From 7c970f316f0dbcf85a5ea03ba86c5046b78d3c7f Mon Sep 17 00:00:00 2001
From: John
Date: Thu, 9 Mar 2017 02:56:41 -0600
Subject: [PATCH] Added a simple rop problem Needs to be built on a linux machine and the binary put in the files/description so that its easier to solve. Also needs to be put on the shell.
---
simple-rop/Makefile | 2 ++
simple-rop/description.md | 3 +++
simple-rop/flag.txt | 1 +
simple-rop/grader.py | 4 ++++
simple-rop/problem.yml | 7 +++++++
simple-rop/simple-rop.c | 25 +++++++++++++++++++++++++
6 files changed, 42 insertions(+)
create mode 100644 simple-rop/Makefile
create mode 100644 simple-rop/description.md
create mode 100644 simple-rop/flag.txt
create mode 100644 simple-rop/grader.py
create mode 100644 simple-rop/problem.yml
create mode 100644 simple-rop/simple-rop.c
diff --git a/simple-rop/Makefile b/simple-rop/Makefile
new file mode 100644
index 0000000..96f2342
--- /dev/null
+++ b/simple-rop/Makefile
@@ -0,0 +1,2 @@
+(all):
+ gcc -m32 -o simple-rop -fno-stack-protector -O0 simple-rop.c
\ No newline at end of file
diff --git a/simple-rop/description.md b/simple-rop/description.md
new file mode 100644
index 0000000..feda140
--- /dev/null
+++ b/simple-rop/description.md
@@ -0,0 +1,3 @@
+On the shell there is a folder ``.
+Read flag.txt
+[Source](${simple-rop.c})
\ No newline at end of file
diff --git a/simple-rop/flag.txt b/simple-rop/flag.txt
new file mode 100644
index 0000000..43e31ae
--- /dev/null
+++ b/simple-rop/flag.txt
@@ -0,0 +1 @@
+easyctf{r0p_7o_v1ct0ry}
\ No newline at end of file
diff --git a/simple-rop/grader.py b/simple-rop/grader.py
new file mode 100644
index 0000000..31e162c
--- /dev/null
+++ b/simple-rop/grader.py
@@ -0,0 +1,4 @@
+def grade(random, key):
+ if key.find("r0p_7o_v1ct0ry") != -1:
+ return True, "Correct!"
+ return False, "Nope."
diff --git a/simple-rop/problem.yml b/simple-rop/problem.yml
new file mode 100644
index 0000000..14f06a3
--- /dev/null
+++ b/simple-rop/problem.yml 
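Review bot: The target is written `(all):`, which reads like a typo for `all:`; the build only works because it is the first rule, and `make all` would most likely fail with no such target. Rename it to `all:` and add `.PHONY: all`. The recipe also leaves PIE and the rest of the hardening set to whatever the build host's gcc defaults to, so the binary the commit message asks to be built and published can differ from one machine to the next; spell out the intended flags and add a comment such as `# -fno-stack-protector is deliberate: this binary is a training target` so the line is not copied into a real build.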
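Review bot: `key.find("r0p_7o_v1ct0ry") != -1` grades any submission that merely contains the flag body as correct, however much other text surrounds it, and a `key` that is not a string raises instead of returning a result. If exact submissions are what the platform intends (the substring match may be a house convention, which is not visible here), compare the normalised value instead: `if isinstance(key, str) and key.strip() == "easyctf{r0p_7o_v1ct0ry}":`. The flag text now lives both here and in flag.txt, so a one-line comment naming flag.txt as the source of truth would keep the two from drifting. `random` is unused in the lines shown, presumably because the grader interface requires it.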
@@ -0,0 +1,7 @@
+title: Simple Rop
+category: Binary Exploitation
+value: 75
+author: r3ndom
+autogen: false
+files:
+ - simple-rop.c
diff --git a/simple-rop/simple-rop.c b/simple-rop/simple-rop.c
new file mode 100644
index 0000000..f3c33e3
--- /dev/null
+++ b/simple-rop/simple-rop.c
@@ -0,0 +1,25 @@
+#include
+#include
+
+void print_flag();
+void what_did_you_say();
+
+int main(int argc, char* argv[])
+{
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ what_did_you_say();
+ return 0;
+}
+
+void print_flag()
+{
+ system("cat flag.txt");
+}
+
+void what_did_you_say()
+{
+ char buff[64];
+ gets(buff);
+ printf("You said: %s\n", buff);
+}
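Review bot: print_flag() shells out with `system("cat flag.txt")`, so `cat` is resolved through the caller's PATH and `flag.txt` against the caller's working directory. On the shared shell the commit message mentions, the player controls both, and the group set up by `setresgid` ends up running a shell command rather than only disclosing one file. Reading the file directly from an absolute path, as sketched below, keeps the exercise to its intended single flaw. The `setresgid` result in main() is also ignored; `if (setresgid(gid, gid, gid) != 0) { perror("setresgid"); return 1; }` makes a mis-deployed binary fail loudly, and `setresgid` needs `#define _GNU_SOURCE` before `<unistd.h>` to be declared. The `gets(buff)` call should carry a comment saying it is the intended flaw, so nobody "fixes" it later.

```c
void print_flag()
{
    /* Placeholder path: replace with the absolute deploy location of flag.txt. */
    FILE *f = fopen("/PLACEHOLDER/simple-rop/flag.txt", "r");
    char line[128];

    if (f == NULL) {
        perror("flag.txt");
        return;
    }
    if (fgets(line, sizeof line, f) != NULL)
        fputs(line, stdout);
    fclose(f);
}
// … unchanged: what_did_you_say() …
```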