Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stage 3 - ROPi #46

Open
koddsson opened this issue Aug 15, 2016 · 9 comments
Open

Stage 3 - ROPi #46

koddsson opened this issue Aug 15, 2016 · 9 comments
Labels
type:pwn

Comments

@koddsson
Copy link
Member

Description

Ritorno orientata programmazione nc ropi.vuln.icec.tf 6500 download file

Solution

Flag is: ``
@koddsson
Copy link
Member Author

Some one just posted this on IRC:

@koddsson koddsson self-assigned this Aug 15, 2016
@koddsson
Copy link
Member Author

Here's a good guide I think

https://www.exploit-db.com/docs/28479.pdf

@koddsson
Copy link
Member Author

I think I have a decent idea how to follow the guides but my assembly-fu is lacking :(

@koddsson koddsson removed their assignment Aug 16, 2016
@koddsson
Copy link
Member Author

Oh yeah forgot to mention that this is probably a "Return-Oriented-Programming" exploit.

@ikornaselur
Copy link
Collaborator

Name seems to indicate it at least 😛

@ikornaselur
Copy link
Collaborator

The pdf guide there is really useful. Me being tired is not helpful though. I've been reading though it and it makes sense.

The application itself is really simple. Main function and four other functions:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  ezy();
  puts("addio!");
  return 0;
}

ssize_t ezy()
{
  char buf; // [sp+10h] [bp-28h]@1

  puts("Benvenuti al convegno RetOri Pro!\nVuole lasciare un messaggio?");
  fflush(stdout);
  return read(0, &buf, 0x40u);
}

int __cdecl ret(int a1)
{
  if ( a1 != -1159991569 )
  {
    puts("chiave sbagliata! :(");
    exit(1);
  }
  fd = open("./flag.txt", 0);
  puts("[+] aperto");
  return fflush(stdout);
}

int __cdecl ori(int a1, int a2)
{
  if ( a1 != -1412567041 && a2 != 2018915346 )
  {
    puts("chiave sbagliata! :((");
    exit(1);
  }
  read(fd, &dati, 0x80u);
  puts("[+] leggi");
  return fflush(stdout);
}

int pro()
{
  puts("[+] stampare");
  printf("%s", &dati);
  return fflush(stdout);
}

Basically we need somehow to call ret, ori and pro in succession to print out the flag.

Will read further up on the ROP attack tomorrow (or just this weekend, it's hard to concentrate after a whole day or work)

@ikornaselur ikornaselur removed their assignment Aug 17, 2016
@ikornaselur
Copy link
Collaborator

ikornaselur commented Aug 17, 2016
edited
Loading

Screw it, I want to solve this.

