Skip to content

Instantly share code, notes, and snippets.

@breadchris
Created April 23, 2015 16:00
Show Gist options
  • Save breadchris/deda47c322a3531113ee to your computer and use it in GitHub Desktop.
Save breadchris/deda47c322a3531113ee to your computer and use it in GitHub Desktop.
PicoCTF2014 Hardcore ROP
void randop() {
munmap((void*)0x0F000000, MAPLEN);
void *buf = mmap((void*)0x0F000000, MAPLEN, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
unsigned seed;
if(read(0, &seed, 4) != 4) return;
srand(seed);
for(int i = 0; i < MAPLEN - 4; i+=3) {
*(int *)&((char*)buf)[i] = rand();
if(i%66 == 0) ((char*)buf)[i] = 0xc3;
}
mprotect(buf, MAPLEN, PROT_READ|PROT_EXEC);
puts("ROP time!");
fflush(stdout);
size_t x, count = 0;
do x = read(0, ((char*)&seed)+count, 555-count);
while(x > 0 && (count += x) < 555 && ((char*)&seed)[count-1] != '\n');
}
int main(int argc, char *argv[]) {
struct stat st;
if(argc != 2 || chdir(argv[1]) != 0 || stat("./flag", &st) != 0) {
puts("oops, problem set up wrong D:");
fflush(stdout);
return 1;
} else {
puts("yo, what's up?");
alarm(30); sleep(1);
randop();
fflush(stdout);
return 0;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment