Questions tagged [rop]
The rop tag has no summary.
12 questions
1 vote
1 answer
176 views
How can I forge a minimal C program that, when analyzed through ROPgadget, yields at least one sub rsp, {some-offset} ; ret?
This is just a very concrete question. Is it possible (and how) to write a C program that, once passed through the ROPgadget app, throws at least this/one/a: sub rsp, 0x{some-offset} ; ret? I would like ...
0 votes
1 answer
154 views
ROP: System function not printing results to stdout
In order to solve a CTF challenge I have to construct a small ROP chain. The scope of the ROP chain is to print the content of the `flag` file. I already constructed the ROP chain, but it seems that ...
1 vote
1 answer
339 views
How does PIE mitigate exploits?
I read a tutorial where they compiled with the -no-pie option. Is it because the .text segment will be loaded at a random address, therefore making the addresses of gadgets found inside it useless?
0 votes
0 answers
100 views
system doesn't invoke /bin/sh
I am learning libc shellcode attacks and trying to execute /bin/sh from system. I can execute other commands from system like whoami and ls -a, but cannot run /bin/sh. The following works: string = b&...
1 vote
0 answers
64 views
xIP vs xSP vs xBP: How to choose the target?
We have 32-bit & 64-bit binaries, and in ROP (Return Oriented Programming), we sometimes target RSP/ESP, sometimes RIP/EIP, (maybe) sometimes RBP/EBP (I'm new to this, haven't seen RBP used yet). In ...
1 vote
0 answers
186 views
RopGadget buffer overflow
I have a question. I have a device on which I can perform a buffer overflow. The problem is that there is ASLR (on all addresses in /proc/binary/maps, but not on the binary itself, but all ...
1 vote
2 answers
193 views
BufferOverflow - Cannot push a specific return address on the stack
I'm currently playing with buffer overflows and ROP chains, and I'm facing a weird behavior that I don't know how to deal with. I don't know why, but I cannot correctly push the address of my first ...
2 votes
1 answer
481 views
ROP chain: Buffer Overflow Return Pointer
I am trying to get a ROP exploit to work on Ubuntu 18.04 LTS 64-bit. I have a 64-bit binary (NX enabled, ASLR disabled) with a vuln function as follows: public vuln vuln proc near var_100= byte ptr -...
2 votes
1 answer
1k views
How to reverse engineer a Black Box?
I am trying to reverse engineer / research a black box system, that is, a system for which there is no public information at all. Let's say the system is a modern handheld console. I have already ...
4 votes
2 answers
661 views
Can't trace MIPS embedded device remotely
I'm trying to debug a remote device using gdbserver and IDA Pro. I'm attached to the correct PID and I'm able to step through instructions until the point where I redirect $pc to my ROP chain. At the ...
3 votes
1 answer
487 views
Reverse engineering POST request body
I have a POST request that spawned a PHP webshell. It exploited the REST API vulnerability in WordPress versions 4.7.0 and 4.7.1. The body of the request is in binary (possibly gzip-compressed)...
1 vote
2 answers
1k views
What is this protection that seems to prevent ROP when ASLR is ON?
I was doing some tests to train myself to ROP when ASLR is ON and NX is enabled. I created this small program for testing purposes: #include <stdio.h> #include <stdlib.h> #include <...