Rop, rop, rop
Rop to the top!
Slip and slide and ride that rhythm…

Here’s some binary and source. Navigate to /problems/roptothetop/ on the shell server to try your exploit out!

Let’s analyze the file first.

The file is a 32-bit ELF executable, dynamically linked, with a non-executable stack, so we cannot run shellcode from the stack and instead have to return into code that already exists in the binary.

In the source code, we can see that the function fun_copy copies our input string into a fixed-length buffer with no length check. Let’s use a De Bruijn pattern to calculate the offset of the saved return address.

So, the offset to the return address is 44. Let’s find the address of the the_top function. The address is static since PIE is not enabled.

So, the address is 0x080484db. All we need to do is send an argument consisting of 44 bytes of padding followed by the 4 bytes \xdb\x84\x04\x08 (the address in little-endian order).
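To show what the defect behind this challenge looks like and how it is fixed, here is an added C example that is not the challenge's own source. The body of fun_copy and its buffer size are not given in the writeup, so the unchecked version below is a hypothetical reconstruction of the pattern described (an unbounded copy into a fixed-size stack buffer) and BUF_LEN is an assumed value. The checked version rejects any input that does not fit, which is what prevents a 48-byte input from reaching the saved return address at all.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the writeup does not give fun_copy's buffer length,
 * only that the saved return address sits 44 bytes into the input. */
#define BUF_LEN 32

/* 'Before' (hypothetical reconstruction of the pattern the writeup describes):
 * an unbounded copy into a fixed-size buffer. Anything past the buffer walks
 * over the saved frame pointer and return address. Shown for contrast only;
 * never call it with input longer than the destination. */
void fun_copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* 'After': refuse input that does not fit and always NUL-terminate.
 * Returns 0 on success, -1 if src would not fit in a BUF_LEN buffer. */
int fun_copy_checked(char dst[BUF_LEN], const char *src) {
    size_t n = strnlen(src, BUF_LEN);   /* never scan past BUF_LEN bytes */
    if (n >= BUF_LEN) return -1;        /* no room left for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed input with the same shape the writeup sends: 44 bytes of filler
 * followed by 4 more bytes where the return address would go. Returns 1 if
 * the checked copy rejects it. */
int rejects_writeup_sized_input(void) {
    char payload[49];
    memset(payload, 'A', 44);
    memcpy(payload + 44, "BBBB", 4);
    payload[48] = '\0';
    char dst[BUF_LEN];
    return fun_copy_checked(dst, payload) == -1;
}

/* Returns 1 if a short input is copied intact by the checked version. */
int accepts_short_input(void) {
    char dst[BUF_LEN];
    return fun_copy_checked(dst, "hello") == 0 && strcmp(dst, "hello") == 0;
}

int main(void) {
    printf("short input accepted: %d\n", accepts_short_input());
    printf("48-byte input rejected: %d\n", rejects_writeup_sized_input());
    return 0;
}
```

The checked copy uses strnlen so that a source missing its terminator cannot cause an over-read either; with a real buffer size in place of the assumed BUF_LEN, the same two-line check is all fun_copy needs.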

Let’s run the binary on their server and get our flag.

The flag is actf{strut_your_stuff}.