Questions tagged [rop]
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
14 questions with no upvoted or accepted answers
1 vote, 0 answers, 47 views
Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?
Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-...
1 vote, 0 answers, 131 views
Kernel ROP crashes running OS
I was experimenting to see if I can make an ROP chain within the kernel. In the kernel debugging mode, I can make the first jump to an arbitrary gadget address without any problem. But the problem ...
1 vote, 0 answers, 329 views
puts(address of stack) does not print the string pointed by the address
I am trying to do ROP using gadget chaining technique on a 64-bit machine.
This is the source code:
#include<stdio.h>
int main(){
char * str = "Hello World!";
char buf[4];
puts(str)...
0 votes, 0 answers, 26 views
Jump-Oriented Programming: Harder than ROP because the registers need to be prepared individually? + Turing complete, but large overhead/slow?
Full title: Jump-Oriented Programming: Is it harder than traditional return-oriented programming because you need to manually prepare all the addresses and registers or is there a different reason?
...
0 votes, 0 answers, 93 views
Bash deletes null bytes in exploit input for ROP/returntolibc
I am trying to do a returntolibc exploit. The goal is to gain a shell with root privilege by calling setuid(0) and then system("/bin/sh"). I have been agonizing over trying to get this thing ...
0 votes, 0 answers, 110 views
push /bin/sh to get a shell
I usually use a different method to push /bin/sh into rdi to get a shell, but I wanted to try this one:
Assume that I can control the RIP and that there are no limitations or filters. So I can execute ...
0 votes, 0 answers, 94 views
Trying to ret2text on 64bit program issues, can't jump to shell
Here is the elf summary of the program:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
This is the ...
0 votes, 0 answers, 701 views
Intel CET more secure than AMD Shadow Stack?
I'm trying to decide between AMD or Intel for a new build. I was reading about protection from ROP-attacks and it seems like Intel and AMD are handling this in different ways.
AMD Zen 3 and later ...
0 votes, 1 answer, 316 views
64-bit ROP-based Buffer Overflow Attack
I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below:
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/...
0 votes, 0 answers, 191 views
Buffer Overflow with ROP Chain Output Problem
I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output.
I want to stop the printf() call in the vuln function to get ...
0 votes, 0 answers, 173 views
Question about RTL (or ROP) chaining order
I'm confused now about how the order is set up for the ROP chain.
Let's say we'd like to make a chain below
in C:
open("myfile", O_RDONLY);
read(3, buf, 100);
in payload:
p32(OPEN_ADDR)
p32(...
0 votes, 1 answer, 883 views
ROP execute a shell with execl() - /bin/sh: 0: Can't open
A C program vulnerable to a stack buffer overflow requires 112 bytes of stuffing to reach the return address of the calling function. Here strcpy() is the vulnerable function.
void f(char *name){
char ...
0 votes, 0 answers, 272 views
Is JIT-compiler required for JIT-ROP attack?
I have been studying up on the concept of Just-in-Time (JIT) ROP attack (https://cs.unc.edu/~fabian/papers/oakland2013.pdf), and came across this question which I have not been able to find the ...
-1 votes, 1 answer, 251 views
Is it possible to call a libc function with ROP?
Let's say a hacker wants to get around ASLR, or wants to call a function that doesn't exist in the user program; can he insert into the return address the address of a shared library function, or do these functions ...