Sunday, 1 September 2019

PicoCTF 2013 - rop3

This time I tried to solve the rop3 challenge from PicoCTF 2013. Below you will find the details...
I started here:

Cool. The next thing was to check the binary with checksec:

Unfortunately, the NX bit was enabled. :|

So the idea was to disable the No-eXecute (NX) protection and then run the shellcode. Let's do it:


The prepared pattern was used to build a basic skeleton PoC. Now checking:

Results:

Checking offset:

Looks good. Next we will need the addresses of read() and mprotect():



So far, so good. Now, preparing the PoC:


Now the task is to find a good shellcode to use with our PoC (to run our shellcode from fd ;)). You can find a good source of example shellcodes here. :) I used this one created by xgc (thanks!):


As you can see, there are some differences between the last two screens; the reason is that I switched from the Kali VM to another (a little bit older ;)) VM.


See you next time!

Cheers




