diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md index 7aa3b257f..98001be9b 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md @@ -24,6 +24,10 @@ Other ways to support HackTricks: 2. **Gadget Chaining**: The attacker then carefully selects and chains gadgets to perform the desired actions. This could involve setting up arguments for a function call, calling the function (e.g., `system("/bin/sh")`), and handling any necessary cleanup or additional operations. 3. **Payload Execution**: When the vulnerable function returns, instead of returning to a legitimate location, it starts executing the chain of gadgets. +### Tools + +Typically, gadgets can be found using **[ROPgadget](https://github.com/JonathanSalwan/ROPgadget)**, **[ropper](https://github.com/sashs/Ropper)** or directly from **pwntools** ([ROP](https://docs.pwntools.com/en/stable/rop/rop.html)). + ## ROP Chain in x86 Example ### **x86 (32-bit) Calling conventions** @@ -37,7 +41,7 @@ First, let's assume we've identified the necessary gadgets within the binary or * `pop eax; ret`: This gadget pops the top value of the stack into the `EAX` register and then returns, allowing us to control `EAX`. * `pop ebx; ret`: Similar to the above, but for the `EBX` register, enabling control over `EBX`. -* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. +* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. This is often called a **write-what-where gadget**. * Additionally, we have the address of the `system()` function available. ### **ROP Chain** @@ -60,7 +64,7 @@ p = process(binary.path) bin_sh_addr = next(binary.search(b'/bin/sh\x00')) # Address of system() function (hypothetical value) -system_addr = 0xdeadcode +system_addr = 0xdeadc0de # A gadget to control the return address, typically found through analysis ret_gadget = 0xcafebabe # This could be any gadget that allows us to control the return address @@ -105,7 +109,7 @@ And we know the address of the **system()** function. Below is an example using **pwntools** to set up and execute a ROP chain aiming to execute **system('/bin/sh')** on **x64**: ```python -pythonCopy codefrom pwn import * +from pwn import * # Assuming we have the binary's ELF and its process binary = context.binary = ELF('your_binary_here')