Ret2Win
Last updated
Hello there! "ret2win" is the first ROP (Return Oriented Programming) challenge from ROP Emporium, and it is pretty easy to solve.
In this challenge we don't have any source code to analyze. To begin, we can check which protections are compiled into the binary. checksec is a useful tool for this validation.
Well, we can see that NX is enabled in the binary, therefore we can't run shellcode from the stack and have to reuse code that already exists in the binary.
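To show what the NX line of checksec actually reads from the file, here is an added example (not code from the original post or from ROP Emporium) that parses the ELF64 program headers and reports NX from the PT_GNU_STACK segment's flags. It builds its own constructed, non-loadable ELF stubs for testing; only little-endian x86-64 images are handled, and the assumption that a missing PT_GNU_STACK header means an executable stack follows the x86-64 loader default.

```python
import struct

# Constants from the ELF64 specification
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_protection(elf: bytes):
    """Return (has_gnu_stack_header, stack_executable) for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        if p_type == PT_GNU_STACK:
            return True, bool(p_flags & PF_X)
    # Assumption: no PT_GNU_STACK header -> x86-64 loader default of an executable stack
    return False, True


def nx_enabled(elf: bytes) -> bool:
    """checksec-style verdict: NX is on only if PT_GNU_STACK exists and lacks PF_X."""
    has_header, executable = stack_protection(elf)
    return has_header and not executable


def build_elf64_stub(stack_executable: bool, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal ELF64 image (header plus one program header). Not runnable."""
    e_phoff, e_phentsize = 64, 56
    e_phnum = 1 if with_gnu_stack else 0
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1, SYSV
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,                 # e_type: ET_EXEC
        0x3E,              # e_machine: EM_X86_64
        1,                 # e_version
        0x400000,          # e_entry (placeholder value)
        e_phoff, 0,        # e_phoff, e_shoff
        0,                 # e_flags
        64, e_phentsize, e_phnum,
        64, 0, 0,          # e_shentsize, e_shnum, e_shstrndx
    )
    if not with_gnu_stack:
        return ehdr
    flags = PF_R | PF_W | (PF_X if stack_executable else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def report(path: str) -> str:
    """Read a real binary from disk and print a one-line NX verdict."""
    with open(path, "rb") as f:
        data = f.read()
    return "NX enabled" if nx_enabled(data) else "NX disabled"


if __name__ == "__main__":
    for label, stub in (("hardened", build_elf64_stub(False)),
                        ("execstack", build_elf64_stub(True)),
                        ("no header", build_elf64_stub(False, with_gnu_stack=False))):
        print(f"{label:10s} -> NX {'enabled' if nx_enabled(stub) else 'disabled'}")
```

Pointing `report()` at a real ELF (for example the challenge binary) gives the same verdict as checksec's NX column; the three stubs show the hardened case, the `-z execstack` case, and the case where the header is missing altogether.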
Now we need to find the functions in the binary, and for this we can use GDB. GDB has a command called "info functions" that lists the functions in the binary.
For this binary there are three functions that I found, main(), pwnme() and ret2win().
Analyzing the functions we realized that ret2win() calls system(). We can see that the address 0x400943 is moved into EDI, i.e. it is passed as the first argument (the command string) to system().
Currently, our objective is to find the offset at which the buffer overflow overwrites the saved return address, thereby gaining control of RIP (the instruction pointer). Using GDB + GEF we can send a cyclic pattern and observe how the stack and the registers change.
pattern create <length> -> to create a pattern
After sending our pattern we noticed that RIP was not overwritten, but on looking at the RSP register I noticed that it pointed at our pattern, so we can find the right offset just by using gdb + gef and searching for the pattern bytes at RSP.
To find the pattern through the RSP register, we just need to run the following command:
pattern search $rsp
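To make clear what `pattern create` and `pattern search` do under the hood, here is an added example (not code from the original post, GEF or pwntools) that generates the same kind of de Bruijn pattern and recovers an offset from the value read back from the stack. It uses the lowercase alphabet with 4-byte windows, which is the pwntools default; the 8-byte stack value it decodes is constructed, and the little-endian decoding assumes an x86-64 target.

```python
import itertools

DEFAULT_ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes = DEFAULT_ALPHABET, n: int = 4):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet` (FKM algorithm).

    Every n-byte window occurs exactly once, so any n bytes read back from a
    register or the stack pin down a unique offset into the pattern.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def gen(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from gen(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from gen(t + 1, t)

    yield from gen(1, 1)


def cyclic(length: int, alphabet: bytes = DEFAULT_ALPHABET, n: int = 4) -> bytes:
    """Equivalent of `pattern create <length>`: the first `length` bytes of the sequence."""
    if length > len(alphabet) ** n:
        raise ValueError("length exceeds the span in which every window is unique")
    return bytes(itertools.islice(de_bruijn(alphabet, n), length))


def cyclic_find(value, alphabet: bytes = DEFAULT_ALPHABET, n: int = 4) -> int:
    """Equivalent of `pattern search`: offset of `value` in the pattern, or -1.

    `value` is either the raw bytes seen on the stack or the integer a debugger
    shows for a 64-bit word; integers are decoded little-endian as on x86-64.
    Only the first n bytes matter because every n-gram is unique.
    """
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    needle = bytes(value[:n])
    if len(needle) < n:
        raise ValueError(f"need at least {n} bytes to locate a unique offset")
    window = bytearray()
    # Stream the sequence so an early hit returns without building the whole pattern
    for i, b in enumerate(de_bruijn(alphabet, n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if window == needle:
            return i - n + 1
    return -1


if __name__ == "__main__":
    pattern = cyclic(64)
    print(pattern)
    # Constructed: pretend the debugger showed this 8-byte word at the top of the stack
    seen = int.from_bytes(pattern[24:32], "little")
    print(hex(seen), "-> offset", cyclic_find(seen))
```

The offset returned is the number of bytes of padding needed before the value that lands in the saved return address; in the writeup that padding is the "pattern" part of the payload.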
Now that we have the right offset to gain RIP control and the address of the ret2win() function, we still need the address of a plain "ret" gadget: returning through it first keeps the stack 16-byte aligned when ret2win() goes on to call system(), which otherwise crashes on an alignment-sensitive instruction. To find one I used a powerful tool called 'ropper', which searches the binary for useful gadgets.
ropper -f ret2win --search ret
Alright, our ret gadget, as you can see, is the address ending in 053e. Now we have everything we need to exploit this.
Let's create a simple exploit using pwntools. Basically, our payload is built in a specific order: padding up to the offset found above + ret gadget + ret2win() address.
Finally, we can run our exploit to receive the flag :)