Here are found ROP gadgets using this tool

Gadgets information
============================================================
0x08048917 : adc al, 0x41 ; ret
0x08048612 : add al, 0x24 ; mov al, byte ptr [0xe8080487] ; ret
0x08048490 : add al, 0x24 ; xor al, 0xa0 ; add al, 8 ; call eax
0x080484cd : add al, 0x24 ; xor al, 0xa0 ; add al, 8 ; call edx
0x080484cb : add al, 0xc7 ; add al, 0x24 ; xor al, 0xa0 ; add al, 8 ; call edx
0x080484f8 : add al, 8 ; add ecx, ecx ; ret
0x08048494 : add al, 8 ; call eax
0x080484d1 : add al, 8 ; call edx
0x08048478 : add al, 8 ; cmp eax, 6 ; ja 0x8048487 ; ret
0x0804867c : add byte ptr [eax], al ; add byte ptr [eax], al ; leave ; ret
0x0804867d : add byte ptr [eax], al ; add cl, cl ; ret
0x08048390 : add byte ptr [eax], al ; add esp, 8 ; pop ebx ; ret
0x0804867e : add byte ptr [eax], al ; leave ; ret
0x08048914 : add cl, byte ptr [eax + 0xe] ; adc al, 0x41 ; ret
0x0804867f : add cl, cl ; ret
0x08048910 : add eax, 0x2300e4e ; dec eax ; push cs ; adc al, 0x41 ; ret
0x080484f5 : add eax, 0x804a044 ; add ecx, ecx ; ret
0x080484b2 : add eax, edx ; sar eax, 1 ; jne 0x80484bf ; ret
0x080484fa : add ecx, ecx ; ret
0x080486e9 : add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x08048392 : add esp, 8 ; pop ebx ; ret
0x0804851a : and al, 0x10 ; lahf ; add al, 8 ; call eax
0x08048491 : and al, 0x34 ; mov al, byte ptr [0xd0ff0804] ; leave ; ret
0x080484ce : and al, 0x34 ; mov al, byte ptr [0xd2ff0804] ; leave ; ret
0x080484ca : and al, 4 ; mov dword ptr [esp], 0x804a034 ; call edx
0x08048378 : call 0x8048466
0x08048496 : call eax
0x080484d3 : call edx
0x080484b5 : clc ; jne 0x80484bc ; ret
0x0804847b : clc ; push es ; ja 0x8048484 ; ret
0x0804847a : cmp eax, 6 ; ja 0x8048485 ; ret
0x08048915 : dec eax ; push cs ; adc al, 0x41 ; ret
0x08048566 : dec ecx ; ret
0x08048911 : dec esi ; push cs ; xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret
0x080486e8 : fild word ptr [ebx + 0x5e5b1cc4] ; pop edi ; pop ebp ; ret
0x0804848d : in al, dx ; sbb bh, al ; add al, 0x24 ; xor al, 0xa0 ; add al, 8 ; call eax
0x08048918 : inc ecx ; ret
0x08048610 : inc edi ; add al, 0x24 ; mov al, byte ptr [0xe8080487] ; ret
0x080484f6 : inc esp ; mov al, byte ptr [0xc9010804] ; ret
0x0804847d : ja 0x8048482 ; ret
0x080488d7 : jmp dword ptr [ecx]
0x080484b6 : jne 0x80484bb ; ret
0x080486e7 : jne 0x80486d1 ; add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804851c : lahf ; add al, 8 ; call eax
0x08048498 : leave ; ret
0x080486ea : les ebx, ptr [ebx + ebx*2] ; pop esi ; pop edi ; pop ebp ; ret
0x08048393 : les ecx, ptr [eax] ; pop ebx ; ret
0x080484f7 : mov al, byte ptr [0xc9010804] ; ret
0x08048493 : mov al, byte ptr [0xd0ff0804] ; leave ; ret
0x080484d0 : mov al, byte ptr [0xd2ff0804] ; leave ; ret
0x08048614 : mov al, byte ptr [0xe8080487] ; ret
0x08048477 : mov al, byte ptr [0xf8830804] ; push es ; ja 0x8048488 ; ret
0x080484f4 : mov byte ptr [0x804a044], 1 ; leave ; ret
0x08048518 : mov dword ptr [esp], 0x8049f10 ; call eax
0x0804848f : mov dword ptr [esp], 0x804a034 ; call eax
0x080484cc : mov dword ptr [esp], 0x804a034 ; call edx
0x0804867b : mov eax, 0 ; leave ; ret
0x08048460 : mov ebx, dword ptr [esp] ; ret
0x0804845f : nop ; mov ebx, dword ptr [esp] ; ret
0x0804845d : nop ; nop ; mov ebx, dword ptr [esp] ; ret
0x0804845b : nop ; nop ; nop ; mov ebx, dword ptr [esp] ; ret
0x080486f8 : nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; ret
0x080486f9 : nop ; nop ; nop ; nop ; nop ; nop ; nop ; ret
0x080486fa : nop ; nop ; nop ; nop ; nop ; nop ; ret
0x080486fb : nop ; nop ; nop ; nop ; nop ; ret
0x080486fc : nop ; nop ; nop ; nop ; ret
0x080486fd : nop ; nop ; nop ; ret
0x080486fe : nop ; nop ; ret
0x080486ff : nop ; ret
0x08048617 : or al, ch ; ret
0x08048495 : or bh, bh ; ror cl, 1 ; ret
0x080484d2 : or bh, bh ; ror cl, cl ; ret
0x08048479 : or byte ptr [ebx + 0x17706f8], al ; ret
0x080484f9 : or byte ptr [ecx], al ; leave ; ret
0x080484b1 : pop ds ; add eax, edx ; sar eax, 1 ; jne 0x80484c0 ; ret
0x080486ef : pop ebp ; ret
0x080486ec : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x08048395 : pop ebx ; ret
0x080486ee : pop edi ; pop ebp ; ret
0x080486ed : pop esi ; pop edi ; pop ebp ; ret
0x08048916 : push cs ; adc al, 0x41 ; ret
0x08048912 : push cs ; xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret
0x08048695 : push ebx ; call 0x8048467
0x0804847c : push es ; ja 0x8048483 ; ret
0x08048694 : push esi ; push ebx ; call 0x8048468
0x080484b3 : rcl cl, 1 ; clc ; jne 0x80484be ; ret
0x0804837e : ret
0x080484ae : ret 0xeac1
0x0804819c : ret 0xf3a5
0x08048497 : ror cl, 1 ; ret
0x080484d4 : ror cl, cl ; ret
0x080484b4 : sar eax, 1 ; jne 0x80484bd ; ret
0x08048461 : sbb al, 0x24 ; ret
0x080486eb : sbb al, 0x5b ; pop esi ; pop edi ; pop ebp ; ret
0x0804848e : sbb bh, al ; add al, 0x24 ; xor al, 0xa0 ; add al, 8 ; call eax
0x080484af : shr edx, 0x1f ; add eax, edx ; sar eax, 1 ; jne 0x80484c2 ; ret
0x08048375 : sub esp, 8 ; call 0x8048469
0x08048492 : xor al, 0xa0 ; add al, 8 ; call eax
0x080484cf : xor al, 0xa0 ; add al, 8 ; call edx
0x08048476 : xor al, 0xa0 ; add al, 8 ; cmp eax, 6 ; ja 0x8048489 ; ret
0x08048913 : xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret

