ret2csu, the final ROP Emporium challenge. This one is GLIBC-specific but nonetheless it is a fun exercise which forces you to look beyond the standard functions which the application author wrote and instead explore other parts of the binary which are essentially provided by the ecosystem. Exploring the binary Not much going on with this binary: jasper@ropper:~/ropemporium/ret2csu$ checksec ret2csu [*] '/home/jasper/ropemporium/ret2csu/ret2csu' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And as expected there is no usefulFunction or usefulGadgets:
The pivot challenge creates a situation where stack space is limited. This means that our full payload cannot be stored on the stack and instead must be located elsewhere in memory. However in order to start executing the code pointed to from the new stack we have to swap stacks! This is called pivoting and let’s get started. Exploring the binary The pivot binary is linked with libpivot.so: jasper@ropper:~/ropemporium/pivot$ checksec pivot [*] '/home/jasper/ropemporium/pivot/pivot' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) RPATH: '.
Fluff was a challenge that is actually challenging, up to the point where you have a realisation and from there on it’s fairly straightforward. Exploring the binary Nothing special going on still with this binary in terms of canaries or the likes: [*] '/home/jasper/ropemporium/fluff/fluff' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And again usefulFunction() contains a reference to system(): [0x00400650]> afl 0x004005a0 3 26 sym.
The previous challenge taught a very important pattern of “the mover” by performing chunked writes of arbitrary data into memory. This next challenge deals with a illegal or bad characters. Most everyone who has written exploits before has run into them at some point. Manually searching for which bytes are considered bad can be rather time consuming so plenty of tools have incorporated automatic detection. In our case the input characters which will result in badbytes have also been provided to us to make it easier to focus on the actual exploit.
With basic knowledge of how the GOT and PLT work and how function calls go through them along with a basic understanding of the amd64 ABI calling convention we can start looking for real gadgets now. In fact in this assignment we’ll look at a really helpful way of loading arbitrary data into memory. Exploring the binary Just like before, let’s start off by exploring the binary bit to get a feel for what we’re dealing with here: