Exploit
Duplicating the Descriptors
Last updated
Was this helpful?
Duplicating the Descriptors
Last updated
Was this helpful?
I'll include source.c
, but most of it is socket programming derived from . The two relevent functions - vuln()
and win()
- I'll list below.
Quite literally an easy .
Start the binary with ./vuln 9001
.
Basic setup, except it's a remote process:
Once the pause()
is reached, I hook on with radare2 and set a breakpoint at the ret
.
Ok, so the offset is 40
.
Should be fairly simple, right?
What the hell?
But if we look on the server itself:
So we have a shell, but no way to control it. Time to use dup2
.
Since we need two parameters, we'll need to find a gadget for RDI and RSI. I'll use ROPgadget
to find these.
Plonk these values into the script.
Now to get all the calls to dup2()
.
And wehey - the file descriptors were successfully duplicated!
These kinds of chains are where pwntools' ROP capabilities really come into their own:
Works perfectly and is much shorter and more readable!
I pass in a basic pattern and pause directly before:
A shell was popped there! This is the we talked about before.
I've simplified this challenge a lot by including a call to dup2()
within the vulnerable binary, but normally you would leak libc via the and then use libc's dup2()
rather than the PLT; this walkthrough is about the basics, so I kept it as simple as possible.
As we know, we need to call dup2(newfd, oldfd)
. newfd
will be 4
(our connection fd) and oldfd
will be 0
and 1
(we need to call it twice to redirect bothstdin
and stdout
). Knowing what you do about , have a go at doing this and then caling win()
. The answer is below.