Tags: arm 

There are quite a few gadgets but only a 16-byte overflow. Luckily, I found `0x00010364: pop {r3, pc};` using Ropper, and this epilogue of `main` using IDA:

    .text:00010534                 MOV     R1, R3          ; buf
    .text:00010538                 MOV     R0, #0          ; fd
    .text:0001053C                 BL      read
    .text:00010540                 MOV     R3, #0
    .text:00010544                 MOV     R0, R3
    .text:00010548                 SUB     SP, R11, #4
    .text:0001054C                 LDMFD   SP!, {R11,PC}
    .text:0001054C ; End of function main

So if we arrange our stack layout like

    pop {r3,pc} gadget <- ret addr
    base
    MOV R1,R3 gadget

we can read something into `base`.

I chose to write shellcode to `base` and then return to `base`, which gives us a shell.
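To show why a 16-byte overrun past the buffer is enough to reach the `LDMFD SP!, {R11,PC}` epilogue above, here is an added example in C that is not the writeup's code (the challenge source is not shown, so the buffer size, the saved-register values and the caller address are constructed). It models the frame as a flat byte array, places the unbounded `read` pattern beside a bounded version, and reports what the epilogue would pop into PC after each:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the 32-bit ARM frame that main() tears down with
 * "SUB SP, R11, #4; LDMFD SP!, {R11,PC}": the local buffer lies below the
 * saved frame pointer (R11) and the saved return address (PC), and above
 * those sit the caller's stack words. BUF_SIZE is a constructed value. */
#define BUF_SIZE   32u
#define OVERFLOW   16u                      /* the writeup's 16-byte overflow */
#define FRAME_SIZE (BUF_SIZE + OVERFLOW)

enum {
    OFF_SAVED_R11 = BUF_SIZE,       /* 1st word past buf: popped into R11 */
    OFF_SAVED_PC  = BUF_SIZE + 4,   /* 2nd word past buf: popped into PC  */
    OFF_CALLER    = BUF_SIZE + 8    /* remaining 8 bytes: caller's stack  */
};

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

/* Assuming little-endian ARM (the common case): 4 stack bytes -> one word. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* A fresh frame with a known saved R11 and return address. */
frame_t make_frame(uint32_t saved_r11, uint32_t saved_pc) {
    frame_t f;
    memset(f.bytes, 0, sizeof f.bytes);
    store_le32(f.bytes + OFF_SAVED_R11, saved_r11);
    store_le32(f.bytes + OFF_SAVED_PC, saved_pc);
    return f;
}

/* Vulnerable pattern: read(0, buf, n) with n allowed to exceed the buffer.
 * Input comes from a caller-supplied byte array instead of fd 0; only the
 * model's own storage is bounded, not the buffer. */
size_t unbounded_read(frame_t *f, const uint8_t *input, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, input, n);
    return n;
}

/* Hardened form: never copy more than the buffer holds. */
size_t bounded_read(frame_t *f, const uint8_t *input, size_t n) {
    if (n > BUF_SIZE) n = BUF_SIZE;
    memcpy(f->bytes, input, n);
    return n;
}

/* The word the epilogue's LDMFD would load into PC from this frame. */
uint32_t epilogue_pc(const frame_t *f) {
    return load_le32(f->bytes + OFF_SAVED_PC);
}

/* Constructed placeholders for the saved R11 and main's caller address. */
#define ORIG_R11 0xbefff000u
#define ORIG_PC  0x00010000u

/* Feed 48 bytes of 'A' (a constructed sample) through each read path and
 * return what PC would become. */
uint32_t pc_after_unbounded(void) {
    uint8_t input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    frame_t f = make_frame(ORIG_R11, ORIG_PC);
    unbounded_read(&f, input, sizeof input);
    return epilogue_pc(&f);        /* 0x41414141: return address overwritten */
}

uint32_t pc_after_bounded(void) {
    uint8_t input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    frame_t f = make_frame(ORIG_R11, ORIG_PC);
    bounded_read(&f, input, sizeof input);
    return epilogue_pc(&f);        /* ORIG_PC: saved return address untouched */
}

int main(void) {
    printf("PC after unbounded read: 0x%08x\n", pc_after_unbounded());
    printf("PC after bounded read:   0x%08x\n", pc_after_bounded());
    return 0;
}
```

The 16 bytes past `buf` fall on the saved R11, the saved PC and two caller words, four words in total, which is the arithmetic behind the three-entry layout above sitting on top of the saved frame pointer. Capping the read at `sizeof buf` is the fix: the epilogue then pops the original return address regardless of input length.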


Exploit here

Follow me if you like this writeup :)

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/inCTF2018_wARMup/solve.py).