All Questions
Tagged with exploit-development, rop
9 questions
1 vote · 2 answers · 1k views
ROP: Handling a `push` in the middle of a gadget
In ROP, often a gadget has an undesired pop or push in the middle. For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well. What about a push: what do we ...
1 vote · 2 answers · 686 views
How do attackers determine ROP gadgets remotely?
Given that gadgets change per system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
1 vote · 1 answer · 1k views
Understanding ret2libc return address location
I was recently studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows: bytes to fill buffer + address of system ...
0 votes · 1 answer · 416 views
Is it possible to use ROP to call legitimate functions even if the stack is not executable?
I read about the hardware protection that blocks the CPU from jumping to a stack address. But a hacker may still edit the return address to an address in code memory that shouldn't run at that moment. For ...
2 votes · 1 answer · 2k views
Segmentation fault at strcpy while performing a buffer overflow
I have this code that I need to use to perform a ret2libc #include <stdio.h> #include <string.h> int main(int argc, char *argv[]) { char buf[256]; printf("buff is at:%p\n",buf); ...
2 votes · 1 answer · 505 views
How to use "jmp" in ROP
I'm trying to put together a ROP chain. I'm looking for a gadget to do the following: mov rdi, rdx ; mov rbp, rsp ; ret; But instead, I have a gadget like this: mov rdi, rdx ; mov rbp, rsp ; jmp ...
2 votes · 2 answers · 2k views
Cannot build a ROP chain
My ROP exploit crashes with a segmentation fault for an unknown reason. This is the vulnerable code (compiled via the command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2): #include <stdio.h> #include &...
1 vote · 1 answer · 698 views
Remote Buffer Overflow w/out Memory Leak
I'm working on an exploit development challenge right now in which I've been presented with a compiled binary and I have to exploit it on a remote server. No stack protections have been enabled and ...
3 votes · 1 answer · 3k views
Why is ret2libc not working in the code below on x86_64?
I am trying to bypass DEP in x86_64 (64 bit - ASLR OFF). I have my own vulnerable code and I have also written an exploit code with a basic ROP to jump into system() with parameter "/bin/sh",...