Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Added tools and fixed typos

Browse source
This commit is contained in:
7Rocky 2024-04-06 15:01:06 +02:00
parent b2ce11dbfa
commit 1d9352d8be
1 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md
View file

@ -24,6 +24,10 @@ Other ways to support HackTricks:
2. **Gadget Chaining**: The attacker then carefully selects and chains gadgets to perform the desired actions. This could involve setting up arguments for a function call, calling the function (e.g., `system("/bin/sh")`), and handling any necessary cleanup or additional operations.
3. **Payload Execution**: When the vulnerable function returns, instead of returning to a legitimate location, it starts executing the chain of gadgets.
### Tools
Typically, gadgets can be found using **[ROPgadget](https://github.com/JonathanSalwan/ROPgadget)**, **[ropper](https://github.com/sashs/Ropper)** or directly from **pwntools** ([ROP](https://docs.pwntools.com/en/stable/rop/rop.html)).
## ROP Chain in x86 Example
### **x86 (32-bit) Calling conventions**
@ -37,7 +41,7 @@ First, let's assume we've identified the necessary gadgets within the binary or
* `pop eax; ret`: This gadget pops the top value of the stack into the `EAX` register and then returns, allowing us to control `EAX`.
* `pop ebx; ret`: Similar to the above, but for the `EBX` register, enabling control over `EBX`.
* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns.
* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. This is often called a **write-what-where gadget**.
* Additionally, we have the address of the `system()` function available.
### **ROP Chain**
@ -60,7 +64,7 @@ p = process(binary.path)
bin_sh_addr = next(binary.search(b'/bin/sh\x00'))
# Address of system() function (hypothetical value)
system_addr = 0xdeadcode
system_addr = 0xdeadc0de
# A gadget to control the return address, typically found through analysis
ret_gadget = 0xcafebabe # This could be any gadget that allows us to control the return address
@ -105,7 +109,7 @@ And we know the address of the **system()** function.
Below is an example using **pwntools** to set up and execute a ROP chain aiming to execute **system('/bin/sh')** on **x64**:
```python
pythonCopy codefrom pwn import *
from pwn import *
# Assuming we have the binary's ELF and its process
binary = context.binary = ELF('your_binary_here')