Security Researcher | Independent Penetration Tester | CTF Player | Good Vibes ✌️

ROP Emporium - Ret2csu (x64)

Summary

ret2csu was a tough challenge from the ROP Emporium that required the pwner to call an imported function with three arguments in a tiny executable. The caveat was that there was no obvious gadget to set the third argument. Therefore, the pwner had to return into the __libc_csu_init function to set the RDX register with a mov instruction. As much as this works in practice, it also has numerous side effects that require compensation to get the final exploit to work. You can read more on the challenge here.

ROP Emporium - Pivot (x64)

Summary

pivot was a fundamental challenge from the ROP Emporium that required the pwner to pivot the stack to another location, leak the base address of a shared module, and finally invoke a non-imported function. This is a fundamental skill in ROP chaining since, in practice, you normally want to invoke non-imported calls from libc. You can read more on the challenge here.

Analyze the Countermeasures

Always analyze the binary's countermeasures, because they determine our objective for exploiting the binary and what the limitations are. For all my binary exploit development walkthroughs, I will be using pwntools, which comes with checksec when installed. This tool reports the countermeasures the binary was compiled with:

ROP Emporium - Badchars (x64)

Summary

badchars was a fundamental challenge from the ROP Emporium that required the pwner to write a string to an arbitrary memory address while avoiding bad characters. The bad characters needed to be encoded before being processed by the application and then decoded in memory with XOR ROP gadgets. Finally, the memory address we wrote to would need to be passed to a function as an argument to dump the flag's contents. You can read more on the challenge here.

ROP Emporium - Fluff (x64)

Summary

fluff was a fundamental challenge from the ROP Emporium that required the pwner to write a string to an arbitrary memory address using less-than-ideal gadgets. Finally, the memory address we wrote to would need to be passed to a function as an argument to dump the flag's contents. You can read more on the challenge here.

ROP Emporium - Callme (x64)

Summary

callme was a simple challenge from the ROP Emporium that required the pwner to call multiple functions with arguments back-to-back from a shared object file. I will be skipping some basic steps such as finding the offset at which we take control over RIP and analyzing execution flow in the ROP chain. If you wish to see how to do that, you should check out my previous blog posts on ROP Emporium ret2win and split.

ROP Emporium - Write4 (x64)

Summary

write4 was a fundamental challenge from the ROP Emporium that required the pwner to write a string to an arbitrary memory address and pass it to a function as an argument. You can read more on the challenge here. I will be skipping some basic steps such as finding the offset at which we take control over RIP and analyzing execution flow in the ROP chain. If you wish to see how to do that, you should check out my previous blog posts on ROP Emporium ret2win and split.