ROP Emporium Ret2win32 (32 Bit) Writeup

Hariharan@Blog:~$
3 min read · Aug 10, 2021


Hello world. Ret2win (32 bits) is the first challenge in ROP Emporium. It is a fairly easy challenge where I had to call the ret2win() function. Before starting with the challenge, make sure your basics are strong. Do read my previous blogs for the concepts. Let’s get started with the challenge.

Challenge

We do not get any source code for this challenge. First I had to start with the usual procedure of finding out what type of file the ret2win32 binary is.

Now I had to figure out a way to find the functions present in the ret2win32 binary. I used “info functions” and found pwnme() and ret2win(). pwnme() did not seem that interesting, but ret2win() calls system().

I noted the address of ret2win() here. Next I had to find the offset value needed to overwrite the buffer, the padding and EBP in order to reach EIP. For this I used “pattern create” inside GDB. Next we run the binary inside GDB and paste the pattern to find the offset value.

We notice how the registers have changed here. EIP has been overwritten with “AFAA”. Now we can check the offset value with “pattern offset”. See my blog on Ret2win (64 bits) for the stack diagram. It gives more clarity on how the stack works.

So I had to use 44 characters to overwrite the buffer, the padding and EBP, after which EIP could be given the ret2win() address. I used this exploit to get the flag.
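To show what “pattern create” and “pattern offset” are doing under the hood, here is an added example (my own code, not ROP Emporium’s or GDB’s) that generates a de Bruijn pattern, turns a crashed EIP value back into the bytes that sat on the stack, and looks up their offset; it assumes a pwntools-style lowercase alphabet, so the 4 bytes at offset 44 differ from the “AFAA” that GDB’s own pattern produced above.

```python
import itertools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # assumption: not the charset GDB's plugin uses
N = 4  # 32-bit target: EIP holds exactly 4 bytes of the pattern

def de_bruijn(alphabet: bytes, n: int):
    """Yield the de Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)

def cyclic(length: int) -> bytes:
    """The first `length` bytes of the pattern (what 'pattern create' prints)."""
    return bytes(itertools.islice(de_bruijn(ALPHABET, N), length))

def cyclic_find(chunk: bytes) -> int:
    """Index of the 4-byte `chunk` in the pattern, or -1 (what 'pattern offset' does)."""
    window = b""
    for i, byte in enumerate(de_bruijn(ALPHABET, N)):
        window = (window + bytes([byte]))[-N:]
        if window == chunk:
            return i - N + 1
    return -1

def offset_from_eip(eip: int) -> int:
    """Turn the crashed EIP value shown by the debugger back into the offset.
    x86 is little-endian, so the register value is packed as '<I' to recover
    the bytes in the order they sat on the stack (0x41414641 is b'AFAA')."""
    return cyclic_find(struct.pack("<I", eip))

if __name__ == "__main__":
    pattern = cyclic(100)
    # Simulated crash (constructed): bytes 44..47 of the pattern landed in EIP.
    crashed_eip = struct.unpack("<I", pattern[44:48])[0]
    print(f"EIP = {crashed_eip:#010x} -> offset {offset_from_eip(crashed_eip)}")
```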

Running this exploit should give us the flag.

WE HAVE OUR FLAG!

Hope you understood the challenge. Do check out my other blogs.

Don’t forget to give some claps if you reached here :) Follow me for more writeups.

Goodbye:)
