Don't like this style? Click here to change it! blue.css
OK so this is another cool tool for your PWN utility belt.
Here's the promise:
With that kind of power you can set the instruction pointer to any location and pass it whatever arguments you need.
You could rework the location of the entire stack.
A pretty powerful PWN primitive.
Let's see it in action.
I have the binary for you at /ctf/srop/vuln if you'd like to follow along.
There are also several write-ups on the internet out there which you can use to get started when you're ready.
So our job is to execve("/bin/sh\x00") and we can control all of the registers at once.
Since we have to manufacture a win function we need to:
The pwntools ELF tool is awesome.
elf.writable_segments is a list of any segments that are writable.
elf.writable_segments.header['p_paddr'] although fart around don't copy paste this one.
pwntools makes this easy:
So we've found a writable segment, let's call it:
We need to write to the
dataseg and craft our own baby stack over there.
So that might look something like this: