Setup

Note: while you can use tools that help find ROP gadgets (e.g. ropper), it is explicitly forbidden to use anything that finds entire ROP chains (e.g. angrop).

Demo

Your tutor will go over the ROP demo.

There are two solutions for this challenge:

  • Use syscalls to invoke execve("/bin/sh", NULL, NULL)
  • Use the existing system() call in the binary

Try solving it both ways before doing the prac.

Prac

After completing the demo, work in pairs to solve the ROP prac.

There are a number of different ways to solve this by getting a shell.