Author: spipm
Category: Binaries / Reversing
Difficulty: Medium
Credits for the small assembly ELF to go Brian Raiter Teensy ELF article. The ROP chain is a variant of this exploit-db entry by rajvardhan.
This 64 bit ELF writes user input to the stack and immediately rets. It also has NX enabled, making this a ROP challenge.
Our android mother has reached her third trimester, where she started to experience some pain in the right lower back. Before the doctor advises pelvic tilt exercises, you get called on the job for a procedural check on the fetus's programming.
In the code, you see that the fetus is indeed requesting input, but it also seems to have developed a protective mechanism to prevent execution of your data!
Can you hack the fetus and her mother back to health?
Users need to figure out that RAX is set by the amount of bytes that they send, and that RCX already points to a ret instruction. The idea for the ROP chain is:
(no need to set RAX, just send 59 bytes)
sar rsi, 63 (zero rsi)
mov rdi, rsp (move rdi to stack)
add dil, 16 (set rdi to bin/sh buffer)
jmp rcx (rcx = ret by default)
cdq (zero out rdx)
syscall (call sys_execve)
Also see the source code and solve.py.
The flag and the challenge name are a play on words to match a ROP chain with the Right Occiput Posterior (ROP) fetal position.
brck{Th4ts_A_h34ltHy_R1ght_0cc1put_P0st3r10r}