Pwning in Linux

Writeup: 3x17

theFaunia in the wild 2019. 3. 27. 05:02

We start by looking at the binary's protections and see that NX is enabled, so we will not be able to execute code that we place in memory.

Running the program, we see that our attack surface is two inputs, but we do not yet know what the program gives back to us on each iteration.

So we will have to open gdb and analyze the code to find out how to exploit it, which means doing the important work of reverse engineering. The file command shows that the binary is statically linked. Running it under strace, we see that write and read are each called twice, and if we type characters into the first read and again into the second, the second one fails with a "Bad address" (EFAULT) error.

Looking at the pseudocode generated by the Hopper disassembler, we realize that the first read expects the value of a memory address written in decimal (in Python, str(address)). That buffer is then passed to a function that converts the decimal string into the numeric address (stored little-endian, as the CPU uses it) and returns it in RAX. That address is then passed in RSI as the buffer argument of the second read, so whatever we type into the second read is written to the address we chose. We therefore have a write primitive. Cool!

But which memory address do we enter in the first read, and what content do we enter in the second? We will have to keep reversing and see how the program interacts with the data we introduce. For our tests we will simply write two arbitrary memory addresses into a writable section of the binary.

We start writing our exploit.

We also need to attach gdb to the process, using raw_input() in the exploit to pause it. After some iterations we reach an important call through RDX. We seem to have some control over it, but it always uses the address 0x402960, which corresponds to this function:

We take note of it and locate an important call that we could control, so we step into the function anyway.

There we find a function call that we can control: call QWORD PTR [rbp+rbx*8+0x0]. Depending on the value of the RBX register, it always takes its target from the address 0x4b40f0 or from the entry 8 bytes after it.

If we enter the memory address 0x4b40f0 in the first read and then, in the second read, write the data we want there, we can place 0x402960 as the first entry and, as the second entry, the address of the function that calls the two reads, 0x401b6d. Boom! We have hijacked the control flow, and the program runs again.

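As an added defender-side check that is not part of the original writeup, the script below (written here from scratch, using only the struct module) walks an ELF64's program and section headers and reports any .init_array/.fini_array section that a runtime write can still reach: one that sits inside a writable PT_LOAD segment and is not covered by PT_GNU_RELRO. It parses a constructed sample image rather than the challenge binary, placing the two-entry table at 0x4b40f0 as in this writeup; that the table at 0x4b40f0 is the binary's .fini_array is an assumption.

```python
import struct

# ELF64 constants from the ELF specification
PT_LOAD, PT_GNU_RELRO, PF_W = 1, 0x6474E552, 2
SHT_INIT_ARRAY, SHT_FINI_ARRAY = 14, 15
PHDR_FMT, SHDR_FMT = "<IIQQQQQQ", "<IIQQQQIIQQ"   # Elf64_Phdr / Elf64_Shdr

def writable_fn_tables(elf: bytes):
    """Return (name, address) of init/fini array sections that a runtime
    write can still reach: inside a writable PT_LOAD and not under RELRO."""
    phoff, shoff, phentsize, phnum, shentsize, shnum, shstrndx = \
        struct.unpack_from("<QQ6xHHHHH", elf, 32)        # skip e_flags/e_ehsize
    phdrs = [struct.unpack_from(PHDR_FMT, elf, phoff + i * phentsize)
             for i in range(phnum)]
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    writable = [(p[3], p[3] + p[6]) for p in phdrs if p[0] == PT_LOAD and p[1] & PF_W]
    relro = [(p[3], p[3] + p[6]) for p in phdrs if p[0] == PT_GNU_RELRO]
    shdrs = [struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize)
             for i in range(shnum)]
    strtab = shdrs[shstrndx][4]                          # sh_offset of .shstrtab
    def name(idx):
        return elf[strtab + idx:elf.index(b"\0", strtab + idx)].decode()
    covered = lambda lo, hi, ranges: any(a <= lo and hi <= b for a, b in ranges)
    found = []
    for sh in shdrs:                                     # sh_type, sh_addr, sh_size
        if sh[1] in (SHT_INIT_ARRAY, SHT_FINI_ARRAY):
            lo, hi = sh[3], sh[3] + sh[5]
            if covered(lo, hi, writable) and not covered(lo, hi, relro):
                found.append((name(sh[0]), hex(lo)))
    return found

def build_sample_elf(relro: bool) -> bytes:
    """Constructed minimal ELF64 image (not a real binary): a writable data
    segment holding a two-entry .fini_array at 0x4b40f0, optionally under RELRO."""
    shstr = b"\0.fini_array\0.shstrtab\0"
    phnum = 2 if relro else 1
    phoff, stroff = 64, 64 + 56 * phnum
    shoff = stroff + len(shstr)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, shoff, 0, 64, 56, phnum, 64, 3, 2)
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, PF_W | 4, 0, 0x4B4000, 0x4B4000,
                        0x1000, 0x1000, 0x1000)
    if relro:   # RELRO covers 0x4b4000..0x4b4200, which includes the table
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, 0, 0x4B4000, 0x4B4000,
                             0x200, 0x200, 1)
    fini = struct.pack(SHDR_FMT, 1, SHT_FINI_ARRAY, 3, 0x4B40F0, 0, 16, 0, 0, 8, 8)
    strs = struct.pack(SHDR_FMT, 13, 3, 0, 0, stroff, len(shstr), 0, 0, 1, 0)
    return ehdr + phdrs + shstr + b"\0" * 64 + fini + strs
```

On a real file, call writable_fn_tables(open(path, "rb").read()); an empty result means the arrays are read-only by the time user input is processed, which is the mitigation for the writable function-pointer table this writeup relies on. Statically linked binaries are often built without RELRO, so this is a check worth running before shipping one.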

Now we edit our exploit to send the corresponding .bss memory address and, as data, some A's to see how it reacts. The program prints the addr prompt again, which means we can write as many times as we want into a writable section of the binary, build a ROP chain there, and then hijack the control flow once more into return oriented programming to get a shell.

To build our strategy we need a location where we can write our ROP gadgets, but we also need to control a ret so that the chain actually executes and spawns the shell. We can place our ROP chain starting at address 0x4B4100, and the last read will look like this:

As data we need 0x401c4b (leave; ret) and 0x401697 (ret). These are essential to chain the ROP, since leave sets RSP to the value of RBP and is followed by a pop, after which ret takes its target from the new stack. We step into the call with "si" and take a look at the RSP and RBP registers.

When the leave instruction executes, RSP becomes 0x4b40f0, so we have created a fake stack frame: the pop that follows consumes the first entry and ret lands exactly on 0x401697. Boom! Pwned: we can execute our ROP chain from a fake stack frame.

Now it is ret; ret, and our ROP chain starts running to make the syscall and get the shell!
