DEFCON 25 Quals r0pbaby May 19, 2015


description

r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me:10436

This is an x64 ELF binary. The vulnerability is easy to find: option 3 copies a user-supplied buffer onto the stack, and a 24-byte input is already enough to crash the program.

% ./r0pbaby_542ee6516410709a1421141501f03760
Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 3
Enter bytes to send (max 1024): 24
AAAAAAAAAAAAAAAAAAAAAAAA
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
zsh: segmentation fault (core dumped) ./r0pbaby_542ee6516410709a1421141501f03760
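To make the crash above concrete, here is a small added C model of what happens in that session. It is not the challenge binary's code: the local buffer size is not stated on the page, so the frame layout below (8-byte buffer, saved rbp, return address) is an assumption chosen so that 24 bytes reach the return slot. The model shows which part of the frame an n-byte copy reaches, why a return address made of 'A' bytes faults (it is a non-canonical x86-64 address), and the bounds check that the "max 1024" prompt should have been.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout (hypothetical; not taken from the binary). */
#define LOCAL_BUF_SIZE 8
#define SAVED_RBP_SIZE 8
#define RET_ADDR_SIZE  8
#define MAX_REQUEST    1024   /* the limit the prompt actually enforces */

enum frame_damage { FITS_IN_BUFFER, CLOBBERS_SAVED_RBP, CLOBBERS_RETURN_ADDRESS };

/* Which part of the frame an n-byte copy into the local buffer reaches.
 * The enforced limit (1024) is unrelated to the buffer size, so the copy
 * walks straight over the saved registers and the return address. */
enum frame_damage classify_write(size_t n) {
    if (n <= LOCAL_BUF_SIZE) return FITS_IN_BUFFER;
    if (n <= LOCAL_BUF_SIZE + SAVED_RBP_SIZE) return CLOBBERS_SAVED_RBP;
    return CLOBBERS_RETURN_ADDRESS;
}

/* x86-64 only accepts "canonical" addresses: bits 63..47 must all equal
 * bit 47. 0x4141414141414141 violates this, so the `ret` into it raises a
 * fault and the process dies with SIGSEGV, as in the session above. */
int is_canonical_x64(uint64_t addr) {
    uint64_t top = addr >> 47;          /* bits 63..47, 17 bits */
    return top == 0 || top == 0x1FFFF;
}

/* The return address an n-byte payload leaves in the frame under the
 * assumed layout, decoded little-endian; 0 if the slot is not fully
 * overwritten (a partial overwrite keeps unknown old bytes). */
uint64_t return_address_after(const unsigned char *payload, size_t n) {
    size_t off = LOCAL_BUF_SIZE + SAVED_RBP_SIZE;
    if (payload == NULL || n < off + RET_ADDR_SIZE) return 0;
    uint64_t ret = 0;
    for (size_t i = 0; i < RET_ADDR_SIZE; i++)
        ret |= (uint64_t)payload[off + i] << (8 * i);
    return ret;
}

/* Convenience: the return slot after a payload of n identical bytes,
 * e.g. the 24 'A's typed in the session. */
uint64_t return_address_for_fill(unsigned char byte, size_t n) {
    unsigned char payload[MAX_REQUEST];
    if (n > MAX_REQUEST) return 0;
    memset(payload, byte, n);
    return return_address_after(payload, n);
}

/* Hardened copy: the bound is the destination's size, and an oversize
 * request is refused rather than silently truncated. Returns bytes copied
 * or -1 on refusal. */
int copy_bounded(char *dst, size_t dst_len, const unsigned char *src, size_t n) {
    if (dst == NULL || src == NULL || n > dst_len) return -1;
    memcpy(dst, src, n);
    return (int)n;
}
```

Under the assumed layout, `classify_write(24)` reports that the return address is reached, and `return_address_for_fill('A', 24)` yields the non-canonical value that explains the segmentation fault after "Bad choice."; `copy_bounded` is the check that would have made option 3 refuse the 24-byte input.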

To call the system function, we need the address of the string "/bin/sh" in libc and a ROP gadget, "pop rdi; ret", to load it as the first argument.
The menu gives us the address of any libc function, and from libcdb we can obtain almost the same libc binary as the one used on the remote server.

Here is the exploit code.

https://gist.github.com/ytn86/2790c1c224825aa2c3a1