All Questions Tagged with rop buffer-overflow (15 questions)
1 vote · 0 answers · 47 views
Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?
Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-...
0 votes · 0 answers · 26 views
Jump-Oriented Programming: Harder than ROP because the registers need to be prepared individually? + Turing complete, but large overhead/slow?
Full title: Jump-Oriented Programming: Is it harder than traditional return-oriented programming because you need to manually prepare all the addresses and registers or is there a different reason?
...
0 votes · 0 answers · 110 views
push /bin/sh to get a shell
I usually use a different method to push /bin/sh into rdi to get a shell, but I wanted to try this one:
Suppose that I can control the RIP and there are no limitations or filters. So I can execute ...
0 votes · 1 answer · 316 views
64-bit ROP-based Buffer Overflow Attack
I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below:
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/...
0 votes · 0 answers · 191 views
Buffer Overflow with ROP Chain Output Problem
I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output.
I want to stop the printf() call in the vuln function to get ...
2 votes · 2 answers · 2k views
ROP executes system("/bin/sh") but does not attach to it
Here is the code:
import struct
buf = ""
buf += "A" * 552
buf += struct.pack('<Q', 0x401493) # pop rdi; ret
buf += struct.pack('<Q', 0x7ffff7f79152) # /bin/sh
buf += ...
0 votes · 1 answer · 625 views
Segfault after reaching system
I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle.
I first got the entire attack working with my local version of libc, then I used the version of libc provided by the ...
1 vote · 1 answer · 1k views
Understanding ret2libc return address location
I recently was studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows:
bytes to fill buffer + address of system ...
1 vote · 1 answer · 343 views
ROP on MIPS Doesn't Land Where Calculated
I am working on exploiting an application on MIPS to further my knowledge of ROP chaining. The library in which I am trying to build a ROP chain is libuClibc-0.9.30.3.so. I found a gadget that I want to use ...
2 votes · 1 answer · 2k views
segmentation fault at strcpy while performing a buffer overflow
I have this code that I need to use to perform a ret2libc
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buf[256];
printf("buff is at:%p\n",buf);
...
2 votes · 2 answers · 1k views
Cannot build a ROP chain
My ROP exploit crashes with segmentation fault for unknown reason.
This is the vulnerable code (compiled via the command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2):
#include <stdio.h>
#include &...
4 votes · 1 answer · 2k views
Where in a binary can '/bin/sh' be written to get a shell?
I've come across some behaviour in a CTF challenge that seems very strange and I was wondering if someone could help me understand it.
The CTF challenge was the can-you-gets-me challenge in ...
3 votes · 1 answer · 2k views
Return-oriented programming: Address of system() contains NULL byte
Disclaimer: I am asking this question solely for educational purposes.
I am trying to chain some function calls using return-oriented programming, exploiting a vulnerable binary which uses strcpy(). ...
3 votes · 1 answer · 3k views
Why ret2libc is not working in the below code on x86_64?
I am trying to bypass DEP in x86_64 (64 bit - ASLR OFF). I have my own vulnerable code and I have also written an exploit code with a basic ROP to jump into system() with parameter "/bin/sh",...
1 vote · 1 answer · 3k views
Dealing with NULL byte (0x00) in offsets
I'm trying to exploit a strcpy() buffer overflow vulnerability to test ROP attack. I found a very useful gadget at address 0x0000f26c so I am obliged to insert null bytes to the stack to override the ...