Questions tagged [rop]

Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

1 vote
0 answers
45 views

Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?

Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget? My understanding of JOP: In jump-...
user25100341
0 votes
0 answers
23 views

Jump-Oriented Programming: Harder than ROP because the registers need to be prepared individually? + Turing complete, but large overhead/slow?

Full title: Jump-Oriented Programming: Is it harder than traditional return-oriented programming because you need to manually prepare all the addresses and registers or is there a different reason? ...
user25100341
0 votes
0 answers
89 views

Bash deletes null bytes in exploit input for ROP/returntolibc

I am trying to do a returntolibc exploit. The goal is to gain a shell with root privilege by calling setuid(0) and then system("/bin/sh"). I have been agonizing over trying to get this thing ...
germphjd
0 votes
0 answers
103 views

push /bin/sh to get a shell

I usually use a different method to push /bin/sh in rdi to get a shell, but I wanted to try this one : Put in case that I can control the RIP and there are no limitations or filters. So I can execute ...
tpau
0 votes
0 answers
94 views

Trying to ret2text on 64bit program issues, can't jump to shell

Here is the elf summary of the program: Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) This is the ...
Nsion
0 votes
0 answers
670 views

Intel CET more secure than AMD Shadow Stack?

I'm trying to decide between AMD or Intel for a new build. I was reading about protection from ROP-attacks and it seems like Intel and AMD are handling this in different ways. AMD Zen 3 and later ...
Cass9000
0 votes
1 answer
311 views

64-bit ROP-based Buffer Overflow Attack

I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below: #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/...
justsobad
0 votes
0 answers
191 views

Buffer Overflow with ROP Chain Output Problem

I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output. I want to stop the printf() call in the vuln function to get ...
Flowless Man
0 votes
1 answer
438 views

ROP - ret VS ret 0

I'm doing a binary challenge from pwnable.kr and I'm examining some ROP gadgets. Until now I've always used gadgets ending with ret or syscall/int 0x80, but now ROPgadget gave me a gadget ending with ...
Marco Balo
1 vote
2 answers
902 views

Rop: Handling a `push` in the middle of a gadget

In rop, often a gadget has an undesired pop or push in the middle. For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well. What about a push: What do we ...
SRobertJames
0 votes
1 answer
386 views

How can I build ROP chains on 64 bits if my payload is copied through strcpy? [duplicate]

It seems 64-bit addresses must end in two null bytes. But strcpy will copy only one null byte in the entire payload.
boredaf
2 votes
2 answers
2k views

ROP executes system("/bin/sh") but does not attach to it

Here is the code: import struct buf = "" buf += "A" * 552 buf += struct.pack('<Q', 0x401493) # pop rdi; ret buf += struct.pack('<Q', 0x7ffff7f79152) # /bin/sh buf += ...
Toma
0 votes
0 answers
170 views

Question about RTL (or ROP) chaining order

I'm confused now about how the order is set up for the ROP chain. Let's say we'd like to make a chain below in C: open("myfile", O_RDONLY); read(3, buf, 100); in payload: p32(OPEN_ADDR) p32(...
user257164
0 votes
1 answer
616 views

Segfault after reaching system

I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle. I first got the entire attack working with my local version of libc, then I used the version of libc provided by the ...
nickelpro
1 vote
2 answers
602 views

How do attackers determine ROP gadgets remotely?

Given that gadgets change for each system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
asd40732