft the first phase of the payload that will set the "/bin" string to the global variable exec_string.

first, we need to know the location of this call_me_with_two_args :



For all of you who just start learning may incline to set the stack in the following way:

| call_me_with_two_args function        |
| call_me_with_cafebabe                      |
| param1                                              |
| param2                                              |
| param3 (for call_me_with_cafebabe) |

so after we successfully passed the two parameters for call_me_with_two_args function we will jump to call_me_with_cafebabe function with param3

but this is actually wrong and could mess up the flow of the ROP since the leftover variable from two parameters still reside in the stack we need to pop these two params and we can continue the execution

how to do that?

like the title suggests we are going to use ROP gadget to pop the stack, you can find it using peda by:


 

It's pretty simple to read the results, for example popret means that "pop x ; ret" (take out one value from the stack) and pop2ret means "pop x; pop x; ret" (take out two values from the stack). x is going to be the name of registers (ebx, esp, edi) it is doesn't matter what register you choose as long the sequence of the pop and ret is align with our execution

cool from this information we can supply the first phase of our rop to be like this


let's go through the execution one by one so we know that we set the stack right:



lets put a breakpoint at the end of vulnerable_function and run the peda with the python script we just create:

(gdb-peda) r <<< $(python exploit.py)





now if you step through the execution by typing:

(gdb-peda) ni

you will end up in the call_me_with_two_args function and if you look at the function there are two comparisons going just like the source code listed this will match the first two params that we passed in the ROP

 



we passed the two comparisons and if you remember from the source code that the "/bin" string will be stored in the global variable called exec_string and if we go down through the execution we can see it is stored in the address 0x804a024 and it was moved to the eax register.



and then along the line all it's left will be poping the stack



the first pop, take out the0x deadbeef from the stack



the second pop will be getting rid the 0xcafebabe value from our stack cool :)

so we know how the ROP gadget work in detail manner lets update script to called the second function which is call_me_with_cafebabe and with the parameter of 0xcafebabe and then finally called the exec_the_string() function to execute the shell





we need to get the location of the last two mentioned functions and then we construct our script to be like this:


If we execute the script again with peda when you try to debug it and try to examine the stack at the end of the execution you can see that we successfully go to the second function and bypass the comparison

 



finally, as you can see the global variable is concatenated with the "/sh" string and we can get a shell from it






you can try it by running the payload outside the gdb:



cool :) so we did it we are able to construct a working rop exploitation

that's all folks, hope you enjoy it


Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct
Post a Comment
Read More »

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi
Post a Comment
Read More »