ROP Emporium – Write4

Write4 32 Bit In this challenge, there is no longer a “/bin/cat flag.txt” string in the binary that can be used to get the flag. We can instead write that string, or a “/bin/sh” string, into memory to get a shell. The steps to achieve this are: 1. Find a writable memory section inside the binary. 2. Find the …

ROP Emporium – Callme

Callme 32 Bit In this challenge, we need to execute the callme_one(), callme_two() and callme_three() functions sequentially, in that order. Each function must be called with the arguments 1, 2, 3, e.g. callme_one(1,2,3), to get the flag. Let’s find the EIP offset using Radare2.

The EIP offset is 44. Let’s find the callme_one, callme_two, and callme_three function addresses using objdump.

ROP Emporium – Split

Split 32 Bit In this challenge, the ret2win function has been split into a call to system() and a “/bin/cat flag.txt” string. The objective is to use a ROP gadget to call system() with “/bin/cat flag.txt” as the argument. Let’s find the EIP offset using Radare2.

The EIP offset is 44. Find the system@plt address using the objdump command. …

ROP Emporium – Ret2Win

Ret2Win 32 Bit In this challenge, we need to redirect the program flow to execute the ret2win function. This can be achieved by overwriting EIP (the instruction pointer) with the ret2win address. This challenge can be done using a simple echo command or pwntools. I use Radare2 and pwntools to solve this challenge. First things first, let’s …