Tags: arm 

There are quite a few gadgets and only a 16-byte overflow.
But luckily, I found `0x00010364: pop {r3, pc};` using Ropper and
```asm
.text:00010534 MOV R1, R3 ; buf
.text:00010538 MOV R0, #0 ; fd
.text:0001053C BL read
.text:00010540 MOV R3, #0
.text:00010544 MOV R0, R3
.text:00010548 SUB SP, R11, #4
.text:0001054C LDMFD SP!, {R11,PC}
.text:0001054C ; End of function main
```
using IDA.

So if we get our stack layout like
```
pop {r3,pc} gadget <- ret addr
base
MOV R1,R3 gadget
```
we're able to read something to `base`.

I chose to write shellcode to `base` and then return to `base`, thus we get a shell.

----------

[Exploit here](https://github.com/bash-c/pwn_repo/blob/master/inCTF2018_wARMup/solve.py)

Follow [me](https://github.com/bash-c) if you like this writeup :)

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/inCTF2018_wARMup/solve.py).