Questions tagged [rop]
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
34 questions
1 vote
0 answers
114 views
Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?
Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget? My understanding of JOP: In jump-...
0 votes
0 answers
250 views
Bash deletes null bytes in exploit input for ROP/returntolibc
I am trying to do a returntolibc exploit. The goal is to gain a shell with root privilege by calling setuid(0) and then system("/bin/sh"). I have been agonizing over trying to get this thing ...
0 votes
0 answers
224 views
push /bin/sh to get a shell
I usually use a different method to push /bin/sh into rdi to get a shell, but I wanted to try this one: suppose that I can control the RIP and there are no limitations or filters. So I can execute ...
0 votes
0 answers
1k views
Intel CET more secure than AMD Shadow Stack?
I'm trying to decide between AMD or Intel for a new build. I was reading about protection from ROP-attacks and it seems like Intel and AMD are handling this in different ways. AMD Zen 3 and later ...
0 votes
1 answer
514 views
64-bit ROP-based Buffer Overflow Attack
I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below: #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/...
0 votes
0 answers
226 views
Buffer Overflow with ROP Chain Output Problem
I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output. I want to stop the printf() call in the vuln function to get ...
0 votes
1 answer
741 views
ROP - ret VS ret 0
I'm doing a binary challenge from pwnable.kr and I'm examining a ROP gadget. Until now I've always used gadgets ending with ret or syscall/int 0x80, but now ROPgadget gave me a gadget ending with ...
1 vote
2 answers
1k views
ROP: Handling a `push` in the middle of a gadget
In ROP, often a gadget has an undesired pop or push in the middle. For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well. What about a push: What do we ...
0 votes
1 answer
529 views
How can I build ROP chains on 64 bits if my payload is copied through strcpy? [duplicate]
It seems 64-bit addresses must end in two null bytes. But strcpy will copy only one null byte in the entire payload.
2 votes
2 answers
2k views
ROP executes system("/bin/sh") but does not attach to it
Here is the code: import struct buf = "" buf += "A" * 552 buf += struct.pack('<Q', 0x401493) # pop rdi; ret buf += struct.pack('<Q', 0x7ffff7f79152) # /bin/sh buf += ...
0 votes
0 answers
203 views
Question about RTL (or ROP) chaining order
I'm confused now about how the order is set up for the ROP chain. Let's say we'd like to make a chain below in C: open("myfile", O_RDONLY); read(3, buf, 100); in payload: p32(OPEN_ADDR) p32(...
0 votes
1 answer
827 views
Segfault after reaching system
I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle. I first got the entire attack working with my local version of libc, then I used the version of libc provided by the ...
1 vote
2 answers
734 views
How do attackers determine ROP gadgets remotely?
Given that gadgets change per system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
-1 votes
1 answer
293 views
Is it possible to call a libc function with ROP?
Let's say a hacker wants to get around ASLR, or he wants to call a function that doesn't exist in the user program; can he insert into the return address the address of the shared library function, or are these functions ...
1 vote
1 answer
1k views
Understanding ret2libc return address location
I recently was studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows: bytes to fill buffer + address of system ...