Broze ropchain is a simple pwn challenge with a 32 bit binary.
The first step is to check the protection of the binary with checksec util:
How we can see there isn’t any protection and then is easy to pwn. Moreover, the binary is statically compiled:
this means that is easy find the gadgets for our ropchain, in fact, running ROPgadget util, we can obtain directly a ropchain with –ropchain option:
here there is only a problem, some gadget, in address, has the byte value ‘0a’ that is interpreted as “new line” from gets function, then need to replace these gadgets with another valid without ‘0a’. The final result is the following exploit:
And finally run it: