-
get segfault for 64 bit, the 64+context.bytes are 72, and this seems to be the correct offset for the 64bit example.
on 32 bit
p.send(fit({76: rop.chain(), 200: dlresolve.payload}))
getting stil…
-
can't spawn a shell with arguments
```
rop = ROP(program, base=0x00007fffffffe400)
rop.call('execve', [b'/bin/sh', [[b'/bin/sh'], [b'-p'], [b'-c'], [b'ls']], 0])
chain_1 = b''
chain_1 += b'\x00'*…
```
-
Hi,
the bug which is responsible for the 'additional' gadget in the ropchain is fixed.
It would have been good if I had known this earlier ;)
So, if you want you can change your lessen6 scrip…
sashs updated
4 years ago
-
wasn't able to spawn a shell with command as parameter:
```py
bin_sh = libc.address + 0x111111
rop = ROP(program, base=0x7fffffffe460)
rop.call('execve', [bin_sh, [[b'/bin/sh'], [b'-c'], [b'whoami…
```
-
hello, I have a question (might sound noob, I know)
but, why does ROPGadget successfully create the python code of the ROP chain sometimes, and some other times it doesn't?
And when it doesn't, wha…
-
This feature should enable users to easily set a gdb breakpoint in a `ROP.chain()` from a pwntools script.
Perhaps it could be implemented under the `rop` module.
Examples of possible successful…
-
I was doing this challenge: https://2020.ctf.link/assets/files/kernel-rop-bf9c106d45917343.tar.xz
and the gadget `0xffffffff8246dc83: push rax; ret;` is returned for the extracted vmlinux. I used it …
-
Would it be possible to make the C sources available so we can modify and re-compile the ROP chains?
-
Let me know if I'm doing something stupid:
```
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.14.3
BuildVersion: 18D21c
$ ./exploit id
2018-12-22 12:20:37 [+] Resolving symbols...
201…
```
timwr updated
5 years ago
-
Hello,
I got an idea. I want to implement a feature on r2 so that when the user puts a debugger at a point, turring, it finds a set of gadgets to use together for stack buffer overflow attacks.
http:/…