Skip to main content

Solving Ropemporium - ret2win - 32 bit , 64 bit


There are plenty of great tutorials / writeups out there in the internet on these topics. As pwning is not my regular job I am documenting the topics I have learnt by reading other blogs/writeups and learning few topics in hard way. This also helps me to warmup the same topics from time to time and document some topics that I encountered and that which didn't go as smooth as the writeup. Also I will be updating the same topic from time to time with anything new I learnt. Like improving the exploit , finding new ways to solve the same topic by reading other blogs etc., some impressive methods of solving from other authors

The challenge is from https://ropemporium.com/ . I will be solving both 32 bit and 64 bit versions of the binary

Solving ret2win - 32 bit

Steps :

  • Create a unique pattern
  • Send the pattern
  • Find the pattern offset after the crash from the EIP
  • Find the address we wish to jump
  • The create the final payload with the offset we wish to jump
Creating a pattern of 100 bytes and sending it as input

pattern create 100

pattern search 0x6161616b


Offset is found at 44


We need to jump to ret2win ( 0x0804862c ) to get the flag

 Writing the final exploit


Solving ret2win - 64 bit

This is quite similar like the 32 bit, however some notable difference in there. We will start by doing the same, pattern create 100 bytes, and sending the same as input


Finding the offset : Method 1 

We see we cannot run pattern search from RIP because the maximum value RIP can hold is 0x00007fffffffffff. So we will use the value at RBP which we found after the crash. In terms of memory, the RIP location is 8 bytes after RBP. So lets find the offset at which RBP gets overwritten.


 So RIP offset = RBP offset + 8 = 32 + 8 = 40

Finding the offset : Method 2  ( This method did not work with 32 bit version. I don't know why and I need to find out )

 for i in $(seq 20 50); do echo "Sending Bytes $i"; python2 -c "print \"│A\"*$i"| ./ret2win >/dev/null;done

I observed that till the length Illegal instruction is triggered, its the offset. ( I am using Ubuntu 20.04.1 LTS )


Now that we have got the offset time to write the exploit. Please note this exploit will not work and I will explain why it wont work.

Before that we find the location where need to jump, i.e the location of ret2win which is at 0x00400756



We ran the exploit, but we didn't get our flag

So I decided to write the exploit in a file and then try to debug, why the exploit failed

An error related to some instruction  movaps is encountered and reading few blogs / stackoverflow posts/ revealed that the issue is due to alignment ( https://stackoverflow.com/questions/54393105/libcs-system-when-the-stack-pointer-is-not-16-padded-causes-segmentation-faul )   


We can overcome this with relatively easy way , putting a return address before the address we wish to jump.

We can use ROPGadget here to find a return address , a RET is sufficient for our payload which can be found at 0x0040053e



Fixing that , the exploit works perfectly and we can get the flag.


References

  • https://faraz.faith/2019-07-19-rop-emporium-challenges/
  • https://blog.lamarranet.com/index.php/rop-emporium-split-solution/
  • https://bestestredteam.com/2020/05/08/rop-emporium-0x01/
  • https://stackoverflow.com/questions/54393105/libcs-system-when-the-stack-pointer-is-not-16-padded-causes-segmentation-faul 

Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t
Read more

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin
Read more

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br
Read more