Questions tagged [rop]
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
36 questions
-1 votes, 1 answer, 251 views
is it possible to call libc function with rop
Let's say a hacker wants to overcome ASLR, or wants to call a function that doesn't exist in the user program. Can he insert into the return address the address of the shared library function, or these functions ...
1 vote, 1 answer, 1k views
Understanding ret2libc return address location
I recently was studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows:
bytes to fill buffer + address of system ...
1 vote, 1 answer, 343 views
ROP on MIPS Doesn't Land Where Calculated
I am working on exploiting an application on MIPS to further my knowledge of ROP chaining. The library I am trying to build a ROP chain for is libuClibc-0.9.30.3.so. I found a gadget that I want to use ...
0 votes, 1 answer, 375 views
Is it possible to use ROP to call legitimate functions even if the stack is not executable?
I read about the hardware protection that blocks the CPU from jumping to a stack address. But a hacker may still edit the return address to an address in code memory that shouldn't run at that moment.
For ...
0 votes, 1 answer, 883 views
ROP execute a shell with execl() - /bin/sh: 0: Can't open
A C program vulnerable to a stack buffer overflow requires 112 bytes of stuffing to reach the return address of the calling function. Here strcpy() is the vulnerable function.
void f(char *name){
char ...
1 vote, 1 answer, 1k views
ROP gadget for setuid(zero) - writing argument zero into the stack
I have a program vulnerable to a stack-based buffer overflow with the setuid bit set, and I want to fill the buffer with ROP gadgets.
If setuid(0) is needed to spawn a shell with root privileges, then '0' ...
2 votes, 1 answer, 2k views
segmentation fault at strcpy while performing a buffer overflow
I have this code that I need to use to perform a ret2libc
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buf[256];
printf("buff is at:%p\n",buf);
...
2 votes, 1 answer, 472 views
How to use "jmp" in ROP
I'm trying to put together a ROP chain. I'm looking for a gadget to do the following:
mov rdi, rdx ; mov rbp, rsp ; ret;
But instead, I have a gadget like this :
mov rdi, rdx ; mov rbp, rsp ; ...
1 vote, 0 answers, 131 views
Kernel ROP crashes running OS
I was experimenting to see if I can make a ROP chain within the kernel. In kernel debugging mode, I can make the first jump to an arbitrary gadget address without any problem. But the problem ...
2 votes, 2 answers, 1k views
Cannot build a ROP chain
My ROP exploit crashes with segmentation fault for unknown reason.
This is the vulnerable code (compiled via the command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2):
#include <stdio.h>
#include <...
1 vote, 1 answer, 660 views
Remote Buffer Overflow w/out Memory Leak
I'm working on an exploit development challenge right now in which I've been presented with a compiled binary and I have to exploit it on a remote server. No stack protections have been enabled and ...
1 vote, 0 answers, 329 views
puts(address of stack) does not print the string pointed by the address
I am trying to do ROP using the gadget chaining technique on a 64-bit machine.
This is the source code:
#include<stdio.h>
int main(){
char * str = "Hello World!";
char buf[4];
puts(str)...
0 votes, 0 answers, 272 views
Is JIT-compiler required for JIT-ROP attack?
I have been studying up on the concept of Just-in-Time (JIT) ROP attack (https://cs.unc.edu/~fabian/papers/oakland2013.pdf), and came across this question which I have not been able to find the ...
4 votes, 1 answer, 2k views
Where in a binary can '/bin/sh' be written to get a shell?
I've come across some behaviour in a CTF challenge that seems very strange and I was wondering if someone could help me understand it.
The CTF challenge was the can-you-gets-me challenge in ...
3 votes, 1 answer, 2k views
Return-oriented programming: Address of system() contains NULL byte
Disclaimer: I am asking this question solely for educational purposes.
I am trying to chain some function calls using return-oriented programming, exploiting a vulnerable binary which uses strcpy(). ...