ROP ROP #6

Before you proceed any further, make sure you have all the requirements fulfilled.

  • ASM knowledge
  • Debugger familiarity
  • GDB
  • Basic ROP knowledge
  • Brain

Setup

In this post, we will try to learn ROP (Return Oriented Programming) by using ropemporium fluff 32bit binary. Lets setup our machine for debugging by installing PEDA and downloading the target binary.

We have downloaded the binary and extracted it, time to start gdb.

Crash

As with all the previous ropemporium 32bit binaries, our return pointer overwrite happened at 44 offset from first character of our payload.

Gadgets

I’ve shortlisted the gadgets above which we are going to use, please note that for the first gadget we can use a simpler instruction like pop ebx;ret but I’ve used this one to show the possibilities. Alright lets make the plan

  • xor edx with edx itself which will set edx to 0.
  • Pop value (buffer location) from stack to ebx
  • xor edx with ebx which will set edx=ebx because we already made it null.
  • Interchange edx with ecx, ecx now holds buffer pointer.
  • xor edx with edx again.
  • Pop value (‘/bin’) from stack to ebx 
  • xor edx with ebx which will set edx=ebx again.
  • Move data from from edx (‘/bin’) to memory location at ecx
  • Repeat the above step to move ‘/sh’ next to ‘/bin’.

Sounds great, lets run our program as server and craft our payload.

The problem here is the pop ebx gadget at 0x8048696 in our gadgets list followed by a xor instruction on the lower 1byte of EBX register which messes things a bit, lets check that in gdb.

As we can see, our /bin/sh string got messed up due to xor instruction, to overcome this we will simply pre xor the value in our payload so that it will become /bin/sh at our memory location, we will modify our bin and sh variable in our exploit.

Everything is in place so lets test our exploit.

The Leak!

This method is the exact similar to write4 method which I’ve posted earlier. For this method we can modify our exploit to accept an input at our arbitrary memory location which we can reference later on to system() without needing to worry about calculating offsets. We will modify our second payload to use fgets() to copy our input buffer to our decided memory location but in order to do that, we need need to modify our first payload to leak the file pointer which is a required argument for fgets(). Below is our newly created exploit for this method

Time to test our new methodology and see if it works or not.

There can be multiple solutions for the same problem and the only barrier is our creativity and imagination.

——END——

Published by

Leave a Reply

Your email address will not be published. Required fields are marked *