Questions tagged [rop]
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
36 questions
5 votes, 1 answer, 1k views
How does GCC's -mmitigate-rop work?
GCC 6 has a flag, -mmitigate-rop, which compiles binaries in a way that reduces the number of gadgets exploitable by ROP. The GCC documentation explaining this feature is minimal:
-mmitigate-rop
Try ...
4 votes, 1 answer, 2k views
Where in a binary can '/bin/sh' be written to get a shell?
I've come across some behaviour in a CTF challenge that seems very strange and I was wondering if someone could help me understand it.
The CTF challenge was the can-you-gets-me challenge in ...
3 votes, 1 answer, 3k views
Why is ret2libc not working in the code below on x86_64?
I am trying to bypass DEP in x86_64 (64 bit - ASLR OFF). I have my own vulnerable code and I have also written an exploit code with a basic ROP to jump into system() with parameter "/bin/sh",...
3 votes, 2 answers, 3k views
Stack location range on linux for user process
In Linux, with ASLR enabled, is there a range of addresses where the user stack address lies? What about the heap, or instruction addresses (text section)? In general, is it possible to look at an address and ...
3 votes, 1 answer, 2k views
Return-oriented programming: Address of system() contains NULL byte
Disclaimer: I am asking this question solely for educational purposes.
I am trying to chain some function calls using return-oriented programming, exploiting a vulnerable binary which uses strcpy(). ...
2 votes, 2 answers, 1k views
Cannot build a ROP chain
My ROP exploit crashes with segmentation fault for unknown reason.
This is the vulnerable code (compiled via the command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2):
#include <stdio.h>
#include &...
2 votes, 2 answers, 2k views
ROP executes system("/bin/sh") but does not attach to it
Here is the code:
import struct
buf = ""
buf += "A" * 552
buf += struct.pack('<Q', 0x401493) # pop rdi; ret
buf += struct.pack('<Q', 0x7ffff7f79152) # /bin/sh
buf += ...
2 votes, 1 answer, 2k views
segmentation fault at strcpy while performing a buffer overflow
I have this code that I need to use to perform a ret2libc
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buf[256];
printf("buff is at:%p\n",buf);
...
2 votes, 1 answer, 472 views
How to use "jmp" in ROP
I'm trying to put together a ROP chain. I'm looking for a gadget to do the following:
mov rdi, rdx ; mov rbp, rsp ; ret;
But instead, I have a gadget like this:
mov rdi, rdx ; mov rbp, rsp ; ...
1 vote, 1 answer, 706 views
ROP Attack: Force the program to manipulate an instruction as a gadget
I'm doing a basic exploitation test on a simple program with a few lines of code. I intend to exploit a buffer overflow vulnerability to perform a ROP attack.
To gather the available gadgets I use ...
1 vote, 2 answers, 917 views
ROP: Handling a `push` in the middle of a gadget
In ROP, a gadget often has an undesired pop or push in the middle.
For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.
What about a push: What do we ...
1 vote, 2 answers, 604 views
How do attackers determine ROP gadgets remotely?
Since gadgets change per system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
1 vote, 1 answer, 1k views
Understanding ret2libc return address location
I recently was studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows:
bytes to fill buffer + address of system ...
1 vote, 1 answer, 12k views
How to find address of system() in an executable - ROP exploit
I'm trying to find the address of system() in a code repo that I'm trying to exploit using Return Oriented Programming (for a course project). The code has included stdlib.h but it has not used system(...
1 vote, 1 answer, 343 views
ROP on MIPS Doesn't Land Where Calculated
I am working on exploiting an application on MIPS to further my knowledge of ROP chaining. The library I am trying to build a ROP chain from is libuClibc-0.9.30.3.so. I found a gadget that I want to use ...