ROP Emporium - fluff

Fluff is a challenge that is actually challenging, up to the point where you have a realisation; from there on it’s fairly straightforward.

Exploring the binary

Still nothing special going on with this binary in terms of canaries or the like:

[*] '/home/jasper/ropemporium/fluff/fluff'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

And again usefulFunction() contains a reference to system():

[0x00400650]> afl
0x004005a0 3 26 sym.

ROP Emporium - badchars

The previous challenge taught a very important pattern, “the mover”, by performing chunked writes of arbitrary data into memory. This next challenge deals with illegal or bad characters. Almost everyone who has written exploits before has run into them at some point. Manually searching for which bytes are considered bad can be rather time consuming, so plenty of tools have incorporated automatic detection. In our case the input characters which will result in bad bytes have also been provided to us, to make it easier to focus on the actual exploit.

ROP Emporium - write4

With basic knowledge of how the GOT and PLT work and how function calls go through them, along with a basic understanding of the amd64 ABI calling convention, we can start looking for real gadgets now. In fact, in this assignment we’ll look at a really helpful way of loading arbitrary data into memory.

Exploring the binary

Just like before, let’s start off by exploring the binary a bit to get a feel for what we’re dealing with here:

ROP Emporium - callme

After familiarising ourselves with a simple buffer overflow in ret2win to overwrite the return address, and then searching for and using our first real gadget in split, we will now focus on the Procedure Linkage Table (PLT). Here the functions that need to be called will all take three arguments, exposing a little more of the amd64 calling convention.

Exploring the binary

It should be a familiar routine by now to check the binary for any compiled-in security measures, followed by looking for strings and functions.

ROP Emporium - split

In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We’ll look at finding our first gadget and how to go about using it in a chain.

Exploring the binary

First explore the binary to see what we’re up against:

$ rabin2 -I split | grep nx
nx       true
$ rabin2 -z split
[Strings]
Num Paddr      Vaddr      Len Size Section Type String
000 0x000008a8 0x004008a8 21  22   (.