Cyber Training Guide
CTF WriteupsOther NotesHow-To: Radare2How-To: GDB
  • Cyber Training Guide
  • 0x0: Introduction
    • git-good
    • root-1
    • root-2
    • intro
  • Binary Exploitation (pwn)
    • What is Binary Exploitation?
    • 0x1: ret2win
      • win32
      • win64
      • args
    • 0x2: shellcodes
      • location
      • shell
      • constrained
    • 0x3: format strings
      • format
      • chase
      • bbpwn
    • 0x4: stack canaries
      • canary
      • findme
    • 0x5: ROP
      • rop2win
      • split
      • callme
      • write4
      • badchars
    • 0x6: PIE
      • gimme
      • leak32
      • leak64
    • 0x7: ASLR
      • groundzero
      • stepup
      • ret2plt
    • 0x8: GOT overwrites
      • gotem
      • gotem64
  • Programming
    • What is the Programming Section?
    • 0x9: Data Serialization
      • LinkedOps
      • Tree
      • TeLeVision
    • 0xA: Programming
      • Calorie Counting
      • Hash
      • Rock Paper Scissors
      • Watch the Register
      • Supply Stacks
      • Rope Bridge
      • Mountain Climbers
  • Reverse Engineering (RE)
    • What is Reverse Engineering?
    • 0xB: Ghidra
      • hardcode
      • undo
      • snake
  • Toolkit
    • Using Pwntools
      • Establishing Connection
      • Context
      • Sending/Receiving Data
      • The ELF Class
    • My Workflow
      • Tmux
      • Vim
Powered by GitBook
On this page

Was this helpful?

  1. Binary Exploitation (pwn)

0x1: ret2win

A ret2win is the most straightforward class of binary we can exploit.

The Theory

The crux of the ret2win exploit is that, by default, binaries store essential addresses on the stack. At the same time, when we provide input to the binary, we also write our data to the stack. In vulnerable binaries, we can write more data than allotted by the buffer. If the binary does not take proper precautions to check that we don't write too much data, we can overwrite the function's return address. We can go anywhere we want by overwriting the return pointer in the binary.

The most important idea to note is that we cannot add new instructions to the binary in nearly all cases. We must work with the current instructions to achieve the desired results.

The only time we can add new instructions is using shellcode exploits. This requires the prerequisite that the stack is marked as executable. If this is the case, we can write new instructions to the stack, point the instruction pointer to that location, and force those instructions to execute.

ret2win vulnerable binaries will have a win() function that does a desired action, such as printing a flag. Therefore, the goal of the exploit is to overwrite the return address of the current function with the address of the win() function. This will cause the program to execute the win() function, and print the flag.

PreviousWhat is Binary Exploitation?Nextwin32

Last updated 1 year ago

Was this helpful?