ROP (Return Orientated Programming)

On July 1, 2015September 25, 2015 By MuttiIn Random, Shellcode

Introduction

Some simple tips for using ROP for exploit development.

GDB

Search for “/bin/sh” string in libc system memory. Assuming the binary has been linked with libc of course.

(gdb) print system
$2 = {<text variable, no debug info>} 0x7ffff7a91c70 <system>
(gdb) find 0x7ffff7a91c70, +999999999999, "/bin/sh"
0x7ffff7b9dc23
(gdb) x /s 0x7ffff7b9dc23
0x7ffff7b9dc23: "/bin/sh"

Tutorials

My favorite ROP tutorial https://www.exploit-db.com/docs/28479.pdf

ROP example https://www.exploit-db.com/papers/13204/

ROP example http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html

ROP Utilities

ROP gadget finder http://shell-storm.org/project/ROPgadget/

ROPeMe, very simple setup – https://github.com/packz/ropeme

Demo

Visit one of my previous Protostar challenge write ups where I demonstrate the use of ropeme,

Thank you

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (Address never made public)

Name

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

%d bloggers like this:

Introduction

GDB

Tutorials

ROP Utilities

Demo

Rate this:

Share this:

Like this:

Leave a Reply Cancel reply