Ret2Libc

Information to connect to a TCP server, the server program (a ELF file) ret2libc, its source code ret2libc.c, and ELF files ld-2.31.so and libc-2.31.so were given.

Reading ret2libc.c, I found a function learn that reads some input via the function gets.
Seeing this, I decided to perform ROP (Return-Oriented Programming) using following sequence of data
to have it output the address of the function puts on the memory and call the function learn again using the result of disassembling of ret2libc via objdump in TDM-GCC.
The function gets here will write what it read from -0x20(%rbp) and %rbp is %rsp after one push from the beginning of the function,
so the return address is 0x28 bytes after the head of data written by the function gets.

• An address of a gadget pop rdi; ret
• An address where the address of the function puts in the memory is stored
• An address of a gadget ret
• An address to have it execute the function puts
• An address of a gadget ret
• An address of the head of the function learn

Here is the actual data to send to the server:

We can obtain the address of the function puts in the memory by sending this file payload_leak.bin via "Send file" in Tera Term and observing the response from the server via Wireshark.

Also, I applied readelf -s command to the file libc-2.31.so to obtain the place in the file of the functions puts and system. Here is the result:

Moreover, I searched for a string /bin/sh from the file libc-2.31.so via a binary editor, finding at the 0x18A152-nd byte. (the first byte is 0th)

Based on these, I created this program payload_gen.pl that takes the address of the function puts in the memory as an argument and generates data to have it execute system("/bin/sh");.

I succeeded to launch the shell by sending generated data via "Send file" in Tera Term. I found an entry flag.txt by executing ls command.

I obtained the flag by executing cat flag.txt command.