INCTF Qualifiers - rop [400 pts]
Hey, guy’s recently I took part in the qualifiers for INCTF 2018. Here’s my shot at a writeup for the rop challenge which was a pwn challenge for 400 points. The challenge is a good one especially for a person who is new to binary exploitation.
A case of ROP
From the name of the challenge it’s kinda obvious that it has something to do with return oriented programming. We are presented with two files, one the binary itself and the other libc. We can confirm that this is indeed a rop challenge by running checksec on the binary we got.
As NX is enabled we cannot place shellcode to execute on the stack. Instead we can use the stack to point to so called rop gadgets in order to achieve what we want. These gadgets are known as rop gadgets. You can learn more about rop here and here.
What my plan was or is, was to use ROP and call system with /bin/sh. This should be simple enough if we know 3 things, the offset of the saved instruction pointer, the address of system, the address of the /bin/sh. What we’re basically doing is faking a function call, with the parameters and all.
Getting the offset of the saved instruction pointer is rather easy. I did this locally using ragg2 and r2.
Now let’s create an r2 profile file, nothing fancy.
Let’s run this and find the offset…
So we got the offset. Now moving on to the next part.
ASLR? What ASLR?
So it looks like the server hosting our binary has ASLR enabled, what this means is that libc is actually loaded at different addresses every run. So how do we counter this? Simple, we just need to leak a GOT address. Once we get the GOT address we can make use of that to recalculate our offset of our functions so that it’s correct. But won’t the program exit? It will, but we can prevent this by recalling the main function. Then we can easily supply our payload.
Using simple disassembly by r2 we can see that we have a puts function. Perfect we can make use of that to leak the address of the GOT. Once we get the leak, we can subtract our assumed aka default address with the leaked address. This is the amount of change in the address which we need to account for and recalculate our payload addresses with. This task seemingly daunting is highly simplified with pwn tools.
First we generate an exploit temaplate using pwn tools…
Then we add our exploit inbetween the start and interactive function calls.