description: ROP Emporium!

ret2win

ret2win (AMDv5)

  • Obtain binary

Perform File Checks:

  • Run file against the target binary

View what protections have been enabled on the binary:

  • Run checksec on the binary

  • We see that NX is enabled. This is the No eXecute bit, also known as Data Execution Prevention (DEP)
  • This protection marks certain areas of memory (such as the stack) as non-executable
  • Meaning that stored input cannot be executed as code
  • The same type of information (even slightly more verbose) can be obtained using rabin2
    • -I will give lots of information pertaining to the binary
    • -i will show a list of functions that have been imported

  • printf, libc, puts, printf are all interesting
  • To view ALL user-created functions, you will utilize rabin2 -qs <binary>

  • This is nice, but it is a little verbose, let's utilize grep and search for more filtered information
  • This is more likely to give us a list of USEFUL functions:
rabin2 -qs ret2win32 | grep -ve imp -e ' 0 '

  • Next, we will utilize the classic strings binary that we often use in CTFs in an attempt to find any useful information or other secrets
    • -n 8 will be useful for only printing strings of at least 8 characters

  • Pay attention to /bin/cat flag.txt as this is the command that will be used to output our flag!
  • However, using rabin2 may be a better idea!
rabin2 -z ret2win32

radare2

Updating prior to use

Start radare2 inspection of ret2win32:

radare2 ret2win32

Run update command:

r2pm -U

r2pm -ci r2dec

gef

{% embed url="https://github.com/hugsy/gef" %}

Setup:

bash -c "$(wget https://gef.blah.cat/sh -O -)"

Use with GDB:

gdb -q
pi import urllib.request as u, tempfile as t; g=t.NamedTemporaryFile(suffix='-gef.py'); open(g.name, 'wb+').write(u.urlopen('https://tinyurl.com/gef-main').read()); gdb.execute('source %s' % g.name)

pwndbg

  • I modified gdbinit.py to automatically invoke pwndbg at startup

Start analyzing ret2win with pwndbg:

gdb ret2win

Obtaining info of functions and symbols:

info functions

Dump assembly:

disassemble ret2win

View assembly of pwnme function:

disassemble pwnme

GDB-Multiarch

Throw binary into pwndbg:

pwn debug --exec <path_to_binary>

Running program:

Viewing Registers: