ROP Emporium Split (64 Bit) Writeup
This is the 2nd challenge in ROP Emporium. The challenge is pretty straightforward: we have to call the system() function with the string "/bin/cat flag.txt" to get our flag. So let's get started with the challenge.
First I start the challenge by checking the type of file the given binary is.
Next, I check the memory protections of the binary using "checksec".
Now I had to check the functions present in the binary. I used rabin2 to get the details:
rabin2 -i binary_name
We have a system() call in some function which we need to find. Also, rabin2 and gdb don't list all the functions in the binary, so I used objdump instead: "objdump -D binary_name" showed all of them. There was a usefulFunction() in the binary which contained the call to system(). I disassembled this function in gdb.
The only difference between the 32-bit and 64-bit versions is that in the 32-bit challenge we have to push the address of the string onto the stack, whereas here we have mov RDI,0x40084a: system() executes with the string whose address is in RDI. So I just had to preload the address of the string into RDI before calling system(). Also, as in the 32-bit challenge, we don't call system@plt directly; instead, we note the address of the call to system() inside usefulFunction(), which is 0x000000000040074b. I then checked what was being copied into RDI.
So I need to replace "/bin/ls" with "/bin/cat flag.txt" in RDI. To do this, I first had to search for that string in GDB.
For popping a value into RDI, I used ROPgadget to look for a gadget that contains pop rdi; ret.
This will be perfect for popping the address of the string "/bin/cat flag.txt" into RDI.
Now I had to find the offset needed to overwrite the buffer, the padding, and RBP in order to reach the RIP region. To do this, I used "pattern create" in gdb-peda, then fed the pattern as input after running the binary inside gdb-peda.
Here we don't get the overwritten value directly from RIP; we need to check the overwritten value in RBP instead. Find the offset of that value in the pattern and then add 8.
So 32 + 8 = 40 bytes of random characters overwrite the buffer, the padding, and RBP. Then we need to call the pop gadget, followed by the address where "/bin/cat flag.txt" is stored; this way RDI receives the address of "/bin/cat flag.txt". Finally I call system(), which takes its parameter from RDI. Here is my exploit.
Executing this should give the flag.
WE HAVE OUR FLAG!
Hope you understood the challenge. Do check out my other blogs.
Don't forget to give some claps if you reached here :) Follow me for more write-ups.
Goodbye:)