Problem ROP 2
Hello everyone.
Let's solve ROP Chal2. First, check which mitigations the binary has, the same as last time. This time I want to use "peda" to solve the problem. Briefly, it is a tool used together with gdb that displays information more intelligibly; for example, you can run 'checksec' directly inside peda.
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
This output tells us that we only need to bypass the NX bit (DEP).
Next, check the disassembly of the main function.
gdb-peda$ pdisas main
Dump of assembler code for function main:
   ...
   0x080484e8 <+12>: mov DWORD PTR [esp+0x9c],0x0
   0x080484f3 <+23>: mov DWORD PTR [esp+0x8],0x1
   0x080484fb <+31>: mov DWORD PTR [esp+0x4],0x804a060
   0x08048503 <+39>: mov DWORD PTR [esp],0x0
   0x0804850a <+46>: call 0x8048370 <read@plt>
   0x0804850f <+51>: cmp eax,0x1
   0x08048512 <+54>: je 0x804851e <main+66>
   ...
   0x08048528 <+76>: mov DWORD PTR [esp+0x8],eax
   0x0804852c <+80>: mov DWORD PTR [esp+0x4],0x804a061
   0x08048534 <+88>: mov DWORD PTR [esp],0x0
   0x0804853b <+95>: call 0x8048370 <read@plt>
   0x08048540 <+100>: movsx eax,al
   0x08048543 <+103>: mov DWORD PTR [esp+0x9c],eax
   0x0804854a <+110>: mov eax,DWORD PTR [esp+0x9c]
   0x08048551 <+117>: add eax,0x1
   0x08048554 <+120>: test eax,eax
   ...
   0x0804857e <+162>: call 0x8048380 <memcpy@plt>
   0x08048583 <+167>: call 0x80483d0 <fork@plt>
   0x08048588 <+172>: test eax,eax
   0x0804858a <+174>: jne 0x80485cc <main+240>
   0x0804858c <+176>: mov DWORD PTR [esp+0x10],0x8048680
   0x08048594 <+184>: lea eax,[esp+0x1c]
   0x08048598 <+188>: mov DWORD PTR [esp+0x14],eax
   0x0804859c <+192>: mov DWORD PTR [esp+0x18],0x0
   0x080485a4 <+200>: mov DWORD PTR [esp],0x1
   0x080485ab <+207>: call 0x8048390 <sleep@plt>
   0x080485b0 <+212>: mov DWORD PTR [esp+0x8],0x0
   0x080485b8 <+220>: lea eax,[esp+0x10]
   0x080485bc <+224>: mov DWORD PTR [esp+0x4],eax
   0x080485c0 <+228>: mov DWORD PTR [esp],0x8048680
   0x080485c7 <+235>: call 0x80483c0 <execve@plt>
   ...
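As an added example (my own helper, not part of the original post), the Python script below turns an excerpt of the pdisas listing above into call-with-arguments form by tracking the stores to [esp], [esp+4], ... that precede each call in 32-bit cdecl code. It assumes the gdb-peda Intel-syntax format shown and forgets everything it knows at each "..." gap, so it never reports arguments set up in code the post elided.

```python
import re

# gdb-peda "pdisas main" excerpt from the post (first read(); child's execve path).
LISTING = """\
0x080484f3 <+23>: mov DWORD PTR [esp+0x8],0x1
0x080484fb <+31>: mov DWORD PTR [esp+0x4],0x804a060
0x08048503 <+39>: mov DWORD PTR [esp],0x0
0x0804850a <+46>: call 0x8048370 <read@plt>
...
0x0804858c <+176>: mov DWORD PTR [esp+0x10],0x8048680
0x08048594 <+184>: lea eax,[esp+0x1c]
0x08048598 <+188>: mov DWORD PTR [esp+0x14],eax
0x0804859c <+192>: mov DWORD PTR [esp+0x18],0x0
0x080485a4 <+200>: mov DWORD PTR [esp],0x1
0x080485ab <+207>: call 0x8048390 <sleep@plt>
0x080485b0 <+212>: mov DWORD PTR [esp+0x8],0x0
0x080485b8 <+220>: lea eax,[esp+0x10]
0x080485bc <+224>: mov DWORD PTR [esp+0x4],eax
0x080485c0 <+228>: mov DWORD PTR [esp],0x8048680
0x080485c7 <+235>: call 0x80483c0 <execve@plt>
"""

INSN = re.compile(r"^0x[0-9a-f]+ <\+\d+>:\s+(\w+)\s*(.*)$")
SLOT = re.compile(r"DWORD PTR \[esp(?:\+0x([0-9a-f]+))?\]")
CALL = re.compile(r"<(\w+)@plt>")

def recover_calls(listing):
    """Return ([(callee, args), ...], final slots); args = values last stored to [esp+4*i]."""
    slots, regs, calls = {}, {}, []
    for line in listing.splitlines():
        m = INSN.match(line.strip())
        if not m:                          # "..." or a header: trust nothing after it
            slots, regs = {}, {}
            continue
        op, ops = m.group(1), [p.strip() for p in m.group(2).split(",", 1)]
        if op == "mov" and (dst := SLOT.fullmatch(ops[0])):
            off = int(dst.group(1) or "0", 16)       # store to an argument slot
            slots[off] = regs.get(ops[1], ops[1])    # resolve a tracked register
        elif op == "lea":                  # lea eax,[esp+0x1c] -> eax = &[esp+0x1c]
            regs[ops[0]] = "&" + ops[1]
        elif op == "call":
            args = []
            while 4 * len(args) in slots:  # consecutive slots starting at [esp]
                args.append(slots[4 * len(args)])
            callee = CALL.search(ops[0]).group(1) if "@plt" in ops[0] else ops[0]
            calls.append((callee, args))
            regs = {"eax": callee + "()"}  # eax now holds the return value
        else:                              # any other instruction writing ops[0]
            regs.pop(ops[0], None)
    return calls, slots
```

For this excerpt it reports read(0x0, 0x804a060, 0x1), sleep(0x1) and execve(0x8048680, &[esp+0x10], 0x0), and the final slot image shows [esp+0x10], [esp+0x14], [esp+0x18] holding 0x8048680, &[esp+0x1c], 0x0, i.e. execve's argv is {path, the stack buffer, NULL}.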