Playing with Sigreturn-Oriented Programming (SROP)

A Simple Demo Program Playing with the Gadget Exploitation 1. A Simple Demo Program Consider this: //gcc -Wall -Wextra -fno-stack-protector -ggdb -o demo demo.c #include<stdio.h> #include<unistd.h> int main() { puts("I'm unexploitable!"); char...

Even more “hidden” gadgets in __libc_csu_init()

TL;DR: Returning to <__libc_csu_init+93> gives us control on %rsp. Additionally, returning to <__libc_csu_init+95> and <__libc_csu_init+97> let us control %rbp and %rsi, respectively, with shorter payloads. Introduction More “hidden”...

A “hidden” gadget in __libc_csu_init()

TL;DR: The last two bytes of __libc_csu_init() are actually a pop rdi; ret gadget. Introduction Revisiting ROP Emporium: ret2csu Conclusion 1. Introduction Today I read this interesting post about __libc_csu_init(). Let’s first take another look at our two gadgets...

ROP Emporium: ret2csu write-up

Introduction Binary information __libc_csu_init() CALL issue Constructing ROP chain Conclusion 1. Introduction This ret2csu challenge from ropemporium.com teaches a new ROP technique presented at Black Hat Asia 2018 called return-to-csu. You can download the binary...

DEF CON CTF Qualifier 2015: r0pbaby write-up

Introduction Learning about the binary Locating return address First attempt MOVAPS issue From user to root Conclusion 1. Introduction Recently I started learning how to pwn. As recommended by Atum, I decided to start from this challenge from DEF CON CTF qualifier...