ROP ROP #2

ROP ROP #2

Before you proceed any further, make sure you have all the requirements fulfilled.

  • ASM knowledge
  • Debugger familiarity
  • GDB
  • Basic ROP knowledge
  • Brain

Setup

In this post, we will try to learn ROP (Return Oriented Programming) by using ropemporium split 32bit binary. Lets setup our machine for debugging by installing PEDA and downloading the target binary.

We have downloaded the binary and extracted it, time to start gdb.

Crash

This time I’ve placed a break point on the ret instruction at the end of pwnme function, I did that to show which value will overwrite our return pointer. Now once gdb hits our breakpoint, press ‘n’ to step over return and see how it works.

We’ve found the offset to control our EIP. Lets have a look at all the available functions

Disassemble the usefulFunction because it sounds too obvious here.

usefulFunction has a call to system() which takes a memory address to string ‘/bin/ls‘ as argument. What if we can return our EIP directly to 0x8048657 and place an address on stack to some other useful string? But for that we need to find these useful string first

The string at 0x804a030 looks perfect and we can use this memory address in our payload to achieve our goal.

Flag

In order to get the flag, we will create a payload which should have a pointer to string ‘/bin/cat flag.txt‘ on stack along with address of system().

We have our flag, can we use this issue to get a system shell instead?

/bin/sh

We saw that the binary imports fgets(), printf(), puts() and system() from GLIBC library. Also the checksec reports that this binary is not compiled with -fPIC flag (PIE: Disabled) which means that the binary will always be loaded at the same place in memory. Checkec also reports that this binary is NX enabled which means we can’t just execute anything from stack so we probably need to utilize ROP in order to bypass DEP/ASLR. How we can use all this info to attempt a successful exploitation in order to get a shell?

It looks like we need to leak some memory data from our target binary in order to craft a working payload. We will pass a memory address which will resolve to libc function at runtime to printf which will cause the binary to leak memory information. We also need to write our string ‘/bin/sh’ somewhere in the program memory which will be done in the data section of the binary. Lets use this info to craft our payload.

——END——

Leave a Reply

Your email address will not be published. Required fields are marked *