I'm confused now about how the order is set up for the ROP chain.

Let's say we'd like to build the chain below.

in C:

open("myfile", O_RDONLY);
read(3, buf, 100);

in payload:

p32(OPEN_ADDR)
p32(PPR) # pop pop ret
p32(FILE_ADDR_BUF)
p32(0)

p32(READ_ADDR)
p32(PPPR)
p32(3)
p32(BUF)
p32(100)

p32(0xdeadbeef)

OPEN_ADDR is the address to be returned to, so we jump to the address of OPEN_ADDR (open()). When the open() function is done, we go to the address of PPR. This is my intuitive understanding, but it seems wrong, because the open() function is already done without any prepared parameters and we're trying to execute pop pop ret.

Thank you

  • I'm not sure I understand what you are asking; can you clarify? Commented Aug 28, 2021 at 13:12
  • Hi, I was asking how the order is set up. For example, in 64-bit, the order is intuitive, like below [example that calls the open and read system calls in order]: p32(PPR) p32(arg1) p32(arg2) p32(OPEN_ADDR) p32(PPPR) p32(arg1) p32(arg2) p32(arg3) p32(READ_ADDR)
    – user257164
    Commented Aug 30, 2021 at 7:43

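The point the question is circling is that on 32-bit x86 with the cdecl convention, a function does not take its arguments from registers: at entry, [esp] is the return address and [esp+4], [esp+8], ... are the arguments. So when the vulnerable function's `ret` pops OPEN_ADDR, esp is left pointing at the PPR slot, which open() sees as its return address, and FILE_ADDR_BUF and 0 are exactly where it looks for its two arguments. open() runs with those parameters, its own `ret` pops PPR into eip, and now esp points at the first argument. The two pops discard the two arguments, and the gadget's `ret` pops READ_ADDR, leaving esp at the PPPR slot so read() finds its return address and three arguments in the same way. The 64-bit ordering from the comment (gadget first, then the function) is different because there the arguments are loaded into registers by the pops before the function is entered.

The following simulation of that stack walk is an added example written for this page; it is not code from the original post. All the addresses (OPEN_ADDR, READ_ADDR, the gadget addresses, FILE_ADDR_BUF, BUF) are hypothetical constants chosen only so the chain can be walked, and the "CPU" only models the two things the question depends on: a cdecl function reading its arguments above its return address and returning with `ret`, and a pop-N-ret gadget.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical addresses, chosen only for this simulation (not from the post). */
#define OPEN_ADDR     0x08048400u   /* open() in the target */
#define READ_ADDR     0x08048500u   /* read() in the target */
#define PPR           0x08048601u   /* gadget: pop; pop; ret */
#define PPPR          0x08048702u   /* gadget: pop; pop; pop; ret */
#define FILE_ADDR_BUF 0x0804a000u   /* where "myfile\0" lives */
#define BUF           0x0804b000u   /* destination buffer for read() */

typedef struct {
    uint32_t fn;        /* address the chain "called" */
    uint32_t args[3];   /* what the callee saw at [esp+4], [esp+8], [esp+12] */
    int nargs;
} call_t;

/* The chain from the question, in the same order as the payload lists it.
   Word 0 sits where the saved return address was. */
size_t build_chain(uint32_t *out)
{
    size_t n = 0;
    out[n++] = OPEN_ADDR;      /* overwrites the saved return address */
    out[n++] = PPR;            /* open()'s "return address" */
    out[n++] = FILE_ADDR_BUF;  /* open() arg 1: pathname */
    out[n++] = 0;              /* open() arg 2: O_RDONLY */
    out[n++] = READ_ADDR;
    out[n++] = PPPR;           /* read()'s "return address" */
    out[n++] = 3;              /* read() arg 1: fd */
    out[n++] = BUF;            /* read() arg 2: buf */
    out[n++] = 100;            /* read() arg 3: count */
    out[n++] = 0xdeadbeef;     /* where the chain finally lands */
    return n;
}

static int nargs_of(uint32_t fn) { return fn == OPEN_ADDR ? 2 : fn == READ_ADDR ? 3 : 0; }
static int pops_of(uint32_t g)   { return g == PPR ? 2 : g == PPPR ? 3 : -1; }

/* Walk the chain the way the CPU would. esp is an index into `chain`; the
   vulnerable function's `ret` pops chain[0] into eip and leaves esp at chain[1].
   Records each modelled call (function + the cdecl arguments it saw), returns
   the number of calls, and stores the last value popped into eip in *final_eip. */
int run_chain(const uint32_t *chain, size_t nwords, call_t *calls, int max_calls,
              uint32_t *final_eip)
{
    size_t esp = 0;
    int ncalls = 0;
    uint32_t eip;

    if (nwords == 0) { *final_eip = 0; return 0; }
    eip = chain[esp++];                      /* the overwritten return address */

    for (;;) {
        int nargs = nargs_of(eip), pops = pops_of(eip);
        if (nargs > 0) {
            /* cdecl entry: [esp] is the return address, args are above it. */
            if (esp + (size_t)nargs >= nwords) break;   /* chain too short */
            if (ncalls < max_calls) {
                calls[ncalls].fn = eip;
                calls[ncalls].nargs = nargs;
                for (int i = 0; i < nargs; i++)
                    calls[ncalls].args[i] = chain[esp + 1 + i];
            }
            ncalls++;
            eip = chain[esp++];              /* callee's ret pops the gadget address */
        } else if (pops >= 0) {
            /* pop x N discards the arguments still on the stack; ret takes the next word. */
            esp += (size_t)pops;
            if (esp >= nwords) break;
            eip = chain[esp++];
        } else {
            break;                           /* neither a modelled function nor a gadget */
        }
    }
    *final_eip = eip;
    return ncalls;
}

int main(void)
{
    uint32_t chain[16], eip;
    call_t calls[4];
    size_t n = build_chain(chain);
    int nc = run_chain(chain, n, calls, 4, &eip);
    for (int i = 0; i < nc; i++) {
        printf("%s(", calls[i].fn == OPEN_ADDR ? "open" : "read");
        for (int j = 0; j < calls[i].nargs; j++)
            printf("%s0x%x", j ? ", " : "", (unsigned)calls[i].args[j]);
        printf(")\n");
    }
    printf("chain ends with eip = 0x%x\n", (unsigned)eip);
    return 0;
}
```

Running it prints open(0x804a000, 0x0), then read(0x3, 0x804b000, 0x64), then eip = 0xdeadbeef, which is the order the payload in the question produces. Dropping the PPR word (so READ_ADDR sat directly after open()'s arguments) would make open() return into its own first argument, which is the failure the gadget exists to prevent.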