After my last post, I decided to go straight into the Advanced Buffer Overflow (ABO) section and practice more ROP. The first ABO exercise was a straightforward stack buffer overflow.
ABO #1 source code:
The environment, as usual, was Debian (kernel 2.6.32) with NX and ASLR enabled. The binary itself is not position independent, so its GOT and code sit at fixed addresses even with ASLR on; that is what makes the technique below viable. The binary can be found here.
The technique used throughout this post is known as "GOT dereferencing": the GOT entry of a function the binary has already called holds that function's address inside libc, and adding the fixed distance between that function and system() (a constant for a given libc build) to the entry yields the address of system() without ever learning where libc was mapped. For the interested reader, the technique is described here.
The saved return address is overwritten at an offset of 268 bytes into the buffer.
I needed two functions for this technique: the target function (system()) and the pivot function, an already-resolved libc function whose GOT entry can be read (strcpy()). I used VNSECURITY's ROPeMe tool to search for gadgets. The binary is rather small, so some gadgets were hard to find, but I found enough useful ones. The entire gadget list can be found here.
I needed to work out some addresses for (2) and (3). Gadget (2) accesses memory through EBX with a constant displacement of 0x5d5b04c4, so EBX must hold the intended address minus 0x5d5b04c4 (the subtraction wraps modulo 2^32, so the result is a large, otherwise meaningless value). Valid target addresses can be taken from the relocation table, i.e. the GOT entries. I chose 0x080495a8 (__gmon_start__) for EBX in (2) and 0x080495b0 (strcpy) for EBX in (3).
The calculations for (2) and (3) are simple, as shown:
Next, I calculated the value for EAX. For (2), EAX holds the offset between system() and strcpy() inside libc, minus 8.
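As an added example that is not part of the original post, the following C program works through the same arithmetic: it computes the EBX values for the two GOT slots above (with 32-bit wraparound), computes the libc delta for EAX, and emulates the gadget's memory write on a small model of the GOT to show the strcpy slot ending up pointing at system(). Assumptions: the gadget is taken to be `add [ebx+0x5d5b04c4], eax ; ret` (the common i386 crt gadget; the post's gadget list is not reproduced here), the libc addresses in main() are constructed sample values, and the post's "minus 8" adjustment is left out because it depends on that gadget list.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post.
 * ASSUMPTION: gadgets (2)/(3) have the form
 *     add [ebx+0x5d5b04c4], eax ; ret
 * i.e. a 32-bit add into memory at EBX plus a fixed displacement. */
#define GADGET_DISP 0x5d5b04c4u
#define GOT_GMON    0x080495a8u   /* __gmon_start__ GOT slot (from the post) */
#define GOT_STRCPY  0x080495b0u   /* strcpy GOT slot (from the post)         */

/* EBX value such that [ebx + GADGET_DISP] hits `target`.
 * uint32_t arithmetic wraps exactly like the CPU register does. */
uint32_t ebx_for(uint32_t target) { return target - GADGET_DISP; }

/* Distance from strcpy() to system() inside libc. This is a property of the
 * libc build, not of the target binary, and is what gets loaded into EAX. */
uint32_t libc_delta(uint32_t system_addr, uint32_t strcpy_addr) {
    return system_addr - strcpy_addr;
}

/* Minimal model of the process: four GOT slots starting at `base`. */
struct got { uint32_t base; uint32_t slot[4]; };

static uint32_t *slot_at(struct got *g, uint32_t addr) {
    uint32_t off = addr - g->base;
    if (off % 4 != 0 || off / 4 >= 4) return NULL;   /* real CPU: segfault */
    return &g->slot[off / 4];
}

/* Emulate `add [ebx+0x5d5b04c4], eax`. Returns 0 if the access would fault,
 * which is what happens when EBX is not (target - displacement). */
int run_add_gadget(struct got *g, uint32_t ebx, uint32_t eax) {
    uint32_t *p = slot_at(g, ebx + GADGET_DISP);
    if (!p) return 0;
    *p += eax;
    return 1;
}

/* Whole walk-through: the strcpy GOT slot holds strcpy's libc address (the
 * loader resolved it on first call); after the gadget it holds system().
 * Returns the slot's final value, or 0 if the emulated access faulted. */
uint32_t resolve_system(uint32_t strcpy_addr, uint32_t system_addr) {
    struct got g = { .base = GOT_GMON, .slot = { 0, 0, strcpy_addr, 0 } };
    uint32_t ebx = ebx_for(GOT_STRCPY);
    uint32_t eax = libc_delta(system_addr, strcpy_addr);
    if (!run_add_gadget(&g, ebx, eax)) return 0;
    return *slot_at(&g, GOT_STRCPY);
}

int main(void) {
    /* Constructed sample libc addresses, not measured on any system. */
    uint32_t strcpy_addr = 0xb7ee1c60u, system_addr = 0xb7ea8cb0u;

    printf("EBX for (2) [gmon_start]: 0x%08x\n", ebx_for(GOT_GMON));
    printf("EBX for (3) [strcpy]    : 0x%08x\n", ebx_for(GOT_STRCPY));
    printf("EAX (system - strcpy)   : 0x%08x\n",
           libc_delta(system_addr, strcpy_addr));
    printf("strcpy slot after gadget: 0x%08x\n",
           resolve_system(strcpy_addr, system_addr));
    return 0;
}
```

Both EBX values come out as large "garbage looking" constants (0xaaa990e4 and 0xaaa990ec); that is expected, since only EBX plus the displacement has to be a mapped address. Because the delta is a plain 32-bit subtraction, it works just as well when system() sits below strcpy() in libc: the add wraps back around.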
The last step was to find a string to pass to system(). A safe option (as in my last post) was the string "GNU" from .note.gnu.build-id at 0x08048154: the note's name field is the NUL-terminated string "GNU", so it is a valid C string at a fixed address in the non-PIE binary. Since system() hands that string to /bin/sh, the payload ends up running whatever executable named GNU is found first on PATH, which is where the actual command goes.