### ROPi

> Ritorno orientata programmazione `nc ropi.vuln.icec.tf 6500` [download file](./ropi_1335922d55bc23ddc49a8c5077723113d5cddf02756ad8231e96058188bfc249)

There's a read 0x40 bytes at `0x08048562` when only 0x38 allocated. So it's pretty easy exploitable.

Then you need open file and get fd -> read by that fd -> print read data. So the flow should be ret->ori->pro. Then is simply working with right layer and correct magic nums at [exploit](./ropi_exploit.py).

Flag: `IceCTF{italiano_ha_portato_a_voi_da_google_tradurre}`

Original writeup (https://github.com/EspacioTeam/write-ups/tree/master/2016/icectf/ROPi).