PE32 — Stack buffer overflow basic Rootme (App-System)

Hariharan@Blog:~$
Jul 21, 2021


Before reading this, I would like you to read my previous write-ups on the Rootme challenges. I won't explain the basic concepts again here, so if you are new to binary exploitation, I highly recommend reading those posts first to understand my approach.

It is only fair to mention this before starting the challenge, and it is probably the reason you are reading this write-up: this is a PE32 challenge, so we need a Windows machine. You can use either a Windows VM or a Windows machine with WSL installed.

We won't be using our old friend GDB here. Instead, we will use another debugger, one that has a GUI :)

Let's get started with the challenge. The binary is a PE32. Let us have a look at the source code.

Let us analyse the code. DEFAULT_LEN is set to 16. Inside the main function we have char buff[16], and the input is read with gets(), which places no limit on the length of the user input. So that is our place of attack.
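For comparison, here is the bounded read that should replace the gets() call. This is an added example, not the challenge's own source (ch72.exe is not reproduced here): it keeps the 16-byte buffer, stops at sizeof(buff) - 1 bytes, and drains the rest of an over-long line so nothing spills onto the stack or into the next read. The input is constructed in a tmpfile() as a stand-in for stdin.

```c
/* Added example, not the challenge's code. A bounded replacement for
 * gets() into a 16-byte buffer: read at most size-1 bytes, then discard
 * the remainder of the line so an over-long line cannot overflow the
 * buffer or be consumed by the next read. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_LEN 16   /* same size as the challenge's buff[16] */

/* Returns the number of bytes stored (newline removed), or -1 on EOF/error.
 * Sets *truncated to 1 when input beyond size-1 bytes was discarded. */
int read_line_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';           /* whole line fitted: drop the newline */
        return (int)len;
    }
    /* No newline: either EOF without one, or the line was longer than the
     * buffer. Drain the tail so it is not handed to the next read. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;
    return (int)len;
}

/* Demo on constructed input: a 28-byte line shaped like the write-up's
 * 24 filler bytes followed by 4 address bytes, then a normal second line.
 * Returns the number of bytes kept from the first line (15); *truncated
 * and `second` report what happened to the tail and to the next read. */
int demo_bounded_read(int *truncated, char *second, size_t second_size)
{
    char buff[DEFAULT_LEN];          /* same declaration as the challenge */
    char line[32];
    FILE *in = tmpfile();            /* ISO C stand-in for stdin */
    if (in == NULL)
        return -1;
    memset(line, 'A', 24);
    memcpy(line + 24, "BCDE\n", 6);  /* constructed over-long line, NUL included */
    fputs(line, in);
    fputs("hello\n", in);
    rewind(in);
    int kept = read_line_bounded(in, buff, sizeof buff, truncated);
    int t2;
    read_line_bounded(in, second, second_size, &t2);  /* sees "hello", not the tail */
    fclose(in);
    return kept;
}
```

With gets() the same 28-byte line would run 12 bytes past buff, which is exactly the overwrite the challenge relies on.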

As I said earlier, we have to use a Windows machine. I will be using Immunity Debugger for this challenge; the download link is below.

Immunity Debugger (immunityinc.com)

You might need Python 2.7 or above to use it (it is downloaded automatically with the installation). Now we will look at the code in the debugger. We need to know how many bytes it takes to overwrite the buffer, the padding and the saved EBP, and then place the return address where EIP will be loaded from.

Using Immunity Debugger and downloading ch72.exe to the Windows machine with SCP

Skip this section if you already know how to use Immunity Debugger.
First, download ch72.exe from the challenge machine to your Windows machine with the scp command. I'll just give the format below.

scp -P port_number UserName@TargetHost:Source_Path_in_Machine Target_Download_in_Windows

Now you'll have the file with you. Open Immunity Debugger and you'll find an Open option under the File menu; open ch72.exe. You can now see four panes. The first one shows the same disassembly you would see in GDB. Top right we have all the register info, which is the same as "info reg" in GDB.

Challenge

After reading the disassembly you'll understand where the code for main is located. We use the exact technique from the previous challenges to find the buffer size and padding from the code. Here we can see [EBP-14]; 0x14 is 20, so the buffer starts 20 bytes below the saved EBP.

Next, we need the return address, which is nothing but the address of the admin_shell() function. You can locate this code by scrolling up until you reach the first line.

And we get the address of admin_shell(). Now what next? As usual, I am going to draw this wonderful stack diagram to make things clear.

Sorry for that bad drawing again :) But I hope you understood the concept. We are ready to write our exploit now. We have to fill 20 + 4 bytes of filler and then fill the EIP slot with the address of admin_shell() in little-endian format. But there is a slight change here: we cannot directly execute the exe file on the Linux machine. Instead, we have an additional script called ./wrapper.sh, which connects us to the Windows machine.

And we get our flag!

It is an easy challenge, but it requires some knowledge of how the stack and Immunity Debugger work. I would highly recommend that newbies like me draw the entire stack layout to understand it.

Do give some claps if you reached here :). And feel free to ask your doubts in the comment section; it would help others too!

Goodbye :
