Recently I've finished the Practical Malware Analysis book and I've wanted to familiarise myself a bit more with the Win32 API. After spending a good amount of time on setting up Visual Studio C++ for MASM (Microsoft Macro Assembler) I wanted to stab myself in the eye with a rusty …

Earlier this week I ran into a fairly old format string bug in the Exuberant Ctags implementation, and it turns out this particular issue was fixed back in November 2009. However it wasn't picked up by vendors at the time. This isn't a critical issue, but seeing this fixed in …

or, how I found multiple vulnerabilities on a lazy Sunday afternoon

Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2 I wanted to play with Ghidra to poke …

ret2csu, the final ROP Emporium challenge. This one is GLIBC-specific but nonetheless it is a fun exercise which forces you to look beyond the standard functions which the application author wrote and instead explore other parts of the binary which are essentially provided by the ecosystem.

Exploring the binary

Not …

The pivot challenge creates a situation where stack space is limited. This means that our full payload cannot be stored on the stack and instead must be located elsewhere in memory. However in order to start executing the code pointed to from the new stack we have to swap stacks …

Fluff was a challenge that is actually challenging, up to the point where you have a realisation and from there on it's fairly straightforward.

Exploring the binary

Nothing special going on still with this binary in terms of canaries or the likes:

[*] '/home/jasper/ropemporium/fluff/fluff'
    Arch:     amd64-64-little
    RELRO …

The previous challenge taught a very important pattern of "the mover" by performing chunked writes of arbitrary data into memory. This next challenge deals with a illegal or bad characters. Most everyone who has written exploits before has run into them at some point. Manually searching for which bytes are …

With basic knowledge of how the GOT and PLT work and how function calls go through them along with a basic understanding of the amd64 ABI calling convention we can start looking for real gadgets now. In fact in this assignment we'll look at a really helpful way of loading …

After familiarising ourselves with a simple buffer overflow in ret2win to overwrite the return address first, and then searching and using our first real gadget in split we will now focus on the Procedure Linkage Table (PLT). While here the functions that need to be called will all be using …

In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We'll look at finding our first gadget and how to go about using it in a chain.

Exploring the binary

First explore …