Skip to main content

3. Stack Overflow with ROP

Challenge Overview

In this challenge, your goal is to exploit a buffer overflow vulnerability in a simple C program and use a technique called Return-Oriented Programming (ROP) to execute a function named win(). This function requires specific arguments to reveal the contents of the flag.txt file. Your task is to overflow the buffer and chain together small pieces of code (called gadgets) to set the arguments and execute the win() function.

Return-Oriented Programming (ROP)

Return-Oriented Programming (ROP) is an advanced exploitation technique that allows an attacker to control the flow of a program by chaining together small sequences of existing code, known as gadgets. These gadgets, which are already present in the program’s memory, typically end with a ret instruction. By carefully controlling the stack, an attacker can execute these gadgets in a specific order to perform complex tasks, such as calling functions with specific arguments, without needing to inject new code into the program.

To use ROP effectively, you need to understand the calling convention. The calling convention tells you how a program passes arguments to functions and how it returns results. This is important because when you're using ROP gadgets to call a function like win(), you need to know where to put the arguments.

For example, in the x86-64 calling convention:

  • The first argument is placed in the rdi register.
  • The second argument is placed in the rsi register.
  • The third argument is placed in the rdx register.

So, if you want to call win(0x1111, 0x2222, 0x3333), you would need to:

  • Find a gadget that puts 0x1111 into rdi.
  • Find a gadget that puts 0x2222 into rsi.
  • Find a gadget that puts 0x3333 into rdx. Then, jump to the win() function.

By chaining these gadgets together in the right order, you can make the program run the win() function with the exact arguments needed to reveal the flag.

Downlaod

You can download the challenge from our CTF server. (http://kayle.snu.ac.kr:10000/)

Due date

Submission

Once you've obtained the flag, please submit it to our CTF server. Then, submit both your exploit code and a 1-page report through ETL. Your report should briefly explain the code you used to get the flag and how you solved the challenge. Please do not cheat, share your flag, or disclose your solutions. Ensure that your report is strictly limited to 1 page.

Before submitting, use this command to compress your files: zip report.zip solve.py report.pdf. Make sure to rename your exploit code to solve.py and your report to report.pdf before running this command. Finally, submit report.zip through ETL.