Unique gadgets found: 101

@ikornaselur
Copy link
Collaborator

Linked libs, like from the guide

(venv)rogueacid@rogueacid:~/icectf/ropi$ cat /proc/29097/maps
08048000-08049000 r-xp 00000000 fd:01 668170                             /home/rogueacid/icectf/ropi/ropi_1335922d55bc23ddc49a8c5077723113d5cddf02756ad8231e96058188bfc249
08049000-0804a000 r--p 00000000 fd:01 668170                             /home/rogueacid/icectf/ropi/ropi_1335922d55bc23ddc49a8c5077723113d5cddf02756ad8231e96058188bfc249
0804a000-0804b000 rw-p 00001000 fd:01 668170                             /home/rogueacid/icectf/ropi/ropi_1335922d55bc23ddc49a8c5077723113d5cddf02756ad8231e96058188bfc249
f7e23000-f7e24000 rw-p 00000000 00:00 0 
f7e24000-f7fc9000 r-xp 00000000 fd:01 788369                             /lib32/libc-2.19.so
f7fc9000-f7fcb000 r--p 001a5000 fd:01 788369                             /lib32/libc-2.19.so
f7fcb000-f7fcc000 rw-p 001a7000 fd:01 788369                             /lib32/libc-2.19.so
f7fcc000-f7fd0000 rw-p 00000000 00:00 0 
f7fda000-f7fdb000 rw-p 00000000 00:00 0 
f7fdb000-f7fdc000 r-xp 00000000 00:00 0                                  [vdso]
f7fdc000-f7ffc000 r-xp 00000000 fd:01 788362                             /lib32/ld-2.19.so
f7ffc000-f7ffd000 r--p 0001f000 fd:01 788362                             /lib32/ld-2.19.so
f7ffd000-f7ffe000 rw-p 00020000 fd:01 788362                             /lib32/ld-2.19.so
fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]

Based on the screenshot from above.. this is probably dynamic and needs to be found out 'on the fly'?

@ikornaselur
Copy link
Collaborator

ikornaselur commented Aug 17, 2016
edited
Loading

Okay, so, game plan using the rop gadgets:

  1. Call ret with the first param as -1159991569
  2. Call ori with the first param -1412567041 and second param as 2018915346
  3. Call pro
  4. ???
  5. Profit!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:pwn
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@koddsson @ikornaselur