There are plenty of great tutorials / writeups out there in the internet on these topics. As pwning is not my regular job I am documenting the topics I have learnt by reading other blogs/writeups and learning few topics in hard way. This also helps me to warmup the same topics from time to time and document some topics that I encountered and that which didn't go as smooth as the writeup. Also I will be updating the same topic from time to time with anything new I learnt. Like improving the exploit , finding new ways to solve the same topic by reading other blogs etc., some impressive methods of solving from other authors
The challenge is from https://ropemporium.com/ . I will be solving both 32 bit and 64 bit versions of the binary
Solving ret2win - 32 bit
Steps :
- Create a unique pattern
- Send the pattern
- Find the pattern offset after the crash from the EIP
- Find the address we wish to jump
- The create the final payload with the offset we wish to jump
pattern search 0x6161616b
We need to jump to ret2win ( 0x0804862c ) to get the flag
Writing the final exploit
Solving ret2win - 64 bit
This is quite similar like the 32 bit, however some notable difference in there. We will start by doing the same, pattern create 100 bytes, and sending the same as input
Finding the offset : Method 1
We see we cannot run pattern search from RIP because the maximum value RIP can hold is 0x00007fffffffffff. So we will use the value at RBP which we found after the crash. In terms of memory, the RIP location is 8 bytes after RBP. So lets find the offset at which RBP gets overwritten.
So RIP offset = RBP offset + 8 = 32 + 8 = 40
Finding the offset : Method 2 ( This method did not work with 32 bit version. I don't know why and I need to find out )
for i in $(seq 20 50); do echo "Sending Bytes $i"; python2 -c "print \"│A\"*$i"| ./ret2win >/dev/null;done
I observed that till the length Illegal instruction is triggered, its the offset. ( I am using Ubuntu 20.04.1 LTS )
We ran the exploit, but we didn't get our flag
So I decided to write the exploit in a file and then try to debug, why the exploit failed
An error related to some instruction movaps is encountered and reading few blogs / stackoverflow posts/ revealed that the issue is due to alignment ( https://stackoverflow.com/questions/54393105/libcs-system-when-the-stack-pointer-is-not-16-padded-causes-segmentation-faul )
We can overcome this with relatively easy way , putting a return address before the address we wish to jump.
We can use ROPGadget here to find a return address , a RET is sufficient for our payload which can be found at 0x0040053e
References
- https://faraz.faith/2019-07-19-rop-emporium-challenges/
- https://blog.lamarranet.com/index.php/rop-emporium-split-solution/
- https://bestestredteam.com/2020/05/08/rop-emporium-0x01/
- https://stackoverflow.com/questions/54393105/libcs-system-when-the-stack-pointer-is-not-16-padded-causes-segmentation-faul