ROP – Page 5 – WindowsTechs.com

How to use "jmp" in ROP

Posted on March 18, 2020 by perplex

I’m trying to put together a ROP chain. I’m looking for a gadget to do the following:

mov rdi, rdx ; mov rbp, rsp ; ret;

But instead, I have a gadget like this :

mov rdi, rdx ; mov rbp, rsp ; jmp 0x8109b3f7

So, I thought maybe I c… Continue reading How to use "jmp" in ROP→

I was experimenting to see if I can make an ROP chain within the kernel. In the kernel debugging mode, I can make the first jump to an arbitrary gadget address without any problem. But the problem occurs after that. If I want to continue t… Continue reading Kernel ROP crashes running OS→

ROP and NX question

Posted on February 27, 2020 by Rowan

What are the dependencies on using ROP to make NX inert?

I’ve been told to consider the size of the program, loaded libaries, multiprocess programs and any other factors

Continue reading ROP and NX question→

Cannot build a ROP chain

Posted on January 12, 2020 by Asm .

My ROP exploit crashes with segmentation fault for unknown reason.
This is a vulnerable code (compiled via command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2):

#include <stdio.h>
#include <string.h>
#includ… Continue reading Cannot build a ROP chain→

Blind ROP Differentiate between a Stop and Pop gadget

Posted on September 12, 2019 by ultrajohn

My question is about the Blind ROP attack as described in the original paper. When probing for potential gadgets with the help of a stop gadget, how does one know for sure that the guessed address really points to a pop gadge… Continue reading Blind ROP Differentiate between a Stop and Pop gadget→

Remote Buffer Overflow w/out Memory Leak

Posted on August 4, 2019 by leaustinwile

I’m working on an exploit development challenge right now in which I’ve been presented with a compiled binary and I have to exploit it on a remote server. No stack protections have been enabled and ASLR is disabled. I’ve writ… Continue reading Remote Buffer Overflow w/out Memory Leak→

Pwntools not detecting recvline()

Posted on June 1, 2019 by Rich C

I am creating a ROP chain exploit on a 64 bit ELF.
So far I have been able to leak puts in libc and leak memory.

The issue I have is that when I build the second stage of the exploit to call a shell, pwntools is not detectin… Continue reading Pwntools not detecting recvline()→

puts(address of stack) does not print the string pointed by the address

Posted on May 2, 2019 by pankul garg

I am trying to do ROP using gadget chaining technique on a 64-bit machine.

This is the source code:

#include<stdio.h>
int main(){
char * str = “Hello World!”;
char buf[4];
puts(str);
gets(buf);

}

Th… Continue reading puts(address of stack) does not print the string pointed by the address→

Assembly for execve needed

Posted on April 3, 2019 by user415612

I’m trying out ROP and have found address of execve in memory. Can someone point out the following:

In which registers so I need to put the string /sbin/shutdown and -H and NULL so that execve in libc will pick them up exec… Continue reading Assembly for execve needed→

Where in a binary can ‘/bin/sh’ be written to get a shell?

Posted on December 17, 2018 by zack

I’ve come across some behaviour in a CTF challenge that seems very strange and I was wondering if someone could help me understand it.

The CTF challenge was the can-you-gets-me challenge in PicoCTF2018.

It was a ROP challen… Continue reading Where in a binary can ‘/bin/sh’ be written to get a shell?→